Skip to content

priya25800/zero-trust-final

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Zero Trust Access Control & Authorization System

A multi-domain web security portal that implements Zero Trust Architecture — "Never Trust, Always Verify" — using Attribute-Based Access Control (ABAC), real-time risk scoring, and step-up MFA authentication.

Built as a full-stack Node.js/Express/MongoDB application, the system enforces per-request authentication and authorization across four independent enterprise domains: University, Hospital, Corporate, and Banking.

Live Dashboard Preview

Screenshots available in the /screenshots folder (or link them here once added).

Key Features

  • Zero Trust enforcement — every resource request is individually authenticated and authorized; no session is implicitly trusted
  • ABAC policy engine — evaluates subject attributes (role, department), resource classification (public/internal/confidential/critical), action type, and environmental context on every request
  • Real-time risk scoring (0–100) — combines resource sensitivity, role-resource alignment, device trust, time-of-access, and login history to classify each request as ALLOW, STEP-UP, or DENY
  • JWT-based stateless authentication — 15-minute access tokens with refresh token rotation
  • MFA step-up verification — 6-digit OTP challenge triggered automatically for medium-risk requests
  • Brute-force protection — account lockout after 5 failed login attempts, plus global rate limiting
  • Domain-locked login — users can only authenticate through the portal matching their email domain
  • Full audit logging — every access decision (allow/deny/step-up) is logged with user, resource, risk score, IP, and timestamp; exportable as CSV
  • Admin panel — user block/unblock, ABAC policy management, and system-wide log monitoring
  • Attack simulation module — educational demo of brute-force, privilege escalation, and token replay attacks

Tech Stack

Layer Technology
Backend Node.js, Express.js
Database MongoDB, Mongoose (ODM)
Auth JSON Web Tokens (JWT), bcrypt
Security Helmet.js, express-rate-limit, CORS
Frontend HTML5, CSS3, Vanilla JavaScript (SPA)

Architecture Highlights

  • Policy Enforcement Point (PEP)authMiddleware.js wraps every protected route
  • Policy Decision Point (PDP) — policy evaluation logic inside the authorize() middleware
  • Risk Scorer — computes a fresh 0–100 score per request based on resource classification (+40 critical / +25 confidential / +10 internal), off-hours access (+15), untrusted device (+20), and failed login history (+25)

Results

  • 100% access control accuracy across all tested role-resource scenarios
  • ~45ms average response time for ABAC evaluation + risk scoring per request
  • Full test suite covering registration, domain-lock validation, resource access (allow/deny), MFA step-up, audit logging, and admin operations

Getting Started

Prerequisites

  • Node.js 18+
  • MongoDB (local or Atlas)

Installation

git clone https://github.com/priya25800/zero-trust-final.git
cd zero-trust-final
npm install

Environment Setup

Create a .env file in the project root:

MONGO_URI=mongodb://localhost:27017/zerotrust
JWT_ACCESS_SECRET=your_access_secret_here
JWT_REFRESH_SECRET=your_refresh_secret_here
PORT=3000

Run

npm start

Then open http://localhost:3000 in your browser.

Demo Domains

The portal supports four separate enterprise environments, each with its own role hierarchy:

Domain Example Roles
University Student, Faculty, HOD, Examiner, Admin
Hospital Patient, Nurse, Doctor/Surgeon, Lab Technician, Admin
Corporate Employee, Team Manager, HR Manager, Finance Officer, IT Admin
Banking Customer, Bank Teller, Branch Manager, Loan Officer, Admin

Future Enhancements

  • Real SMS/Email OTP delivery (Twilio/SendGrid)
  • FIDO2/WebAuthn biometric step-up authentication
  • ML-based adaptive risk scoring
  • Blockchain-backed tamper-evident audit logs
  • SSO integration (SAML/OAuth 2.0)

Author

Supriya Dharmapuri LinkedIn · GitHub

About

Full-stack Zero Trust access control system with ABAC policies, real-time risk scoring, JWT auth, and step-up MFA across 4 enterprise domains.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors