@alibarbar/common 1.1.2 → 1.1.4

package/dist/storage.js

@@ -1,4 +1,7 @@
-// src/helper/crypto/index.ts
+import JSEncrypt from 'jsencrypt';
+import CryptoJS from 'crypto-js';
+
+// src/helper/encryption/index.ts
 function base64Encode(data) {
   if (typeof data === "string") {
     return btoa(unescape(encodeURIComponent(data)));
@@ -10,989 +13,419 @@ function base64Encode(data) {
   }
   return btoa(binary);
 }
-function base64Decode(data) {
-  try {
-    return decodeURIComponent(escape(atob(data)));
-  } catch {
-    throw new Error("Invalid Base64 string");
-  }
-}
-function generateRandomString(length, charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") {
-  let result = "";
-  for (let i = 0; i < length; i++) {
-    result += charset.charAt(Math.floor(Math.random() * charset.length));
-  }
-  return result;
-}
-async function generateRSAKeyPair(modulusLength = 2048) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const keyPair = await crypto.subtle.generateKey(
-    {
-      name: "RSA-OAEP",
-      modulusLength,
-      publicExponent: new Uint8Array([1, 0, 1]),
-      hash: "SHA-256"
-    },
-    true,
-    ["encrypt", "decrypt"]
-  );
-  return {
-    publicKey: keyPair.publicKey,
-    privateKey: keyPair.privateKey
-  };
-}
-async function rsaEncrypt(data, publicKey) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const encoder = new TextEncoder();
-  const dataBuffer = encoder.encode(data);
-  const algo = publicKey.algorithm;
-  const modulusLength = typeof algo.modulusLength === "number" ? algo.modulusLength : 2048;
-  const hashName = typeof algo.hash === "object" && "name" in algo.hash ? algo.hash.name : "SHA-256";
-  const hashLength = hashName === "SHA-1" ? 20 : 32;
-  const maxChunkSize = Math.max(Math.floor(modulusLength / 8 - 2 * hashLength - 2), 1);
-  const chunks = [];
-  for (let i = 0; i < dataBuffer.length; i += maxChunkSize) {
-    const chunk = dataBuffer.slice(i, i + maxChunkSize);
-    const encrypted = await crypto.subtle.encrypt(
-      {
-        name: "RSA-OAEP"
-      },
-      publicKey,
-      chunk
-    );
-    chunks.push(encrypted);
-  }
-  const totalLength = chunks.reduce((sum, chunk) => sum + chunk.byteLength, 0);
-  const merged = new Uint8Array(totalLength);
-  let offset = 0;
-  for (const chunk of chunks) {
-    merged.set(new Uint8Array(chunk), offset);
-    offset += chunk.byteLength;
-  }
-  return base64Encode(merged.buffer);
+function generateRandomAESKeyString() {
+  return CryptoJS.lib.WordArray.random(256 / 8).toString();
 }
-async function rsaDecrypt(encryptedData, privateKey) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const binaryString = atob(encryptedData);
-  const encryptedArray = new Uint8Array(binaryString.length);
-  for (let i = 0; i < binaryString.length; i++) {
-    encryptedArray[i] = binaryString.charCodeAt(i);
-  }
-  const chunkSize = 256;
-  const chunks = [];
-  for (let i = 0; i < encryptedArray.length; i += chunkSize) {
-    const chunk = encryptedArray.slice(i, i + chunkSize);
-    const decrypted = await crypto.subtle.decrypt(
-      {
-        name: "RSA-OAEP"
-      },
-      privateKey,
-      chunk
+function encryptJsonWithAES(data, aesKey) {
+  try {
+    const jsonString = JSON.stringify(data);
+    return CryptoJS.AES.encrypt(jsonString, aesKey).toString();
+  } catch (error) {
+    throw new Error(
+      "[encryption] AES encryptJsonWithAES failed: " + (error instanceof Error ? error.message : String(error))
     );
-    const decoder = new TextDecoder();
-    chunks.push(decoder.decode(decrypted));
-  }
-  return chunks.join("");
-}
-async function exportPublicKey(publicKey) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
   }
-  const exported = await crypto.subtle.exportKey("spki", publicKey);
-  return base64Encode(exported);
 }
-async function exportPrivateKey(privateKey) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const exported = await crypto.subtle.exportKey("pkcs8", privateKey);
-  return base64Encode(exported);
-}
-async function importPublicKey(keyData) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const keyBuffer = base64Decode(keyData);
-  const keyArray = new Uint8Array(keyBuffer.split("").map((char) => char.charCodeAt(0)));
-  return crypto.subtle.importKey(
-    "spki",
-    keyArray.buffer,
-    {
-      name: "RSA-OAEP",
-      hash: "SHA-256"
-    },
-    true,
-    ["encrypt"]
-  );
-}
-async function importPrivateKey(keyData) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const keyBuffer = base64Decode(keyData);
-  const keyArray = new Uint8Array(keyBuffer.split("").map((char) => char.charCodeAt(0)));
-  return crypto.subtle.importKey(
-    "pkcs8",
-    keyArray.buffer,
-    {
-      name: "RSA-OAEP",
-      hash: "SHA-256"
-    },
-    true,
-    ["decrypt"]
-  );
-}
-async function generateHMACKey() {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  return crypto.subtle.generateKey(
-    {
-      name: "HMAC",
-      hash: "SHA-256"
-    },
-    true,
-    ["sign", "verify"]
-  );
-}
-async function computeHMAC(data, key) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
-  const buffer = typeof data === "string" ? new TextEncoder().encode(data) : data;
-  const signature = await crypto.subtle.sign("HMAC", key, buffer);
-  return base64Encode(signature);
-}
-async function verifyHMAC(data, signature, key) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
-  }
+function decryptJsonWithAES(encryptedData, aesKey) {
   try {
-    const dataBuffer = typeof data === "string" ? new TextEncoder().encode(data) : data;
-    const signatureBuffer = new Uint8Array(
-      atob(signature).split("").map((char) => char.charCodeAt(0))
+    const decrypted = CryptoJS.AES.decrypt(encryptedData, aesKey);
+    const jsonString = decrypted.toString(CryptoJS.enc.Utf8);
+    if (!jsonString) {
+      throw new Error("decrypted JSON string is empty");
+    }
+    return JSON.parse(jsonString);
+  } catch (error) {
+    throw new Error(
+      "[encryption] AES decryptJsonWithAES failed: " + (error instanceof Error ? error.message : String(error))
     );
-    return await crypto.subtle.verify("HMAC", key, signatureBuffer, dataBuffer);
-  } catch {
-    return false;
   }
 }
-async function deriveKeyFromPassword(password, salt, iterations = 1e5, keyLength = 256) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
+function getEnvPublicKey() {
+  const key = import.meta.env.VITE_RSA_PUBLIC_KEY?.trim();
+  if (!key) {
+    throw new Error(
+      "[encryption] VITE_RSA_PUBLIC_KEY is not set. Please configure RSA public key in environment variables."
+    );
   }
-  const saltBuffer = typeof salt === "string" ? new TextEncoder().encode(salt) : salt;
-  const passwordKey = await crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(password),
-    "PBKDF2",
-    false,
-    ["deriveBits", "deriveKey"]
-  );
-  return crypto.subtle.deriveKey(
-    {
-      name: "PBKDF2",
-      salt: saltBuffer,
-      iterations,
-      hash: "SHA-256"
-    },
-    passwordKey,
-    {
-      name: "AES-GCM",
-      length: keyLength
-    },
-    false,
-    ["encrypt", "decrypt"]
-  );
+  return key;
 }
-async function aesGCMEncrypt(data, key) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
+function getEnvPrivateKey() {
+  const key = import.meta.env.VITE_RSA_PRIVATE_KEY?.trim();
+  if (!key) {
+    throw new Error(
+      "[encryption] VITE_RSA_PRIVATE_KEY is not set. Please configure RSA private key in environment variables."
+    );
   }
-  const dataBuffer = typeof data === "string" ? new TextEncoder().encode(data) : data;
-  const iv = crypto.getRandomValues(new Uint8Array(12));
-  const encrypted = await crypto.subtle.encrypt(
-    {
-      name: "AES-GCM",
-      iv
-    },
-    key,
-    dataBuffer
-  );
-  return {
-    encrypted: base64Encode(encrypted),
-    iv: base64Encode(iv.buffer)
-  };
+  return key;
 }
-async function aesGCMDecrypt(encryptedData, iv, key) {
-  if (typeof crypto === "undefined" || !crypto.subtle) {
-    throw new Error("Web Crypto API is not available");
+function base64ToPem(base64Key, type) {
+  const chunks = [];
+  for (let i = 0; i < base64Key.length; i += 64) {
+    chunks.push(base64Key.slice(i, i + 64));
   }
-  const encryptedBuffer = new Uint8Array(
-    atob(encryptedData).split("").map((char) => char.charCodeAt(0))
-  );
-  const ivBuffer = new Uint8Array(
-    atob(iv).split("").map((char) => char.charCodeAt(0))
-  );
-  const decrypted = await crypto.subtle.decrypt(
-    {
-      name: "AES-GCM",
-      iv: ivBuffer
-    },
-    key,
-    encryptedBuffer
-  );
-  return new TextDecoder().decode(decrypted);
+  const body = chunks.join("\n");
+  const header = type === "PUBLIC" ? "-----BEGIN PUBLIC KEY-----" : "-----BEGIN PRIVATE KEY-----";
+  const footer = type === "PUBLIC" ? "-----END PUBLIC KEY-----" : "-----END PRIVATE KEY-----";
+  return `${header}
+${body}
+${footer}`;
 }
-
-// src/browser/SecureStorage/index.ts
-var globalKeyPair = null;
-var globalHMACKey = null;
-var keyPairInitialized = false;
-var initOptions = {
-  autoGenerateKeys: true,
-  persistKeys: false,
-  keyStorageKey: void 0,
-  // 将自动生成随机键名
-  keyEncryptionPassword: void 0,
-  pbkdf2Iterations: 1e5,
-  keyModulusLength: 2048,
-  enableHMAC: true,
-  enableTimestampValidation: true,
-  timestampMaxAge: 7 * 24 * 60 * 60 * 1e3,
-  // 7 天
-  isProduction: false
-};
-var actualKeyStorageKey = null;
-var keyUsageCount = 0;
-var initializationPromise = null;
-var KEY_STORAGE_KEY_REGISTRY = "__SECURE_STORAGE_KEY__";
-function generateKeyStorageKey() {
-  return `_sk_${generateRandomString(32)}_${Date.now()}`;
-}
-async function initializeStorageKeys(options = {}) {
-  if (options.forceReinitialize) {
-    globalKeyPair = null;
-    globalHMACKey = null;
-    keyPairInitialized = false;
-    actualKeyStorageKey = null;
-    keyUsageCount = 0;
-    initializationPromise = null;
-  } else if (keyPairInitialized && globalKeyPair) {
-    initOptions = { ...initOptions, ...options };
-    return;
-  }
-  initOptions = { ...initOptions, ...options };
-  if (initOptions.keyStorageKey) {
-    actualKeyStorageKey = initOptions.keyStorageKey;
-  } else if (!actualKeyStorageKey) {
-    if (typeof window !== "undefined" && window.localStorage) {
-      const savedKeyName = window.localStorage.getItem(KEY_STORAGE_KEY_REGISTRY);
-      if (savedKeyName) {
-        actualKeyStorageKey = savedKeyName;
+async function rsaEncrypt(plain, publicKeyPem) {
+  try {
+    const encrypt = new JSEncrypt();
+    let publicKeyString;
+    if (typeof publicKeyPem === "string") {
+      const trimmedKey = publicKeyPem.trim();
+      if (!trimmedKey) {
+        throw new Error("Public key string is empty");
+      }
+      if (trimmedKey.includes("-----BEGIN")) {
+        publicKeyString = trimmedKey;
       } else {
-        actualKeyStorageKey = generateKeyStorageKey();
-        window.localStorage.setItem(KEY_STORAGE_KEY_REGISTRY, actualKeyStorageKey);
+        publicKeyString = base64ToPem(trimmedKey, "PUBLIC");
       }
+    } else if (publicKeyPem instanceof CryptoJS.lib.WordArray) {
+      const base64Key = publicKeyPem.toString();
+      publicKeyString = base64ToPem(base64Key, "PUBLIC");
     } else {
-      actualKeyStorageKey = generateKeyStorageKey();
+      try {
+        const exported = await crypto.subtle.exportKey("spki", publicKeyPem);
+        const base64Key = base64Encode(exported);
+        publicKeyString = base64ToPem(base64Key, "PUBLIC");
+      } catch (error) {
+        throw new Error(
+          "Failed to export CryptoKey. In non-HTTPS environment, use string publicKey (Base64 or PEM) directly. " + (error instanceof Error ? error.message : String(error))
+        );
+      }
     }
-  }
-  if (initOptions.persistKeys && typeof window !== "undefined" && window.localStorage) {
-    try {
-      const storedKeys = window.localStorage.getItem(actualKeyStorageKey);
-      if (storedKeys) {
-        const keyData = JSON.parse(storedKeys);
-        if (keyData.encrypted && keyData.privateKeyEncrypted && keyData.salt) {
-          if (!initOptions.keyEncryptionPassword) {
-            if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-              console.error("Encrypted keys found but no password provided");
-            }
-            throw new Error("Password required to decrypt stored keys");
-          }
-          const saltArray = new Uint8Array(
-            atob(keyData.salt).split("").map((char) => char.charCodeAt(0))
+    encrypt.setPublicKey(publicKeyString);
+    const MAX_ENCRYPT_LENGTH = 200;
+    if (plain.length > MAX_ENCRYPT_LENGTH) {
+      const chunks = [];
+      for (let i = 0; i < plain.length; i += MAX_ENCRYPT_LENGTH) {
+        const chunk = plain.slice(i, i + MAX_ENCRYPT_LENGTH);
+        const encrypted2 = encrypt.encrypt(chunk);
+        if (!encrypted2) {
+          throw new Error(
+            `RSA encryption failed for chunk ${i / MAX_ENCRYPT_LENGTH + 1}. Public key may be invalid or JSEncrypt may not be loaded correctly.`
           );
-          const iterations = keyData.pbkdf2Iterations || initOptions.pbkdf2Iterations;
-          const derivedKey = await deriveKeyFromPassword(
-            initOptions.keyEncryptionPassword,
-            saltArray.buffer,
-            iterations
-          );
-          const decryptedPrivateKey = await aesGCMDecrypt(
-            keyData.privateKeyEncrypted,
-            keyData.iv,
-            derivedKey
-          );
-          globalKeyPair = {
-            publicKey: await importPublicKey(keyData.publicKey),
-            privateKey: await importPrivateKey(decryptedPrivateKey)
-          };
-        } else if (keyData.publicKey && keyData.privateKey) {
-          if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-            console.warn(
-              "\u26A0\uFE0F SECURITY WARNING: Loading unencrypted keys from storage. Consider re-initializing with password encryption."
-            );
-          }
-          globalKeyPair = {
-            publicKey: await importPublicKey(keyData.publicKey),
-            privateKey: await importPrivateKey(keyData.privateKey)
-          };
         }
-        if (globalKeyPair) {
-          keyPairInitialized = true;
-          if (initOptions.enableHMAC && !globalHMACKey) {
-            globalHMACKey = await generateHMACKey();
-          }
-          return;
-        }
-      }
-    } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-        console.warn("Failed to load persisted keys, will generate new ones");
+        chunks.push(encrypted2);
       }
+      return chunks.join("|");
     }
-  }
-  if (initOptions.autoGenerateKeys && !globalKeyPair) {
-    try {
-      globalKeyPair = await generateRSAKeyPair(initOptions.keyModulusLength);
-      if (initOptions.enableHMAC && !globalHMACKey) {
-        globalHMACKey = await generateHMACKey();
-      }
-      keyPairInitialized = true;
-      keyUsageCount = 0;
-      if (initOptions.persistKeys && typeof window !== "undefined" && window.localStorage) {
-        try {
-          const publicKeyStr = await exportPublicKey(globalKeyPair.publicKey);
-          if (initOptions.keyEncryptionPassword) {
-            const privateKeyStr = await exportPrivateKey(globalKeyPair.privateKey);
-            const salt = crypto.getRandomValues(new Uint8Array(16));
-            const derivedKey = await deriveKeyFromPassword(
-              initOptions.keyEncryptionPassword,
-              salt.buffer,
-              initOptions.pbkdf2Iterations
-            );
-            const { encrypted, iv } = await aesGCMEncrypt(privateKeyStr, derivedKey);
-            const keyData = {
-              encrypted: true,
-              publicKey: publicKeyStr,
-              privateKeyEncrypted: encrypted,
-              iv,
-              salt: base64Encode(salt.buffer),
-              pbkdf2Iterations: initOptions.pbkdf2Iterations
-            };
-            window.localStorage.setItem(actualKeyStorageKey, JSON.stringify(keyData));
-            if (!initOptions.isProduction && typeof console !== "undefined" && console.info) {
-              console.info("\u2705 Keys encrypted and stored securely");
-            }
-          } else {
-            if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-              console.warn(
-                "\u26A0\uFE0F SECURITY WARNING: Storing private keys without encryption! Private keys will be stored in plain text (Base64 encoded). Provide keyEncryptionPassword for secure storage."
-              );
-            }
-            const keyData = {
-              publicKey: publicKeyStr,
-              privateKey: await exportPrivateKey(globalKeyPair.privateKey)
-            };
-            window.localStorage.setItem(actualKeyStorageKey, JSON.stringify(keyData));
-          }
-        } catch (error) {
-          if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-            console.error("Failed to persist keys");
-          }
-        }
-      }
-    } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("Failed to generate storage keys");
+    const encrypted = encrypt.encrypt(plain);
+    if (!encrypted) {
+      throw new Error(
+        `RSA encryption failed. Public key may be invalid or JSEncrypt may not be loaded correctly. Plain text length: ${plain.length} bytes.`
+      );
+    }
+    return encrypted;
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.message.includes("RSA encryption failed") || error.message.includes("Public key")) {
+        throw error;
       }
-      throw error;
+      throw new Error(`[encryption] rsaEncrypt failed: ${error.message}`);
     }
+    throw new Error(`[encryption] rsaEncrypt failed: ${String(error)}`);
   }
-  if (initOptions.enableHMAC && !globalHMACKey) {
-    globalHMACKey = await generateHMACKey();
-  }
-}
-function setStorageKeyPair(keyPair) {
-  globalKeyPair = keyPair;
-  keyPairInitialized = true;
 }
-function getStorageKeyPair() {
-  return globalKeyPair;
-}
-function clearPersistedKeys() {
-  if (typeof window !== "undefined" && window.localStorage && actualKeyStorageKey) {
+async function rsaDecrypt(cipher, privateKeyPem) {
+  const decrypt = new JSEncrypt();
+  let privateKeyString;
+  if (typeof privateKeyPem === "string") {
+    if (privateKeyPem.includes("-----BEGIN")) {
+      privateKeyString = privateKeyPem.trim();
+    } else {
+      const trimmed = privateKeyPem.trim();
+      privateKeyString = base64ToPem(trimmed, "PRIVATE");
+    }
+  } else if (privateKeyPem instanceof CryptoJS.lib.WordArray) {
+    const base64Key = privateKeyPem.toString();
+    privateKeyString = base64ToPem(base64Key, "PRIVATE");
+  } else {
     try {
-      window.localStorage.removeItem(actualKeyStorageKey);
-      actualKeyStorageKey = null;
-      keyPairInitialized = false;
-      globalKeyPair = null;
-      globalHMACKey = null;
-      keyUsageCount = 0;
+      const exported = await crypto.subtle.exportKey("pkcs8", privateKeyPem);
+      const base64Key = base64Encode(exported);
+      privateKeyString = base64ToPem(base64Key, "PRIVATE");
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("Failed to clear persisted keys");
-      }
-    }
-  }
-}
-function getKeyUsageCount() {
-  return keyUsageCount;
-}
-function resetKeyUsageCount() {
-  keyUsageCount = 0;
-}
-async function ensureKeyPair() {
-  if (globalKeyPair) {
-    keyUsageCount++;
-    return;
-  }
-  if (!initOptions.autoGenerateKeys) {
-    return;
-  }
-  if (initializationPromise) {
-    await initializationPromise;
-    if (globalKeyPair) {
-      keyUsageCount++;
+      throw new Error(
+        "[encryption] rsaDecrypt: failed to export CryptoKey. In non-HTTPS environment, use PEM string directly."
+      );
     }
-    return;
-  }
-  initializationPromise = initializeStorageKeys();
-  try {
-    await initializationPromise;
-  } finally {
-    initializationPromise = null;
   }
-  if (globalKeyPair) {
-    keyUsageCount++;
-  }
-}
-function safeParseJSON(jsonStr, expectedType) {
-  try {
-    const parsed = JSON.parse(jsonStr);
-    if (expectedType === "object" && (typeof parsed !== "object" || parsed === null || Array.isArray(parsed))) {
-      throw new Error("Expected object but got different type");
-    }
-    if (expectedType === "array" && !Array.isArray(parsed)) {
-      throw new Error("Expected array but got different type");
-    }
-    return parsed;
-  } catch (error) {
-    if (error instanceof SyntaxError) {
-      throw new Error(`Invalid JSON format: ${error.message}`);
+  decrypt.setPrivateKey(privateKeyString);
+  const chunks = cipher.split("|");
+  const decryptedChunks = [];
+  for (const chunk of chunks) {
+    const decrypted = decrypt.decrypt(chunk);
+    if (!decrypted) {
+      throw new Error("[encryption] rsaDecrypt: RSA decryption failed");
     }
-    throw error;
+    decryptedChunks.push(decrypted);
   }
+  return decryptedChunks.join("");
 }
-function validateTimestamp(timestamp, maxClockSkew = 5 * 60 * 1e3) {
-  if (!initOptions.enableTimestampValidation || !timestamp) {
-    return true;
-  }
-  if (initOptions.timestampMaxAge === 0) {
-    return true;
-  }
-  const now = Date.now();
-  const age = now - timestamp;
-  const maxAge = initOptions.timestampMaxAge || 7 * 24 * 60 * 60 * 1e3;
-  if (age < -maxClockSkew) {
-    return false;
-  }
-  return age >= -maxClockSkew && age <= maxAge;
+async function encryptWithEnvPublicKey(plain) {
+  const publicKey = getEnvPublicKey();
+  return rsaEncrypt(plain, publicKey);
 }
-async function encryptValue(value, publicKey, hmacKey) {
-  const encryptedData = await rsaEncrypt(value, publicKey);
-  if (hmacKey) {
-    const hmac = await computeHMAC(encryptedData, hmacKey);
-    const item = {
-      data: encryptedData,
-      hmac,
-      encrypted: true,
-      timestamp: Date.now()
-    };
-    return JSON.stringify(item);
-  }
-  return encryptedData;
+async function decryptWithEnvPrivateKey(cipher) {
+  const privateKey = getEnvPrivateKey();
+  return rsaDecrypt(cipher, privateKey);
 }
-async function handleDecryptError(error, encryptedStr, key) {
-  if (error instanceof Error && error.message.includes("HMAC verification failed")) {
-    if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-      console.error(
-        "\u26A0\uFE0F SECURITY ALERT: Data integrity check failed! Data may have been tampered with."
-      );
+
+// src/browser/SecureStorage/index.ts
+var CONFIG = {
+  NAMESPACE: "sec_b_",
+  DEFAULT_EXPIRE: null
+};
+var SecureStorage = class _SecureStorage {
+  static get instances() {
+    if (!this._instances) {
+      this._instances = /* @__PURE__ */ new Map();
     }
-    throw error;
-  }
-  if (error instanceof Error && error.message.includes("Data timestamp validation failed")) {
-    if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-      console.warn("\u26A0\uFE0F SECURITY WARNING: Data timestamp validation failed");
+    return this._instances;
+  }
+  constructor(options) {
+    const storageType = options.storage === window.sessionStorage ? "session" : "local";
+    const namespace = options.namespace || CONFIG.NAMESPACE;
+    const instanceKey = `${storageType}_${namespace}`;
+    const existingInstance = _SecureStorage.instances.get(instanceKey);
+    if (existingInstance) {
+      return existingInstance;
     }
-    throw error;
+    this.namespace = namespace;
+    this.storage = options.storage || window.localStorage;
+    this.defaultExpire = options.defaultExpire ?? CONFIG.DEFAULT_EXPIRE;
+    this.instanceKey = instanceKey;
+    _SecureStorage.instances.set(instanceKey, this);
   }
-  try {
-    const decryptedStr = base64Decode(encryptedStr);
-    if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-      console.warn(
-        `\u26A0\uFE0F SECURITY WARNING: Reading unencrypted data for key "${key}". This may be a security risk if sensitive data was stored without encryption.`
-      );
-    }
-    return decryptedStr;
-  } catch {
-    throw error;
+  /**
+   * 获取单例实例（静态方法）
+   */
+  static getInstance(options) {
+    return new _SecureStorage(options);
   }
-}
-function handleNoKeyDecode(encryptedStr, key) {
-  try {
-    const decryptedStr = base64Decode(encryptedStr);
-    if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-      console.warn(
-        `\u26A0\uFE0F SECURITY WARNING: Reading unencrypted data for key "${key}" without encryption keys.`
-      );
-    }
-    return decryptedStr;
-  } catch (error) {
-    throw new Error(`Failed to decode storage value for key "${key}"`);
+  /**
+   * 清除所有单例实例（用于测试或重置）
+   */
+  static clearInstances() {
+    _SecureStorage.instances.clear();
   }
-}
-async function decryptValue(encryptedValue, privateKey, hmacKey) {
-  try {
-    const item = JSON.parse(encryptedValue);
-    if (item.encrypted && item.data && item.hmac) {
-      if (hmacKey) {
-        const isValid = await verifyHMAC(item.data, item.hmac, hmacKey);
-        if (!isValid) {
-          throw new Error("HMAC verification failed: data may have been tampered with");
-        }
-      }
-      if (item.timestamp && !validateTimestamp(item.timestamp)) {
-        throw new Error("Data timestamp validation failed: data may be expired or replayed");
-      }
-      return await rsaDecrypt(item.data, privateKey);
-    }
-    return await rsaDecrypt(encryptedValue, privateKey);
-  } catch (error) {
-    if (error instanceof Error && error.message.includes("HMAC verification failed")) {
-      throw error;
-    }
-    throw new Error("Failed to decrypt storage value: invalid format or corrupted data");
+  /**
+   * 获取当前所有实例的数量（用于调试）
+   */
+  static getInstanceCount() {
+    return _SecureStorage.instances.size;
+  }
+  /**
+   * 获取完整键名（带命名空间）
+   */
+  _getFullKey(key) {
+    return `${this.namespace}${key}`;
+  }
+  /**
+   * 检查数据是否过期
+   */
+  _isExpired(expire) {
+    if (!expire) return false;
+    return Date.now() > expire;
   }
-}
-var localStorage = {
   /**
    * 设置值
-   * @param key - 键
-   * @param value - 值
-   * @param options - 选项（过期时间、密钥等）
-   * @returns Promise<void>
    */
-  async set(key, value, options = {}) {
-    if (typeof window === "undefined" || !window.localStorage) {
-      throw new Error("localStorage is not available");
-    }
-    const { expiry, publicKey } = options;
-    const item = {
-      value,
-      expiry: expiry ? Date.now() + expiry : void 0
-    };
+  async set(key, value, expire = this.defaultExpire) {
     try {
-      const jsonStr = JSON.stringify(item);
-      await ensureKeyPair();
-      const keyToUse = publicKey || globalKeyPair?.publicKey;
-      if (keyToUse) {
-        const encrypted = await encryptValue(jsonStr, keyToUse, globalHMACKey);
-        window.localStorage.setItem(key, encrypted);
-      } else {
-        if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-          console.warn(
-            `\u26A0\uFE0F SECURITY WARNING: Storing data without encryption for key "${key}". Data is only Base64 encoded, not encrypted!`
-          );
-        }
-        const encoded = base64Encode(jsonStr);
-        window.localStorage.setItem(key, encoded);
-      }
+      const fullKey = this._getFullKey(key);
+      const aesKey = generateRandomAESKeyString();
+      const storageData = {
+        value,
+        expire: expire ? Date.now() + expire : null,
+        timestamp: Date.now()
+      };
+      const encryptedData = encryptJsonWithAES(storageData, aesKey);
+      const encryptedKey = await encryptWithEnvPublicKey(aesKey);
+      const finalData = {
+        data: encryptedData,
+        key: encryptedKey,
+        version: "1.0"
+      };
+      this.storage.setItem(fullKey, JSON.stringify(finalData));
+      return true;
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("localStorage.set error:", error);
-      }
-      throw error;
+      console.error("[SecureStorage] \u4FDD\u5B58\u5931\u8D25:", error);
+      return false;
     }
-  },
+  }
   /**
    * 获取值
-   * @param key - 键
-   * @param options - 选项（默认值、私钥等）
-   * @returns Promise<T | undefined> 值或默认值
    */
-  async get(key, options = {}) {
-    if (typeof window === "undefined" || !window.localStorage) {
-      return options.defaultValue;
-    }
-    const { defaultValue, privateKey } = options;
+  async get(key, defaultValue = null) {
     try {
-      const encryptedStr = window.localStorage.getItem(key);
-      if (!encryptedStr) return defaultValue;
-      await ensureKeyPair();
-      let decryptedStr;
-      const keyToUse = privateKey || globalKeyPair?.privateKey;
-      if (keyToUse) {
-        try {
-          decryptedStr = await decryptValue(encryptedStr, keyToUse, globalHMACKey);
-        } catch (error) {
-          try {
-            decryptedStr = await handleDecryptError(error, encryptedStr, key);
-          } catch {
-            return defaultValue;
-          }
-        }
-      } else {
-        try {
-          decryptedStr = handleNoKeyDecode(encryptedStr, key);
-        } catch {
-          return defaultValue;
-        }
+      const fullKey = this._getFullKey(key);
+      const storedData = this.storage.getItem(fullKey);
+      if (!storedData) {
+        return defaultValue;
       }
-      const item = safeParseJSON(decryptedStr, "object");
-      if (item.expiry && Date.now() > item.expiry) {
-        window.localStorage.removeItem(key);
+      const finalData = JSON.parse(storedData);
+      const aesKey = await decryptWithEnvPrivateKey(finalData.key);
+      const storageData = decryptJsonWithAES(finalData.data, aesKey);
+      if (this._isExpired(storageData.expire)) {
+        this.remove(key);
         return defaultValue;
       }
-      return item.value;
+      return storageData.value;
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-        console.warn(`Failed to parse storage item for key "${key}"`);
-      }
+      console.error("[SecureStorage] \u8BFB\u53D6\u5931\u8D25:", error);
       return defaultValue;
     }
-  },
+  }
   /**
-   * 移除值
-   * @param key - 键
+   * 删除值
    */
   remove(key) {
-    if (typeof window === "undefined" || !window.localStorage) return;
     try {
-      window.localStorage.removeItem(key);
+      const fullKey = this._getFullKey(key);
+      this.storage.removeItem(fullKey);
+      return true;
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("localStorage.remove error");
-      }
+      console.error("[SecureStorage] \u79FB\u9664\u5931\u8D25:", error);
+      return false;
     }
-  },
+  }
   /**
-   * 清空所有值
+   * 检查键是否存在
    */
-  clear() {
-    if (typeof window === "undefined" || !window.localStorage) return;
+  async has(key) {
     try {
-      window.localStorage.clear();
-    } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("localStorage.clear error");
+      const fullKey = this._getFullKey(key);
+      const storedData = this.storage.getItem(fullKey);
+      if (!storedData) return false;
+      const finalData = JSON.parse(storedData);
+      const aesKey = await decryptWithEnvPrivateKey(finalData.key);
+      const storageData = decryptJsonWithAES(finalData.data, aesKey);
+      if (this._isExpired(storageData.expire)) {
+        this.remove(key);
+        return false;
       }
+      return true;
+    } catch (error) {
+      return false;
     }
-  },
+  }
   /**
-   * 获取所有键
-   * @returns 键数组
+   * 清空所有数据
    */
-  keys() {
-    if (typeof window === "undefined" || !window.localStorage) return [];
-    const keys = [];
+  clear() {
     try {
-      for (let i = 0; i < window.localStorage.length; i++) {
-        const key = window.localStorage.key(i);
-        if (key) keys.push(key);
+      let count = 0;
+      const keys = [];
+      for (let i = 0; i < this.storage.length; i++) {
+        const key = this.storage.key(i);
+        if (key && key.startsWith(this.namespace)) {
+          keys.push(key);
+        }
       }
+      keys.forEach((key) => {
+        this.storage.removeItem(key);
+        count++;
+      });
+      return count;
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("localStorage.keys error");
-      }
+      console.error("[SecureStorage] \u6E05\u7A7A\u5931\u8D25:", error);
+      return 0;
     }
-    return keys;
   }
-};
-var sessionStorage = {
   /**
-   * 设置值
-   * @param key - 键
-   * @param value - 值
-   * @param options - 选项（公钥等）
-   * @returns Promise<void>
+   * 获取所有键名
    */
-  async set(key, value, options = {}) {
-    if (typeof window === "undefined" || !window.sessionStorage) {
-      throw new Error("sessionStorage is not available");
-    }
-    const { publicKey } = options;
+  keys() {
     try {
-      const jsonStr = JSON.stringify(value);
-      await ensureKeyPair();
-      const keyToUse = publicKey || globalKeyPair?.publicKey;
-      if (keyToUse) {
-        const encrypted = await encryptValue(jsonStr, keyToUse, globalHMACKey);
-        window.sessionStorage.setItem(key, encrypted);
-      } else {
-        if (!initOptions.isProduction && typeof console !== "undefined" && console.warn) {
-          console.warn(
-            `\u26A0\uFE0F SECURITY WARNING: Storing data without encryption for key "${key}". Data is only Base64 encoded, not encrypted!`
-          );
+      const keys = [];
+      for (let i = 0; i < this.storage.length; i++) {
+        const key = this.storage.key(i);
+        if (key && key.startsWith(this.namespace)) {
+          keys.push(key.substring(this.namespace.length));
         }
-        const encoded = base64Encode(jsonStr);
-        window.sessionStorage.setItem(key, encoded);
       }
+      return keys;
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("sessionStorage.set error:", error);
-      }
-      throw error;
+      console.error("[SecureStorage] \u83B7\u53D6\u952E\u540D\u5931\u8D25:", error);
+      return [];
     }
-  },
+  }
   /**
-   * 获取值
-   * @param key - 键
-   * @param options - 选项（默认值、私钥等）
-   * @returns Promise<T | undefined> 值或默认值
+   * 获取数据条数
    */
-  async get(key, options = {}) {
-    if (typeof window === "undefined" || !window.sessionStorage) {
-      return options.defaultValue;
-    }
-    const { defaultValue, privateKey } = options;
+  size() {
+    return this.keys().length;
+  }
+  /**
+   * 清理过期数据
+   */
+  async clearExpired() {
     try {
-      const encryptedStr = window.sessionStorage.getItem(key);
-      if (!encryptedStr) return defaultValue;
-      await ensureKeyPair();
-      let decryptedStr;
-      const keyToUse = privateKey || globalKeyPair?.privateKey;
-      if (keyToUse) {
+      let count = 0;
+      const keys = this.keys();
+      for (const key of keys) {
+        const fullKey = this._getFullKey(key);
         try {
-          decryptedStr = await decryptValue(encryptedStr, keyToUse, globalHMACKey);
-        } catch (error) {
-          try {
-            decryptedStr = await handleDecryptError(error, encryptedStr, key);
-          } catch {
-            return defaultValue;
+          const storedData = this.storage.getItem(fullKey);
+          if (storedData) {
+            const finalData = JSON.parse(storedData);
+            const aesKey = await decryptWithEnvPrivateKey(finalData.key);
+            const storageData = decryptJsonWithAES(finalData.data, aesKey);
+            if (this._isExpired(storageData.expire)) {
+              this.remove(key);
+              count++;
+            }
           }
-        }
-      } else {
-        try {
-          decryptedStr = handleNoKeyDecode(encryptedStr, key);
-        } catch {
-          return defaultValue;
+        } catch (error) {
+          this.remove(key);
+          count++;
         }
       }
-      return safeParseJSON(decryptedStr);
-    } catch {
-      return defaultValue;
-    }
-  },
-  /**
-   * 移除值
-   * @param key - 键
-   */
-  remove(key) {
-    if (typeof window === "undefined" || !window.sessionStorage) return;
-    try {
-      window.sessionStorage.removeItem(key);
+      return count;
     } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("sessionStorage.remove error");
-      }
-    }
-  },
-  /**
-   * 清空所有值
-   */
-  clear() {
-    if (typeof window === "undefined" || !window.sessionStorage) return;
-    try {
-      window.sessionStorage.clear();
-    } catch (error) {
-      if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-        console.error("sessionStorage.clear error");
-      }
+      console.error("[SecureStorage] \u6E05\u7406\u8FC7\u671F\u6570\u636E\u5931\u8D25:", error);
+      return 0;
     }
   }
-};
-var cookie = {
-  /**
-   * 设置Cookie
-   * @param key - 键
-   * @param value - 值
-   * @param options - Cookie选项
-   */
-  set(key, value, options = {}) {
-    if (typeof document === "undefined") {
-      throw new Error("document is not available");
-    }
-    let cookieStr = `${encodeURIComponent(key)}=${encodeURIComponent(value)}`;
-    if (options.expires) {
-      const expiresDate = options.expires instanceof Date ? options.expires : new Date(Date.now() + options.expires * 24 * 60 * 60 * 1e3);
-      cookieStr += `; expires=${expiresDate.toUTCString()}`;
-    }
-    if (options.path) cookieStr += `; path=${options.path}`;
-    if (options.domain) cookieStr += `; domain=${options.domain}`;
-    if (options.secure) cookieStr += "; secure";
-    if (options.sameSite) cookieStr += `; sameSite=${options.sameSite}`;
-    document.cookie = cookieStr;
-  },
   /**
-   * 获取Cookie
-   * @param key - 键
-   * @returns Cookie值
+   * 获取实例的唯一标识
    */
-  get(key) {
-    if (typeof document === "undefined") return void 0;
-    const name = encodeURIComponent(key);
-    const cookies = document.cookie.split(";");
-    for (const cookieStr of cookies) {
-      const trimmed = cookieStr.trim();
-      const eqIndex = trimmed.indexOf("=");
-      if (eqIndex === -1) continue;
-      const cookieKey = trimmed.substring(0, eqIndex).trim();
-      const cookieValue = trimmed.substring(eqIndex + 1).trim();
-      if (cookieKey === name) {
-        const decoded = decodeURIComponent(cookieValue);
-        return decoded === "" ? void 0 : decoded;
-      }
-    }
-    return void 0;
-  },
-  /**
-   * 移除Cookie
-   * @param key - 键
-   * @param options - Cookie选项
-   */
-  remove(key, options = {}) {
-    cookie.set(key, "", {
-      ...options,
-      expires: /* @__PURE__ */ new Date(0)
-    });
-  },
+  getInstanceKey() {
+    return this.instanceKey;
+  }
   /**
-   * 获取所有Cookie
-   * @returns Cookie对象
+   * 检查是否为单例实例
    */
-  getAll() {
-    if (typeof document === "undefined") return {};
-    const cookies = {};
-    document.cookie.split(";").forEach((cookieStr) => {
-      const trimmed = cookieStr.trim();
-      if (!trimmed) return;
-      const eqIndex = trimmed.indexOf("=");
-      if (eqIndex === -1) return;
-      const key = trimmed.substring(0, eqIndex).trim();
-      const value = trimmed.substring(eqIndex + 1).trim();
-      if (key && value) {
-        const decodedKey = decodeURIComponent(key);
-        const decodedValue = decodeURIComponent(value);
-        if (decodedValue !== "") {
-          cookies[decodedKey] = decodedValue;
-        }
-      }
-    });
-    return cookies;
+  isSingleton() {
+    return _SecureStorage.instances.has(this.instanceKey);
   }
 };
-function createBackendAdapter(type) {
-  switch (type) {
-    case "local":
-      return {
-        async set(key, value, options) {
-          await localStorage.set(key, value, {
-            expiry: options?.expiry,
-            publicKey: options?.publicKey
-          });
-        },
-        async get(key, options) {
-          return localStorage.get(key, {
-            defaultValue: options?.defaultValue,
-            privateKey: options?.privateKey
-          });
-        },
-        remove(key) {
-          localStorage.remove(key);
-        },
-        clear() {
-          localStorage.clear();
-        },
-        keys() {
-          return localStorage.keys();
-        }
-      };
-    case "session":
-      return {
-        async set(key, value, options) {
-          await sessionStorage.set(key, value, {
-            publicKey: options?.publicKey
-          });
-        },
-        async get(key, options) {
-          return sessionStorage.get(key, {
-            defaultValue: options?.defaultValue,
-            privateKey: options?.privateKey
-          });
-        },
-        remove(key) {
-          sessionStorage.remove(key);
-        },
-        clear() {
-          sessionStorage.clear();
-        },
-        keys() {
-          if (typeof window === "undefined" || !window.sessionStorage) return [];
-          const keys = [];
-          try {
-            for (let i = 0; i < window.sessionStorage.length; i++) {
-              const key = window.sessionStorage.key(i);
-              if (key) keys.push(key);
-            }
-          } catch (error) {
-            if (!initOptions.isProduction && typeof console !== "undefined" && console.error) {
-              console.error("sessionStorage.keys error");
-            }
-          }
-          return keys;
-        }
-      };
-    case "cookie":
-      return {
-        async set(key, value) {
-          cookie.set(key, String(value));
-        },
-        async get(key, options) {
-          const value = cookie.get(key);
-          if (value === void 0) return options?.defaultValue;
-          try {
-            return JSON.parse(value);
-          } catch {
-            return value;
-          }
-        },
-        remove(key) {
-          cookie.remove(key);
-        },
-        clear() {
-          const all = cookie.getAll();
-          Object.keys(all).forEach((k) => cookie.remove(k));
-        },
-        keys() {
-          return Object.keys(cookie.getAll());
-        }
-      };
-    default:
-      return createBackendAdapter("local");
+var _defaultSecureStorage = null;
+function _getDefaultSecureStorage() {
+  if (typeof window === "undefined") {
+    throw new Error("[SecureStorage] secureStorage is only available in browser environments.");
+  }
+  if (!_defaultSecureStorage) {
+    _defaultSecureStorage = new SecureStorage({});
+  }
+  return _defaultSecureStorage;
+}
+var secureStorage = new Proxy({}, {
+  get(_target, prop) {
+    const instance = _getDefaultSecureStorage();
+    const value = instance[prop];
+    if (typeof value === "function") {
+      return value.bind(instance);
+    }
+    return value;
   }
-}
-function createSecureStorage(type = "local") {
-  return createBackendAdapter(type);
-}
-var secureStorage = createSecureStorage("local");
+});
+var SecureStorage_default = SecureStorage;
 
-export { clearPersistedKeys, cookie, createSecureStorage, getKeyUsageCount, getStorageKeyPair, initializeStorageKeys, resetKeyUsageCount, secureStorage, setStorageKeyPair };
+export { SecureStorage, SecureStorage_default as default, secureStorage };