npm - @angular-helpers/security - Versions diffs - 21.0.4 → 21.2.0 - Mend

@angular-helpers/security 21.0.4 → 21.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.es.md +161 -1
package/README.md +156 -0
package/fesm2022/angular-helpers-security.mjs +561 -2
package/package.json +12 -5
package/types/angular-helpers-security.d.ts +185 -3

package/README.es.md CHANGED Viewed

@@ -4,7 +4,11 @@
 # Angular Security Helpers
-Paquete de seguridad para aplicaciones Angular que previene ataques comunes como ReDoS (Regular Expression Denial of Service) usando Web Workers para ejecución segura.
+Paquete de seguridad para aplicaciones Angular que previene ataques comunes como ReDoS (Regular Expression Denial of Service), XSS, y proporciona utilidades criptográficas usando Web Workers y Web Crypto API para ejecución segura.
+> **Versión**: 21.2.0 — [CHANGELOG](./CHANGELOG.md)
+---
 ## 🛡️ Características
@@ -18,9 +22,32 @@ Paquete de seguridad para aplicaciones Angular que previene ataques comunes como
 ### **Web Crypto API**
 - **Cifrado/Descifrado**: Soporte AES-GCM para manejo seguro de datos
+- **Firmas HMAC**: Firmar y verificar datos con HMAC-SHA256/384/512
 - **Hashing**: SHA-256 y otros algoritmos
 - **Gestión de Claves**: Generar, importar y exportar claves criptográficas
 - **Aleatorio Seguro**: Valores aleatorios criptográficamente seguros
+- **Generación UUID**: UUIDs RFC4122 v4
+### **Almacenamiento Seguro**
+- **Cifrado Transparente**: Almacenamiento cifrado AES-GCM sobre localStorage/sessionStorage
+- **Modo Efímero**: Claves en memoria para seguridad de sesión única
+- **Modo Passphrase**: Claves derivadas PBKDF2 para persistencia entre sesiones
+- **Aislamiento por Namespace**: Organiza datos almacenados con prefijos
+### **Sanitización de Input**
+- **Prevención XSS**: Limpieza de HTML con lista de permitidos
+- **Validación de URLs**: Esquemas de URL seguros
+- **Escape de HTML**: Caracteres especiales para interpolación segura
+- **JSON Seguro**: Parseo seguro sin eval
+### **Fuerza de Contraseña**
+- **Puntuación basada en Entropía**: Calcular fuerza en bits de entropía
+- **Detección de Contraseñas Comunes**: Bloquear contraseñas débiles conocidas
+- **Detección de Patrones**: Detectar patrones de teclado y secuencias
+- **Feedback Accionable**: Sugerencias específicas para mejorar
 ### **Patrón Builder**
@@ -44,7 +71,16 @@ import { provideSecurity } from '@angular-helpers/security';
 bootstrapApplication(AppComponent, {
   providers: [
     provideSecurity({
+      // Servicios core (habilitados por defecto)
       enableRegexSecurity: true,
+      enableWebCrypto: true,
+      // Nuevos servicios (opt-in, deshabilitados por defecto)
+      enableSecureStorage: true,
+      enableInputSanitizer: true,
+      enablePasswordStrength: true,
+      // Configuración global
       defaultTimeout: 5000,
       safeMode: false,
     }),
@@ -52,6 +88,27 @@ bootstrapApplication(AppComponent, {
 });
 ```
+### **Providers Individuales**
+```typescript
+import {
+  provideRegexSecurity,
+  provideWebCrypto,
+  provideSecureStorage,
+  provideInputSanitizer,
+  providePasswordStrength,
+} from '@angular-helpers/security';
+// Usar solo los servicios que necesites
+bootstrapApplication(AppComponent, {
+  providers: [
+    provideSecureStorage({ storage: 'session', pbkdf2Iterations: 600_000 }),
+    provideInputSanitizer({ allowedTags: ['b', 'i', 'em', 'strong'] }),
+    providePasswordStrength(),
+  ],
+});
+```
 ### **Inyección de Servicios**
 ```typescript
@@ -142,6 +199,109 @@ export class SecureStorageComponent {
   generateUUID(): string {
     return this.cryptoService.randomUUID();
   }
+  async signAndVerify(data: string): Promise<boolean> {
+    // Generar clave HMAC para SHA-256
+    const key = await this.cryptoService.generateHmacKey('HMAC-SHA-256');
+    // Firmar los datos
+    const signature = await this.cryptoService.sign(key, data);
+    // Verificar la firma
+    return await this.cryptoService.verify(key, data, signature);
+  }
+}
+```
+### **SecureStorageService — Almacenamiento Cifrado**
+```typescript
+import { SecureStorageService } from '@angular-helpers/security';
+export class UserSettingsComponent {
+  private storage = inject(SecureStorageService);
+  async saveUserToken(token: string): Promise<void> {
+    // Modo efímero (por defecto): datos sobreviven solo esta sesión
+    await this.storage.set('authToken', { token, createdAt: Date.now() });
+  }
+  async getUserToken(): Promise<{ token: string; createdAt: number } | null> {
+    return await this.storage.get<{ token: string; createdAt: number }>('authToken');
+  }
+  async initWithPassphrase(passphrase: string): Promise<void> {
+    // Modo passphrase: datos sobreviven recargas de página
+    await this.storage.initWithPassphrase(passphrase);
+  }
+  async saveWithNamespace(userId: string, data: unknown): Promise<void> {
+    // Aislamiento por namespace
+    await this.storage.set('profile', data, `user:${userId}`);
+  }
+  clearUserData(userId: string): void {
+    // Limpiar solo los datos de este usuario
+    this.storage.clear(`user:${userId}`);
+  }
+}
+```
+### **InputSanitizerService — Prevención XSS**
+```typescript
+import { InputSanitizerService } from '@angular-helpers/security';
+export class CommentComponent {
+  private sanitizer = inject(InputSanitizerService);
+  sanitizeUserComment(html: string): string {
+    // Limpiar tags peligrosos, mantener seguros (b, i, em, a, etc.)
+    return this.sanitizer.sanitizeHtml(html);
+    // Ejemplo: '<b>Hola</b><script>alert(1)</script>' → '<b>Hola</b>'
+  }
+  validateUserLink(url: string): string | null {
+    // Solo permitir URLs http/https
+    return this.sanitizer.sanitizeUrl(url);
+    // Ejemplo: 'javascript:alert(1)' → null
+    // Ejemplo: 'https://example.com' → 'https://example.com/'
+  }
+  escapeForDisplay(text: string): string {
+    // Seguro para nodos de texto HTML
+    return this.sanitizer.escapeHtml(text);
+    // Ejemplo: '<b>hola</b>' → '&lt;b&gt;hola&lt;/b&gt;'
+  }
+  parseUserJson(json: string): unknown | null {
+    // Parseo seguro de JSON sin eval
+    return this.sanitizer.sanitizeJson(json);
+  }
+}
+```
+### **PasswordStrengthService — Evaluación de Contraseñas**
+```typescript
+import { PasswordStrengthService } from '@angular-helpers/security';
+export class RegistrationComponent {
+  private passwordStrength = inject(PasswordStrengthService);
+  checkPasswordStrength(password: string): void {
+    const result = this.passwordStrength.assess(password);
+    console.log(`Score: ${result.score}/4`); // 0-4
+    console.log(`Label: ${result.label}`); // 'very-weak' a 'very-strong'
+    console.log(`Entropía: ${result.entropy} bits`); // entropía calculada
+    console.log('Feedback:', result.feedback); // sugerencias de mejora
+    // Ejemplos de resultados:
+    // 'password' → score: 0, label: 'very-weak', feedback: ['Contraseña común']
+    // 'P@ssw0rd!' → score: 2, label: 'fair', feedback: ['Evita patrones de teclado']
+    // 'xK#9mZ$vLq2@rBnT7' → score: 4, label: 'very-strong', feedback: []
+  }
 }
 ```

package/README.md CHANGED Viewed

@@ -19,8 +19,31 @@ Security package for Angular applications that prevents common attacks like ReDo
 - **Encryption/Decryption**: AES-GCM support for secure data handling
 - **Hashing**: SHA-256 and other algorithms
+- **HMAC Signing**: HMAC-SHA-256/384/512 for message authentication
 - **Key Management**: Generate, import, and export cryptographic keys
 - **Secure Random**: Cryptographically secure random values
+- **UUID Generation**: RFC4122 v4 UUIDs
+### **Secure Storage**
+- **Transparent Encryption**: AES-GCM encrypted localStorage/sessionStorage
+- **Ephemeral Mode**: In-memory keys for single-session security
+- **Passphrase Mode**: PBKDF2-derived keys for cross-session persistence
+- **Namespace Isolation**: Organize stored data with prefixes
+### **Input Sanitization**
+- **XSS Prevention**: Strip dangerous tags and attributes from HTML
+- **URL Validation**: Allow only http/https schemes
+- **HTML Escaping**: Safe interpolation of user content
+- **JSON Safety**: Safe parsing without eval
+### **Password Strength**
+- **Entropy-Based Scoring**: 0-4 score with labeled strength levels
+- **Pattern Detection**: Detects sequences, repetitions, keyboard walks
+- **Common Password Check**: Blocks frequently used passwords
+- **Feedback Messages**: Actionable improvement suggestions
 ### **Builder Pattern**
@@ -44,7 +67,16 @@ import { provideSecurity } from '@angular-helpers/security';
 bootstrapApplication(AppComponent, {
   providers: [
     provideSecurity({
+      // Core services (enabled by default)
       enableRegexSecurity: true,
+      enableWebCrypto: true,
+      // New services (opt-in, disabled by default)
+      enableSecureStorage: true,
+      enableInputSanitizer: true,
+      enablePasswordStrength: true,
+      // Global settings
       defaultTimeout: 5000,
       safeMode: false,
     }),
@@ -52,6 +84,27 @@ bootstrapApplication(AppComponent, {
 });
 ```
+### **Individual Providers**
+```typescript
+import {
+  provideRegexSecurity,
+  provideWebCrypto,
+  provideSecureStorage,
+  provideInputSanitizer,
+  providePasswordStrength,
+} from '@angular-helpers/security';
+// Use only the services you need
+bootstrapApplication(AppComponent, {
+  providers: [
+    provideSecureStorage({ storage: 'session', pbkdf2Iterations: 600_000 }),
+    provideInputSanitizer({ allowedTags: ['b', 'i', 'em', 'strong'] }),
+    providePasswordStrength(),
+  ],
+});
+```
 ### **Service Injection**
 ```typescript
@@ -212,6 +265,109 @@ export class SecureStorageComponent {
   generateUUID(): string {
     return this.cryptoService.randomUUID();
   }
+  async signAndVerify(data: string): Promise<boolean> {
+    // Generate HMAC key for SHA-256
+    const key = await this.cryptoService.generateHmacKey('HMAC-SHA-256');
+    // Sign the data
+    const signature = await this.cryptoService.sign(key, data);
+    // Verify the signature
+    return await this.cryptoService.verify(key, data, signature);
+  }
+}
+```
+### **SecureStorageService**
+```typescript
+import { SecureStorageService } from '@angular-helpers/security';
+export class UserSettingsComponent {
+  private storage = inject(SecureStorageService);
+  async saveUserToken(token: string): Promise<void> {
+    // Ephemeral mode (default): data survives only this session
+    await this.storage.set('authToken', { token, createdAt: Date.now() });
+  }
+  async getUserToken(): Promise<{ token: string; createdAt: number } | null> {
+    return await this.storage.get<{ token: string; createdAt: number }>('authToken');
+  }
+  async initWithPassphrase(passphrase: string): Promise<void> {
+    // Passphrase mode: data survives page reloads
+    await this.storage.initWithPassphrase(passphrase);
+  }
+  async saveWithNamespace(userId: string, data: unknown): Promise<void> {
+    // Namespace isolation
+    await this.storage.set('profile', data, `user:${userId}`);
+  }
+  clearUserData(userId: string): void {
+    // Clear only this user's data
+    this.storage.clear(`user:${userId}`);
+  }
+}
+```
+### **InputSanitizerService**
+```typescript
+import { InputSanitizerService } from '@angular-helpers/security';
+export class CommentComponent {
+  private sanitizer = inject(InputSanitizerService);
+  sanitizeUserComment(html: string): string {
+    // Strip dangerous tags, keep safe ones (b, i, em, a, etc.)
+    return this.sanitizer.sanitizeHtml(html);
+    // Example: '<b>Hello</b><script>alert(1)</script>' → '<b>Hello</b>'
+  }
+  validateUserLink(url: string): string | null {
+    // Only allow http/https URLs
+    return this.sanitizer.sanitizeUrl(url);
+    // Example: 'javascript:alert(1)' → null
+    // Example: 'https://example.com' → 'https://example.com/'
+  }
+  escapeForDisplay(text: string): string {
+    // Safe for HTML text nodes
+    return this.sanitizer.escapeHtml(text);
+    // Example: '<b>hello</b>' → '&lt;b&gt;hello&lt;/b&gt;'
+  }
+  parseUserJson(json: string): unknown | null {
+    // Safe JSON parsing without eval
+    return this.sanitizer.sanitizeJson(json);
+  }
+}
+```
+### **PasswordStrengthService**
+```typescript
+import { PasswordStrengthService } from '@angular-helpers/security';
+export class RegistrationComponent {
+  private passwordStrength = inject(PasswordStrengthService);
+  checkPasswordStrength(password: string): void {
+    const result = this.passwordStrength.assess(password);
+    console.log(`Score: ${result.score}/4`); // 0-4
+    console.log(`Label: ${result.label}`); // 'very-weak' to 'very-strong'
+    console.log(`Entropy: ${result.entropy} bits`); // calculated entropy
+    console.log('Feedback:', result.feedback); // improvement suggestions
+    // Example results:
+    // 'password' → score: 0, label: 'very-weak', feedback: ['This is a commonly used password']
+    // 'P@ssw0rd!' → score: 2, label: 'fair', feedback: ['Avoid keyboard patterns']
+    // 'xK#9mZ$vLq2@rBnT7' → score: 4, label: 'very-strong', feedback: []
+  }
 }
 ```

package/fesm2022/angular-helpers-security.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 import * as i0 from '@angular/core';
-import { inject, DestroyRef, Injectable, PLATFORM_ID, makeEnvironmentProviders } from '@angular/core';
+import { inject, DestroyRef, Injectable, PLATFORM_ID, InjectionToken, makeEnvironmentProviders } from '@angular/core';
 import { isPlatformBrowser } from '@angular/common';
 /**
@@ -470,11 +470,63 @@ class WebCryptoService {
         }
         return crypto.randomUUID();
     }
+    async generateHmacKey(algorithm = 'HMAC-SHA-256') {
+        this.ensureSecureContext();
+        return this.subtle.generateKey({ name: 'HMAC', hash: { name: this.hmacHashName(algorithm) } }, true, ['sign', 'verify']);
+    }
+    /**
+     * Signs data with an HMAC key. Returns a hex-encoded signature.
+     */
+    async sign(key, data) {
+        this.ensureSecureContext();
+        const buffer = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+        const signature = await this.subtle.sign('HMAC', key, buffer);
+        return this.bufferToHex(signature);
+    }
+    /**
+     * Verifies an HMAC signature (hex-encoded). Returns false for malformed input — never throws.
+     */
+    async verify(key, data, signature) {
+        this.ensureSecureContext();
+        let sigBytes;
+        try {
+            sigBytes = this.hexToBytes(signature);
+        }
+        catch {
+            return false;
+        }
+        try {
+            const buffer = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+            return await this.subtle.verify('HMAC', key, sigBytes, buffer);
+        }
+        catch {
+            return false;
+        }
+    }
+    async importHmacKey(jwk, algorithm = 'HMAC-SHA-256') {
+        this.ensureSecureContext();
+        return this.subtle.importKey('jwk', jwk, { name: 'HMAC', hash: { name: this.hmacHashName(algorithm) } }, true, ['sign', 'verify']);
+    }
     bufferToHex(buffer) {
         return Array.from(new Uint8Array(buffer))
             .map((b) => b.toString(16).padStart(2, '0'))
             .join('');
     }
+    hexToBytes(hex) {
+        if (hex.length % 2 !== 0)
+            throw new Error('Invalid hex string');
+        const bytes = new Uint8Array(new ArrayBuffer(hex.length / 2));
+        for (let i = 0; i < hex.length; i += 2) {
+            const byte = parseInt(hex.substring(i, i + 2), 16);
+            if (isNaN(byte))
+                throw new Error('Invalid hex string');
+            bytes[i / 2] = byte;
+        }
+        return bytes;
+    }
+    hmacHashName(algorithm) {
+        return algorithm.replace('HMAC-', '');
+    }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
     static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: WebCryptoService });
 }
@@ -482,9 +534,492 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImpor
             type: Injectable
         }] });
+const SECURE_STORAGE_CONFIG = new InjectionToken('SECURE_STORAGE_CONFIG');
+const SALT_STORAGE_KEY = '__ss_salt__';
+const DEFAULT_ITERATIONS = 600_000;
+/**
+ * Service for transparent AES-GCM encrypted storage on top of localStorage/sessionStorage.
+ *
+ * Two key modes are supported:
+ * - **Ephemeral** (default): a CryptoKey is generated in memory per service instance.
+ *   Data is unrecoverable after page reload or service re-creation.
+ * - **Passphrase-derived**: call `initWithPassphrase(passphrase)` to derive a stable key
+ *   via PBKDF2. Data survives page reloads as long as the same passphrase is used.
+ *
+ * @example
+ * // Ephemeral mode
+ * await storage.set('token', { value: 'abc' });
+ * const token = await storage.get<{ value: string }>('token');
+ *
+ * @example
+ * // Passphrase mode
+ * await storage.initWithPassphrase('my-secret');
+ * await storage.set('user', { id: 1 }, 'auth');
+ * const user = await storage.get<{ id: number }>('user', 'auth');
+ */
+class SecureStorageService {
+    platformId = inject(PLATFORM_ID);
+    storageConfig;
+    activeKey = null;
+    constructor() {
+        const config = inject(SECURE_STORAGE_CONFIG, { optional: true }) ?? {};
+        this.storageConfig = {
+            storage: config.storage ?? 'local',
+            pbkdf2Iterations: config.pbkdf2Iterations ?? DEFAULT_ITERATIONS,
+        };
+    }
+    isSupported() {
+        return (isPlatformBrowser(this.platformId) &&
+            'crypto' in window &&
+            'subtle' in crypto &&
+            'localStorage' in window);
+    }
+    /**
+     * Initializes the service with a passphrase-derived key (PBKDF2 + AES-GCM).
+     * The salt is automatically persisted in storage on first call and reused on subsequent calls.
+     * Calling this again replaces the active key.
+     *
+     * @param passphrase Secret passphrase for key derivation.
+     * @param explicitSalt Optional base64 salt. When provided, the stored salt is ignored.
+     */
+    async initWithPassphrase(passphrase, explicitSalt) {
+        this.assertSupported();
+        let salt;
+        if (explicitSalt) {
+            salt = this.base64ToBytes(explicitSalt);
+        }
+        else {
+            const stored = this.nativeStorage.getItem(SALT_STORAGE_KEY);
+            if (stored) {
+                salt = this.base64ToBytes(stored);
+            }
+            else {
+                salt = crypto.getRandomValues(new Uint8Array(new ArrayBuffer(16)));
+                this.nativeStorage.setItem(SALT_STORAGE_KEY, this.bytesToBase64(salt));
+            }
+        }
+        const keyMaterial = await crypto.subtle.importKey('raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
+        this.activeKey = await crypto.subtle.deriveKey({
+            name: 'PBKDF2',
+            salt,
+            iterations: this.storageConfig.pbkdf2Iterations,
+            hash: 'SHA-256',
+        }, keyMaterial, { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
+    }
+    /**
+     * Encrypts and stores a value.
+     * A fresh random IV is generated for every write.
+     *
+     * @throws {TypeError} When `value` is `undefined`.
+     * @throws {DOMException} When storage quota is exceeded.
+     */
+    async set(key, value, namespace) {
+        this.assertSupported();
+        if (value === undefined) {
+            throw new TypeError('Cannot store undefined value in SecureStorageService');
+        }
+        const cryptoKey = await this.ensureKey();
+        const iv = crypto.getRandomValues(new Uint8Array(new ArrayBuffer(12)));
+        const plaintext = new TextEncoder().encode(JSON.stringify(value));
+        const ciphertext = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, cryptoKey, plaintext);
+        const entry = {
+            iv: this.bytesToBase64(iv),
+            ct: this.bytesToBase64(ciphertext),
+        };
+        this.nativeStorage.setItem(this.buildStorageKey(key, namespace), JSON.stringify(entry));
+    }
+    /**
+     * Decrypts and returns a stored value.
+     * Returns `null` if the key does not exist, was written without encryption,
+     * or the ciphertext is corrupted.
+     */
+    async get(key, namespace) {
+        this.assertSupported();
+        const raw = this.nativeStorage.getItem(this.buildStorageKey(key, namespace));
+        if (!raw)
+            return null;
+        let entry;
+        try {
+            const parsed = JSON.parse(raw);
+            if (!parsed || typeof parsed !== 'object' || !('iv' in parsed) || !('ct' in parsed)) {
+                return null;
+            }
+            entry = parsed;
+        }
+        catch {
+            return null;
+        }
+        try {
+            const cryptoKey = await this.ensureKey();
+            const iv = this.base64ToBytes(entry.iv);
+            const ciphertext = this.base64ToBytes(entry.ct);
+            const decrypted = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, cryptoKey, ciphertext);
+            return JSON.parse(new TextDecoder().decode(decrypted));
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Removes a single entry from storage.
+     */
+    remove(key, namespace) {
+        this.assertSupported();
+        this.nativeStorage.removeItem(this.buildStorageKey(key, namespace));
+    }
+    /**
+     * Clears all entries belonging to a namespace.
+     * When called without arguments, clears the entire storage target.
+     */
+    clear(namespace) {
+        this.assertSupported();
+        if (!namespace) {
+            this.nativeStorage.clear();
+            return;
+        }
+        const prefix = `${namespace}:`;
+        const keysToRemove = [];
+        for (let i = 0; i < this.nativeStorage.length; i++) {
+            const k = this.nativeStorage.key(i);
+            if (k?.startsWith(prefix)) {
+                keysToRemove.push(k);
+            }
+        }
+        keysToRemove.forEach((k) => this.nativeStorage.removeItem(k));
+    }
+    get nativeStorage() {
+        return this.storageConfig.storage === 'session' ? sessionStorage : localStorage;
+    }
+    buildStorageKey(key, namespace) {
+        return namespace ? `${namespace}:${key}` : key;
+    }
+    async ensureKey() {
+        if (this.activeKey)
+            return this.activeKey;
+        this.activeKey = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, [
+            'encrypt',
+            'decrypt',
+        ]);
+        return this.activeKey;
+    }
+    assertSupported() {
+        if (!this.isSupported()) {
+            throw new Error('SecureStorageService is not supported in this environment (requires browser + Web Crypto API)');
+        }
+    }
+    bytesToBase64(buffer) {
+        const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+        let binary = '';
+        for (let i = 0; i < bytes.length; i++) {
+            binary += String.fromCharCode(bytes[i]);
+        }
+        return btoa(binary);
+    }
+    base64ToBytes(base64) {
+        return Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: SecureStorageService, decorators: [{
+            type: Injectable
+        }], ctorParameters: () => [] });
+const SANITIZER_CONFIG = new InjectionToken('SANITIZER_CONFIG');
+const DEFAULT_ALLOWED_TAGS = [
+    'b',
+    'i',
+    'em',
+    'strong',
+    'a',
+    'p',
+    'br',
+    'ul',
+    'ol',
+    'li',
+    'span',
+];
+const DEFAULT_ALLOWED_ATTRIBUTES = {
+    a: ['href'],
+};
+const SAFE_URL_SCHEMES = ['http:', 'https:'];
+/**
+ * Service for structured input sanitization to defend against XSS, URL injection, and unsafe HTML.
+ *
+ * This service is defense-in-depth and DOES NOT replace a Content Security Policy (CSP).
+ * Always configure a proper CSP alongside using this service.
+ *
+ * @example
+ * const clean = sanitizer.sanitizeHtml('<b>Hello</b><script>alert(1)</script>');
+ * // → '<b>Hello</b>'
+ *
+ * @example
+ * const url = sanitizer.sanitizeUrl('javascript:alert(1)');
+ * // → null
+ */
+class InputSanitizerService {
+    platformId = inject(PLATFORM_ID);
+    allowedTags;
+    allowedAttributes;
+    constructor() {
+        const config = inject(SANITIZER_CONFIG, { optional: true }) ?? {};
+        this.allowedTags = new Set(config.allowedTags ?? DEFAULT_ALLOWED_TAGS);
+        this.allowedAttributes = config.allowedAttributes ?? DEFAULT_ALLOWED_ATTRIBUTES;
+    }
+    isSupported() {
+        return isPlatformBrowser(this.platformId) && typeof DOMParser !== 'undefined';
+    }
+    /**
+     * Parses and sanitizes an HTML string, keeping only allowed tags and attributes.
+     * Script execution is prevented — parsing is done via DOMParser, not innerHTML assignment.
+     *
+     * @throws {Error} When called in a non-browser environment.
+     */
+    sanitizeHtml(input) {
+        if (!this.isSupported()) {
+            throw new Error('sanitizeHtml requires a browser environment (DOMParser unavailable)');
+        }
+        if (!input)
+            return '';
+        const parser = new DOMParser();
+        const doc = parser.parseFromString(input, 'text/html');
+        this.processNode(doc.body);
+        return doc.body.innerHTML;
+    }
+    /**
+     * Validates and normalizes a URL string.
+     * Returns the normalized URL only for `http:` and `https:` schemes.
+     * Returns `null` for `javascript:`, `data:`, `vbscript:`, relative URLs, or malformed input.
+     */
+    sanitizeUrl(input) {
+        if (!input)
+            return null;
+        try {
+            const url = new URL(input);
+            return SAFE_URL_SCHEMES.includes(url.protocol) ? url.toString() : null;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Escapes HTML special characters for safe text interpolation.
+     * Use this when inserting user content into HTML text nodes or attributes.
+     */
+    escapeHtml(input) {
+        if (!input)
+            return '';
+        return input
+            .replace(/&/g, '&amp;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#x27;');
+    }
+    /**
+     * Safely parses a JSON string. Returns the parsed value on success, `null` on any error.
+     * Does NOT use `eval` or `Function` — uses JSON.parse only.
+     */
+    sanitizeJson(input) {
+        if (!input)
+            return null;
+        try {
+            return JSON.parse(input);
+        }
+        catch {
+            return null;
+        }
+    }
+    processNode(node) {
+        const children = Array.from(node.childNodes);
+        for (const child of children) {
+            if (child.nodeType !== Node.ELEMENT_NODE)
+                continue;
+            const element = child;
+            const tagName = element.tagName.toLowerCase();
+            if (!this.allowedTags.has(tagName)) {
+                const text = element.textContent ?? '';
+                node.replaceChild(document.createTextNode(text), element);
+                continue;
+            }
+            this.sanitizeAttributes(element, tagName);
+            this.processNode(element);
+        }
+    }
+    sanitizeAttributes(element, tagName) {
+        const attrsToRemove = [];
+        const allowed = this.allowedAttributes[tagName] ?? [];
+        for (let i = 0; i < element.attributes.length; i++) {
+            const attr = element.attributes[i];
+            if (attr.name.startsWith('on')) {
+                attrsToRemove.push(attr.name);
+                continue;
+            }
+            if (!allowed.includes(attr.name)) {
+                attrsToRemove.push(attr.name);
+                continue;
+            }
+            if (attr.name === 'href' && this.sanitizeUrl(attr.value) === null) {
+                attrsToRemove.push(attr.name);
+            }
+        }
+        attrsToRemove.forEach((name) => element.removeAttribute(name));
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: InputSanitizerService, decorators: [{
+            type: Injectable
+        }], ctorParameters: () => [] });
+const COMMON_PASSWORDS = new Set([
+    'password',
+    '123456',
+    'qwerty',
+    'letmein',
+    'admin',
+    'welcome',
+    '111111',
+    'abc123',
+    'monkey',
+    'master',
+    'login',
+    'pass',
+]);
+const ALPHA_SEQUENCES = 'abcdefghijklmnopqrstuvwxyz';
+const DIGIT_SEQUENCES = '0123456789';
+const KEYBOARD_ROWS = ['qwertyuiop', 'asdfghjkl', 'zxcvbnm'];
+const SCORE_LABELS = {
+    0: 'very-weak',
+    1: 'weak',
+    2: 'fair',
+    3: 'strong',
+    4: 'very-strong',
+};
+/**
+ * Service for entropy-based password strength evaluation.
+ * All methods are synchronous and side-effect free — safely wrappable in Angular `computed()`.
+ *
+ * Score thresholds (bits of entropy):
+ * - 0 (very-weak):  < 28 bits
+ * - 1 (weak):       28–35 bits
+ * - 2 (fair):       36–49 bits
+ * - 3 (strong):     50–69 bits
+ * - 4 (very-strong): ≥ 70 bits
+ *
+ * @example
+ * const result = passwordStrength.assess('P@ssw0rd!');
+ * console.log(result.score);   // 2
+ * console.log(result.label);   // 'fair'
+ * console.log(result.entropy); // ~42.5
+ */
+class PasswordStrengthService {
+    /**
+     * Evaluates the strength of a password.
+     * Never throws — returns score 0 for empty or null-like input.
+     */
+    assess(password) {
+        if (!password) {
+            return {
+                score: 0,
+                label: 'very-weak',
+                entropy: 0,
+                feedback: ['Password cannot be empty'],
+            };
+        }
+        const feedback = [];
+        const chars = [...password];
+        const length = chars.length;
+        const hasLower = /[a-z]/.test(password);
+        const hasUpper = /[A-Z]/.test(password);
+        const hasDigit = /[0-9]/.test(password);
+        const hasSymbol = /[!@#$%^&*()\-_=+[\]{}|;:'",.<>/?\\`~]/.test(password);
+        const hasExtended = chars.some((c) => c.codePointAt(0) > 127);
+        let poolSize = 0;
+        if (hasLower)
+            poolSize += 26;
+        if (hasUpper)
+            poolSize += 26;
+        if (hasDigit)
+            poolSize += 10;
+        if (hasSymbol)
+            poolSize += 32;
+        if (hasExtended)
+            poolSize += 64;
+        if (poolSize === 0)
+            poolSize = 26;
+        let entropy = length * Math.log2(poolSize);
+        const hasAlphaSeq = this.containsSequence(password.toLowerCase(), ALPHA_SEQUENCES, 3);
+        const hasDigitSeq = this.containsSequence(password, DIGIT_SEQUENCES, 3);
+        const hasRepeat = /(.)\1{2,}/.test(password);
+        const hasKeyboard = KEYBOARD_ROWS.some((row) => this.containsSequence(password.toLowerCase(), row, 4));
+        if (hasAlphaSeq || hasDigitSeq) {
+            entropy *= 0.8;
+            feedback.push('Avoid predictable sequences (abc, 123)');
+        }
+        if (hasRepeat) {
+            entropy *= 0.9;
+            feedback.push('Avoid repeated characters');
+        }
+        if (hasKeyboard) {
+            entropy *= 0.85;
+            feedback.push('Avoid keyboard patterns (qwerty, asdf)');
+        }
+        if (length < 8) {
+            feedback.push('Use at least 8 characters');
+        }
+        if (!hasUpper)
+            feedback.push('Add uppercase letters');
+        if (!hasDigit)
+            feedback.push('Add numbers');
+        if (!hasSymbol)
+            feedback.push('Add special characters');
+        const isCommon = COMMON_PASSWORDS.has(password.toLowerCase());
+        let score = this.entropyToScore(entropy);
+        if (isCommon) {
+            score = Math.min(score, 1);
+            if (!feedback.includes('Use at least 8 characters')) {
+                feedback.push('This is a commonly used password');
+            }
+        }
+        return {
+            score,
+            label: SCORE_LABELS[score],
+            entropy: Math.round(entropy * 100) / 100,
+            feedback,
+        };
+    }
+    entropyToScore(entropy) {
+        if (entropy < 28)
+            return 0;
+        if (entropy < 36)
+            return 1;
+        if (entropy < 50)
+            return 2;
+        if (entropy < 70)
+            return 3;
+        return 4;
+    }
+    containsSequence(input, sequence, minLength) {
+        for (let i = 0; i <= sequence.length - minLength; i++) {
+            if (input.includes(sequence.substring(i, i + minLength)))
+                return true;
+        }
+        return false;
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.4", ngImport: i0, type: PasswordStrengthService, decorators: [{
+            type: Injectable
+        }] });
 const defaultSecurityConfig = {
     enableRegexSecurity: true,
     enableWebCrypto: true,
+    enableSecureStorage: false,
+    enableInputSanitizer: false,
+    enablePasswordStrength: false,
     defaultTimeout: 5000,
     safeMode: false,
 };
@@ -497,6 +1032,15 @@ function provideSecurity(config = {}) {
     if (mergedConfig.enableWebCrypto) {
         providers.push(WebCryptoService);
     }
+    if (mergedConfig.enableSecureStorage) {
+        providers.push(SecureStorageService);
+    }
+    if (mergedConfig.enableInputSanitizer) {
+        providers.push(InputSanitizerService);
+    }
+    if (mergedConfig.enablePasswordStrength) {
+        providers.push(PasswordStrengthService);
+    }
     return makeEnvironmentProviders(providers);
 }
 function provideRegexSecurity() {
@@ -505,9 +1049,24 @@ function provideRegexSecurity() {
 function provideWebCrypto() {
     return makeEnvironmentProviders([WebCryptoService]);
 }
+function provideSecureStorage(config) {
+    return makeEnvironmentProviders([
+        SecureStorageService,
+        ...(config ? [{ provide: SECURE_STORAGE_CONFIG, useValue: config }] : []),
+    ]);
+}
+function provideInputSanitizer(config) {
+    return makeEnvironmentProviders([
+        InputSanitizerService,
+        ...(config ? [{ provide: SANITIZER_CONFIG, useValue: config }] : []),
+    ]);
+}
+function providePasswordStrength() {
+    return makeEnvironmentProviders([PasswordStrengthService]);
+}
 /**
  * Generated bundle index. Do not edit.
  */
-export { RegexSecurityBuilder, RegexSecurityService, WebCryptoService, defaultSecurityConfig, provideRegexSecurity, provideSecurity, provideWebCrypto };
+export { InputSanitizerService, PasswordStrengthService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, WebCryptoService, defaultSecurityConfig, provideInputSanitizer, providePasswordStrength, provideRegexSecurity, provideSecureStorage, provideSecurity, provideWebCrypto };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@angular-helpers/security",
-  "version": "21.0.4",
+  "version": "21.2.0",
   "description": "Angular security helpers for preventing ReDoS and other security vulnerabilities",
   "keywords": [
     "angular",
@@ -9,18 +9,25 @@
     "redos",
     "prevention",
     "web-worker",
-    "builder-pattern"
+    "builder-pattern",
+    "encryption",
+    "web-crypto",
+    "hmac",
+    "xss",
+    "sanitization",
+    "password-strength",
+    "secure-storage"
   ],
   "author": "Angular Helpers Team",
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/angular-helpers/security"
+    "url": "https://github.com/Gaspar1992/angular-helpers"
   },
   "bugs": {
-    "url": "https://github.com/angular-helpers/security/issues"
+    "url": "https://github.com/Gaspar1992/angular-helpers/issues"
   },
-  "homepage": "https://github.com/angular-helpers/security#readme",
+  "homepage": "https://gaspar1992.github.io/angular-helpers/docs/security",
   "publishConfig": {
     "access": "public"
   },

package/types/angular-helpers-security.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import * as i0 from '@angular/core';
-import { EnvironmentProviders } from '@angular/core';
+import { InjectionToken, EnvironmentProviders } from '@angular/core';
 interface RegexSecurityConfig {
     timeout?: number;
@@ -152,6 +152,7 @@ declare class RegexSecurityBuilder {
 }
 type HashAlgorithm = 'SHA-1' | 'SHA-256' | 'SHA-384' | 'SHA-512';
+type HmacAlgorithm = 'HMAC-SHA-256' | 'HMAC-SHA-384' | 'HMAC-SHA-512';
 type AesKeyLength = 128 | 192 | 256;
 interface AesEncryptResult {
     ciphertext: ArrayBuffer;
@@ -170,14 +171,192 @@ declare class WebCryptoService {
     importAesKey(jwk: JsonWebKey): Promise<CryptoKey>;
     generateRandomBytes(length: number): Uint8Array;
     randomUUID(): string;
+    generateHmacKey(algorithm?: HmacAlgorithm): Promise<CryptoKey>;
+    /**
+     * Signs data with an HMAC key. Returns a hex-encoded signature.
+     */
+    sign(key: CryptoKey, data: string | ArrayBuffer): Promise<string>;
+    /**
+     * Verifies an HMAC signature (hex-encoded). Returns false for malformed input — never throws.
+     */
+    verify(key: CryptoKey, data: string | ArrayBuffer, signature: string): Promise<boolean>;
+    importHmacKey(jwk: JsonWebKey, algorithm?: HmacAlgorithm): Promise<CryptoKey>;
     private bufferToHex;
+    private hexToBytes;
+    private hmacHashName;
     static ɵfac: i0.ɵɵFactoryDeclaration<WebCryptoService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<WebCryptoService>;
 }
+type StorageTarget = 'local' | 'session';
+interface SecureStorageConfig {
+    storage?: StorageTarget;
+    pbkdf2Iterations?: number;
+}
+declare const SECURE_STORAGE_CONFIG: InjectionToken<SecureStorageConfig>;
+/**
+ * Service for transparent AES-GCM encrypted storage on top of localStorage/sessionStorage.
+ *
+ * Two key modes are supported:
+ * - **Ephemeral** (default): a CryptoKey is generated in memory per service instance.
+ *   Data is unrecoverable after page reload or service re-creation.
+ * - **Passphrase-derived**: call `initWithPassphrase(passphrase)` to derive a stable key
+ *   via PBKDF2. Data survives page reloads as long as the same passphrase is used.
+ *
+ * @example
+ * // Ephemeral mode
+ * await storage.set('token', { value: 'abc' });
+ * const token = await storage.get<{ value: string }>('token');
+ *
+ * @example
+ * // Passphrase mode
+ * await storage.initWithPassphrase('my-secret');
+ * await storage.set('user', { id: 1 }, 'auth');
+ * const user = await storage.get<{ id: number }>('user', 'auth');
+ */
+declare class SecureStorageService {
+    private readonly platformId;
+    private readonly storageConfig;
+    private activeKey;
+    constructor();
+    isSupported(): boolean;
+    /**
+     * Initializes the service with a passphrase-derived key (PBKDF2 + AES-GCM).
+     * The salt is automatically persisted in storage on first call and reused on subsequent calls.
+     * Calling this again replaces the active key.
+     *
+     * @param passphrase Secret passphrase for key derivation.
+     * @param explicitSalt Optional base64 salt. When provided, the stored salt is ignored.
+     */
+    initWithPassphrase(passphrase: string, explicitSalt?: string): Promise<void>;
+    /**
+     * Encrypts and stores a value.
+     * A fresh random IV is generated for every write.
+     *
+     * @throws {TypeError} When `value` is `undefined`.
+     * @throws {DOMException} When storage quota is exceeded.
+     */
+    set<T>(key: string, value: T, namespace?: string): Promise<void>;
+    /**
+     * Decrypts and returns a stored value.
+     * Returns `null` if the key does not exist, was written without encryption,
+     * or the ciphertext is corrupted.
+     */
+    get<T>(key: string, namespace?: string): Promise<T | null>;
+    /**
+     * Removes a single entry from storage.
+     */
+    remove(key: string, namespace?: string): void;
+    /**
+     * Clears all entries belonging to a namespace.
+     * When called without arguments, clears the entire storage target.
+     */
+    clear(namespace?: string): void;
+    private get nativeStorage();
+    private buildStorageKey;
+    private ensureKey;
+    private assertSupported;
+    private bytesToBase64;
+    private base64ToBytes;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SecureStorageService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SecureStorageService>;
+}
+interface SanitizerConfig {
+    allowedTags?: string[];
+    allowedAttributes?: Record<string, string[]>;
+}
+declare const SANITIZER_CONFIG: InjectionToken<SanitizerConfig>;
+/**
+ * Service for structured input sanitization to defend against XSS, URL injection, and unsafe HTML.
+ *
+ * This service is defense-in-depth and DOES NOT replace a Content Security Policy (CSP).
+ * Always configure a proper CSP alongside using this service.
+ *
+ * @example
+ * const clean = sanitizer.sanitizeHtml('<b>Hello</b><script>alert(1)</script>');
+ * // → '<b>Hello</b>'
+ *
+ * @example
+ * const url = sanitizer.sanitizeUrl('javascript:alert(1)');
+ * // → null
+ */
+declare class InputSanitizerService {
+    private readonly platformId;
+    private readonly allowedTags;
+    private readonly allowedAttributes;
+    constructor();
+    isSupported(): boolean;
+    /**
+     * Parses and sanitizes an HTML string, keeping only allowed tags and attributes.
+     * Script execution is prevented — parsing is done via DOMParser, not innerHTML assignment.
+     *
+     * @throws {Error} When called in a non-browser environment.
+     */
+    sanitizeHtml(input: string): string;
+    /**
+     * Validates and normalizes a URL string.
+     * Returns the normalized URL only for `http:` and `https:` schemes.
+     * Returns `null` for `javascript:`, `data:`, `vbscript:`, relative URLs, or malformed input.
+     */
+    sanitizeUrl(input: string): string | null;
+    /**
+     * Escapes HTML special characters for safe text interpolation.
+     * Use this when inserting user content into HTML text nodes or attributes.
+     */
+    escapeHtml(input: string): string;
+    /**
+     * Safely parses a JSON string. Returns the parsed value on success, `null` on any error.
+     * Does NOT use `eval` or `Function` — uses JSON.parse only.
+     */
+    sanitizeJson(input: string): unknown | null;
+    private processNode;
+    private sanitizeAttributes;
+    static ɵfac: i0.ɵɵFactoryDeclaration<InputSanitizerService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<InputSanitizerService>;
+}
+interface PasswordStrengthResult {
+    score: 0 | 1 | 2 | 3 | 4;
+    label: 'very-weak' | 'weak' | 'fair' | 'strong' | 'very-strong';
+    entropy: number;
+    feedback: string[];
+}
+/**
+ * Service for entropy-based password strength evaluation.
+ * All methods are synchronous and side-effect free — safely wrappable in Angular `computed()`.
+ *
+ * Score thresholds (bits of entropy):
+ * - 0 (very-weak):  < 28 bits
+ * - 1 (weak):       28–35 bits
+ * - 2 (fair):       36–49 bits
+ * - 3 (strong):     50–69 bits
+ * - 4 (very-strong): ≥ 70 bits
+ *
+ * @example
+ * const result = passwordStrength.assess('P@ssw0rd!');
+ * console.log(result.score);   // 2
+ * console.log(result.label);   // 'fair'
+ * console.log(result.entropy); // ~42.5
+ */
+declare class PasswordStrengthService {
+    /**
+     * Evaluates the strength of a password.
+     * Never throws — returns score 0 for empty or null-like input.
+     */
+    assess(password: string): PasswordStrengthResult;
+    private entropyToScore;
+    private containsSequence;
+    static ɵfac: i0.ɵɵFactoryDeclaration<PasswordStrengthService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<PasswordStrengthService>;
+}
 interface SecurityConfig {
     enableRegexSecurity?: boolean;
     enableWebCrypto?: boolean;
+    enableSecureStorage?: boolean;
+    enableInputSanitizer?: boolean;
+    enablePasswordStrength?: boolean;
     defaultTimeout?: number;
     safeMode?: boolean;
 }
@@ -185,6 +364,9 @@ declare const defaultSecurityConfig: SecurityConfig;
 declare function provideSecurity(config?: SecurityConfig): EnvironmentProviders;
 declare function provideRegexSecurity(): EnvironmentProviders;
 declare function provideWebCrypto(): EnvironmentProviders;
+declare function provideSecureStorage(config?: SecureStorageConfig): EnvironmentProviders;
+declare function provideInputSanitizer(config?: SanitizerConfig): EnvironmentProviders;
+declare function providePasswordStrength(): EnvironmentProviders;
-export { RegexSecurityBuilder, RegexSecurityService, WebCryptoService, defaultSecurityConfig, provideRegexSecurity, provideSecurity, provideWebCrypto };
-export type { AesEncryptResult, AesKeyLength, HashAlgorithm, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SecurityConfig };
+export { InputSanitizerService, PasswordStrengthService, RegexSecurityBuilder, RegexSecurityService, SANITIZER_CONFIG, SECURE_STORAGE_CONFIG, SecureStorageService, WebCryptoService, defaultSecurityConfig, provideInputSanitizer, providePasswordStrength, provideRegexSecurity, provideSecureStorage, provideSecurity, provideWebCrypto };
+export type { AesEncryptResult, AesKeyLength, HashAlgorithm, HmacAlgorithm, PasswordStrengthResult, RegexBuilderOptions, RegexSecurityConfig, RegexSecurityResult, RegexTestResult, SanitizerConfig, SecureStorageConfig, SecurityConfig, StorageTarget };