@bhandari88/express-auth 1.2.0 → 1.3.0

package/README.md

@@ -45,6 +45,14 @@ npm install @bhandari88/express-auth
   - Optional refresh tokens
   - Customizable user fields
 
+- ✅ **End-to-End Encryption** (NEW in v1.3.0)
+  - AES-256-GCM authenticated encryption
+  - Automatic chunking for large data
+  - Password-based key derivation (PBKDF2)
+  - Secure IV/nonce generation
+  - Support for strings and Buffers
+  - Easy-to-use API for encryption/decryption
+
 ## Peer Dependencies
 
 Make sure you have the following peer dependencies installed:
@@ -366,6 +374,199 @@ Or with `abortEarly: true`, only the first error:
 }
 ```
 
+### 6. End-to-End Data Encryption & Decryption
+
+The package includes a powerful encryption service for secure end-to-end encryption and decryption of large data using AES-256-GCM with automatic chunking support.
+
+#### Basic Usage
+
+```typescript
+import { EncryptionService } from '@bhandari88/express-auth';
+
+// Create encryption service with default settings
+const encryption = new EncryptionService();
+
+// Encrypt data
+const data = 'Sensitive information that needs to be encrypted';
+const password = 'my-secure-password-123';
+
+const encrypted = await encryption.encrypt(data, password);
+console.log(encrypted);
+// {
+//   encrypted: 'base64-encrypted-data...',
+//   salt: 'base64-salt...',
+//   iv: 'base64-iv...',
+//   authTag: 'base64-auth-tag...',
+//   algorithm: 'aes-256-gcm'
+// }
+
+// Decrypt data
+const decrypted = await encryption.decrypt(encrypted, password);
+console.log(decrypted.toString('utf8')); // 'Sensitive information that needs to be encrypted'
+```
+
+#### Encrypt/Decrypt Strings (Convenience Methods)
+
+```typescript
+// Encrypt to string (includes all metadata as JSON)
+const encryptedString = await encryption.encryptToString(data, password);
+// Store encryptedString in database, file, etc.
+
+// Decrypt from string
+const decryptedString = await encryption.decryptFromString(encryptedString, password);
+console.log(decryptedString); // Original data
+```
+
+#### Encrypt/Decrypt Large Data
+
+The encryption service automatically handles large data by chunking it into smaller pieces. This is transparent to you:
+
+```typescript
+// Encrypt large file or data
+const fs = require('fs');
+const largeData = fs.readFileSync('large-file.pdf');
+
+const encrypted = await encryption.encrypt(largeData, password);
+// Automatically chunked and encrypted
+
+// Decrypt large data
+const decrypted = await encryption.decrypt(encrypted, password);
+fs.writeFileSync('decrypted-file.pdf', decrypted);
+```
+
+#### Encrypt/Decrypt Buffers
+
+```typescript
+// Encrypt Buffer
+const buffer = Buffer.from('Binary data', 'utf8');
+const encrypted = await encryption.encrypt(buffer, password);
+
+// Decrypt to Buffer
+const decrypted = await encryption.decrypt(encrypted, password);
+console.log(decrypted); // Buffer
+```
+
+#### Custom Configuration
+
+```typescript
+import { EncryptionService, EncryptionConfig } from '@bhandari88/express-auth';
+
+const config: EncryptionConfig = {
+  algorithm: 'aes-256-gcm',           // 'aes-256-gcm' | 'aes-192-gcm' | 'aes-128-gcm'
+  keyDerivationIterations: 100000,    // PBKDF2 iterations (higher = more secure but slower)
+  saltLength: 32,                      // Salt length in bytes
+  ivLength: 16,                        // IV length in bytes
+  authTagLength: 16,                   // Auth tag length in bytes
+  chunkSize: 64 * 1024,                // Chunk size for large data (64KB default)
+};
+
+const encryption = new EncryptionService(config);
+```
+
+#### Generate Secure Passwords
+
+```typescript
+import { EncryptionService } from '@bhandari88/express-auth';
+
+// Generate secure random password (base64)
+const password = EncryptionService.generateSecurePassword(32);
+console.log(password); // Random base64 string
+
+// Generate secure random password (hex)
+const hexPassword = EncryptionService.generateSecurePasswordHex(32);
+console.log(hexPassword); // Random hex string
+```
+
+#### Express Route Example
+
+```typescript
+import express from 'express';
+import { EncryptionService } from '@bhandari88/express-auth';
+
+const app = express();
+app.use(express.json());
+
+const encryption = new EncryptionService();
+
+// Encrypt endpoint
+app.post('/api/encrypt', async (req, res) => {
+  try {
+    const { data, password } = req.body;
+    
+    if (!data || !password) {
+      return res.status(400).json({ 
+        success: false, 
+        error: 'Data and password are required' 
+      });
+    }
+
+    const encrypted = await encryption.encryptToString(data, password);
+    res.json({ success: true, encrypted });
+  } catch (error) {
+    res.status(500).json({ 
+      success: false, 
+      error: error instanceof Error ? error.message : 'Encryption failed' 
+    });
+  }
+});
+
+// Decrypt endpoint
+app.post('/api/decrypt', async (req, res) => {
+  try {
+    const { encrypted, password } = req.body;
+    
+    if (!encrypted || !password) {
+      return res.status(400).json({ 
+        success: false, 
+        error: 'Encrypted data and password are required' 
+      });
+    }
+
+    const decrypted = await encryption.decryptFromString(encrypted, password);
+    res.json({ success: true, decrypted });
+  } catch (error) {
+    res.status(500).json({ 
+      success: false, 
+      error: error instanceof Error ? error.message : 'Decryption failed' 
+    });
+  }
+});
+```
+
+#### Security Features
+
+- **AES-256-GCM**: Industry-standard authenticated encryption
+- **Automatic Chunking**: Handles large data efficiently without memory issues
+- **PBKDF2 Key Derivation**: 100,000 iterations by default (configurable)
+- **Random Salt & IV**: Unique salt and IV for each encryption
+- **Authentication Tags**: Prevents tampering with encrypted data
+- **No External Dependencies**: Uses Node.js built-in crypto module
+
+#### Encryption Configuration Options
+
+```typescript
+interface EncryptionConfig {
+  algorithm?: 'aes-256-gcm' | 'aes-192-gcm' | 'aes-128-gcm';  // Default: 'aes-256-gcm'
+  keyDerivationIterations?: number;                             // Default: 100000
+  saltLength?: number;                                          // Default: 32 bytes
+  ivLength?: number;                                            // Default: 16 bytes
+  authTagLength?: number;                                       // Default: 16 bytes
+  chunkSize?: number;                                           // Default: 64KB
+}
+```
+
+#### Encryption Result Format
+
+```typescript
+interface EncryptionResult {
+  encrypted: string;      // Base64 encoded encrypted data
+  salt: string;           // Base64 encoded salt used for key derivation
+  iv: string;             // Base64 encoded IV/nonce
+  authTag?: string;       // Base64 encoded authentication tag (for single chunk)
+  algorithm: string;      // Algorithm used ('aes-256-gcm')
+}
+```
+
 ## API Endpoints
 
 ### Register User
@@ -585,6 +786,13 @@ interface AuthConfig {
 
 5. **Input Validation**: All inputs are validated and sanitized automatically
 
+6. **Data Encryption**:
+   - Use AES-256-GCM for authenticated encryption
+   - Minimum 8 character password for encryption
+   - Store encrypted data securely (database, files, etc.)
+   - Never share encryption passwords in plain text
+   - Use strong, randomly generated passwords when possible
+
 ## Types
 
 ```typescript

package/dist/index.d.ts

@@ -56,6 +56,7 @@ export * from './types';
 export { JwtService } from './utils/jwt';
 export { PasswordService } from './utils/password';
 export { ValidatorService } from './utils/validator';
+export { EncryptionService, EncryptionConfig, EncryptionResult } from './utils/encryption';
 export { AuthMiddleware } from './middleware/auth.middleware';
 export { validate, validateBody, validateQuery, validateParams, ValidationOptions, ValidationSource, ValidationSchema, ValidationRule, FieldValidation } from './middleware/validation.middleware';
 export { LocalAuthHandler } from './handlers/local-auth';

package/dist/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.SocialAuthHandler = exports.LocalAuthHandler = exports.validateParams = exports.validateQuery = exports.validateBody = exports.validate = exports.AuthMiddleware = exports.ValidatorService = exports.PasswordService = exports.JwtService = exports.Auth = void 0;
+exports.SocialAuthHandler = exports.LocalAuthHandler = exports.validateParams = exports.validateQuery = exports.validateBody = exports.validate = exports.AuthMiddleware = exports.EncryptionService = exports.ValidatorService = exports.PasswordService = exports.JwtService = exports.Auth = void 0;
 const jwt_1 = require("./utils/jwt");
 const password_1 = require("./utils/password");
 const local_auth_1 = require("./handlers/local-auth");
@@ -224,6 +224,8 @@ var password_2 = require("./utils/password");
 Object.defineProperty(exports, "PasswordService", { enumerable: true, get: function () { return password_2.PasswordService; } });
 var validator_1 = require("./utils/validator");
 Object.defineProperty(exports, "ValidatorService", { enumerable: true, get: function () { return validator_1.ValidatorService; } });
+var encryption_1 = require("./utils/encryption");
+Object.defineProperty(exports, "EncryptionService", { enumerable: true, get: function () { return encryption_1.EncryptionService; } });
 var auth_middleware_2 = require("./middleware/auth.middleware");
 Object.defineProperty(exports, "AuthMiddleware", { enumerable: true, get: function () { return auth_middleware_2.AuthMiddleware; } });
 var validation_middleware_1 = require("./middleware/validation.middleware");

package/dist/utils/encryption.d.ts

@@ -0,0 +1,145 @@
+/**
+ * Configuration options for encryption service
+ */
+export interface EncryptionConfig {
+    /**
+     * Algorithm to use for encryption (default: 'aes-256-gcm')
+     */
+    algorithm?: 'aes-256-gcm' | 'aes-192-gcm' | 'aes-128-gcm';
+    /**
+     * Key derivation iterations for PBKDF2 (default: 100000)
+     * Higher values are more secure but slower
+     */
+    keyDerivationIterations?: number;
+    /**
+     * Salt length in bytes (default: 32)
+     */
+    saltLength?: number;
+    /**
+     * IV length in bytes (default: 16 for GCM)
+     */
+    ivLength?: number;
+    /**
+     * Authentication tag length in bytes (default: 16 for GCM)
+     */
+    authTagLength?: number;
+    /**
+     * Chunk size for large data encryption in bytes (default: 64KB)
+     * Data larger than this will be encrypted in chunks
+     */
+    chunkSize?: number;
+}
+/**
+ * Encryption result containing encrypted data and metadata
+ */
+export interface EncryptionResult {
+    /**
+     * Encrypted data as base64 string
+     */
+    encrypted: string;
+    /**
+     * Salt used for key derivation (base64)
+     */
+    salt: string;
+    /**
+     * IV/nonce used for encryption (base64)
+     */
+    iv: string;
+    /**
+     * Authentication tag for GCM mode (base64)
+     */
+    authTag?: string;
+    /**
+     * Algorithm used
+     */
+    algorithm: string;
+}
+/**
+ * Service for end-to-end encryption and decryption of large data
+ * Uses AES-256-GCM for authenticated encryption with chunking support
+ */
+export declare class EncryptionService {
+    private algorithm;
+    private keyDerivationIterations;
+    private saltLength;
+    private ivLength;
+    private authTagLength;
+    private chunkSize;
+    private keyLength;
+    constructor(config?: EncryptionConfig);
+    /**
+     * Derive encryption key from password using PBKDF2
+     */
+    private deriveKey;
+    /**
+     * Encrypt data (string or Buffer) with password-based encryption
+     * Automatically handles chunking for large data
+     *
+     * @param data - Data to encrypt (string or Buffer)
+     * @param password - Password for encryption
+     * @returns Encryption result with encrypted data and metadata
+     */
+    encrypt(data: string | Buffer, password: string): Promise<EncryptionResult>;
+    /**
+     * Encrypt a single chunk of data
+     */
+    private encryptChunk;
+    /**
+     * Encrypt large data in chunks
+     */
+    private encryptLargeData;
+    /**
+     * Decrypt data that was encrypted with encrypt()
+     *
+     * @param encryptedData - Encryption result from encrypt()
+     * @param password - Password used for encryption
+     * @returns Decrypted data as Buffer
+     */
+    decrypt(encryptedData: EncryptionResult, password: string): Promise<Buffer>;
+    /**
+     * Decrypt a single chunk
+     */
+    private decryptChunk;
+    /**
+     * Decrypt large data that was encrypted in chunks
+     */
+    private decryptLargeData;
+    /**
+     * Encrypt data and return as string (convenience method)
+     *
+     * @param data - Data to encrypt (string or Buffer)
+     * @param password - Password for encryption
+     * @returns Encrypted data as base64 string (includes all metadata)
+     */
+    encryptToString(data: string | Buffer, password: string): Promise<string>;
+    /**
+     * Decrypt data from string format (convenience method)
+     *
+     * @param encryptedString - Encrypted data as JSON string from encryptToString()
+     * @param password - Password used for encryption
+     * @returns Decrypted data as string
+     */
+    decryptFromString(encryptedString: string, password: string): Promise<string>;
+    /**
+     * Decrypt data from string format and return as Buffer
+     *
+     * @param encryptedString - Encrypted data as JSON string from encryptToString()
+     * @param password - Password used for encryption
+     * @returns Decrypted data as Buffer
+     */
+    decryptFromStringToBuffer(encryptedString: string, password: string): Promise<Buffer>;
+    /**
+     * Generate a secure random password/key
+     *
+     * @param length - Length of password in bytes (default: 32)
+     * @returns Random password as base64 string
+     */
+    static generateSecurePassword(length?: number): string;
+    /**
+     * Generate a secure random password/key as hex string
+     *
+     * @param length - Length of password in bytes (default: 32)
+     * @returns Random password as hex string
+     */
+    static generateSecurePasswordHex(length?: number): string;
+}

package/dist/utils/encryption.js

@@ -0,0 +1,291 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EncryptionService = void 0;
+const crypto = __importStar(require("crypto"));
+/**
+ * Service for end-to-end encryption and decryption of large data
+ * Uses AES-256-GCM for authenticated encryption with chunking support
+ */
+class EncryptionService {
+    constructor(config = {}) {
+        this.algorithm = config.algorithm || 'aes-256-gcm';
+        this.keyDerivationIterations = config.keyDerivationIterations || 100000;
+        this.saltLength = config.saltLength || 32;
+        this.ivLength = config.ivLength || 16;
+        this.authTagLength = config.authTagLength || 16;
+        this.chunkSize = config.chunkSize || 64 * 1024; // 64KB default
+        // Determine key length based on algorithm
+        if (this.algorithm.includes('256')) {
+            this.keyLength = 32; // 256 bits
+        }
+        else if (this.algorithm.includes('192')) {
+            this.keyLength = 24; // 192 bits
+        }
+        else {
+            this.keyLength = 16; // 128 bits
+        }
+    }
+    /**
+     * Derive encryption key from password using PBKDF2
+     */
+    async deriveKey(password, salt) {
+        return new Promise((resolve, reject) => {
+            crypto.pbkdf2(password, salt, this.keyDerivationIterations, this.keyLength, 'sha256', (err, derivedKey) => {
+                if (err)
+                    reject(err);
+                else
+                    resolve(derivedKey);
+            });
+        });
+    }
+    /**
+     * Encrypt data (string or Buffer) with password-based encryption
+     * Automatically handles chunking for large data
+     *
+     * @param data - Data to encrypt (string or Buffer)
+     * @param password - Password for encryption
+     * @returns Encryption result with encrypted data and metadata
+     */
+    async encrypt(data, password) {
+        if (!data) {
+            throw new Error('Data to encrypt cannot be empty');
+        }
+        if (!password || password.length < 8) {
+            throw new Error('Password must be at least 8 characters long');
+        }
+        // Convert string to Buffer if needed
+        const dataBuffer = Buffer.isBuffer(data) ? data : Buffer.from(data, 'utf8');
+        // Generate random salt and IV
+        const salt = crypto.randomBytes(this.saltLength);
+        const iv = crypto.randomBytes(this.ivLength);
+        // Derive encryption key from password
+        const key = await this.deriveKey(password, salt);
+        // For small data, encrypt directly
+        if (dataBuffer.length <= this.chunkSize) {
+            const result = this.encryptChunk(dataBuffer, key, iv);
+            result.salt = salt.toString('base64');
+            return result;
+        }
+        // For large data, encrypt in chunks
+        const result = await this.encryptLargeData(dataBuffer, key, iv);
+        result.salt = salt.toString('base64');
+        return result;
+    }
+    /**
+     * Encrypt a single chunk of data
+     */
+    encryptChunk(data, key, iv) {
+        const cipher = crypto.createCipheriv(this.algorithm, key, iv);
+        const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+        const authTag = cipher.getAuthTag();
+        return {
+            encrypted: encrypted.toString('base64'),
+            salt: '', // Will be set by caller
+            iv: iv.toString('base64'),
+            authTag: authTag.toString('base64'),
+            algorithm: this.algorithm,
+        };
+    }
+    /**
+     * Encrypt large data in chunks
+     */
+    async encryptLargeData(data, key, iv) {
+        const chunks = [];
+        const totalChunks = Math.ceil(data.length / this.chunkSize);
+        // Generate a unique IV for each chunk (derive from base IV)
+        const chunkIVs = [];
+        for (let i = 0; i < totalChunks; i++) {
+            // Derive chunk IV from base IV and chunk index
+            const chunkIVBuffer = Buffer.allocUnsafe(this.ivLength);
+            crypto.createHash('sha256')
+                .update(iv)
+                .update(Buffer.from(i.toString()))
+                .digest()
+                .copy(chunkIVBuffer, 0, 0, this.ivLength);
+            chunkIVs.push(chunkIVBuffer);
+        }
+        // Encrypt each chunk
+        for (let i = 0; i < totalChunks; i++) {
+            const start = i * this.chunkSize;
+            const end = Math.min(start + this.chunkSize, data.length);
+            const chunk = data.slice(start, end);
+            const chunkIV = chunkIVs[i];
+            const cipher = crypto.createCipheriv(this.algorithm, key, chunkIV);
+            const encrypted = Buffer.concat([cipher.update(chunk), cipher.final()]);
+            const authTag = cipher.getAuthTag();
+            // Store chunk with its auth tag: base64(encrypted:authTag)
+            const chunkWithTag = Buffer.concat([encrypted, authTag]);
+            chunks.push(chunkWithTag.toString('base64'));
+        }
+        // Combine all chunks with delimiter
+        const encryptedData = chunks.join('|');
+        return {
+            encrypted: encryptedData,
+            salt: '', // Will be set by caller
+            iv: iv.toString('base64'),
+            authTag: undefined, // Not used for chunked encryption (each chunk has its own tag)
+            algorithm: this.algorithm,
+        };
+    }
+    /**
+     * Decrypt data that was encrypted with encrypt()
+     *
+     * @param encryptedData - Encryption result from encrypt()
+     * @param password - Password used for encryption
+     * @returns Decrypted data as Buffer
+     */
+    async decrypt(encryptedData, password) {
+        if (!encryptedData || !encryptedData.encrypted) {
+            throw new Error('Invalid encrypted data');
+        }
+        if (!password || password.length < 8) {
+            throw new Error('Password must be at least 8 characters long');
+        }
+        // Reconstruct salt and IV
+        if (!encryptedData.salt) {
+            throw new Error('Salt is required for decryption');
+        }
+        const salt = Buffer.from(encryptedData.salt, 'base64');
+        const iv = Buffer.from(encryptedData.iv, 'base64');
+        // Derive encryption key from password
+        const key = await this.deriveKey(password, salt);
+        // Check if data is chunked (contains '|' delimiter)
+        if (encryptedData.encrypted.includes('|')) {
+            return this.decryptLargeData(encryptedData.encrypted, key, iv);
+        }
+        // Decrypt single chunk
+        return this.decryptChunk(encryptedData, key, iv);
+    }
+    /**
+     * Decrypt a single chunk
+     */
+    decryptChunk(encryptedData, key, iv) {
+        const encrypted = Buffer.from(encryptedData.encrypted, 'base64');
+        if (!encryptedData.authTag) {
+            throw new Error('Authentication tag is required for decryption');
+        }
+        const authTag = Buffer.from(encryptedData.authTag, 'base64');
+        const decipher = crypto.createDecipheriv(encryptedData.algorithm || this.algorithm, key, iv);
+        decipher.setAuthTag(authTag);
+        return Buffer.concat([decipher.update(encrypted), decipher.final()]);
+    }
+    /**
+     * Decrypt large data that was encrypted in chunks
+     */
+    decryptLargeData(encryptedData, key, iv) {
+        const chunks = encryptedData.split('|');
+        const decryptedChunks = [];
+        for (let i = 0; i < chunks.length; i++) {
+            // Derive chunk IV from base IV and chunk index
+            const chunkIVBuffer = Buffer.allocUnsafe(this.ivLength);
+            crypto.createHash('sha256')
+                .update(iv)
+                .update(Buffer.from(i.toString()))
+                .digest()
+                .copy(chunkIVBuffer, 0, 0, this.ivLength);
+            // Extract encrypted data and auth tag
+            const chunkWithTag = Buffer.from(chunks[i], 'base64');
+            const encrypted = chunkWithTag.slice(0, -this.authTagLength);
+            const authTag = chunkWithTag.slice(-this.authTagLength);
+            // Decrypt chunk
+            const decipher = crypto.createDecipheriv(this.algorithm, key, chunkIVBuffer);
+            decipher.setAuthTag(authTag);
+            const decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
+            decryptedChunks.push(decrypted);
+        }
+        return Buffer.concat(decryptedChunks);
+    }
+    /**
+     * Encrypt data and return as string (convenience method)
+     *
+     * @param data - Data to encrypt (string or Buffer)
+     * @param password - Password for encryption
+     * @returns Encrypted data as base64 string (includes all metadata)
+     */
+    async encryptToString(data, password) {
+        const result = await this.encrypt(data, password);
+        // Include salt in result for proper decryption
+        if (!result.salt) {
+            // Generate salt for this encryption
+            const salt = crypto.randomBytes(this.saltLength);
+            result.salt = salt.toString('base64');
+        }
+        // Return as JSON string (can be easily stored/transmitted)
+        return JSON.stringify(result);
+    }
+    /**
+     * Decrypt data from string format (convenience method)
+     *
+     * @param encryptedString - Encrypted data as JSON string from encryptToString()
+     * @param password - Password used for encryption
+     * @returns Decrypted data as string
+     */
+    async decryptFromString(encryptedString, password) {
+        const encryptedData = JSON.parse(encryptedString);
+        const decrypted = await this.decrypt(encryptedData, password);
+        return decrypted.toString('utf8');
+    }
+    /**
+     * Decrypt data from string format and return as Buffer
+     *
+     * @param encryptedString - Encrypted data as JSON string from encryptToString()
+     * @param password - Password used for encryption
+     * @returns Decrypted data as Buffer
+     */
+    async decryptFromStringToBuffer(encryptedString, password) {
+        const encryptedData = JSON.parse(encryptedString);
+        return this.decrypt(encryptedData, password);
+    }
+    /**
+     * Generate a secure random password/key
+     *
+     * @param length - Length of password in bytes (default: 32)
+     * @returns Random password as base64 string
+     */
+    static generateSecurePassword(length = 32) {
+        return crypto.randomBytes(length).toString('base64');
+    }
+    /**
+     * Generate a secure random password/key as hex string
+     *
+     * @param length - Length of password in bytes (default: 32)
+     * @returns Random password as hex string
+     */
+    static generateSecurePasswordHex(length = 32) {
+        return crypto.randomBytes(length).toString('hex');
+    }
+}
+exports.EncryptionService = EncryptionService;

package/dist/utils/index.d.ts

@@ -1,3 +1,4 @@
 export { JwtService } from './jwt';
 export { PasswordService } from './password';
 export { ValidatorService } from './validator';
+export { EncryptionService, EncryptionConfig, EncryptionResult } from './encryption';

package/dist/utils/index.js

@@ -1,9 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ValidatorService = exports.PasswordService = exports.JwtService = void 0;
+exports.EncryptionService = exports.ValidatorService = exports.PasswordService = exports.JwtService = void 0;
 var jwt_1 = require("./jwt");
 Object.defineProperty(exports, "JwtService", { enumerable: true, get: function () { return jwt_1.JwtService; } });
 var password_1 = require("./password");
 Object.defineProperty(exports, "PasswordService", { enumerable: true, get: function () { return password_1.PasswordService; } });
 var validator_1 = require("./validator");
 Object.defineProperty(exports, "ValidatorService", { enumerable: true, get: function () { return validator_1.ValidatorService; } });
+var encryption_1 = require("./encryption");
+Object.defineProperty(exports, "EncryptionService", { enumerable: true, get: function () { return encryption_1.EncryptionService; } });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bhandari88/express-auth",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Plug-and-play authentication handler for Express.js with TypeScript supporting email, username, phone, and social login",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",