@blokjs/runner 0.6.20 → 0.7.0
- package/dist/Blok.d.ts +2 -0
- package/dist/Blok.js +42 -110
- package/dist/Blok.js.map +1 -1
- package/dist/DefaultLogger.d.ts +13 -0
- package/dist/DefaultLogger.js +25 -0
- package/dist/DefaultLogger.js.map +1 -1
- package/dist/RunnerSteps.d.ts +23 -0
- package/dist/RunnerSteps.js +128 -87
- package/dist/RunnerSteps.js.map +1 -1
- package/dist/SubworkflowNode.js +19 -0
- package/dist/SubworkflowNode.js.map +1 -1
- package/dist/TriggerBase.d.ts +12 -0
- package/dist/TriggerBase.js +216 -181
- package/dist/TriggerBase.js.map +1 -1
- package/dist/adapters/grpc/GrpcRuntimeAdapter.d.ts +9 -0
- package/dist/adapters/grpc/GrpcRuntimeAdapter.js +76 -6
- package/dist/adapters/grpc/GrpcRuntimeAdapter.js.map +1 -1
- package/dist/index.d.ts +4 -39
- package/dist/index.js +7 -32
- package/dist/index.js.map +1 -1
- package/dist/monitoring/JanitorMetrics.d.ts +3 -0
- package/dist/monitoring/JanitorMetrics.js +11 -0
- package/dist/monitoring/JanitorMetrics.js.map +1 -1
- package/dist/monitoring/ProcessErrorMetrics.d.ts +32 -0
- package/dist/monitoring/ProcessErrorMetrics.js +43 -0
- package/dist/monitoring/ProcessErrorMetrics.js.map +1 -0
- package/dist/monitoring/PrometheusMetricsBridge.d.ts +7 -0
- package/dist/monitoring/PrometheusMetricsBridge.js +8 -2
- package/dist/monitoring/PrometheusMetricsBridge.js.map +1 -1
- package/dist/monitoring/SubworkflowMetrics.d.ts +25 -0
- package/dist/monitoring/SubworkflowMetrics.js +38 -0
- package/dist/monitoring/SubworkflowMetrics.js.map +1 -0
- package/dist/observability/ErrorSink.d.ts +23 -0
- package/dist/observability/ErrorSink.js +32 -0
- package/dist/observability/ErrorSink.js.map +1 -0
- package/dist/observability/SentryIntegration.d.ts +9 -0
- package/dist/observability/SentryIntegration.js +31 -0
- package/dist/observability/SentryIntegration.js.map +1 -0
- package/dist/scheduling/DebounceCoordinator.d.ts +7 -53
- package/dist/scheduling/DebounceCoordinator.js +8 -207
- package/dist/scheduling/DebounceCoordinator.js.map +1 -1
- package/dist/tracing/InMemoryRunStore.d.ts +5 -1
- package/dist/tracing/InMemoryRunStore.js +14 -0
- package/dist/tracing/InMemoryRunStore.js.map +1 -1
- package/dist/tracing/Janitor.js +3 -0
- package/dist/tracing/Janitor.js.map +1 -1
- package/dist/tracing/PostgresRunStore.d.ts +4 -1
- package/dist/tracing/PostgresRunStore.js +73 -3
- package/dist/tracing/PostgresRunStore.js.map +1 -1
- package/dist/tracing/RunStore.d.ts +17 -1
- package/dist/tracing/RunTracker.d.ts +13 -34
- package/dist/tracing/RunTracker.js +62 -32
- package/dist/tracing/RunTracker.js.map +1 -1
- package/dist/tracing/SqliteRunStore.d.ts +4 -1
- package/dist/tracing/SqliteRunStore.js +60 -0
- package/dist/tracing/SqliteRunStore.js.map +1 -1
- package/dist/tracing/TraceRouter.d.ts +13 -0
- package/dist/tracing/TraceRouter.js +43 -11
- package/dist/tracing/TraceRouter.js.map +1 -1
- package/dist/tracing/TracingLogger.js +22 -0
- package/dist/tracing/TracingLogger.js.map +1 -1
- package/dist/tracing/createStore.js +51 -22
- package/dist/tracing/createStore.js.map +1 -1
- package/dist/tracing/types.d.ts +22 -0
- package/dist/types/GlobalOptions.d.ts +5 -7
- package/dist/workflow/WorkflowNormalizer.js +63 -0
- package/dist/workflow/WorkflowNormalizer.js.map +1 -1
- package/package.json +7 -4
- package/dist/cache/NodeResultCache.d.ts +0 -286
- package/dist/cache/NodeResultCache.js +0 -506
- package/dist/cache/NodeResultCache.js.map +0 -1
- package/dist/cache/index.d.ts +0 -1
- package/dist/cache/index.js +0 -2
- package/dist/cache/index.js.map +0 -1
- package/dist/concurrency/ConcurrencyBackend.d.ts +0 -61
- package/dist/concurrency/ConcurrencyBackend.js +0 -20
- package/dist/concurrency/ConcurrencyBackend.js.map +0 -1
- package/dist/concurrency/NatsKvConcurrencyBackend.d.ts +0 -64
- package/dist/concurrency/NatsKvConcurrencyBackend.js +0 -310
- package/dist/concurrency/NatsKvConcurrencyBackend.js.map +0 -1
- package/dist/concurrency/RedisConcurrencyBackend.d.ts +0 -64
- package/dist/concurrency/RedisConcurrencyBackend.js +0 -374
- package/dist/concurrency/RedisConcurrencyBackend.js.map +0 -1
- package/dist/concurrency/createConcurrencyBackend.d.ts +0 -24
- package/dist/concurrency/createConcurrencyBackend.js +0 -38
- package/dist/concurrency/createConcurrencyBackend.js.map +0 -1
- package/dist/graphql/GraphQLSchemaGenerator.d.ts +0 -129
- package/dist/graphql/GraphQLSchemaGenerator.js +0 -425
- package/dist/graphql/GraphQLSchemaGenerator.js.map +0 -1
- package/dist/integrations/APMIntegration.d.ts +0 -141
- package/dist/integrations/APMIntegration.js +0 -212
- package/dist/integrations/APMIntegration.js.map +0 -1
- package/dist/integrations/AzureMonitorIntegration.d.ts +0 -118
- package/dist/integrations/AzureMonitorIntegration.js +0 -254
- package/dist/integrations/AzureMonitorIntegration.js.map +0 -1
- package/dist/integrations/CloudWatchIntegration.d.ts +0 -135
- package/dist/integrations/CloudWatchIntegration.js +0 -293
- package/dist/integrations/CloudWatchIntegration.js.map +0 -1
- package/dist/integrations/SentryIntegration.d.ts +0 -153
- package/dist/integrations/SentryIntegration.js +0 -200
- package/dist/integrations/SentryIntegration.js.map +0 -1
- package/dist/integrations/index.d.ts +0 -19
- package/dist/integrations/index.js +0 -16
- package/dist/integrations/index.js.map +0 -1
- package/dist/marketplace/RuntimeAutoScaler.d.ts +0 -148
- package/dist/marketplace/RuntimeAutoScaler.js +0 -366
- package/dist/marketplace/RuntimeAutoScaler.js.map +0 -1
- package/dist/marketplace/RuntimeCatalog.d.ts +0 -180
- package/dist/marketplace/RuntimeCatalog.js +0 -339
- package/dist/marketplace/RuntimeCatalog.js.map +0 -1
- package/dist/marketplace/RuntimeDiscovery.d.ts +0 -86
- package/dist/marketplace/RuntimeDiscovery.js +0 -231
- package/dist/marketplace/RuntimeDiscovery.js.map +0 -1
- package/dist/marketplace/RuntimeHealthMonitor.d.ts +0 -100
- package/dist/marketplace/RuntimeHealthMonitor.js +0 -241
- package/dist/marketplace/RuntimeHealthMonitor.js.map +0 -1
- package/dist/marketplace/RuntimeMetricsDashboard.d.ts +0 -113
- package/dist/marketplace/RuntimeMetricsDashboard.js +0 -293
- package/dist/marketplace/RuntimeMetricsDashboard.js.map +0 -1
- package/dist/openapi/OpenAPIGenerator.d.ts +0 -192
- package/dist/openapi/OpenAPIGenerator.js +0 -378
- package/dist/openapi/OpenAPIGenerator.js.map +0 -1
- package/dist/openapi/index.d.ts +0 -20
- package/dist/openapi/index.js +0 -20
- package/dist/openapi/index.js.map +0 -1
- package/dist/scheduling/DebounceBackend.d.ts +0 -108
- package/dist/scheduling/DebounceBackend.js +0 -23
- package/dist/scheduling/DebounceBackend.js.map +0 -1
- package/dist/scheduling/NatsKvDebounceBackend.d.ts +0 -53
- package/dist/scheduling/NatsKvDebounceBackend.js +0 -334
- package/dist/scheduling/NatsKvDebounceBackend.js.map +0 -1
- package/dist/scheduling/RedisDebounceBackend.d.ts +0 -49
- package/dist/scheduling/RedisDebounceBackend.js +0 -356
- package/dist/scheduling/RedisDebounceBackend.js.map +0 -1
- package/dist/scheduling/createDebounceBackend.d.ts +0 -25
- package/dist/scheduling/createDebounceBackend.js +0 -39
- package/dist/scheduling/createDebounceBackend.js.map +0 -1
- package/dist/security/ABAC.d.ts +0 -224
- package/dist/security/ABAC.js +0 -380
- package/dist/security/ABAC.js.map +0 -1
- package/dist/security/AuditLogger.d.ts +0 -242
- package/dist/security/AuditLogger.js +0 -317
- package/dist/security/AuditLogger.js.map +0 -1
- package/dist/security/AuthMiddleware.d.ts +0 -162
- package/dist/security/AuthMiddleware.js +0 -289
- package/dist/security/AuthMiddleware.js.map +0 -1
- package/dist/security/EncryptionAtRest.d.ts +0 -206
- package/dist/security/EncryptionAtRest.js +0 -236
- package/dist/security/EncryptionAtRest.js.map +0 -1
- package/dist/security/OAuthProvider.d.ts +0 -334
- package/dist/security/OAuthProvider.js +0 -719
- package/dist/security/OAuthProvider.js.map +0 -1
- package/dist/security/PIIDetector.d.ts +0 -233
- package/dist/security/PIIDetector.js +0 -354
- package/dist/security/PIIDetector.js.map +0 -1
- package/dist/security/RBAC.d.ts +0 -143
- package/dist/security/RBAC.js +0 -285
- package/dist/security/RBAC.js.map +0 -1
- package/dist/security/SecretManager.d.ts +0 -652
- package/dist/security/SecretManager.js +0 -1147
- package/dist/security/SecretManager.js.map +0 -1
- package/dist/security/TLSConfig.d.ts +0 -305
- package/dist/security/TLSConfig.js +0 -550
- package/dist/security/TLSConfig.js.map +0 -1
- package/dist/security/index.d.ts +0 -81
- package/dist/security/index.js +0 -82
- package/dist/security/index.js.map +0 -1
|
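--- a/package/dist/security/AuthMiddleware.js
+++ b/package/dist/security/AuthMiddleware.js
@@ -1,289 +0,0 @@
-/**
-* Authentication Middleware for Blok Triggers
-*
-* @deprecated Since v0.4.1. Will be removed in v0.5. This class ships as
-* example-grade code (HS256-only JWT verification, no JWKS, no key
-* rotation, non-constant-time API-key lookup) and is not wired into any
-* trigger. Production deployments should compose auth from a hardened
-* library (`jose`, `hono/jwt`, `node-jsonwebtoken`) at the trigger or
-* workflow layer instead. See `docs/d/security/cookbook.mdx` for the
-* recommended patterns.
-*
-* @example
-* ```typescript
-* // Recommended (jose):
-* import { jwtVerify } from "jose";
-* const { payload } = await jwtVerify(token, secret, { issuer, audience });
-* ```
-*/
-import { createHmac, timingSafeEqual } from "node:crypto";
-let authMiddlewareWarningEmitted = false;
-function emitAuthMiddlewareDeprecationWarning() {
-if (authMiddlewareWarningEmitted)
-return;
-authMiddlewareWarningEmitted = true;
-if (process.env.BLOK_SUPPRESS_AUTHMIDDLEWARE_WARNING === "1")
-return;
-console.warn("[blok] AuthMiddleware (and JWTAuthProvider, APIKeyAuthProvider) is deprecated and will be removed in v0.5. " +
-"It ships as example-grade code, not production auth. " +
-"Use `jose`, `hono/jwt`, or `node-jsonwebtoken` at the trigger or workflow layer instead. " +
-"See docs/d/security/cookbook.mdx. " +
-"Set BLOK_SUPPRESS_AUTHMIDDLEWARE_WARNING=1 to silence.");
-}
-/**
-* @deprecated Since v0.4.1. See file-level JSDoc; will be removed in v0.5.
-*/
-export class AuthMiddleware {
-config;
-constructor(config) {
-this.config = {
-excludePaths: ["/health-check", "/metrics", "/health", "/liveness", "/readiness"],
-required: true,
-...config,
-};
-emitAuthMiddlewareDeprecationWarning();
-}
-/**
-* Authenticate a request against all registered providers.
-* Returns the first successful authentication result.
-*/
-async authenticate(request) {
-// Check excluded paths
-if (request.path && this.isExcludedPath(request.path)) {
-return {
-authenticated: true,
-identity: {
-sub: "anonymous",
-roles: ["public"],
-claims: {},
-provider: "excluded-path",
-},
-};
-}
-// Try each provider in order
-for (const provider of this.config.providers) {
-const result = await provider.authenticate(request);
-if (result.authenticated) {
-return result;
-}
-}
-// No provider authenticated the request
-if (!this.config.required) {
-return {
-authenticated: true,
-identity: {
-sub: "anonymous",
-roles: ["public"],
-claims: {},
-provider: "anonymous",
-},
-};
-}
-const result = {
-authenticated: false,
-error: "Authentication required",
-statusCode: 401,
-};
-if (this.config.onAuthFailure) {
-this.config.onAuthFailure(result, request);
-}
-return result;
-}
-/**
-* Express-compatible middleware function
-*/
-expressMiddleware() {
-return async (req, res, next) => {
-const result = await this.authenticate({
-headers: req.headers,
-query: req.query,
-path: req.path,
-method: req.method,
-});
-if (!result.authenticated) {
-res.status(result.statusCode || 401).json({
-error: result.error || "Unauthorized",
-});
-return;
-}
-// Attach identity to request
-req.auth = result.identity;
-next();
-};
-}
-isExcludedPath(path) {
-return (this.config.excludePaths || []).some((excluded) => path === excluded || path.startsWith(`${excluded}/`));
-}
-}
-/**
-* @deprecated Since v0.4.1. See file-level JSDoc; will be removed in v0.5.
-*/
-export class JWTAuthProvider {
-name = "jwt";
-config;
-constructor(config) {
-this.config = {
-headerName: "authorization",
-clockToleranceSec: 30,
-rolesClaim: "roles",
-...config,
-};
-emitAuthMiddlewareDeprecationWarning();
-}
-async authenticate(request) {
-const headerValue = request.headers[this.config.headerName || "authorization"];
-if (!headerValue) {
-return { authenticated: false, error: "No authorization header" };
-}
-const token = String(headerValue).replace(/^Bearer\s+/i, "");
-if (!token || token === String(headerValue)) {
-return { authenticated: false, error: "Invalid Bearer token format" };
-}
-try {
-const payload = this.verifyToken(token);
-if (!payload) {
-return { authenticated: false, error: "Invalid token signature", statusCode: 401 };
-}
-// Validate expiry
-const now = Math.floor(Date.now() / 1000);
-const tolerance = this.config.clockToleranceSec || 30;
-const exp = typeof payload.exp === "number" ? payload.exp : undefined;
-const nbf = typeof payload.nbf === "number" ? payload.nbf : undefined;
-if (exp && exp + tolerance < now) {
-return { authenticated: false, error: "Token expired", statusCode: 401 };
-}
-if (nbf && nbf - tolerance > now) {
-return { authenticated: false, error: "Token not yet valid", statusCode: 401 };
-}
-// Validate issuer
-if (this.config.issuer && payload.iss !== this.config.issuer) {
-return { authenticated: false, error: "Invalid token issuer", statusCode: 401 };
-}
-// Validate audience
-if (this.config.audience) {
-const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
-if (!aud.includes(this.config.audience)) {
-return { authenticated: false, error: "Invalid token audience", statusCode: 401 };
-}
-}
-// Extract roles
-const rolesClaim = this.config.rolesClaim || "roles";
-const roles = Array.isArray(payload[rolesClaim])
-? payload[rolesClaim]
-: typeof payload[rolesClaim] === "string"
-? [payload[rolesClaim]]
-: [];
-const iat = typeof payload.iat === "number" ? payload.iat : undefined;
-return {
-authenticated: true,
-identity: {
-sub: typeof payload.sub === "string" ? payload.sub : "unknown",
-name: payload.name,
-email: payload.email,
-roles,
-claims: payload,
-provider: "jwt",
-issuedAt: iat,
-expiresAt: exp,
-},
-};
-}
-catch (err) {
-return {
-authenticated: false,
-error: `Token verification failed: ${err instanceof Error ? err.message : String(err)}`,
-statusCode: 401,
-};
-}
-}
-/**
-* Verify JWT token using HS256
-*/
-verifyToken(token) {
-const parts = token.split(".");
-if (parts.length !== 3)
-return null;
-const [headerB64, payloadB64, signatureB64] = parts;
-// Verify signature (HS256)
-const expectedSignature = createHmac("sha256", this.config.secret)
-.update(`${headerB64}.${payloadB64}`)
-.digest("base64url");
-const signatureBuffer = Buffer.from(signatureB64, "base64url");
-const expectedBuffer = Buffer.from(expectedSignature, "base64url");
-if (signatureBuffer.length !== expectedBuffer.length)
-return null;
-if (!timingSafeEqual(signatureBuffer, expectedBuffer))
-return null;
-// Decode payload
-try {
-const payload = JSON.parse(Buffer.from(payloadB64, "base64url").toString("utf-8"));
-return payload;
-}
-catch {
-return null;
-}
-}
-}
-/**
-* @deprecated Since v0.4.1. See file-level JSDoc; will be removed in v0.5.
-*/
-export class APIKeyAuthProvider {
-name = "api-key";
-config;
-constructor(config) {
-this.config = {
-headerName: "x-api-key",
-queryParam: "api_key",
-...config,
-};
-emitAuthMiddlewareDeprecationWarning();
-}
-async authenticate(request) {
-// Try header first
-let apiKey = request.headers[this.config.headerName || "x-api-key"];
-if (Array.isArray(apiKey))
-apiKey = apiKey[0];
-// Then try query param
-if (!apiKey && request.query) {
-let queryKey = request.query[this.config.queryParam || "api_key"];
-if (Array.isArray(queryKey))
-queryKey = queryKey[0];
-apiKey = queryKey;
-}
-if (!apiKey) {
-return { authenticated: false, error: "No API key provided" };
-}
-// Try custom validator first
-if (this.config.validate) {
-const info = await this.config.validate(apiKey);
-if (info) {
-return this.buildResult(apiKey, info);
-}
-return { authenticated: false, error: "Invalid API key", statusCode: 401 };
-}
-// Check static keys
-const info = this.config.keys.get(apiKey);
-if (!info) {
-return { authenticated: false, error: "Invalid API key", statusCode: 401 };
-}
-return this.buildResult(apiKey, info);
-}
-buildResult(key, info) {
-// Check expiry
-if (info.expiresAt && info.expiresAt < Math.floor(Date.now() / 1000)) {
-return { authenticated: false, error: "API key expired", statusCode: 401 };
-}
-return {
-authenticated: true,
-identity: {
-sub: info.name,
-name: info.name,
-roles: info.roles,
-claims: info.metadata || {},
-provider: "api-key",
-expiresAt: info.expiresAt,
-},
-};
-}
-}
-//# sourceMappingURL=AuthMiddleware.js.map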
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"AuthMiddleware.js","sourceRoot":"","sources":["../../src/security/AuthMiddleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D,IAAI,4BAA4B,GAAG,KAAK,CAAC;AACzC,SAAS,oCAAoC;IAC5C,IAAI,4BAA4B;QAAE,OAAO;IACzC,4BAA4B,GAAG,IAAI,CAAC;IACpC,IAAI,OAAO,CAAC,GAAG,CAAC,oCAAoC,KAAK,GAAG;QAAE,OAAO;IACrE,OAAO,CAAC,IAAI,CACX,6GAA6G;QAC5G,uDAAuD;QACvD,2FAA2F;QAC3F,oCAAoC;QACpC,wDAAwD,CACzD,CAAC;AACH,CAAC;AAwDD;;GAEG;AACH,MAAM,OAAO,cAAc;IAClB,MAAM,CAAuB;IAErC,YAAY,MAA4B;QACvC,IAAI,CAAC,MAAM,GAAG;YACb,YAAY,EAAE,CAAC,eAAe,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,YAAY,CAAC;YACjF,QAAQ,EAAE,IAAI;YACd,GAAG,MAAM;SACT,CAAC;QACF,oCAAoC,EAAE,CAAC;IACxC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAAC,OAAoB;QACtC,uBAAuB;QACvB,IAAI,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACvD,OAAO;gBACN,aAAa,EAAE,IAAI;gBACnB,QAAQ,EAAE;oBACT,GAAG,EAAE,WAAW;oBAChB,KAAK,EAAE,CAAC,QAAQ,CAAC;oBACjB,MAAM,EAAE,EAAE;oBACV,QAAQ,EAAE,eAAe;iBACzB;aACD,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC9C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YACpD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBAC1B,OAAO,MAAM,CAAC;YACf,CAAC;QACF,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC3B,OAAO;gBACN,aAAa,EAAE,IAAI;gBACnB,QAAQ,EAAE;oBACT,GAAG,EAAE,WAAW;oBAChB,KAAK,EAAE,CAAC,QAAQ,CAAC;oBACjB,MAAM,EAAE,EAAE;oBACV,QAAQ,EAAE,WAAW;iBACrB;aACD,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAe;YAC1B,aAAa,EAAE,KAAK;YACpB,KAAK,EAAE,yBAAyB;YAChC,UAAU,EAAE,GAAG;SACf,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,MAAM,CAAC;IACf,CAAC;IAED;;OAEG;IACH,iBAAiB;QAChB,OAAO,KAAK,EACX,GAMC,EACD,GAAoE,EACpE,IAAgB,EACf,EAAE;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC;gBACtC,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;aAClB,CAAC,CAAC;YAEH,IAAI,CAA
C,MAAM,CAAC,aAAa,EAAE,CAAC;gBAC3B,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;oBACzC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,cAAc;iBACrC,CAAC,CAAC;gBACH,OAAO;YACR,CAAC;YAED,6BAA6B;YAC7B,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;YAC3B,IAAI,EAAE,CAAC;QACR,CAAC,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,IAAY;QAClC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClH,CAAC;CACD;AAuBD;;GAEG;AACH,MAAM,OAAO,eAAe;IAClB,IAAI,GAAG,KAAK,CAAC;IACd,MAAM,CAAwB;IAEtC,YAAY,MAA6B;QACxC,IAAI,CAAC,MAAM,GAAG;YACb,UAAU,EAAE,eAAe;YAC3B,iBAAiB,EAAE,EAAE;YACrB,UAAU,EAAE,OAAO;YACnB,GAAG,MAAM;SACT,CAAC;QACF,oCAAoC,EAAE,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAoB;QACtC,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,eAAe,CAAC,CAAC;QAC/E,IAAI,CAAC,WAAW,EAAE,CAAC;YAClB,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;QACnE,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAC7D,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC;YAC7C,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC;QACvE,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACd,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;YACpF,CAAC;YAED,kBAAkB;YAClB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC;YAEtD,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YACtE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YAEtE,IAAI,GAAG,IAAI,GAAG,GAAG,SAAS,GAAG,GAAG,EAAE,CAAC;gBAClC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,eAAe,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;YAC1E,CAAC;YAED,IAAI,GAAG,IAAI,GAAG,GAAG,SAAS,GAAG,GAAG,EAAE,CAAC;gBAClC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EA
AE,GAAG,EAAE,CAAC;YAChF,CAAC;YAED,kBAAkB;YAClB,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;gBAC9D,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,sBAAsB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;YACjF,CAAC;YAED,oBAAoB;YACpB,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC1B,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBACrE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACzC,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,wBAAwB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;gBACnF,CAAC;YACF,CAAC;YAED,gBAAgB;YAChB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,OAAO,CAAC;YACrD,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;gBAC/C,CAAC,CAAE,OAAO,CAAC,UAAU,CAAc;gBACnC,CAAC,CAAC,OAAO,OAAO,CAAC,UAAU,CAAC,KAAK,QAAQ;oBACxC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAW,CAAC;oBACjC,CAAC,CAAC,EAAE,CAAC;YAEP,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YAEtE,OAAO;gBACN,aAAa,EAAE,IAAI;gBACnB,QAAQ,EAAE;oBACT,GAAG,EAAE,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;oBAC9D,IAAI,EAAE,OAAO,CAAC,IAA0B;oBACxC,KAAK,EAAE,OAAO,CAAC,KAA2B;oBAC1C,KAAK;oBACL,MAAM,EAAE,OAAO;oBACf,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,GAAG;oBACb,SAAS,EAAE,GAAG;iBACd;aACD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,OAAO;gBACN,aAAa,EAAE,KAAK;gBACpB,KAAK,EAAE,8BAA8B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;gBACvF,UAAU,EAAE,GAAG;aACf,CAAC;QACH,CAAC;IACF,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,KAAa;QAChC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,2BAA2B;QAC3B,MAAM,iBAAiB,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;aAChE,MAAM,CAAC,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;aACpC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEtB,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;
QAC/D,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,WAAW,CAAC,CAAC;QAEnE,IAAI,eAAe,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAClE,IAAI,CAAC,eAAe,CAAC,eAAe,EAAE,cAAc,CAAC;YAAE,OAAO,IAAI,CAAC;QAEnE,iBAAiB;QACjB,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YACnF,OAAO,OAAO,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;CACD;AA6BD;;GAEG;AACH,MAAM,OAAO,kBAAkB;IACrB,IAAI,GAAG,SAAS,CAAC;IAClB,MAAM,CAA2B;IAEzC,YAAY,MAAgC;QAC3C,IAAI,CAAC,MAAM,GAAG;YACb,UAAU,EAAE,WAAW;YACvB,UAAU,EAAE,SAAS;YACrB,GAAG,MAAM;SACT,CAAC;QACF,oCAAoC,EAAE,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,OAAoB;QACtC,mBAAmB;QACnB,IAAI,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,WAAW,CAAC,CAAC;QACpE,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAE9C,uBAAuB;QACvB,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,SAAS,CAAC,CAAC;YAClE,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC;gBAAE,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;YACpD,MAAM,GAAG,QAAQ,CAAC;QACnB,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC;QAC/D,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAChD,IAAI,IAAI,EAAE,CAAC;gBACV,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YACvC,CAAC;YACD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QAC5E,CAAC;QAED,oBAAoB;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACX,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QAC5E,CAAC;QAED,OAAO,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;IAEO,WAAW,CAAC,GAAW,EAAE,IAAgB;QAChD,eAAe;QACf,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YACtE,OAAO,
EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;QAC5E,CAAC;QAED,OAAO;YACN,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE;gBACT,GAAG,EAAE,IAAI,CAAC,IAAI;gBACd,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;gBAC3B,QAAQ,EAAE,SAAS;gBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;aACzB;SACD,CAAC;IACH,CAAC;CACD"}
|
|
@@ -1,206 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Encryption at Rest for Blok Framework
|
|
3
|
-
*
|
|
4
|
-
* Provides AES-256-GCM encryption and decryption for data at rest:
|
|
5
|
-
* - Symmetric encryption using AES-256-GCM (authenticated encryption)
|
|
6
|
-
* - Key derivation via PBKDF2 with configurable iterations and salt length
|
|
7
|
-
* - JSON object encryption/decryption with type safety
|
|
8
|
-
* - Key rotation support for seamless secret re-keying
|
|
9
|
-
*
|
|
10
|
-
* @example
|
|
11
|
-
* ```typescript
|
|
12
|
-
* import { EncryptionAtRest } from "@blokjs/runner";
|
|
13
|
-
*
|
|
14
|
-
* const encryption = new EncryptionAtRest({
|
|
15
|
-
* algorithm: "aes-256-gcm",
|
|
16
|
-
* keyDerivation: { iterations: 100_000, saltLength: 16, digest: "sha512" },
|
|
17
|
-
* encoding: "base64",
|
|
18
|
-
* });
|
|
19
|
-
*
|
|
20
|
-
* // Encrypt a string
|
|
21
|
-
* const payload = encryption.encrypt("sensitive data", "my-secret-key");
|
|
22
|
-
*
|
|
23
|
-
* // Decrypt it back
|
|
24
|
-
* const plaintext = encryption.decrypt(payload, "my-secret-key");
|
|
25
|
-
*
|
|
26
|
-
* // Encrypt/decrypt JSON objects
|
|
27
|
-
* const encrypted = encryption.encryptObject({ userId: 42, email: "a@b.com" }, "key");
|
|
28
|
-
* const obj = encryption.decryptObject<{ userId: number; email: string }>(encrypted, "key");
|
|
29
|
-
*
|
|
30
|
-
* // Rotate encryption key
|
|
31
|
-
* const reEncrypted = encryption.rotateKey(encrypted, "old-key", "new-key");
|
|
32
|
-
* ```
|
|
33
|
-
*/
|
|
34
|
-
/**
|
|
35
|
-
* Encrypted payload containing all data needed for decryption.
|
|
36
|
-
*
|
|
37
|
-
* This is a self-describing structure: it includes the algorithm and
|
|
38
|
-
* initialization vector so that the correct decryption parameters can be
|
|
39
|
-
* reconstructed without external metadata.
|
|
40
|
-
*/
|
|
41
|
-
export interface EncryptedPayload {
|
|
42
|
-
/** Base64- or hex-encoded initialization vector */
|
|
43
|
-
iv: string;
|
|
44
|
-
/** Base64- or hex-encoded ciphertext */
|
|
45
|
-
ciphertext: string;
|
|
46
|
-
/** Base64- or hex-encoded GCM authentication tag */
|
|
47
|
-
tag: string;
|
|
48
|
-
/** Algorithm used for encryption (e.g. "aes-256-gcm") */
|
|
49
|
-
algorithm: string;
|
|
50
|
-
/** Optional identifier for the key that was used */
|
|
51
|
-
keyId?: string;
|
|
52
|
-
}
|
|
53
|
-
/**
|
|
54
|
-
* PBKDF2 key derivation settings.
|
|
55
|
-
*/
|
|
56
|
-
export interface KeyDerivationConfig {
|
|
57
|
-
/** Number of PBKDF2 iterations (recommended >= 100 000) */
|
|
58
|
-
iterations: number;
|
|
59
|
-
/** Length of the random salt in bytes (default 16) */
|
|
60
|
-
saltLength: number;
|
|
61
|
-
/** Hash digest algorithm (default "sha512") */
|
|
62
|
-
digest: string;
|
|
63
|
-
}
|
|
64
|
-
/**
|
|
65
|
-
* Configuration for the {@link EncryptionAtRest} class.
|
|
66
|
-
*/
|
|
67
|
-
export interface EncryptionConfig {
|
|
68
|
-
/**
|
|
69
|
-
* Cipher algorithm to use.
|
|
70
|
-
* @default "aes-256-gcm"
|
|
71
|
-
*/
|
|
72
|
-
algorithm?: string;
|
|
73
|
-
/**
|
|
74
|
-
* PBKDF2 key derivation settings.
|
|
75
|
-
* @default { iterations: 100_000, saltLength: 16, digest: "sha512" }
|
|
76
|
-
*/
|
|
77
|
-
keyDerivation?: Partial<KeyDerivationConfig>;
|
|
78
|
-
/**
|
|
79
|
-
* Output encoding for binary values in {@link EncryptedPayload}.
|
|
80
|
-
* @default "base64"
|
|
81
|
-
*/
|
|
82
|
-
encoding?: BufferEncoding;
|
|
83
|
-
}
|
|
84
|
-
/**
|
|
85
|
-
* Provides AES-256-GCM encryption and decryption for data at rest.
|
|
86
|
-
*
|
|
87
|
-
* All encrypted payloads are self-describing: they embed the IV, auth tag,
|
|
88
|
-
* and algorithm so that decryption does not require out-of-band metadata.
|
|
89
|
-
*
|
|
90
|
-
* Keys are derived from a passphrase via PBKDF2 with a per-encryption random
|
|
91
|
-
* salt. The salt is prepended to the ciphertext so it can be recovered
|
|
92
|
-
* during decryption.
|
|
93
|
-
*
|
|
94
|
-
* @example
|
|
95
|
-
* ```typescript
|
|
96
|
-
* const enc = new EncryptionAtRest();
|
|
97
|
-
* const payload = enc.encrypt("hello", "passphrase");
|
|
98
|
-
* const plain = enc.decrypt(payload, "passphrase");
|
|
99
|
-
* console.log(plain); // "hello"
|
|
100
|
-
* ```
|
|
101
|
-
*/
|
|
102
|
-
export declare class EncryptionAtRest {
|
|
103
|
-
private readonly algorithm;
|
|
104
|
-
private readonly keyDerivation;
|
|
105
|
-
private readonly encoding;
|
|
106
|
-
/**
|
|
107
|
-
* Create a new EncryptionAtRest instance.
|
|
108
|
-
*
|
|
109
|
-
* @param config - Optional configuration overrides
|
|
110
|
-
*/
|
|
111
|
-
constructor(config?: EncryptionConfig);
|
|
112
|
-
/**
|
|
113
|
-
* Encrypt a plaintext string using AES-256-GCM.
|
|
114
|
-
*
|
|
115
|
-
* A fresh random IV and PBKDF2 salt are generated for every call, meaning
|
|
116
|
-
* encrypting the same plaintext twice with the same key will produce
|
|
117
|
-
* different ciphertexts.
|
|
118
|
-
*
|
|
119
|
-
* @param plaintext - The string to encrypt
|
|
120
|
-
* @param key - Passphrase from which the encryption key is derived
|
|
121
|
-
* @returns An {@link EncryptedPayload} containing everything needed for decryption
|
|
122
|
-
*
|
|
123
|
-
* @example
|
|
124
|
-
* ```typescript
|
|
125
|
-
* const payload = encryption.encrypt("my secret", "passphrase");
|
|
126
|
-
* // payload.ciphertext, payload.iv, payload.tag are all present
|
|
127
|
-
* ```
|
|
128
|
-
*/
|
|
129
|
-
encrypt(plaintext: string, key: string): EncryptedPayload;
|
|
130
|
-
/**
|
|
131
|
-
* Decrypt an {@link EncryptedPayload} back to the original plaintext.
|
|
132
|
-
*
|
|
133
|
-
* @param payload - The encrypted payload produced by {@link encrypt}
|
|
134
|
-
* @param key - The same passphrase that was used for encryption
|
|
135
|
-
* @returns The original plaintext string
|
|
136
|
-
* @throws {Error} If the key is wrong or the payload has been tampered with
|
|
137
|
-
*
|
|
138
|
-
* @example
|
|
139
|
-
* ```typescript
|
|
140
|
-
* const plaintext = encryption.decrypt(payload, "passphrase");
|
|
141
|
-
* ```
|
|
142
|
-
*/
|
|
143
|
-
decrypt(payload: EncryptedPayload, key: string): string;
|
|
144
|
-
/**
|
|
145
|
-
* Encrypt a JSON-serializable object.
|
|
146
|
-
*
|
|
147
|
-
* The object is serialized to JSON and then encrypted. The result is a
|
|
148
|
-
* single Base64/hex string that encodes the full {@link EncryptedPayload}
|
|
149
|
-
* as JSON.
|
|
150
|
-
*
|
|
151
|
-
* @typeParam T - Type of the object being encrypted
|
|
152
|
-
* @param obj - The object to encrypt
|
|
153
|
-
* @param key - Passphrase from which the encryption key is derived
|
|
154
|
-
* @returns A single encoded string representing the encrypted object
|
|
155
|
-
*
|
|
156
|
-
* @example
|
|
157
|
-
* ```typescript
|
|
158
|
-
* const token = encryption.encryptObject({ userId: 1 }, "key");
|
|
159
|
-
* ```
|
|
160
|
-
*/
|
|
161
|
-
encryptObject<T>(obj: T, key: string): string;
|
|
162
|
-
/**
|
|
163
|
-
* Decrypt a string produced by {@link encryptObject} back to the original
|
|
164
|
-
* typed object.
|
|
165
|
-
*
|
|
166
|
-
* @typeParam T - Expected type of the decrypted object
|
|
167
|
-
* @param ciphertext - The encoded string produced by {@link encryptObject}
|
|
168
|
-
* @param key - The same passphrase that was used for encryption
|
|
169
|
-
* @returns The original object
|
|
170
|
-
* @throws {Error} If decryption or JSON parsing fails
|
|
171
|
-
*
|
|
172
|
-
* @example
|
|
173
|
-
* ```typescript
|
|
174
|
-
* const obj = encryption.decryptObject<{ userId: number }>(token, "key");
|
|
175
|
-
* console.log(obj.userId); // 1
|
|
176
|
-
* ```
|
|
177
|
-
*/
|
|
178
|
-
decryptObject<T>(ciphertext: string, key: string): T;
|
|
179
|
-
/**
|
|
180
|
-
* Re-encrypt data with a new key (key rotation).
|
|
181
|
-
*
|
|
182
|
-
* This is a convenience method that decrypts with the old key and
|
|
183
|
-
* re-encrypts with the new key in a single call. It works with the
|
|
184
|
-
* encoded strings produced by {@link encryptObject}.
|
|
185
|
-
*
|
|
186
|
-
* @param data - The encoded ciphertext string to re-encrypt
|
|
187
|
-
* @param oldKey - The current passphrase
|
|
188
|
-
* @param newKey - The new passphrase to encrypt with
|
|
189
|
-
* @returns A new encoded ciphertext string encrypted under the new key
|
|
190
|
-
*
|
|
191
|
-
* @example
|
|
192
|
-
* ```typescript
|
|
193
|
-
* const rotated = encryption.rotateKey(existingCiphertext, "old-pass", "new-pass");
|
|
194
|
-
* ```
|
|
195
|
-
*/
|
|
196
|
-
rotateKey(data: string, oldKey: string, newKey: string): string;
|
|
197
|
-
/**
|
|
198
|
-
* Derive a fixed-length encryption key from a passphrase and salt using
|
|
199
|
-
* PBKDF2.
|
|
200
|
-
*
|
|
201
|
-
* @param passphrase - The user-supplied passphrase
|
|
202
|
-
* @param salt - Random salt bytes
|
|
203
|
-
* @returns A Buffer of {@link KEY_LENGTH_BYTES} bytes
|
|
204
|
-
*/
|
|
205
|
-
private deriveKey;
|
|
206
|
-
}
|