@dainprotocol/oauth2-token-manager 0.3.0 → 0.3.1

package/README.md

@@ -11,6 +11,7 @@ A simple OAuth2 token management library for Node.js. Store and manage OAuth2 to
 - [API Reference](#-api-reference)
 - [Storage Adapters](#-storage-adapters)
 - [Examples](#-examples)
+- [Security](#-security)
 
 ## 🚀 Features
 
@@ -20,6 +21,7 @@ A simple OAuth2 token management library for Node.js. Store and manage OAuth2 to
 - **Profile Fetching**: Get user profiles during OAuth callback
 - **Custom Profile Fetchers**: Register custom profile fetchers per storage instance
 - **Pluggable Storage**: In-memory, PostgreSQL, Drizzle, or custom adapters
+- **Token Encryption**: AES-256-CBC encryption for tokens at rest (CASA compliant)
 - **Type Safe**: Full TypeScript support
 
 ## 📦 Installation
@@ -93,6 +95,7 @@ const accessToken = await oauth.getAccessToken('google', 'user@example.com');
 2. **Automatic override**: Saving a token with same provider + email replaces the old one
 3. **Auto refresh**: Expired tokens refresh automatically when you request them
 4. **Simple storage**: Just provider (string), userId (string), and email (string)
+5. **Encrypted tokens**: Access and refresh tokens are encrypted at rest using AES-256-CBC
 
 ## 📚 API Reference
 
@@ -502,6 +505,49 @@ const accessToken = await oauth.getAccessToken('customApi', 'user@example.com');
 
 See [Custom Token Paths Guide](./CUSTOM_TOKEN_PATHS.md) for more examples.
 
+### Token Encryption
+
+All storage adapters support AES-256-CBC encryption for tokens at rest:
+
+```typescript
+// In-Memory with encryption
+import { InMemoryStorageAdapter } from '@dainprotocol/oauth2-token-manager';
+
+const storage = new InMemoryStorageAdapter({
+  encryptionKey: process.env.TOKEN_ENCRYPTION_KEY, // Min 32 characters
+});
+
+// PostgreSQL with encryption
+import { PostgresStorageFactory } from '@dainprotocol/oauth2-storage-postgres';
+
+const storage = await PostgresStorageFactory.create({
+  host: 'localhost',
+  port: 5432,
+  username: 'user',
+  password: 'password',
+  database: 'oauth_tokens',
+  encryption: {
+    encryptionKey: process.env.TOKEN_ENCRYPTION_KEY,
+  },
+});
+
+// Drizzle with encryption
+import { DrizzleStorageAdapter } from '@dainprotocol/oauth2-storage-drizzle';
+
+const storage = await DrizzleStorageAdapter.create(db, {
+  dialect: 'postgres',
+  encryption: {
+    encryptionKey: process.env.TOKEN_ENCRYPTION_KEY,
+  },
+});
+```
+
+Generate a secure encryption key:
+
+```bash
+openssl rand -base64 32
+```
+
 ### Custom Profile Fetcher Example
 
 ```typescript
@@ -562,6 +608,28 @@ const testStorage = await DrizzleStorageAdapter.create(testDb, {
 });
 ```
 
+## 🔒 Security
+
+### Encryption Specification
+
+| Specification  | Implementation |
+| -------------- | -------------- |
+| Algorithm      | AES-256-CBC    |
+| Key Derivation | PBKDF2         |
+| Integrity      | HMAC signature |
+| Min Key Length | 32 characters  |
+
+### What Gets Encrypted
+
+- `accessToken` - Always encrypted
+- `refreshToken` - Always encrypted (when present)
+
+### CASA Compliance
+
+This library meets Google CASA (Cloud Application Security Assessment) requirements for token storage. For CASA submissions:
+
+> OAuth tokens (access_token, refresh_token) are encrypted at rest using AES-256-CBC symmetric encryption with PBKDF2 key derivation via the iron-session library, which includes HMAC integrity verification.
+
 ## 📄 License
 
 MIT © Dain Protocol

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dainprotocol/oauth2-token-manager",
-  "version": "0.3.0",
+  "version": "0.3.1",
   "description": "A scalable OAuth2 token management library with multi-system support",
   "keywords": [
     "oauth2",