npm - @digitaldefiance/node-express-suite - Versions diffs - 1.0.21 → 1.0.23 - Mend

@digitaldefiance/node-express-suite 1.0.21 → 1.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (633) hide show

package/README.md +9 -0
package/package.json +27 -32
package/src/application-base.ts +492 -0
package/src/application.ts +254 -0
package/src/backup-code.ts +336 -0
package/src/constants.ts +69 -0
package/src/controllers/base.ts +440 -0
package/{dist/controllers/index.d.ts → src/controllers/index.ts} +0 -1
package/src/controllers/user.ts +1451 -0
package/src/decorators/base-controller.ts +61 -0
package/src/decorators/controller.ts +109 -0
package/{dist/decorators/index.d.ts → src/decorators/index.ts} +0 -1
package/src/decorators/zod-validation.ts +57 -0
package/src/defaults.ts +94 -0
package/src/documents/base.ts +7 -0
package/src/documents/email-token.ts +14 -0
package/{dist/documents/index.d.ts → src/documents/index.ts} +0 -1
package/{dist/documents/mnemonic.d.ts → src/documents/mnemonic.ts} +5 -2
package/{dist/documents/role.d.ts → src/documents/role.ts} +5 -2
package/src/documents/used-direct-login-token.ts +7 -0
package/{dist/documents/user-role.d.ts → src/documents/user-role.ts} +5 -2
package/{dist/documents/user.d.ts → src/documents/user.ts} +4 -2
package/src/enumerations/base-model-name.ts +41 -0
package/{dist/enumerations/index.d.ts → src/enumerations/index.ts} +0 -1
package/src/enumerations/length-encoding-type.ts +6 -0
package/src/enumerations/schema-collection.ts +33 -0
package/src/enumerations/symmetric-error-type.ts +4 -0
package/src/environment.ts +770 -0
package/src/errors/express-validation.ts +21 -0
package/{dist/errors/index.d.ts → src/errors/index.ts} +0 -1
package/src/errors/invalid-backup-code-version.ts +14 -0
package/src/errors/invalid-jwt-token.ts +10 -0
package/src/errors/invalid-model.ts +11 -0
package/src/errors/invalid-new-password.ts +18 -0
package/src/errors/invalid-password.ts +13 -0
package/src/errors/missing-validated-data.ts +36 -0
package/src/errors/mnemonic-or-password-required.ts +12 -0
package/src/errors/model-not-registered.ts +11 -0
package/src/errors/mongoose-validation.ts +34 -0
package/src/errors/symmetric.ts +41 -0
package/src/errors/token-expired.ts +10 -0
package/src/get-language.ts +53 -0
package/src/get-timezone.ts +45 -0
package/{dist/index.d.ts → src/index.ts} +3 -2
package/{dist/interfaces/api-error-response.d.ts → src/interfaces/api-error-response.ts} +2 -2
package/src/interfaces/api-express-validation-error-response.ts +8 -0
package/src/interfaces/api-message-response.ts +3 -0
package/{dist/interfaces/api-mongo-validation-error-response.d.ts → src/interfaces/api-mongo-validation-error-response.ts} +2 -2
package/{dist/interfaces/api-responses/backup-codes-response.d.ts → src/interfaces/api-responses/backup-codes-response.ts} +2 -2
package/{dist/interfaces/api-responses/challenge-response.d.ts → src/interfaces/api-responses/challenge-response.ts} +3 -3
package/{dist/interfaces/api-responses/code-count-response.d.ts → src/interfaces/api-responses/code-count-response.ts} +2 -2
package/{dist/interfaces/api-responses/index.d.ts → src/interfaces/api-responses/index.ts} +0 -1
package/{dist/interfaces/api-responses/login-response.d.ts → src/interfaces/api-responses/login-response.ts} +4 -4
package/{dist/interfaces/api-responses/mnemonic-response.d.ts → src/interfaces/api-responses/mnemonic-response.ts} +2 -2
package/{dist/interfaces/api-responses/registration-response.d.ts → src/interfaces/api-responses/registration-response.ts} +3 -3
package/{dist/interfaces/api-responses/request-user-response.d.ts → src/interfaces/api-responses/request-user-response.ts} +2 -2
package/{dist/interfaces/application.d.ts → src/interfaces/application.ts} +7 -7
package/src/interfaces/backend-objects/email-token.ts +11 -0
package/{dist/interfaces/backend-objects/index.d.ts → src/interfaces/backend-objects/index.ts} +0 -1
package/{dist/interfaces/backend-objects/request-user.d.ts → src/interfaces/backend-objects/request-user.ts} +7 -2
package/{dist/interfaces/backend-objects/role.d.ts → src/interfaces/backend-objects/role.ts} +1 -1
package/src/interfaces/backend-objects/user.ts +9 -0
package/src/interfaces/checksum-config.ts +4 -0
package/src/interfaces/checksum-consts.ts +13 -0
package/{dist/interfaces/constants.d.ts → src/interfaces/constants.ts} +5 -5
package/src/interfaces/create-user-basics.ts +17 -0
package/src/interfaces/csp-config.ts +35 -0
package/src/interfaces/deep-partial.ts +3 -0
package/{dist/interfaces/discriminator-collections.d.ts → src/interfaces/discriminator-collections.ts} +3 -3
package/src/interfaces/email-service.ts +8 -0
package/src/interfaces/environment-mongo.ts +76 -0
package/src/interfaces/environment.ts +181 -0
package/src/interfaces/failable-result.ts +6 -0
package/src/interfaces/fec-consts.ts +4 -0
package/src/interfaces/handleable-error-options.ts +6 -0
package/{dist/interfaces/index.d.ts → src/interfaces/index.ts} +0 -1
package/src/interfaces/jwt-consts.ts +23 -0
package/src/interfaces/jwt-sign-response.ts +19 -0
package/src/interfaces/mongo-errors.ts +5 -0
package/src/interfaces/request-user.ts +50 -0
package/src/interfaces/required-string-keys.ts +26 -0
package/src/interfaces/schema.ts +31 -0
package/src/interfaces/server-init-result.ts +37 -0
package/src/interfaces/status-code-response.ts +7 -0
package/src/interfaces/symmetric-encryption-results.d.ts +5 -0
package/src/interfaces/symmetric-encryption-results.d.ts.map +1 -0
package/src/interfaces/symmetric-encryption-results.js.map +1 -0
package/src/interfaces/symmetric-encryption-results.ts +4 -0
package/{dist/interfaces/token-response.d.ts → src/interfaces/token-response.ts} +2 -2
package/src/middlewares/authenticate-crypto.ts +243 -0
package/src/middlewares/authenticate-token.ts +152 -0
package/src/middlewares/cleanup-crypto.ts +40 -0
package/{dist/middlewares/index.d.ts → src/middlewares/index.ts} +0 -1
package/src/middlewares/set-global-context-language.ts +24 -0
package/src/middlewares.ts +120 -0
package/src/model-registry.ts +75 -0
package/src/models/email-token.ts +19 -0
package/{dist/models/index.d.ts → src/models/index.ts} +0 -1
package/src/models/mnemonic.ts +19 -0
package/src/models/role.ts +19 -0
package/src/models/used-direct-login-token.ts +23 -0
package/src/models/user-role.ts +17 -0
package/src/models/user.ts +19 -0
package/src/registry/email-service-registry.ts +24 -0
package/{dist/registry/index.d.ts → src/registry/index.ts} +0 -1
package/src/routers/api.ts +151 -0
package/src/routers/app.ts +258 -0
package/src/routers/base.ts +17 -0
package/{dist/routers/index.d.ts → src/routers/index.ts} +0 -1
package/src/schemas/email-token.ts +91 -0
package/{dist/schemas/index.d.ts → src/schemas/index.ts} +1 -2
package/src/schemas/mnemonic.ts +37 -0
package/src/schemas/role.ts +127 -0
package/src/schemas/schema.ts +140 -0
package/src/schemas/used-direct-login-token.ts +38 -0
package/src/schemas/user-role.ts +75 -0
package/src/schemas/user.ts +202 -0
package/src/services/backup-code.ts +316 -0
package/src/services/base.ts +33 -0
package/src/services/checksum.ts +161 -0
package/src/services/crc.ts +213 -0
package/src/services/database-initialization.ts +1479 -0
package/src/services/db-init-cache.d.ts +16 -0
package/src/services/direct-login-token.ts +62 -0
package/src/services/fec-usage-example.ts +102 -0
package/src/services/fec.ts +296 -0
package/{dist/services/index.d.ts → src/services/index.ts} +0 -1
package/src/services/jwt.ts +134 -0
package/src/services/key-wrapping.ts +434 -0
package/src/services/mnemonic.ts +167 -0
package/src/services/request-user.ts +62 -0
package/src/services/role.ts +396 -0
package/src/services/symmetric.ts +139 -0
package/src/services/system-user.ts +82 -0
package/src/services/user.ts +2137 -0
package/src/services/xor.ts +34 -0
package/src/types.d.ts +44 -0
package/src/types.ts +128 -0
package/src/utils.ts +1022 -0
package/dist/application-base.d.ts +0 -112
package/dist/application-base.d.ts.map +0 -1
package/dist/application-base.js +0 -301
package/dist/application-base.js.map +0 -1
package/dist/application.d.ts +0 -23
package/dist/application.d.ts.map +0 -1
package/dist/application.js +0 -126
package/dist/application.js.map +0 -1
package/dist/backup-code.d.ts +0 -67
package/dist/backup-code.d.ts.map +0 -1
package/dist/backup-code.js +0 -270
package/dist/backup-code.js.map +0 -1
package/dist/constants.d.ts +0 -16
package/dist/constants.d.ts.map +0 -1
package/dist/constants.js +0 -54
package/dist/constants.js.map +0 -1
package/dist/controllers/base.d.ts +0 -63
package/dist/controllers/base.d.ts.map +0 -1
package/dist/controllers/base.js +0 -269
package/dist/controllers/base.js.map +0 -1
package/dist/controllers/index.d.ts.map +0 -1
package/dist/controllers/index.js +0 -19
package/dist/controllers/index.js.map +0 -1
package/dist/controllers/user.d.ts +0 -45
package/dist/controllers/user.d.ts.map +0 -1
package/dist/controllers/user.js +0 -750
package/dist/controllers/user.js.map +0 -1
package/dist/decorators/base-controller.d.ts +0 -14
package/dist/decorators/base-controller.d.ts.map +0 -1
package/dist/decorators/base-controller.js +0 -49
package/dist/decorators/base-controller.js.map +0 -1
package/dist/decorators/controller.d.ts +0 -32
package/dist/decorators/controller.d.ts.map +0 -1
package/dist/decorators/controller.js +0 -67
package/dist/decorators/controller.js.map +0 -1
package/dist/decorators/index.d.ts.map +0 -1
package/dist/decorators/index.js +0 -20
package/dist/decorators/index.js.map +0 -1
package/dist/decorators/zod-validation.d.ts +0 -5
package/dist/decorators/zod-validation.d.ts.map +0 -1
package/dist/decorators/zod-validation.js +0 -47
package/dist/decorators/zod-validation.js.map +0 -1
package/dist/defaults.d.ts +0 -7
package/dist/defaults.d.ts.map +0 -1
package/dist/defaults.js +0 -83
package/dist/defaults.js.map +0 -1
package/dist/documents/base.d.ts +0 -3
package/dist/documents/base.d.ts.map +0 -1
package/dist/documents/base.js +0 -3
package/dist/documents/base.js.map +0 -1
package/dist/documents/email-token.d.ts +0 -8
package/dist/documents/email-token.d.ts.map +0 -1
package/dist/documents/email-token.js +0 -3
package/dist/documents/email-token.js.map +0 -1
package/dist/documents/index.d.ts.map +0 -1
package/dist/documents/index.js +0 -3
package/dist/documents/index.js.map +0 -1
package/dist/documents/mnemonic.d.ts.map +0 -1
package/dist/documents/mnemonic.js +0 -3
package/dist/documents/mnemonic.js.map +0 -1
package/dist/documents/role.d.ts.map +0 -1
package/dist/documents/role.js +0 -3
package/dist/documents/role.js.map +0 -1
package/dist/documents/used-direct-login-token.d.ts +0 -5
package/dist/documents/used-direct-login-token.d.ts.map +0 -1
package/dist/documents/used-direct-login-token.js +0 -3
package/dist/documents/used-direct-login-token.js.map +0 -1
package/dist/documents/user-role.d.ts.map +0 -1
package/dist/documents/user-role.js +0 -3
package/dist/documents/user-role.js.map +0 -1
package/dist/documents/user.d.ts.map +0 -1
package/dist/documents/user.js +0 -3
package/dist/documents/user.js.map +0 -1
package/dist/enumerations/base-model-name.d.ts +0 -38
package/dist/enumerations/base-model-name.d.ts.map +0 -1
package/dist/enumerations/base-model-name.js +0 -34
package/dist/enumerations/base-model-name.js.map +0 -1
package/dist/enumerations/index.d.ts.map +0 -1
package/dist/enumerations/index.js +0 -21
package/dist/enumerations/index.js.map +0 -1
package/dist/enumerations/length-encoding-type.d.ts +0 -7
package/dist/enumerations/length-encoding-type.d.ts.map +0 -1
package/dist/enumerations/length-encoding-type.js +0 -11
package/dist/enumerations/length-encoding-type.js.map +0 -1
package/dist/enumerations/schema-collection.d.ts +0 -34
package/dist/enumerations/schema-collection.d.ts.map +0 -1
package/dist/enumerations/schema-collection.js +0 -38
package/dist/enumerations/schema-collection.js.map +0 -1
package/dist/enumerations/symmetric-error-type.d.ts +0 -5
package/dist/enumerations/symmetric-error-type.d.ts.map +0 -1
package/dist/enumerations/symmetric-error-type.js +0 -9
package/dist/enumerations/symmetric-error-type.js.map +0 -1
package/dist/environment.d.ts +0 -189
package/dist/environment.d.ts.map +0 -1
package/dist/environment.js +0 -618
package/dist/environment.js.map +0 -1
package/dist/errors/express-validation.d.ts +0 -9
package/dist/errors/express-validation.d.ts.map +0 -1
package/dist/errors/express-validation.js +0 -17
package/dist/errors/express-validation.js.map +0 -1
package/dist/errors/index.d.ts.map +0 -1
package/dist/errors/index.js +0 -29
package/dist/errors/index.js.map +0 -1
package/dist/errors/invalid-backup-code-version.d.ts +0 -6
package/dist/errors/invalid-backup-code-version.d.ts.map +0 -1
package/dist/errors/invalid-backup-code-version.js +0 -14
package/dist/errors/invalid-backup-code-version.js.map +0 -1
package/dist/errors/invalid-jwt-token.d.ts +0 -5
package/dist/errors/invalid-jwt-token.d.ts.map +0 -1
package/dist/errors/invalid-jwt-token.js +0 -11
package/dist/errors/invalid-jwt-token.js.map +0 -1
package/dist/errors/invalid-model.d.ts +0 -6
package/dist/errors/invalid-model.d.ts.map +0 -1
package/dist/errors/invalid-model.js +0 -13
package/dist/errors/invalid-model.js.map +0 -1
package/dist/errors/invalid-new-password.d.ts +0 -5
package/dist/errors/invalid-new-password.d.ts.map +0 -1
package/dist/errors/invalid-new-password.js +0 -14
package/dist/errors/invalid-new-password.js.map +0 -1
package/dist/errors/invalid-password.d.ts +0 -5
package/dist/errors/invalid-password.d.ts.map +0 -1
package/dist/errors/invalid-password.js +0 -14
package/dist/errors/invalid-password.js.map +0 -1
package/dist/errors/missing-validated-data.d.ts +0 -7
package/dist/errors/missing-validated-data.d.ts.map +0 -1
package/dist/errors/missing-validated-data.js +0 -34
package/dist/errors/missing-validated-data.js.map +0 -1
package/dist/errors/mnemonic-or-password-required.d.ts +0 -5
package/dist/errors/mnemonic-or-password-required.d.ts.map +0 -1
package/dist/errors/mnemonic-or-password-required.js +0 -13
package/dist/errors/mnemonic-or-password-required.js.map +0 -1
package/dist/errors/model-not-registered.d.ts +0 -5
package/dist/errors/model-not-registered.d.ts.map +0 -1
package/dist/errors/model-not-registered.js +0 -12
package/dist/errors/model-not-registered.js.map +0 -1
package/dist/errors/mongoose-validation.d.ts +0 -11
package/dist/errors/mongoose-validation.d.ts.map +0 -1
package/dist/errors/mongoose-validation.js +0 -16
package/dist/errors/mongoose-validation.js.map +0 -1
package/dist/errors/symmetric.d.ts +0 -8
package/dist/errors/symmetric.d.ts.map +0 -1
package/dist/errors/symmetric.js +0 -23
package/dist/errors/symmetric.js.map +0 -1
package/dist/errors/token-expired.d.ts +0 -5
package/dist/errors/token-expired.d.ts.map +0 -1
package/dist/errors/token-expired.js +0 -11
package/dist/errors/token-expired.js.map +0 -1
package/dist/get-language.d.ts +0 -2
package/dist/get-language.d.ts.map +0 -1
package/dist/get-language.js +0 -30
package/dist/get-language.js.map +0 -1
package/dist/get-timezone.d.ts +0 -3
package/dist/get-timezone.d.ts.map +0 -1
package/dist/get-timezone.js +0 -31
package/dist/get-timezone.js.map +0 -1
package/dist/index.d.ts.map +0 -1
package/dist/index.js +0 -40
package/dist/index.js.map +0 -1
package/dist/interfaces/api-error-response.d.ts.map +0 -1
package/dist/interfaces/api-error-response.js +0 -3
package/dist/interfaces/api-error-response.js.map +0 -1
package/dist/interfaces/api-express-validation-error-response.d.ts +0 -7
package/dist/interfaces/api-express-validation-error-response.d.ts.map +0 -1
package/dist/interfaces/api-express-validation-error-response.js +0 -3
package/dist/interfaces/api-express-validation-error-response.js.map +0 -1
package/dist/interfaces/api-message-response.d.ts +0 -4
package/dist/interfaces/api-message-response.d.ts.map +0 -1
package/dist/interfaces/api-message-response.js +0 -3
package/dist/interfaces/api-message-response.js.map +0 -1
package/dist/interfaces/api-mongo-validation-error-response.d.ts.map +0 -1
package/dist/interfaces/api-mongo-validation-error-response.js +0 -3
package/dist/interfaces/api-mongo-validation-error-response.js.map +0 -1
package/dist/interfaces/api-responses/backup-codes-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/backup-codes-response.js +0 -3
package/dist/interfaces/api-responses/backup-codes-response.js.map +0 -1
package/dist/interfaces/api-responses/challenge-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/challenge-response.js +0 -3
package/dist/interfaces/api-responses/challenge-response.js.map +0 -1
package/dist/interfaces/api-responses/code-count-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/code-count-response.js +0 -3
package/dist/interfaces/api-responses/code-count-response.js.map +0 -1
package/dist/interfaces/api-responses/index.d.ts.map +0 -1
package/dist/interfaces/api-responses/index.js +0 -24
package/dist/interfaces/api-responses/index.js.map +0 -1
package/dist/interfaces/api-responses/login-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/login-response.js +0 -3
package/dist/interfaces/api-responses/login-response.js.map +0 -1
package/dist/interfaces/api-responses/mnemonic-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/mnemonic-response.js +0 -3
package/dist/interfaces/api-responses/mnemonic-response.js.map +0 -1
package/dist/interfaces/api-responses/registration-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/registration-response.js +0 -3
package/dist/interfaces/api-responses/registration-response.js.map +0 -1
package/dist/interfaces/api-responses/request-user-response.d.ts.map +0 -1
package/dist/interfaces/api-responses/request-user-response.js +0 -3
package/dist/interfaces/api-responses/request-user-response.js.map +0 -1
package/dist/interfaces/application.d.ts.map +0 -1
package/dist/interfaces/application.js +0 -3
package/dist/interfaces/application.js.map +0 -1
package/dist/interfaces/backend-objects/email-token.d.ts +0 -4
package/dist/interfaces/backend-objects/email-token.d.ts.map +0 -1
package/dist/interfaces/backend-objects/email-token.js +0 -3
package/dist/interfaces/backend-objects/email-token.js.map +0 -1
package/dist/interfaces/backend-objects/index.d.ts.map +0 -1
package/dist/interfaces/backend-objects/index.js +0 -21
package/dist/interfaces/backend-objects/index.js.map +0 -1
package/dist/interfaces/backend-objects/request-user.d.ts.map +0 -1
package/dist/interfaces/backend-objects/request-user.js +0 -3
package/dist/interfaces/backend-objects/request-user.js.map +0 -1
package/dist/interfaces/backend-objects/role.d.ts.map +0 -1
package/dist/interfaces/backend-objects/role.js +0 -3
package/dist/interfaces/backend-objects/role.js.map +0 -1
package/dist/interfaces/backend-objects/user.d.ts +0 -4
package/dist/interfaces/backend-objects/user.d.ts.map +0 -1
package/dist/interfaces/backend-objects/user.js +0 -3
package/dist/interfaces/backend-objects/user.js.map +0 -1
package/dist/interfaces/checksum-config.d.ts +0 -5
package/dist/interfaces/checksum-config.d.ts.map +0 -1
package/dist/interfaces/checksum-config.js +0 -3
package/dist/interfaces/checksum-config.js.map +0 -1
package/dist/interfaces/checksum-consts.d.ts +0 -11
package/dist/interfaces/checksum-consts.d.ts.map +0 -1
package/dist/interfaces/checksum-consts.js +0 -3
package/dist/interfaces/checksum-consts.js.map +0 -1
package/dist/interfaces/constants.d.ts.map +0 -1
package/dist/interfaces/constants.js +0 -3
package/dist/interfaces/constants.js.map +0 -1
package/dist/interfaces/create-user-basics.d.ts +0 -18
package/dist/interfaces/create-user-basics.d.ts.map +0 -1
package/dist/interfaces/create-user-basics.js +0 -3
package/dist/interfaces/create-user-basics.js.map +0 -1
package/dist/interfaces/csp-config.d.ts +0 -14
package/dist/interfaces/csp-config.d.ts.map +0 -1
package/dist/interfaces/csp-config.js +0 -3
package/dist/interfaces/csp-config.js.map +0 -1
package/dist/interfaces/deep-partial.d.ts +0 -4
package/dist/interfaces/deep-partial.d.ts.map +0 -1
package/dist/interfaces/deep-partial.js +0 -3
package/dist/interfaces/deep-partial.js.map +0 -1
package/dist/interfaces/discriminator-collections.d.ts.map +0 -1
package/dist/interfaces/discriminator-collections.js +0 -3
package/dist/interfaces/discriminator-collections.js.map +0 -1
package/dist/interfaces/email-service.d.ts +0 -4
package/dist/interfaces/email-service.d.ts.map +0 -1
package/dist/interfaces/email-service.js +0 -3
package/dist/interfaces/email-service.js.map +0 -1
package/dist/interfaces/environment-mongo.d.ts +0 -76
package/dist/interfaces/environment-mongo.d.ts.map +0 -1
package/dist/interfaces/environment-mongo.js +0 -3
package/dist/interfaces/environment-mongo.js.map +0 -1
package/dist/interfaces/environment.d.ts +0 -181
package/dist/interfaces/environment.d.ts.map +0 -1
package/dist/interfaces/environment.js +0 -3
package/dist/interfaces/environment.js.map +0 -1
package/dist/interfaces/failable-result.d.ts +0 -7
package/dist/interfaces/failable-result.d.ts.map +0 -1
package/dist/interfaces/failable-result.js +0 -3
package/dist/interfaces/failable-result.js.map +0 -1
package/dist/interfaces/fec-consts.d.ts +0 -5
package/dist/interfaces/fec-consts.d.ts.map +0 -1
package/dist/interfaces/fec-consts.js +0 -3
package/dist/interfaces/fec-consts.js.map +0 -1
package/dist/interfaces/handleable-error-options.d.ts +0 -7
package/dist/interfaces/handleable-error-options.d.ts.map +0 -1
package/dist/interfaces/handleable-error-options.js +0 -3
package/dist/interfaces/handleable-error-options.js.map +0 -1
package/dist/interfaces/index.d.ts.map +0 -1
package/dist/interfaces/index.js +0 -46
package/dist/interfaces/index.js.map +0 -1
package/dist/interfaces/jwt-consts.d.ts +0 -11
package/dist/interfaces/jwt-consts.d.ts.map +0 -1
package/dist/interfaces/jwt-consts.js +0 -3
package/dist/interfaces/jwt-consts.js.map +0 -1
package/dist/interfaces/jwt-sign-response.d.ts +0 -11
package/dist/interfaces/jwt-sign-response.d.ts.map +0 -1
package/dist/interfaces/jwt-sign-response.js +0 -3
package/dist/interfaces/jwt-sign-response.js.map +0 -1
package/dist/interfaces/mongo-errors.d.ts +0 -5
package/dist/interfaces/mongo-errors.d.ts.map +0 -1
package/dist/interfaces/mongo-errors.js +0 -3
package/dist/interfaces/mongo-errors.js.map +0 -1
package/dist/interfaces/request-user.d.ts +0 -42
package/dist/interfaces/request-user.d.ts.map +0 -1
package/dist/interfaces/request-user.js +0 -3
package/dist/interfaces/request-user.js.map +0 -1
package/dist/interfaces/required-string-keys.d.ts +0 -22
package/dist/interfaces/required-string-keys.d.ts.map +0 -1
package/dist/interfaces/required-string-keys.js +0 -3
package/dist/interfaces/required-string-keys.js.map +0 -1
package/dist/interfaces/schema.d.ts +0 -29
package/dist/interfaces/schema.d.ts.map +0 -1
package/dist/interfaces/schema.js +0 -3
package/dist/interfaces/schema.js.map +0 -1
package/dist/interfaces/server-init-result.d.ts +0 -35
package/dist/interfaces/server-init-result.d.ts.map +0 -1
package/dist/interfaces/server-init-result.js +0 -3
package/dist/interfaces/server-init-result.js.map +0 -1
package/dist/interfaces/status-code-response.d.ts +0 -7
package/dist/interfaces/status-code-response.d.ts.map +0 -1
package/dist/interfaces/status-code-response.js +0 -3
package/dist/interfaces/status-code-response.js.map +0 -1
package/dist/interfaces/symmetric-encryption-results.d.ts +0 -5
package/dist/interfaces/symmetric-encryption-results.d.ts.map +0 -1
package/dist/interfaces/symmetric-encryption-results.js.map +0 -1
package/dist/interfaces/token-response.d.ts.map +0 -1
package/dist/interfaces/token-response.js +0 -3
package/dist/interfaces/token-response.js.map +0 -1
package/dist/middlewares/authenticate-crypto.d.ts +0 -13
package/dist/middlewares/authenticate-crypto.d.ts.map +0 -1
package/dist/middlewares/authenticate-crypto.js +0 -146
package/dist/middlewares/authenticate-crypto.js.map +0 -1
package/dist/middlewares/authenticate-token.d.ts +0 -24
package/dist/middlewares/authenticate-token.d.ts.map +0 -1
package/dist/middlewares/authenticate-token.js +0 -102
package/dist/middlewares/authenticate-token.js.map +0 -1
package/dist/middlewares/cleanup-crypto.d.ts +0 -7
package/dist/middlewares/cleanup-crypto.d.ts.map +0 -1
package/dist/middlewares/cleanup-crypto.js +0 -32
package/dist/middlewares/cleanup-crypto.js.map +0 -1
package/dist/middlewares/index.d.ts.map +0 -1
package/dist/middlewares/index.js +0 -21
package/dist/middlewares/index.js.map +0 -1
package/dist/middlewares/set-global-context-language.d.ts +0 -3
package/dist/middlewares/set-global-context-language.d.ts.map +0 -1
package/dist/middlewares/set-global-context-language.js +0 -14
package/dist/middlewares/set-global-context-language.js.map +0 -1
package/dist/middlewares.d.ts +0 -18
package/dist/middlewares.d.ts.map +0 -1
package/dist/middlewares.js +0 -76
package/dist/middlewares.js.map +0 -1
package/dist/model-registry.d.ts +0 -23
package/dist/model-registry.d.ts.map +0 -1
package/dist/model-registry.js +0 -47
package/dist/model-registry.js.map +0 -1
package/dist/models/email-token.d.ts +0 -11
package/dist/models/email-token.d.ts.map +0 -1
package/dist/models/email-token.js +0 -11
package/dist/models/email-token.js.map +0 -1
package/dist/models/index.d.ts.map +0 -1
package/dist/models/index.js +0 -23
package/dist/models/index.js.map +0 -1
package/dist/models/mnemonic.d.ts +0 -11
package/dist/models/mnemonic.d.ts.map +0 -1
package/dist/models/mnemonic.js +0 -11
package/dist/models/mnemonic.js.map +0 -1
package/dist/models/role.d.ts +0 -11
package/dist/models/role.d.ts.map +0 -1
package/dist/models/role.js +0 -11
package/dist/models/role.js.map +0 -1
package/dist/models/used-direct-login-token.d.ts +0 -11
package/dist/models/used-direct-login-token.d.ts.map +0 -1
package/dist/models/used-direct-login-token.js +0 -11
package/dist/models/used-direct-login-token.js.map +0 -1
package/dist/models/user-role.d.ts +0 -6
package/dist/models/user-role.d.ts.map +0 -1
package/dist/models/user-role.js +0 -10
package/dist/models/user-role.js.map +0 -1
package/dist/models/user.d.ts +0 -7
package/dist/models/user.d.ts.map +0 -1
package/dist/models/user.js +0 -11
package/dist/models/user.js.map +0 -1
package/dist/registry/email-service-registry.d.ts +0 -9
package/dist/registry/email-service-registry.d.ts.map +0 -1
package/dist/registry/email-service-registry.js +0 -17
package/dist/registry/email-service-registry.js.map +0 -1
package/dist/registry/index.d.ts.map +0 -1
package/dist/registry/index.js +0 -6
package/dist/registry/index.js.map +0 -1
package/dist/routers/api.d.ts +0 -27
package/dist/routers/api.d.ts.map +0 -1
package/dist/routers/api.js +0 -44
package/dist/routers/api.js.map +0 -1
package/dist/routers/app.d.ts +0 -28
package/dist/routers/app.d.ts.map +0 -1
package/dist/routers/app.js +0 -182
package/dist/routers/app.js.map +0 -1
package/dist/routers/base.d.ts +0 -12
package/dist/routers/base.d.ts.map +0 -1
package/dist/routers/base.js +0 -12
package/dist/routers/base.js.map +0 -1
package/dist/routers/index.d.ts.map +0 -1
package/dist/routers/index.js +0 -20
package/dist/routers/index.js.map +0 -1
package/dist/schemas/email-token.d.ts +0 -38
package/dist/schemas/email-token.d.ts.map +0 -1
package/dist/schemas/email-token.js +0 -56
package/dist/schemas/email-token.js.map +0 -1
package/dist/schemas/index.d.ts.map +0 -1
package/dist/schemas/index.js +0 -24
package/dist/schemas/index.js.map +0 -1
package/dist/schemas/mnemonic.d.ts +0 -20
package/dist/schemas/mnemonic.d.ts.map +0 -1
package/dist/schemas/mnemonic.js +0 -30
package/dist/schemas/mnemonic.js.map +0 -1
package/dist/schemas/role.d.ts +0 -32
package/dist/schemas/role.d.ts.map +0 -1
package/dist/schemas/role.js +0 -86
package/dist/schemas/role.js.map +0 -1
package/dist/schemas/schema.d.ts +0 -40
package/dist/schemas/schema.d.ts.map +0 -1
package/dist/schemas/schema.js +0 -64
package/dist/schemas/schema.js.map +0 -1
package/dist/schemas/used-direct-login-token.d.ts +0 -27
package/dist/schemas/used-direct-login-token.d.ts.map +0 -1
package/dist/schemas/used-direct-login-token.js +0 -23
package/dist/schemas/used-direct-login-token.js.map +0 -1
package/dist/schemas/user-role.d.ts +0 -29
package/dist/schemas/user-role.d.ts.map +0 -1
package/dist/schemas/user-role.js +0 -54
package/dist/schemas/user-role.js.map +0 -1
package/dist/schemas/user.d.ts +0 -21
package/dist/schemas/user.d.ts.map +0 -1
package/dist/schemas/user.js +0 -178
package/dist/schemas/user.js.map +0 -1
package/dist/services/backup-code.d.ts +0 -78
package/dist/services/backup-code.d.ts.map +0 -1
package/dist/services/backup-code.js +0 -180
package/dist/services/backup-code.js.map +0 -1
package/dist/services/base.d.ts +0 -13
package/dist/services/base.d.ts.map +0 -1
package/dist/services/base.js +0 -14
package/dist/services/base.js.map +0 -1
package/dist/services/checksum.d.ts +0 -67
package/dist/services/checksum.d.ts.map +0 -1
package/dist/services/checksum.js +0 -175
package/dist/services/checksum.js.map +0 -1
package/dist/services/crc.d.ts +0 -87
package/dist/services/crc.d.ts.map +0 -1
package/dist/services/crc.js +0 -198
package/dist/services/crc.js.map +0 -1
package/dist/services/database-initialization.d.ts +0 -105
package/dist/services/database-initialization.d.ts.map +0 -1
package/dist/services/database-initialization.js +0 -779
package/dist/services/database-initialization.js.map +0 -1
package/dist/services/direct-login-token.d.ts +0 -9
package/dist/services/direct-login-token.d.ts.map +0 -1
package/dist/services/direct-login-token.js +0 -41
package/dist/services/direct-login-token.js.map +0 -1
package/dist/services/fec-usage-example.d.ts +0 -38
package/dist/services/fec-usage-example.d.ts.map +0 -1
package/dist/services/fec-usage-example.js +0 -77
package/dist/services/fec-usage-example.js.map +0 -1
package/dist/services/fec.d.ts +0 -46
package/dist/services/fec.d.ts.map +0 -1
package/dist/services/fec.js +0 -192
package/dist/services/fec.js.map +0 -1
package/dist/services/index.d.ts.map +0 -1
package/dist/services/index.js +0 -35
package/dist/services/index.js.map +0 -1
package/dist/services/jwt.d.ts +0 -33
package/dist/services/jwt.d.ts.map +0 -1
package/dist/services/jwt.js +0 -90
package/dist/services/jwt.js.map +0 -1
package/dist/services/key-wrapping.d.ts +0 -60
package/dist/services/key-wrapping.d.ts.map +0 -1
package/dist/services/key-wrapping.js +0 -311
package/dist/services/key-wrapping.js.map +0 -1
package/dist/services/mnemonic.d.ts +0 -61
package/dist/services/mnemonic.d.ts.map +0 -1
package/dist/services/mnemonic.js +0 -112
package/dist/services/mnemonic.js.map +0 -1
package/dist/services/request-user.d.ts +0 -20
package/dist/services/request-user.d.ts.map +0 -1
package/dist/services/request-user.js +0 -50
package/dist/services/request-user.js.map +0 -1
package/dist/services/role.d.ts +0 -88
package/dist/services/role.d.ts.map +0 -1
package/dist/services/role.js +0 -263
package/dist/services/role.js.map +0 -1
package/dist/services/symmetric.d.ts +0 -42
package/dist/services/symmetric.d.ts.map +0 -1
package/dist/services/symmetric.js +0 -101
package/dist/services/symmetric.js.map +0 -1
package/dist/services/system-user.d.ts +0 -17
package/dist/services/system-user.d.ts.map +0 -1
package/dist/services/system-user.js +0 -46
package/dist/services/system-user.js.map +0 -1
package/dist/services/user.d.ts +0 -320
package/dist/services/user.d.ts.map +0 -1
package/dist/services/user.js +0 -1374
package/dist/services/user.js.map +0 -1
package/dist/services/xor.d.ts +0 -24
package/dist/services/xor.d.ts.map +0 -1
package/dist/services/xor.js +0 -37
package/dist/services/xor.js.map +0 -1
package/dist/types.d.ts +0 -70
package/dist/types.d.ts.map +0 -1
package/dist/types.js +0 -14
package/dist/types.js.map +0 -1
package/dist/utils.d.ts +0 -202
package/dist/utils.d.ts.map +0 -1
package/dist/utils.js +0 -786
package/dist/utils.js.map +0 -1
/package/{dist → src}/interfaces/symmetric-encryption-results.js +0 -0

package/src/application.ts ADDED Viewed

@@ -0,0 +1,254 @@
+import { HandleableError } from '@digitaldefiance/i18n-lib';
+import {
+  Constants,
+  getSuiteCoreI18nEngine,
+  SuiteCoreComponentId,
+  SuiteCoreStringKey,
+  TranslatableSuiteError,
+} from '@digitaldefiance/suite-core-lib';
+import express, {
+  Application as ExpressApplication,
+  NextFunction,
+  Request,
+  Response,
+} from 'express';
+import { readFileSync } from 'fs';
+import { Server } from 'http';
+import { createServer } from 'https';
+import mongoose, { Types } from 'mongoose';
+import { isAbsolute, normalize, resolve } from 'path';
+import { BaseApplication } from './application-base';
+import { IBaseDocument } from './documents/base';
+import { Environment } from './environment';
+import { IApplication, ICSPConfig, IFailableResult } from './interfaces';
+import { IConstants } from './interfaces/constants';
+import { Middlewares } from './middlewares';
+import { AppRouter } from './routers/app';
+import { BaseRouter } from './routers/base';
+import { SchemaMap } from './types';
+import { debugLog, handleError, sendApiMessageResponse } from './utils';
+/**
+ * Application class
+ */
+type ServerWithOptionalClose = Server & { closeAllConnections?: () => void };
+export class Application<
+    T,
+    I extends Types.ObjectId | string,
+    TInitResults,
+    TModelDocs extends Record<string, IBaseDocument<any>>,
+    TBaseDocument extends IBaseDocument<T, I> = IBaseDocument<T, I>,
+    TEnvironment extends Environment = Environment,
+    TConstants extends IConstants = IConstants,
+  >
+  extends BaseApplication<TModelDocs, TInitResults, TConstants>
+  implements IApplication<T, I, TBaseDocument, TEnvironment, TConstants>
+{
+  public readonly expressApp: ExpressApplication;
+  private server: ServerWithOptionalClose | null = null;
+  private readonly _cspConfig: ICSPConfig;
+  private readonly _apiRouter: BaseRouter;
+  public override get environment(): TEnvironment {
+    return super.environment as TEnvironment;
+  }
+  constructor(
+    environment: TEnvironment,
+    apiRouter: BaseRouter,
+    schemaMapFactory: (
+      connection: mongoose.Connection,
+    ) => SchemaMap<TModelDocs>,
+    databaseInitFunction: (
+      application: BaseApplication<TModelDocs, TInitResults>,
+    ) => Promise<IFailableResult<TInitResults>>,
+    initResultHashFunction: (initResults: TInitResults) => string,
+    cspConfig: ICSPConfig = {
+      corsWhitelist: [],
+      csp: {
+        defaultSrc: [],
+        imgSrc: [],
+        connectSrc: [],
+        scriptSrc: [],
+        styleSrc: [],
+        fontSrc: [],
+        frameSrc: [],
+      },
+    },
+    constants: TConstants = Constants as TConstants,
+  ) {
+    super(
+      environment,
+      schemaMapFactory,
+      databaseInitFunction,
+      initResultHashFunction,
+      constants,
+    );
+    this._apiRouter = apiRouter;
+    this.expressApp = express();
+    this.server = null;
+    this._cspConfig = cspConfig;
+  }
+  public override async start(mongoUri?: string): Promise<void> {
+    const engine = getSuiteCoreI18nEngine();
+    await super.start(mongoUri, true);
+    try {
+      Middlewares.init(
+        this.expressApp,
+        this._cspConfig.corsWhitelist,
+        this._cspConfig.csp,
+      );
+      const appRouter = new AppRouter(this._apiRouter);
+      appRouter.init(this.expressApp);
+      this.expressApp.use(
+        (
+          err: HandleableError | Error,
+          req: Request,
+          res: Response,
+          next: NextFunction,
+        ) => {
+          const handleableError =
+            err instanceof HandleableError
+              ? err
+              : new HandleableError(
+                  new Error(
+                    err.message ||
+                      engine.translate(
+                        SuiteCoreComponentId,
+                        SuiteCoreStringKey.Common_UnexpectedError,
+                      ),
+                  ),
+                  { cause: err },
+                );
+          handleError(handleableError, res, sendApiMessageResponse, next);
+        },
+      );
+      const serversReady: Promise<void>[] = [];
+      serversReady.push(
+        new Promise<void>((resolve) => {
+          this.server = this.expressApp.listen(
+            this.environment.port,
+            this.environment.host,
+            () => {
+              debugLog(
+                this.environment.debug,
+                'log',
+                `[ ${engine.translate(
+                  SuiteCoreComponentId,
+                  SuiteCoreStringKey.Common_Ready,
+                )} ] http://${this.environment.host}:${this.environment.port}`,
+              );
+              resolve();
+            },
+          ) as ServerWithOptionalClose;
+        }),
+      );
+      if (this.environment.httpsDevCertRoot) {
+        try {
+          const certRoot = normalize(this.environment.httpsDevCertRoot);
+          if (!isAbsolute(certRoot) || certRoot.includes('..')) {
+            throw new TranslatableSuiteError(
+              SuiteCoreStringKey.Error_InvalidCertificatePathMustBeAbsolute,
+            );
+          }
+          const certPath = normalize(resolve(certRoot + '.pem'));
+          const keyPath = normalize(resolve(certRoot + '-key.pem'));
+          if (certPath.includes('..') || keyPath.includes('..')) {
+            throw new TranslatableSuiteError(
+              SuiteCoreStringKey.Error_InvalidCertificatePathAfterResolution,
+            );
+          }
+          const options = {
+            // amazonq-ignore-next-line fixed above
+            key: readFileSync(keyPath),
+            // amazonq-ignore-next-line fixed above
+            cert: readFileSync(certPath),
+          };
+          serversReady.push(
+            new Promise<void>((resolve) => {
+              createServer(options, this.expressApp).listen(
+                this.environment.httpsDevPort,
+                () => {
+                  console.log(
+                    `[ ${engine.translate(
+                      SuiteCoreComponentId,
+                      SuiteCoreStringKey.Common_Ready,
+                    )} ] https://${this.environment.host}:${
+                      this.environment.httpsDevPort
+                    }`,
+                  );
+                  resolve();
+                },
+              );
+            }),
+          );
+        } catch (err) {
+          console.error('Failed to start HTTPS server:', err);
+        }
+      }
+      await Promise.all(serversReady);
+      this._ready = true;
+    } catch (err) {
+      console.error(
+        engine.translate(
+          SuiteCoreComponentId,
+          SuiteCoreStringKey.Error_FailedToStartApplication,
+        ),
+        err,
+      );
+      if (process.env['NODE_ENV'] === 'test') {
+        throw err;
+      }
+      process.exit(1);
+    }
+  }
+  public override async stop(): Promise<void> {
+    const engine = getSuiteCoreI18nEngine();
+    if (this.server) {
+      debugLog(
+        this.environment.debug,
+        'log',
+        `[ ${engine.translate(
+          SuiteCoreComponentId,
+          SuiteCoreStringKey.Common_Stopping,
+        )} ] ${engine.translate(
+          SuiteCoreComponentId,
+          SuiteCoreStringKey.Common_ApplicationAndDatabase,
+        )}`,
+      );
+      await new Promise<void>((resolve, reject) => {
+        this.server!.closeAllConnections?.();
+        this.server!.close((err) => {
+          if (err) {
+            reject(err);
+          } else {
+            resolve();
+          }
+        });
+      });
+      this.server = null;
+    }
+    await super.stop();
+    this._ready = false;
+    debugLog(
+      this.environment.debug,
+      'log',
+      `[ ${engine.translate(
+        SuiteCoreComponentId,
+        SuiteCoreStringKey.Common_Stopped,
+      )} ] ${engine.translate(
+        SuiteCoreComponentId,
+        SuiteCoreStringKey.Common_ApplicationAndDatabase,
+      )}`,
+    );
+  }
+}

package/src/backup-code.ts ADDED Viewed

@@ -0,0 +1,336 @@
+import { MemberType } from '@digitaldefiance/ecies-lib';
+import {
+  Constants as ApiConstants,
+  Member as BackendMember,
+} from '@digitaldefiance/node-ecies-lib';
+import {
+  BackupCodeString,
+  IBackupCode,
+  InvalidBackupCodeError,
+  PrivateKeyRequiredError,
+} from '@digitaldefiance/suite-core-lib';
+import * as argon2 from 'argon2';
+import { createHmac, randomBytes, timingSafeEqual } from 'crypto';
+import { Constants } from './constants';
+import { InvalidBackupCodeVersionError } from './errors/invalid-backup-code-version';
+import { IConstants } from './interfaces';
+import { SymmetricService } from './services/symmetric';
+/**
+ * Class representing a backup code string with associated operations.
+ *
+ * v1 scheme:
+ * - Code: 32 lowercase alphanumerics (a–z0–9), displayed as 8 groups of 4: xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx
+ * - Checksum/tag: HKDF-SHA256(codeUtf8, salt, "backup-checksum") → 32 bytes (stored as hex)
+ * - KDF for encryption key: Argon2id(codeUtf8, salt) → 32 bytes
+ * - Encryption: SymmetricService AEAD (encryptedData must embed IV + authTag + ciphertext)
+ * - Wrapping: AEAD blob wrapped with system user's asymmetric key (ECIES)
+ */
+export class BackupCode extends BackupCodeString {
+  /** Current backup code scheme version implemented by this service. */
+  public static readonly BackupCodeVersion = '1.0.0';
+  // Centralized Argon2id parameters (tunable)
+  private static readonly Argon2Params = {
+    type: argon2.argon2id,
+    hashLength: 32, // derive AES-256 key
+    timeCost: 3,
+    memoryCost: 65536, // 64 MiB
+    parallelism: 1,
+    raw: true as const,
+  } as const;
+  constructor(code: string) {
+    super(code);
+  }
+  /**
+   * Generate the configured number of backup codes.
+   * Note: If generation alphabet/length is controlled elsewhere, prefer that path.
+   */
+  public static override generateBackupCodes(
+    constants: IConstants = Constants,
+  ): Array<BackupCode> {
+    const codes: Array<BackupCode> = [];
+    for (let i = 0; i < constants.BACKUP_CODES.Count; i++) {
+      codes.push(new BackupCode(BackupCode.generateBackupCode()));
+    }
+    return codes;
+  }
+  /**
+   * HKDF-Extract-and-Expand using HMAC-SHA-256.
+   *
+   * PRK = HMAC(salt, ikm)
+   * T(0) = empty
+   * T(i) = HMAC(PRK, T(i-1) || info || i)
+   * OKM = first 'length' bytes of T(1) || T(2) || ...
+   */
+  public static hkdfSha256(
+    ikm: Buffer,
+    salt: Buffer,
+    info: Buffer,
+    length: number,
+  ): Buffer {
+    if (length === 0) {
+      return Buffer.alloc(0);
+    }
+    // HKDF-Extract: PRK = HMAC-Hash(salt, IKM)
+    // If salt is empty, use a string of HashLen zeros
+    const actualSalt = salt.length === 0 ? Buffer.alloc(32, 0) : salt;
+    const prk = createHmac('sha256', actualSalt).update(ikm).digest();
+    // HKDF-Expand
+    const blocks: Buffer[] = [];
+    let prev = Buffer.alloc(0);
+    const n = Math.ceil(length / 32);
+    for (let i = 1; i <= n; i++) {
+      const hmac = createHmac('sha256', prk);
+      hmac.update(prev);
+      hmac.update(info);
+      hmac.update(Buffer.from([i]));
+      prev = Buffer.from(hmac.digest());
+      blocks.push(prev);
+    }
+    return Buffer.concat(blocks).subarray(0, length);
+  }
+  /**
+   * v1: Derive a 32-byte encryption key from a normalized backup code using Argon2id and the per-code salt.
+   * Uses UTF-8 bytes of the normalized code (not hex).
+   */
+  public static async getBackupKeyV1(
+    checksumSaltHex: string,
+    normalizedCode: string,
+    constants: IConstants = Constants,
+  ): Promise<Buffer> {
+    if (!constants.BACKUP_CODES.NormalizedHexRegex.test(normalizedCode)) {
+      throw new InvalidBackupCodeError();
+    }
+    const codeBytes = Buffer.from(normalizedCode, 'utf8');
+    const checksumSalt = Buffer.from(checksumSaltHex, 'hex');
+    try {
+      const key = (await argon2.hash(codeBytes, {
+        ...BackupCode.Argon2Params,
+        salt: checksumSalt,
+      })) as unknown as Buffer;
+      return key; // 32-byte Buffer
+    } finally {
+      codeBytes.fill(0);
+    }
+  }
+  /**
+   * v1: Compute a 32-byte checksum/tag for a normalized code using HKDF-SHA256(codeUtf8, salt, "backup-checksum").
+   */
+  private static computeChecksumV1(
+    normalizedCode: string,
+    checksumSalt: Buffer,
+  ): Buffer {
+    const codeBytes = Buffer.from(normalizedCode, 'utf8');
+    try {
+      return BackupCode.hkdfSha256(
+        codeBytes,
+        checksumSalt,
+        Buffer.from('backup-checksum'),
+        32,
+      );
+    } finally {
+      codeBytes.fill(0);
+    }
+  }
+  public async encrypt(
+    backupUser: BackendMember,
+    systemUser: BackendMember,
+    constants: IConstants = Constants,
+  ): Promise<IBackupCode> {
+    if (!backupUser.hasPrivateKey) {
+      throw new PrivateKeyRequiredError();
+    }
+    if (systemUser.type !== MemberType.System) {
+      throw new Error('System user must be of MemberType.System');
+    }
+    const raw = this.value ?? '';
+    const normalized = BackupCode.normalizeCode(raw);
+    if (
+      !(
+        constants.BACKUP_CODES.DisplayRegex.test(raw) ||
+        constants.BACKUP_CODES.NormalizedHexRegex.test(normalized)
+      )
+    ) {
+      throw new InvalidBackupCodeError();
+    }
+    const checksumSalt = randomBytes(ApiConstants.PBKDF2.SALT_BYTES);
+    const checksumBuf = BackupCode.computeChecksumV1(normalized, checksumSalt);
+    const encryptionKey = await BackupCode.getBackupKeyV1(
+      checksumSalt.toString('hex'),
+      normalized,
+    );
+    try {
+      const sealed = SymmetricService.encryptBuffer(
+        Buffer.from(backupUser.privateKey!.value),
+        encryptionKey,
+      );
+      const wrappedEncryptedPrivateKey = systemUser
+        .encryptData(sealed.encryptedData)
+        .toString('hex');
+      return {
+        version: BackupCode.BackupCodeVersion,
+        checksumSalt: checksumSalt.toString('hex'),
+        checksum: checksumBuf.toString('hex'),
+        encrypted: wrappedEncryptedPrivateKey,
+      } as IBackupCode;
+    } finally {
+      encryptionKey.fill(0);
+      checksumBuf.fill(0);
+    }
+  }
+  /**
+   * v1: Encrypt and wrap backup codes for a user.
+   * - Validates code format (display or normalized)
+   * - Computes HKDF checksum/tag
+   * - Derives Argon2id encryption key (32 bytes) from UTF-8 code
+   * - Encrypts the private key with AEAD and wraps with system user
+   */
+  public static async encryptBackupCodesV1(
+    backupUser: BackendMember,
+    systemUser: BackendMember,
+    codes: Array<BackupCode>,
+  ): Promise<Array<IBackupCode>> {
+    const encryptedCodes: Array<IBackupCode> = [];
+    for (const code of codes) {
+      encryptedCodes.push(await code.encrypt(backupUser, systemUser));
+    }
+    return encryptedCodes;
+  }
+  /** Delegate to current version. */
+  public static encryptBackupCodes(
+    backupUser: BackendMember,
+    systemUser: BackendMember,
+    codes: Array<BackupCode>,
+  ): Promise<Array<IBackupCode>> {
+    return BackupCode.encryptBackupCodesV1(backupUser, systemUser, codes);
+  }
+  /**
+   * v1: Validate whether a backup code exists (unused) in the provided collection.
+   * Uses constant-time comparison of binary checksums (codeUtf8 + salt).
+   */
+  public static validateBackupCodeV1(
+    encryptedBackupCodes: Array<IBackupCode>,
+    backupCode: string,
+    constants: IConstants = Constants,
+  ): boolean {
+    const normalizedCode = BackupCodeString.normalizeCode(backupCode);
+    if (!constants.BACKUP_CODES.NormalizedHexRegex.test(normalizedCode)) {
+      return false;
+    }
+    const codeBytes = Buffer.from(normalizedCode, 'utf8');
+    try {
+      for (const code of encryptedBackupCodes) {
+        if (code.version !== BackupCode.BackupCodeVersion) continue;
+        const checksumSalt = Buffer.from(code.checksumSalt, 'hex');
+        const expected = BackupCode.hkdfSha256(
+          codeBytes,
+          checksumSalt,
+          Buffer.from('backup-checksum'),
+          32,
+        );
+        if (
+          code.checksum.length === expected.length * 2 &&
+          timingSafeEqual(Buffer.from(code.checksum, 'hex'), expected)
+        ) {
+          return true;
+        }
+      }
+      return false;
+    } finally {
+      codeBytes.fill(0);
+    }
+  }
+  /**
+   * Validate a backup code against any supported version present in the collection.
+   */
+  public static validateBackupCode(
+    encryptedBackupCodes: Array<IBackupCode>,
+    backupCode: string,
+    constants: IConstants = Constants,
+  ): boolean {
+    const normalizedCode = BackupCodeString.normalizeCode(backupCode);
+    if (!constants.BACKUP_CODES.NormalizedHexRegex.test(normalizedCode)) {
+      return false;
+    }
+    if (
+      encryptedBackupCodes.some(
+        (c) => c.version === BackupCode.BackupCodeVersion,
+      )
+    ) {
+      return this.validateBackupCodeV1(
+        encryptedBackupCodes.filter(
+          (c) => c.version === BackupCode.BackupCodeVersion,
+        ),
+        normalizedCode,
+      );
+    }
+    return false;
+  }
+  /**
+   * Detect the version by matching checksum against stored codes; returns the matched version.
+   */
+  public static detectBackupCodeVersion(
+    encryptedBackupCodes: Array<IBackupCode>,
+    backupCode: string,
+    constants: IConstants = Constants,
+  ): string {
+    const normalizedCode = BackupCodeString.normalizeCode(backupCode);
+    if (!constants.BACKUP_CODES.NormalizedHexRegex.test(normalizedCode)) {
+      throw new InvalidBackupCodeError();
+    }
+    const v1Set = encryptedBackupCodes.filter(
+      (c) => c.version === BackupCode.BackupCodeVersion,
+    );
+    if (v1Set.length) {
+      const codeBytes = Buffer.from(normalizedCode, 'utf8');
+      try {
+        for (const c of v1Set) {
+          const checksumSalt = Buffer.from(c.checksumSalt, 'hex');
+          const expected = BackupCode.hkdfSha256(
+            codeBytes,
+            checksumSalt,
+            Buffer.from('backup-checksum'),
+            32,
+          );
+          if (
+            c.checksum.length === expected.length * 2 &&
+            timingSafeEqual(Buffer.from(c.checksum, 'hex'), expected)
+          ) {
+            return c.version;
+          }
+        }
+      } finally {
+        // zeroize
+        codeBytes.fill(0);
+      }
+    }
+    const versionsInSet = new Set(encryptedBackupCodes.map((c) => c.version));
+    if (
+      versionsInSet.size > 0 &&
+      !versionsInSet.has(BackupCode.BackupCodeVersion)
+    ) {
+      throw new InvalidBackupCodeVersionError([...versionsInSet][0]);
+    }
+    throw new InvalidBackupCodeError();
+  }
+}

package/src/constants.ts ADDED Viewed

@@ -0,0 +1,69 @@
+import { ECIES as ECIESDefaults } from '@digitaldefiance/ecies-lib';
+import { createConstants } from '@digitaldefiance/suite-core-lib';
+import { IFECConsts } from './interfaces';
+import { IChecksumConsts } from './interfaces/checksum-consts';
+import { IConstants } from './interfaces/constants';
+import { IJwtConsts } from './interfaces/jwt-consts';
+/**
+ * Constants for checksum operations
+ * These values are critical for data integrity and MUST NOT be changed
+ * in an already established system as it will break all existing checksums.
+ */
+export const CHECKSUM: IChecksumConsts = Object.freeze({
+  /** Default hash bits for SHA3 */
+  SHA3_DEFAULT_HASH_BITS: 512 as const,
+  /** Length of a SHA3 checksum buffer in bytes */
+  SHA3_BUFFER_LENGTH: 64 as const,
+  /** algorithm to use for checksum */
+  ALGORITHM: 'sha3-512' as const,
+  /** encoding to use for checksum */
+  ENCODING: 'hex' as const,
+} as const);
+export const JWT: IJwtConsts = {
+  /**
+   * Algorithm to use for JWT
+   */
+  ALGORITHM: 'HS256' as const,
+  /**
+   * The expiration time for a JWT token in seconds
+   */
+  EXPIRATION_SEC: 86400 as const,
+} as const;
+export const FEC: IFECConsts = {
+  /**
+   * Maximum size of a single shard
+   */
+  MAX_SHARD_SIZE: 1048576 as const,
+} as const;
+// use defaults from ecies-lib
+export const ECIES = Object.freeze(ECIESDefaults);
+export const createExpressConstants = (
+  siteDomain: string,
+  overrides?: Partial<IConstants>,
+): IConstants => {
+  return Object.freeze({
+    ...createConstants(siteDomain, overrides),
+    CHECKSUM: CHECKSUM,
+    JWT: JWT,
+    FEC: FEC,
+    ECIES: ECIES,
+  } as const);
+};
+export const Constants: IConstants = createExpressConstants('localhost');
+if (
+  CHECKSUM.SHA3_BUFFER_LENGTH !== CHECKSUM.SHA3_DEFAULT_HASH_BITS / 8 ||
+  CHECKSUM.SHA3_BUFFER_LENGTH !== CHECKSUM.SHA3_DEFAULT_HASH_BITS / 8
+) {
+  throw new Error('Invalid checksum constants');
+}