@edge-markets/connect-node 1.2.0 → 1.3.0

package/README.md

@@ -58,9 +58,38 @@ interface EdgeConnectServerConfig {
   apiBaseUrl?: string           // Custom API URL (dev only)
   authDomain?: string           // Custom Cognito domain (dev only)
   timeout?: number              // Request timeout (default: 30000ms)
+
+  // Optional: Message Level Encryption (Connect endpoints only)
+  mle?: {
+    enabled: boolean
+    edgePublicKey: string       // EDGE public encryption key (PEM)
+    edgeKeyId: string           // EDGE key ID (kid) used for requests
+    partnerPrivateKey: string   // Your private key (PEM) to decrypt responses
+    partnerKeyId: string        // Your key ID (kid) expected in response headers
+    strictResponseEncryption?: boolean // default true
+  }
 }
 ```
 
+### Message Level Encryption (MLE)
+
+```typescript
+const edge = new EdgeConnectServer({
+  clientId: process.env.EDGE_CLIENT_ID!,
+  clientSecret: process.env.EDGE_CLIENT_SECRET!,
+  environment: 'staging',
+  mle: {
+    enabled: true,
+    edgePublicKey: process.env.EDGE_MLE_EDGE_PUBLIC_KEY!,
+    edgeKeyId: process.env.EDGE_MLE_EDGE_KEY_ID!,
+    partnerPrivateKey: process.env.EDGE_MLE_PARTNER_PRIVATE_KEY!,
+    partnerKeyId: process.env.EDGE_MLE_PARTNER_KEY_ID!,
+  },
+})
+```
+
+When enabled, the SDK sends `X-Edge-MLE: v1`, encrypts request bodies, and decrypts encrypted Connect responses.
+
 ## Token Exchange
 
 After EdgeLink completes, exchange the code for tokens:
@@ -317,4 +346,3 @@ MIT
 
 
 
-

package/dist/index.d.mts

@@ -32,6 +32,14 @@ interface EdgeConnectServerConfig {
     retry?: RetryConfig;
     onRequest?: (info: RequestInfo) => void;
     onResponse?: (info: ResponseInfo) => void;
+    mle?: {
+        enabled: boolean;
+        edgePublicKey: string;
+        edgeKeyId: string;
+        partnerPrivateKey: string;
+        partnerKeyId: string;
+        strictResponseEncryption?: boolean;
+    };
 }
 interface TransferOptions {
     type: 'debit' | 'credit';

package/dist/index.d.ts

@@ -32,6 +32,14 @@ interface EdgeConnectServerConfig {
     retry?: RetryConfig;
     onRequest?: (info: RequestInfo) => void;
     onResponse?: (info: ResponseInfo) => void;
+    mle?: {
+        enabled: boolean;
+        edgePublicKey: string;
+        edgeKeyId: string;
+        partnerPrivateKey: string;
+        partnerKeyId: string;
+        strictResponseEncryption?: boolean;
+    };
 }
 interface TransferOptions {
     type: 'debit' | 'credit';

package/dist/index.js

@@ -41,6 +41,83 @@ module.exports = __toCommonJS(index_exports);
 
 // src/edge-connect-server.ts
 var import_connect = require("@edge-markets/connect");
+
+// src/mle.ts
+var import_crypto = require("crypto");
+function encryptMle(payload, clientId, config) {
+  const header = {
+    alg: "RSA-OAEP-256",
+    enc: "A256GCM",
+    kid: config.edgeKeyId,
+    typ: "application/json",
+    iat: Math.floor(Date.now() / 1e3),
+    jti: (0, import_crypto.randomUUID)(),
+    clientId
+  };
+  const protectedHeaderB64 = toBase64Url(Buffer.from(JSON.stringify(header), "utf8"));
+  const aad = Buffer.from(protectedHeaderB64, "utf8");
+  const cek = (0, import_crypto.randomBytes)(32);
+  const iv = (0, import_crypto.randomBytes)(12);
+  const cipher = (0, import_crypto.createCipheriv)("aes-256-gcm", cek, iv);
+  cipher.setAAD(aad);
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const encryptedKey = (0, import_crypto.publicEncrypt)(
+    {
+      key: config.edgePublicKey,
+      padding: import_crypto.constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: "sha256"
+    },
+    cek
+  );
+  return [
+    protectedHeaderB64,
+    toBase64Url(encryptedKey),
+    toBase64Url(iv),
+    toBase64Url(ciphertext),
+    toBase64Url(tag)
+  ].join(".");
+}
+function decryptMle(jwe, config) {
+  const parts = jwe.split(".");
+  if (parts.length !== 5) {
+    throw new Error("Invalid MLE payload format");
+  }
+  const [protectedHeaderB64, encryptedKeyB64, ivB64, ciphertextB64, tagB64] = parts;
+  const protectedHeader = JSON.parse(fromBase64Url(protectedHeaderB64).toString("utf8"));
+  if (protectedHeader.alg !== "RSA-OAEP-256" || protectedHeader.enc !== "A256GCM") {
+    throw new Error("Unsupported MLE algorithms");
+  }
+  if (protectedHeader.kid && protectedHeader.kid !== config.partnerKeyId) {
+    throw new Error(`Unexpected response key id: ${protectedHeader.kid}`);
+  }
+  const cek = (0, import_crypto.privateDecrypt)(
+    {
+      key: config.partnerPrivateKey,
+      padding: import_crypto.constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: "sha256"
+    },
+    fromBase64Url(encryptedKeyB64)
+  );
+  const decipher = (0, import_crypto.createDecipheriv)("aes-256-gcm", cek, fromBase64Url(ivB64));
+  decipher.setAAD(Buffer.from(protectedHeaderB64, "utf8"));
+  decipher.setAuthTag(fromBase64Url(tagB64));
+  const plaintext = Buffer.concat([
+    decipher.update(fromBase64Url(ciphertextB64)),
+    decipher.final()
+  ]);
+  return JSON.parse(plaintext.toString("utf8"));
+}
+function toBase64Url(buffer) {
+  return buffer.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function fromBase64Url(value) {
+  const normalized = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+  return Buffer.from(normalized, "base64");
+}
+
+// src/edge-connect-server.ts
 var DEFAULT_TIMEOUT = 3e4;
 var USER_AGENT = "@edge-markets/connect-node/1.0.0";
 var DEFAULT_RETRY_CONFIG = {
@@ -227,6 +304,8 @@ var EdgeConnectServer = class _EdgeConnectServer {
   async apiRequest(method, path, accessToken, body) {
     const url = `${this.apiBaseUrl}${path}`;
     let lastError = null;
+    const mleConfig = this.config.mle;
+    const mleEnabled = !!mleConfig?.enabled;
     for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
       const startTime = Date.now();
       if (attempt > 0) {
@@ -234,16 +313,42 @@ var EdgeConnectServer = class _EdgeConnectServer {
       }
       this.config.onRequest?.({ method, url, body });
       try {
+        const requestHeaders = {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json",
+          "User-Agent": USER_AGENT
+        };
+        let requestBody = body;
+        if (mleEnabled) {
+          requestHeaders["X-Edge-MLE"] = "v1";
+          if (body !== void 0) {
+            requestBody = { jwe: encryptMle(body, this.config.clientId, mleConfig) };
+          }
+        }
         const response = await this.fetchWithTimeout(url, {
           method,
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            "Content-Type": "application/json",
-            "User-Agent": USER_AGENT
-          },
-          body: body ? JSON.stringify(body) : void 0
+          headers: requestHeaders,
+          body: requestBody !== void 0 ? JSON.stringify(requestBody) : void 0
         });
-        const responseBody = await response.json().catch(() => ({}));
+        const rawResponseBody = await response.json().catch(() => ({}));
+        let responseBody = rawResponseBody;
+        if (mleEnabled && typeof rawResponseBody?.jwe === "string") {
+          responseBody = decryptMle(rawResponseBody.jwe, mleConfig);
+        } else if (!mleEnabled && typeof rawResponseBody?.jwe === "string") {
+          throw new import_connect.EdgeApiError(
+            "mle_required",
+            "The API responded with message-level encryption. Enable MLE in SDK config.",
+            response.status,
+            rawResponseBody
+          );
+        } else if (mleEnabled && mleConfig?.strictResponseEncryption !== false && response.ok && typeof rawResponseBody?.jwe !== "string") {
+          throw new import_connect.EdgeApiError(
+            "mle_response_missing",
+            "Expected encrypted response payload but received plaintext.",
+            response.status,
+            rawResponseBody
+          );
+        }
         const durationMs = Date.now() - startTime;
         this.config.onResponse?.({ status: response.status, body: responseBody, durationMs });
         if (!response.ok) {

package/dist/index.mjs

@@ -11,6 +11,83 @@ import {
   EdgeNetworkError,
   EdgeValidationError
 } from "@edge-markets/connect";
+
+// src/mle.ts
+import { randomUUID, randomBytes, createCipheriv, createDecipheriv, publicEncrypt, privateDecrypt, constants } from "crypto";
+function encryptMle(payload, clientId, config) {
+  const header = {
+    alg: "RSA-OAEP-256",
+    enc: "A256GCM",
+    kid: config.edgeKeyId,
+    typ: "application/json",
+    iat: Math.floor(Date.now() / 1e3),
+    jti: randomUUID(),
+    clientId
+  };
+  const protectedHeaderB64 = toBase64Url(Buffer.from(JSON.stringify(header), "utf8"));
+  const aad = Buffer.from(protectedHeaderB64, "utf8");
+  const cek = randomBytes(32);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", cek, iv);
+  cipher.setAAD(aad);
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const encryptedKey = publicEncrypt(
+    {
+      key: config.edgePublicKey,
+      padding: constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: "sha256"
+    },
+    cek
+  );
+  return [
+    protectedHeaderB64,
+    toBase64Url(encryptedKey),
+    toBase64Url(iv),
+    toBase64Url(ciphertext),
+    toBase64Url(tag)
+  ].join(".");
+}
+function decryptMle(jwe, config) {
+  const parts = jwe.split(".");
+  if (parts.length !== 5) {
+    throw new Error("Invalid MLE payload format");
+  }
+  const [protectedHeaderB64, encryptedKeyB64, ivB64, ciphertextB64, tagB64] = parts;
+  const protectedHeader = JSON.parse(fromBase64Url(protectedHeaderB64).toString("utf8"));
+  if (protectedHeader.alg !== "RSA-OAEP-256" || protectedHeader.enc !== "A256GCM") {
+    throw new Error("Unsupported MLE algorithms");
+  }
+  if (protectedHeader.kid && protectedHeader.kid !== config.partnerKeyId) {
+    throw new Error(`Unexpected response key id: ${protectedHeader.kid}`);
+  }
+  const cek = privateDecrypt(
+    {
+      key: config.partnerPrivateKey,
+      padding: constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: "sha256"
+    },
+    fromBase64Url(encryptedKeyB64)
+  );
+  const decipher = createDecipheriv("aes-256-gcm", cek, fromBase64Url(ivB64));
+  decipher.setAAD(Buffer.from(protectedHeaderB64, "utf8"));
+  decipher.setAuthTag(fromBase64Url(tagB64));
+  const plaintext = Buffer.concat([
+    decipher.update(fromBase64Url(ciphertextB64)),
+    decipher.final()
+  ]);
+  return JSON.parse(plaintext.toString("utf8"));
+}
+function toBase64Url(buffer) {
+  return buffer.toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function fromBase64Url(value) {
+  const normalized = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+  return Buffer.from(normalized, "base64");
+}
+
+// src/edge-connect-server.ts
 var DEFAULT_TIMEOUT = 3e4;
 var USER_AGENT = "@edge-markets/connect-node/1.0.0";
 var DEFAULT_RETRY_CONFIG = {
@@ -197,6 +274,8 @@ var EdgeConnectServer = class _EdgeConnectServer {
   async apiRequest(method, path, accessToken, body) {
     const url = `${this.apiBaseUrl}${path}`;
     let lastError = null;
+    const mleConfig = this.config.mle;
+    const mleEnabled = !!mleConfig?.enabled;
     for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
       const startTime = Date.now();
       if (attempt > 0) {
@@ -204,16 +283,42 @@ var EdgeConnectServer = class _EdgeConnectServer {
       }
       this.config.onRequest?.({ method, url, body });
       try {
+        const requestHeaders = {
+          Authorization: `Bearer ${accessToken}`,
+          "Content-Type": "application/json",
+          "User-Agent": USER_AGENT
+        };
+        let requestBody = body;
+        if (mleEnabled) {
+          requestHeaders["X-Edge-MLE"] = "v1";
+          if (body !== void 0) {
+            requestBody = { jwe: encryptMle(body, this.config.clientId, mleConfig) };
+          }
+        }
         const response = await this.fetchWithTimeout(url, {
           method,
-          headers: {
-            Authorization: `Bearer ${accessToken}`,
-            "Content-Type": "application/json",
-            "User-Agent": USER_AGENT
-          },
-          body: body ? JSON.stringify(body) : void 0
+          headers: requestHeaders,
+          body: requestBody !== void 0 ? JSON.stringify(requestBody) : void 0
         });
-        const responseBody = await response.json().catch(() => ({}));
+        const rawResponseBody = await response.json().catch(() => ({}));
+        let responseBody = rawResponseBody;
+        if (mleEnabled && typeof rawResponseBody?.jwe === "string") {
+          responseBody = decryptMle(rawResponseBody.jwe, mleConfig);
+        } else if (!mleEnabled && typeof rawResponseBody?.jwe === "string") {
+          throw new EdgeApiError(
+            "mle_required",
+            "The API responded with message-level encryption. Enable MLE in SDK config.",
+            response.status,
+            rawResponseBody
+          );
+        } else if (mleEnabled && mleConfig?.strictResponseEncryption !== false && response.ok && typeof rawResponseBody?.jwe !== "string") {
+          throw new EdgeApiError(
+            "mle_response_missing",
+            "Expected encrypted response payload but received plaintext.",
+            response.status,
+            rawResponseBody
+          );
+        }
         const durationMs = Date.now() - startTime;
         this.config.onResponse?.({ status: response.status, body: responseBody, durationMs });
         if (!response.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@edge-markets/connect-node",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "Server SDK for EDGE Connect token exchange and API calls",
   "author": "Edge Markets",
   "license": "MIT",