@futdevpro/fsm-dynamo 1.10.50 → 1.10.51

package/src/_modules/crypto/_collections/crypto.util.ts

@@ -5,94 +5,36 @@ import {
 } from '../../../_models/control-models/error.control-model';
 
 
-/**
- * Error codes for crypto operations
- */
-/* export enum CryptoErrorCode {
-  INVALID_INPUT = 'DyFM-CRY-EA0',
-  DECRYPTION_FAILED = '',
-  ENCRYPTION_FAILED = 'DyFM-CRY-ENF',
-  INVALID_KEY = 'DyFM-CRY-IKY',
-  INVALID_DATA = 'DyFM-CRY-IDT'
-} */
-
-/**
- * Configuration options for encryption/decryption
- */
-export interface CryptoConfig {
-  ivLength?: number;
-  saltLength?: number;
-  keyIterations?: number;
-  keySize?: number;
-}
-
 /**
  * A utility class for secure encryption and decryption of data
- * Uses AES-256-CBC with PBKDF2 key derivation
+ * Uses AES-256-CBC with deterministic IV and salt for consistent results
  */
 export class DyFM_Crypto {
-  private static readonly DEFAULT_CONFIG: Required<CryptoConfig> = {
-    ivLength: 16, // 128 bits
-    saltLength: 16, // 128 bits
-    keyIterations: 10000,
-    keySize: 8 // 256 bits (8 * 32)
-  };
   private static readonly defaultErrorUserMsg = 
     `We encountered an unhandled Authentication Error, ` +
     `\nplease contact the responsible development team.`;
 
-  // Tömör: kb. 60–80 karakteres token, nem 200+
-  // Nem szabványos: nehéz visszafejteni
-  // Használható cookie, header, URL-ben
-  
   /**
-   * Validates the input data and key
-   * @throws {DyFM_Error} if validation fails
+   * Validates the encryption key
    */
-  private static validateInput(data: any, key: string): void {
-    if (!key || typeof key !== 'string' || key.trim().length === 0) {
+  private static validateKey(key: string): void {
+    if (!key || typeof key !== 'string') {
       throw new DyFM_Error({
-        ...this.getDefaultErrorSettings('validateInput'),
-        errorCode: 'DyFM-CRY-IKY',
-        message: 'Invalid encryption key'
+        status: 401,
+        message: 'Encryption key is required and must be a string',
+        errorCode: 'DyFM-CRY-KEY-REQ'
       });
     }
-
-    if (data === undefined || data === null) {
+    
+    if (key.trim().length === 0) {
       throw new DyFM_Error({
-        ...this.getDefaultErrorSettings('validateInput'),
-        errorCode: 'DyFM-CRY-IDT',
-        message: 'Invalid data to encrypt/decrypt'
+        status: 401,
+        message: 'Encryption key cannot be empty or whitespace-only',
+        errorCode: 'DyFM-CRY-KEY-EMPTY'
       });
     }
   }
 
-  /**
-   * Generates a deterministic IV based on the input data and key
-   */
-  private static generateIV(data: string, key: string, config: Required<CryptoConfig>): CryptoJS.lib.WordArray {
-    const hash = CryptoJS.SHA256(data + key);
-    return CryptoJS.lib.WordArray.create(hash.words.slice(0, config.ivLength / 4));
-  }
-
-  /**
-   * Generates a deterministic salt based on the input data and key
-   */
-  private static generateSalt(data: string, key: string, config: Required<CryptoConfig>): CryptoJS.lib.WordArray {
-    const hash = CryptoJS.SHA256(key + data);
-    return CryptoJS.lib.WordArray.create(hash.words.slice(0, config.saltLength / 4));
-  }
-
-  /**
-   * Derives a key using PBKDF2
-   */
-  private static deriveKey(key: string, salt: CryptoJS.lib.WordArray, config: Required<CryptoConfig>): CryptoJS.lib.WordArray {
-    return CryptoJS.PBKDF2(key, salt, {
-      keySize: config.keySize,
-      iterations: config.keyIterations
-    });
-  }
-
   /**
    * Safely serializes data to JSON
    */
@@ -141,40 +83,58 @@ export class DyFM_Crypto {
   }
 
   /**
-   * Encrypts data using AES-256-CBC
+   * Derives a 256-bit key from the passphrase using SHA256
+   */
+  private static deriveKey(key: string): CryptoJS.lib.WordArray {
+    return CryptoJS.SHA256(key);
+  }
+
+  /**
+   * Creates a deterministic IV from the key only
+   */
+  private static createDeterministicIV(key: string): CryptoJS.lib.WordArray {
+    const hash = CryptoJS.SHA256(key + ':iv');
+    return CryptoJS.lib.WordArray.create(hash.words.slice(0, 4)); // Use first 16 bytes (128 bits)
+  }
+
+  /**
+   * Encrypts data using AES-256-CBC with deterministic key and IV
    * @param data The data to encrypt
    * @param key The encryption key
-   * @param config Optional configuration
    * @returns URL-safe encrypted string
    * @throws {DyFM_Error} if encryption fails
    */
-  static encrypt<T>(data: T, key: string, config?: CryptoConfig): string {
+  static encrypt<T>(data: T, key: string): string {
     try {
-      this.validateInput(data, key);
-      const finalConfig = { ...this.DEFAULT_CONFIG, ...config };
+      // Validate key
+      this.validateKey(key);
+
+      // Validate data
+      if (data === undefined || data === null) {
+        throw new DyFM_Error({
+          status: 401,
+          message: 'Data cannot be undefined or null',
+          errorCode: 'DyFM-CRY-DATA-NULL'
+        });
+      }
 
       // Convert data to string
       const dataStr = this.safeSerialize(data);
 
-      // Generate deterministic IV and salt based on data and key
-      const iv = this.generateIV(dataStr, key, finalConfig);
-      const salt = this.generateSalt(dataStr, key, finalConfig);
-
-      // Derive key using PBKDF2
-      const derivedKey = this.deriveKey(key, salt, finalConfig);
+      // Derive key and IV
+      const aesKey = this.deriveKey(key);
+      const iv = this.createDeterministicIV(key);
 
-      // Encrypt the data
-      const encrypted = CryptoJS.AES.encrypt(dataStr, derivedKey, {
+      // Encrypt the data with deterministic key and IV
+      const encrypted = CryptoJS.AES.encrypt(dataStr, aesKey, {
         iv: iv,
         mode: CryptoJS.mode.CBC,
         padding: CryptoJS.pad.Pkcs7
       });
 
-      // Combine IV + Salt + Ciphertext
-      const combined = iv.concat(salt).concat(encrypted.ciphertext);
-
       // Convert to URL-safe base64
-      return CryptoJS.enc.Base64.stringify(combined)
+      const base64 = encrypted.ciphertext.toString(CryptoJS.enc.Base64);
+      return base64
         .replace(/\+/g, '-')
         .replace(/\//g, '_')
         .replace(/=+$/, '');
@@ -190,57 +150,57 @@ export class DyFM_Crypto {
    * Decrypts data that was encrypted using encrypt()
    * @param encryptedData The encrypted data
    * @param key The decryption key
-   * @param config Optional configuration
    * @returns The decrypted data
    * @throws {DyFM_Error} if decryption fails
    */
-  static decrypt<T>(encryptedData: string, key: string, config?: CryptoConfig): T {
+  static decrypt<T>(encryptedData: string, key: string): T {
     try {
-      this.validateInput(encryptedData, key);
-      const finalConfig = { ...this.DEFAULT_CONFIG, ...config };
+      // Validate key
+      this.validateKey(key);
+
+      // Validate encrypted data
+      if (!encryptedData || typeof encryptedData !== 'string') {
+        throw new DyFM_Error({
+          status: 401,
+          message: 'Encrypted data is required and must be a string',
+          errorCode: 'DyFM-CRY-DATA-REQ'
+        });
+      }
 
       // Convert from URL-safe base64
-      const base64 = encryptedData
+      let base64 = encryptedData
         .replace(/-/g, '+')
         .replace(/_/g, '/');
 
-      // Parse the combined data
-      const combined = CryptoJS.enc.Base64.parse(base64);
-
-      // Validate minimum length (IV + Salt + minimum ciphertext)
-      const minLength = (finalConfig.ivLength + finalConfig.saltLength + 16) / 4; // 16 bytes minimum for ciphertext
-      if (combined.words.length < minLength) {
-        throw new Error('Invalid encrypted data length');
+      // Add padding if needed
+      const padLength = 4 - (base64.length % 4);
+      if (padLength < 4) {
+        base64 += '='.repeat(padLength);
       }
 
-      // Extract IV, salt, and ciphertext
-      const iv = CryptoJS.lib.WordArray.create(combined.words.slice(0, finalConfig.ivLength / 4));
-      const salt = CryptoJS.lib.WordArray.create(
-        combined.words.slice(
-          finalConfig.ivLength / 4,
-          (finalConfig.ivLength + finalConfig.saltLength) / 4
-        )
-      );
-      const ciphertext = CryptoJS.lib.WordArray.create(
-        combined.words.slice((finalConfig.ivLength + finalConfig.saltLength) / 4)
-      );
-
-      // Derive key using PBKDF2
-      const derivedKey = this.deriveKey(key, salt, finalConfig);
+      // Derive key and IV
+      const aesKey = this.deriveKey(key);
+      const iv = this.createDeterministicIV(key);
 
       // Decrypt the data
-      const decrypted = CryptoJS.AES.decrypt(
-        { ciphertext: ciphertext },
-        derivedKey,
-        {
-          iv: iv,
-          mode: CryptoJS.mode.CBC,
-          padding: CryptoJS.pad.Pkcs7
-        }
-      );
+      const encryptedWA = CryptoJS.enc.Base64.parse(base64);
+      const decrypted = CryptoJS.AES.decrypt({ ciphertext: encryptedWA }, aesKey, {
+        iv: iv,
+        mode: CryptoJS.mode.CBC,
+        padding: CryptoJS.pad.Pkcs7
+      });
 
       // Parse JSON
       const decryptedStr = decrypted.toString(CryptoJS.enc.Utf8);
+      
+      if (!decryptedStr) {
+        throw new DyFM_Error({
+          status: 401,
+          message: 'Failed to decrypt data - invalid key or corrupted data',
+          errorCode: 'DyFM-CRY-DEC-FAIL'
+        });
+      }
+
       return this.safeDeserialize<T>(decryptedStr);
     } catch (error) {
       throw new DyFM_Error({
@@ -250,27 +210,6 @@ export class DyFM_Crypto {
     }
   }
 
-  /**
-   * Generates a secure random key
-   * @param length Length of the key in bytes (default: 32)
-   * @returns A secure random key
-   */
-  static generateKey(length: number = 32): string {
-    return CryptoJS.lib.WordArray.random(length).toString();
-  }
-
-  /**
-   * Validates if a string is a valid encrypted data
-   * @param encryptedData The data to validate
-   * @returns true if the data appears to be valid encrypted data
-   */
-  static isValidEncryptedData(encryptedData: string): boolean {
-    if (!encryptedData || typeof encryptedData !== 'string') {
-      return false;
-    }
-    return /^[A-Za-z0-9\-_]+$/.test(encryptedData);
-  }
-
   /**
    * Gets default error settings
    */