@jeanharo98/typed-storage 0.1.6 → 0.1.7

package/README.md

@@ -224,7 +224,8 @@ const appStorage = createStorage(schema, options);
 | `version` | `number` | — | Current schema version — required for migrations |
 | `migrations` | `Record<number, (data) => data>` | — | Migration functions per version |
 | `compress` | `boolean` | `false` | Compresses data with LZ-string before storing |
-| `encrypt` | `boolean` | `false` | Shows a security warning — see note below |
+| `encrypt` | `boolean` | `false` | Obfuscates data with XOR + Base64 — see security note below |
+| `secret` | `string` | — | Required when `encrypt: true` — the obfuscation key |
 
 ---
 
@@ -279,27 +280,79 @@ appStorage.theme.remove();     // → 'theme changed to: dark' (initialValue)
 
 ---
 
-## 🔒 A note on encryption
+## 🔒 Encryption (XOR obfuscation)
 
-If you pass `encrypt: true`, typed-storage will display a warning explaining why encrypting values in `localStorage` is not a secure practice — the encryption key must live in the frontend and is accessible to anyone who inspects your code.
+`typed-storage` can obfuscate values using XOR + Base64 before storing them. This is **not real cryptography** — read this section carefully before using it.
 
-For sensitive data such as auth tokens or personal information, use **httpOnly cookies** set by your server:
+```typescript
+const secureStorage = createStorage({
+    token: ''
+}, {
+    encrypt: true,
+    secret: 'your-secret-key',  // required when encrypt is true
+    ttl: 3600000                // recommended — expire alongside your real token
+});
+
+secureStorage.token.set('eyJhbGciOiJIUzI1NiJ9.xxx.yyy');
+// Stored in localStorage as obfuscated text, not the readable JWT
+
+const token = secureStorage.token();
+// Automatically decrypted — returns the real JWT
+```
+
+### ⚠️ What this actually protects against
+
+```
+✅ Hides the value from casual inspection in DevTools/Application/Storage
+✅ Discourages non-technical users from reading or copying the value
+✅ Combined with ttl, expires alongside your backend token
+
+❌ Does NOT protect against a technical attacker
+❌ Does NOT protect against debugger breakpoints — the secret and
+   decrypted value are visible in memory while the app runs
+❌ Is NOT equivalent to real cryptography (AES, etc.)
+```
+
+### Why this limitation exists — and why no frontend library can fix it
+
+The `secret` you pass lives in your JavaScript code, which runs in the user's browser. No matter the algorithm used (XOR, AES, anything), **the key must be present in the frontend to decrypt the value**, which means it's always inspectable:
+
+```
+1. The secret travels safely over HTTPS — that's not the problem
+2. Once it reaches the browser, it must be used by your JS to decrypt
+3. Anyone with DevTools open can set a breakpoint where decryption
+   happens and read the secret and the decrypted value directly
+4. This is true even with industry-standard encryption (Web Crypto AES) —
+   the algorithm's strength doesn't matter if the key is exposed
+```
+
+This is a fundamental limitation of any frontend-only encryption — not a flaw specific to typed-storage's XOR implementation.
+
+### For real security with auth tokens
 
 ```typescript
 // In your backend (Express / NestJS):
 res.cookie('authToken', token, {
-  httpOnly: true,   // not accessible from JavaScript
-  secure: true,     // HTTPS only
-  sameSite: 'strict'
+    httpOnly: true,   // JavaScript cannot read this — ever
+    secure: true,     // HTTPS only
+    sameSite: 'strict'
 });
 ```
 
-typed-storage is designed for:
-- ✅ UI preferences (theme, language, font size)
-- ✅ Navigation state (last visited, sidebar open)
-- ✅ Non-sensitive user settings
-- ❌ Auth tokens → use httpOnly cookies
-- ❌ Passwords or financial data → never in localStorage
+httpOnly cookies are the only approach where the token never becomes accessible to JavaScript running in the browser — because the browser itself enforces the restriction, not your code.
+
+### When `encrypt` is still worth using
+
+```
+✅ You understand it's obfuscation, not security
+✅ You want to deter casual inspection, not block determined attackers
+✅ You're combining it with ttl so values expire predictably
+✅ The data isn't critical enough to justify httpOnly cookie infrastructure
+   (e.g. you're prototyping, or it's a low-stakes internal tool)
+
+❌ Don't rely on this alone for banking, healthcare, or any data where
+   a breach has real consequences — use httpOnly cookies on the backend
+```
 
 ---
 

package/dist/create-storage.js

@@ -17,24 +17,6 @@ export function createStorage(schema, options) {
     }
     const sto = options?.storage === 'session' ? sessionStorage : localStorage;
     registerPrefix(options?.prefix ?? '', sto);
-    if (options?.encrypt) {
-        console.warn(`
-⚠️  typed-storage: la opción encrypt está activada.
-
-Encriptar valores en localStorage no es seguro — 
-la clave vive en el frontend y cualquier dev puede accederla.
-
-Para datos sensibles usa:
-    ✅ httpOnly cookies (tokens, sesiones)
-    ✅ Variables de entorno en el servidor
-  
-typed-storage es ideal para:
-    ✅ Preferencias de UI (theme, language)
-    ✅ Estado de navegación
-    ❌ Tokens de autenticación
-    ❌ Datos financieros o personales sensibles
-        `);
-    }
     const result = [];
     let keys = Object.keys(schema);
     for (let key of keys) {

package/dist/storage-signal.js

@@ -1,5 +1,6 @@
 import LZString from 'lz-string';
 import { MemoryStorage } from "./memory-storage.js";
+import { xorEncrypt, xorDecrypt } from './xor.js';
 function safeParseJSON(value, fallback) {
     if (!value)
         return { value: fallback };
@@ -33,9 +34,17 @@ export function createStorageSignal(key, initialValue, options) {
         key = `${options.prefix}:${key}`;
     }
     const rawData = sto.getItem(key);
-    const savedData = options?.compress && rawData
+    let savedData = options?.compress && rawData
         ? LZString.decompress(rawData)
         : rawData;
+    if (options?.encrypt && options?.secret && savedData) {
+        try {
+            savedData = xorDecrypt(savedData, options.secret);
+        }
+        catch {
+            savedData = null;
+        }
+    }
     let currentValue;
     const listeners = [];
     function notify(value) {
@@ -64,9 +73,17 @@ export function createStorageSignal(key, initialValue, options) {
                     notify(initialValue);
                     return currentValue = initialValue;
                 }
-                const rawNewValue = options?.compress
+                let rawNewValue = options?.compress
                     ? LZString.decompress(event.newValue)
                     : event.newValue;
+                if (options?.encrypt && options?.secret) {
+                    try {
+                        rawNewValue = xorDecrypt(rawNewValue, options.secret);
+                    }
+                    catch {
+                        rawNewValue = '';
+                    }
+                }
                 const item = safeParseJSON(rawNewValue, initialValue);
                 notify(item.value);
                 return currentValue = item.value;
@@ -80,9 +97,12 @@ export function createStorageSignal(key, initialValue, options) {
             value: newValue,
             expiresAt: options?.ttl ? Date.now() + options.ttl : undefined
         });
-        const finalData = options?.compress
+        let finalData = options?.compress
             ? LZString.compress(dataToStore)
             : dataToStore;
+        if (options?.encrypt && options?.secret) {
+            finalData = xorEncrypt(finalData, options.secret);
+        }
         sto.setItem(key, finalData);
     };
     signalBase.reset = function () {

package/dist/types.d.ts

@@ -4,6 +4,7 @@ export interface StorageSignalOptions {
     ttl?: number;
     sync?: boolean;
     encrypt?: boolean;
+    secret?: string;
     version?: number;
     migrations?: Record<number, (data: any) => any>;
     compress?: boolean;

package/dist/xor.d.ts

@@ -0,0 +1,3 @@
+export declare function xorTransform(text: string, secret: string): string;
+export declare function xorEncrypt(text: string, secret: string): string;
+export declare function xorDecrypt(text: string, secret: string): string;

package/dist/xor.js

@@ -0,0 +1,14 @@
+export function xorTransform(text, secret) {
+    return text.split('').map((char, i) => {
+        const keyChar = secret[i % secret.length];
+        return String.fromCharCode(char.charCodeAt(0) ^ keyChar.charCodeAt(0));
+    }).join('');
+}
+export function xorEncrypt(text, secret) {
+    const xored = xorTransform(text, secret);
+    return btoa(xored);
+}
+export function xorDecrypt(text, secret) {
+    const xored = atob(text);
+    return xorTransform(xored, secret);
+}

package/index.html

@@ -5,41 +5,20 @@
 </head>
 <body>
     <script type="module">
-        import { createHeavyStorage } from './dist/index.js';
+        import { createStorage } from './dist/index.js';
 
-        const heavyStorage = createHeavyStorage({
-            documents: [],
-            userPhotos: []
+        const secureStorage = createStorage({
+            token: ''
         }, {
-            dbName: 'test-heavy-storage'
+            prefix: 'secure',
+            encrypt: true,
+            secret: 'mi-clave-secreta',
+            ttl: 3600000
         });
 
-        async function test() {
-            // Set
-            await heavyStorage.documents.set([
-                { id: 1, name: 'Documento 1' },
-                { id: 2, name: 'Documento 2' }
-            ]);
-            console.log('✅ Documentos guardados');
-
-            // Get
-            const docs = await heavyStorage.documents.get();
-            console.log('📄 Documentos leídos:', docs);
-
-            // onChange
-            heavyStorage.documents.onChange((newValue) => {
-                console.log('🔔 documents cambió a:', newValue);
-            });
-
-            await heavyStorage.documents.set([{ id: 3, name: 'Documento nuevo' }]);
-
-            // Remove
-            await heavyStorage.userPhotos.remove();
-            const photos = await heavyStorage.userPhotos.get();
-            console.log('🗑️ userPhotos después de remove:', photos);
-        }
-
-        test();
+        secureStorage.token.set('eyJhbGciOiJIUzI1NiJ9.test.jwt');
+        console.log('Valor leído:', secureStorage.token());
+        console.log('Valor en localStorage (debe estar ofuscado):', localStorage.getItem('secure:token'));
     </script>
 </body>
 </html>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jeanharo98/typed-storage",
-  "version": "0.1.6",
+  "version": "0.1.7",
   "description": "Type-safe localStorage with reactive signals",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/create-storage.ts

@@ -42,25 +42,6 @@ export function createStorage<T extends StorageSchema>(
     const sto = options?.storage === 'session' ? sessionStorage : localStorage;
     registerPrefix(options?.prefix ?? '', sto);
 
-    if ( options?.encrypt ) {
-        console.warn(`
-⚠️  typed-storage: la opción encrypt está activada.
-
-Encriptar valores en localStorage no es seguro — 
-la clave vive en el frontend y cualquier dev puede accederla.
-
-Para datos sensibles usa:
-    ✅ httpOnly cookies (tokens, sesiones)
-    ✅ Variables de entorno en el servidor
-  
-typed-storage es ideal para:
-    ✅ Preferencias de UI (theme, language)
-    ✅ Estado de navegación
-    ❌ Tokens de autenticación
-    ❌ Datos financieros o personales sensibles
-        `);
-    }
-
     const result: any = [];
 
     let keys = Object.keys(schema);

package/src/storage-signal.test.ts

@@ -118,4 +118,44 @@ describe('compress option', () => {
         
         expect(compressedSize).toBeLessThan(uncompressedSize);
     });
+});
+
+describe('encrypt option', () => {
+    beforeEach(() => localStorage.clear());
+
+    it('debe ofuscar el valor guardado en localStorage', () => {
+        const signal = createStorageSignal('token', '', {
+            encrypt: true,
+            secret: 'mi-clave'
+        });
+
+        signal.set('eyJhbGciOiJIUzI1NiJ9.test.jwt');
+
+        const rawStored = localStorage.getItem('token');
+        // El valor crudo NO debe contener el JWT en texto plano
+        expect(rawStored).not.toContain('eyJhbGciOiJIUzI1NiJ9');
+    });
+
+    it('debe desencriptar correctamente al leer', () => {
+        const signal = createStorageSignal('token', '', {
+            encrypt: true,
+            secret: 'mi-clave'
+        });
+
+        const originalValue = 'eyJhbGciOiJIUzI1NiJ9.test.jwt';
+        signal.set(originalValue);
+
+        expect(signal()).toBe(originalValue);
+    });
+
+    it('debe funcionar junto con TTL', () => {
+        const signal = createStorageSignal('token', '', {
+            encrypt: true,
+            secret: 'mi-clave',
+            ttl: 1000
+        });
+
+        signal.set('mi-token');
+        expect(signal()).toBe('mi-token');
+    });
 });

package/src/storage-signal.ts

@@ -6,6 +6,9 @@ import { StorageSignal, StorageSignalOptions } from "./types.js";
 // Memory
 import { MemoryStorage } from "./memory-storage.js";
 
+// Xor
+import { xorEncrypt, xorDecrypt } from './xor.js';
+
 // Interface
 interface StoredValue<T> {
     value: T;
@@ -66,9 +69,18 @@ export function createStorageSignal<T>(
     }
 
     const rawData = sto.getItem(key);
-    const savedData = options?.compress && rawData 
+    let savedData = options?.compress && rawData 
                             ? LZString.decompress(rawData) 
                             : rawData;
+
+    // Desencripta si encrypt está activo
+    if ( options?.encrypt && options?.secret && savedData ) {
+        try {
+            savedData = xorDecrypt(savedData, options.secret);
+        } catch {
+            savedData = null; // si falla desencriptar, trata como vacío
+        }
+    }
     let currentValue: T;
 
     const listeners: Array<(value: T) => void> = [];
@@ -106,9 +118,17 @@ export function createStorageSignal<T>(
                 } 
 
                 // Parseamos el nuevo valor
-                const rawNewValue = options?.compress 
+                let rawNewValue = options?.compress 
                                         ? LZString.decompress(event.newValue)
                                         : event.newValue;
+
+                if ( options?.encrypt && options?.secret ) {
+                    try {
+                        rawNewValue = xorDecrypt(rawNewValue, options.secret);
+                    } catch {
+                        rawNewValue = '';
+                    }
+                }
                 const item = safeParseJSON(rawNewValue, initialValue);
 
                 notify(item.value as T);
@@ -126,10 +146,14 @@ export function createStorageSignal<T>(
             expiresAt: options?.ttl ? Date.now() + options.ttl : undefined
         });
 
-        const finalData = options?.compress 
+        let finalData = options?.compress 
                                 ? LZString.compress(dataToStore) 
                                 : dataToStore;
 
+        if ( options?.encrypt && options?.secret ) {
+            finalData = xorEncrypt(finalData, options.secret);
+        }
+
         sto.setItem( key, finalData );
     }
 

package/src/types.ts

@@ -5,6 +5,7 @@ export interface StorageSignalOptions {
     ttl?: number;
     sync?: boolean;
     encrypt?: boolean;
+    secret?: string; // Requerido si el encrypt es true
     version?: number;
     migrations?: Record<number, ( data: any ) => any>;
     compress?: boolean;

package/src/xor.ts

@@ -0,0 +1,18 @@
+export function xorTransform ( text: string, secret: string ): string {
+    return text.split('').map((char, i) => {
+        const keyChar = secret[i % secret.length];
+        return String.fromCharCode(
+            char.charCodeAt(0) ^ keyChar.charCodeAt(0)
+        );
+    }).join('');
+}
+
+export function xorEncrypt ( text: string, secret: string ): string {
+    const xored = xorTransform(text, secret);
+    return btoa(xored);
+}
+
+export function xorDecrypt ( text: string, secret: string ): string {
+    const xored = atob(text);
+    return xorTransform(xored, secret);
+}