@lastshotlabs/bunshot 0.0.25 → 0.0.28

package/dist/src/lib/authConfig.d.ts

@@ -0,0 +1,532 @@
+import type { SamlProfile } from "../../packages/bunshot-auth/src/lib/saml";
+import type { EmailTemplate } from "../../packages/bunshot-auth/src/lib/emailTemplates";
+import type { DataEncryptionKey } from "../shared/lib/crypto";
+export type PrimaryField = "email" | "username" | "phone";
+export declare const setPrimaryField: (field: PrimaryField) => void;
+export declare const getPrimaryField: () => PrimaryField;
+export interface ConcealRegistrationConfig {
+    /**
+     * Called when a registration attempt is made for an email that already exists.
+     * Use to notify the existing user (e.g. "Someone tried to register with your email").
+     * Only valid when primaryField === "email" — startup throws otherwise.
+     */
+    onExistingAccount?: (identifier: string) => Promise<void>;
+}
+export declare const setConcealRegistrationConfig: (config: ConcealRegistrationConfig | null) => void;
+export declare const getConcealRegistrationConfig: () => ConcealRegistrationConfig | null;
+export interface EmailVerificationConfig {
+    /** Block login until email is verified. Defaults to false (soft gate — emailVerified returned in login response). */
+    required?: boolean;
+    /** Token time-to-live in seconds. Defaults to 86 400 (24 hours). */
+    tokenExpiry?: number;
+}
+export declare const setEmailVerificationConfig: (config: EmailVerificationConfig | null) => void;
+export declare const getEmailVerificationConfig: () => EmailVerificationConfig | null;
+export declare const getTokenExpiry: () => number;
+export interface PasswordResetConfig {
+    /** Token time-to-live in seconds. Defaults to 3 600 (1 hour). */
+    tokenExpiry?: number;
+}
+export declare const setPasswordResetConfig: (config: PasswordResetConfig | null) => void;
+export declare const getPasswordResetConfig: () => PasswordResetConfig | null;
+export declare const getResetTokenExpiry: () => number;
+export interface MagicLinkConfig {
+    /** Token time-to-live in seconds. Defaults to 900 (15 min). */
+    ttlSeconds?: number;
+    /** Base URL for the magic link (e.g. "https://app.com/auth/magic"). */
+    linkBaseUrl?: string;
+    /** Store backend for magic link tokens. Defaults to the sessions store. */
+    store?: "memory" | "redis" | "sqlite" | "mongo";
+}
+export declare const setMagicLinkConfig: (config: MagicLinkConfig | null) => void;
+export declare const getMagicLinkConfig: () => MagicLinkConfig | null;
+export declare const getMagicLinkTtl: () => number;
+export interface PasswordPolicyConfig {
+    /** Minimum password length. Defaults to 8. */
+    minLength?: number;
+    /** Require at least one letter (a-z or A-Z). Defaults to true. */
+    requireLetter?: boolean;
+    /** Require at least one digit (0-9). Defaults to true. */
+    requireDigit?: boolean;
+    /** Require at least one special character. Defaults to false. */
+    requireSpecial?: boolean;
+    /** Number of previous password hashes to remember. Prevents password reuse. Default: disabled (0). */
+    preventReuse?: number;
+}
+export declare const setPasswordPolicy: (config: PasswordPolicyConfig) => void;
+export declare const getPasswordPolicy: () => PasswordPolicyConfig;
+export declare const getPasswordPolicyPreventReuse: () => number;
+export interface AuthCookieConfig {
+    sameSite?: "Strict" | "Lax" | "None";
+    secure?: boolean;
+    domain?: string;
+    path?: string;
+    /** Max age in seconds. Default: 604800 (7 days). */
+    maxAge?: number;
+}
+export interface CsrfCookieConfig {
+    sameSite?: "Strict" | "Lax" | "None";
+    secure?: boolean;
+    domain?: string;
+    path?: string;
+    /** Max age in seconds. Default: 31536000 (1 year). */
+    maxAge?: number;
+}
+export declare function setAuthCookieConfig(c: AuthCookieConfig): void;
+export declare function getAuthCookieConfig(): AuthCookieConfig;
+export declare function setCsrfCookieConfig(c: CsrfCookieConfig): void;
+export declare function getCsrfCookieConfig(): CsrfCookieConfig;
+/** Minimal session policy shape stored in the singleton. Matches AuthSessionPolicyConfig in app.ts. */
+export interface SessionPolicySnapshot {
+    maxSessions?: number;
+    persistSessionMetadata?: boolean;
+    includeInactiveSessions?: boolean;
+    trackLastActive?: boolean;
+    absoluteTimeout?: number;
+    idleTimeout?: number;
+    onPasswordChange?: "revoke_others" | "revoke_all_and_reissue" | "none";
+}
+export declare const setMaxSessions: (n: number) => void;
+export declare const getMaxSessions: () => number;
+export declare const setPersistSessionMetadata: (v: boolean) => void;
+export declare const getPersistSessionMetadata: () => boolean;
+export declare const setIncludeInactiveSessions: (v: boolean) => void;
+export declare const getIncludeInactiveSessions: () => boolean;
+export declare const setTrackLastActive: (v: boolean) => void;
+export declare const getTrackLastActive: () => boolean;
+export declare function setSessionPolicyConfig(p: SessionPolicySnapshot): void;
+export declare function getSessionPolicyConfig(): SessionPolicySnapshot;
+export interface RefreshTokenConfig {
+    /** Access token expiry in seconds. Default: 900 (15 min). */
+    accessTokenExpiry?: number;
+    /** Refresh token expiry in seconds. Default: 2_592_000 (30 days). */
+    refreshTokenExpiry?: number;
+    /** Grace window in seconds where the old refresh token still works after rotation.
+     *  Prevents lockout when the client's network drops mid-refresh. Default: 30. */
+    rotationGraceSeconds?: number;
+}
+export declare const setRefreshTokenConfig: (config: RefreshTokenConfig | null) => void;
+export declare const getRefreshTokenConfig: () => RefreshTokenConfig | null;
+export declare const getAccessTokenExpiry: () => number;
+export declare const getRefreshTokenExpiry: () => number;
+export declare const getRotationGraceSeconds: () => number;
+export interface MfaEmailOtpConfig {
+    /** OTP code length. Default: 6. */
+    codeLength?: number;
+}
+export interface MfaWebAuthnConfig {
+    /** Relying Party ID - typically the domain (e.g. "example.com"). Required. */
+    rpId: string;
+    /** Relying Party name shown in browser prompts. Defaults to app name. */
+    rpName?: string;
+    /** Expected origin(s) - full origin URL(s) like "https://example.com". Required. */
+    origin: string | string[];
+    /** Supported attestation conveyance preference. Default: "none". */
+    attestationType?: "none" | "direct" | "enterprise";
+    /** Authenticator attachment preference. Default: undefined (allows both platform + cross-platform). */
+    authenticatorAttachment?: "platform" | "cross-platform";
+    /** User verification requirement. Default: "preferred". */
+    userVerification?: "required" | "preferred" | "discouraged";
+    /** Timeout for ceremonies in milliseconds. Default: 60000 (60s). */
+    timeout?: number;
+    /** Reject authentication when sign count goes backward (cloned key detection). Default: false (accept + warn). */
+    strictSignCount?: boolean;
+    /** Allow passwordless (first-factor) passkey login. When true, mounts POST /auth/passkey/login-options and POST /auth/passkey/login. Default: false. */
+    allowPasswordlessLogin?: boolean;
+    /** When true (default), a verified passkey login satisfies MFA - no subsequent TOTP/OTP prompt even if the user has MFA enabled. Set false to require MFA after passkey login. */
+    passkeyMfaBypass?: boolean;
+}
+export interface MfaConfig {
+    /** Issuer name shown in authenticator apps. Defaults to app name. */
+    issuer?: string;
+    /** TOTP algorithm. Default: "SHA1" (most compatible). */
+    algorithm?: "SHA1" | "SHA256" | "SHA512";
+    /** TOTP digits. Default: 6. */
+    digits?: number;
+    /** TOTP period in seconds. Default: 30. */
+    period?: number;
+    /** Number of recovery codes to generate. Default: 10. */
+    recoveryCodes?: number;
+    /** MFA challenge window in seconds. Default: 300 (5 min). */
+    challengeTtlSeconds?: number;
+    /** Email OTP configuration. When set, enables email-based MFA as an option. */
+    emailOtp?: MfaEmailOtpConfig;
+    /** WebAuthn/FIDO2 configuration. When set, enables security key MFA routes. */
+    webauthn?: MfaWebAuthnConfig;
+    /** When true, authenticated users must complete MFA setup before accessing non-auth endpoints. Default: false. */
+    required?: boolean;
+}
+export declare const setMfaConfig: (config: MfaConfig | null) => void;
+export declare const getMfaConfig: () => MfaConfig | null;
+export declare const getMfaIssuer: () => string;
+export declare const getMfaAlgorithm: () => string;
+export declare const getMfaDigits: () => number;
+export declare const getMfaPeriod: () => number;
+export declare const getMfaRecoveryCodeCount: () => number;
+export declare const getMfaChallengeTtl: () => number;
+export declare const getMfaEmailOtpConfig: () => MfaEmailOtpConfig | null;
+export declare const getMfaEmailOtpCodeLength: () => number;
+export declare const getMfaWebAuthnConfig: () => MfaWebAuthnConfig | null;
+export declare const getMfaRequired: () => boolean;
+export declare const getMfaWebAuthnAllowPasswordlessLogin: () => boolean;
+export declare const getMfaWebAuthnPasskeyMfaBypass: () => boolean;
+export declare const setCsrfEnabled: (v: boolean) => void;
+export declare const getCsrfEnabled: () => boolean;
+export interface SigningConfig {
+    /**
+     * HMAC secret. Defaults to JWT_SECRET_DEV/JWT_SECRET_PROD env var if omitted.
+     * Pass string[] to support key rotation - first element signs, all elements verify.
+     */
+    secret?: string | string[];
+    /** Sign/verify cookie values set via exported helpers. Default: false. */
+    cookies?: boolean;
+    /** Sign pagination cursor tokens to prevent client tampering. Default: false. */
+    cursors?: boolean;
+    /** HMAC-based stateless presigned URLs (no DB lookup). Default: false. */
+    presignedUrls?: boolean | {
+        defaultExpiry?: number;
+    };
+    /** Require clients to HMAC-sign requests (method+path+timestamp+body). Default: false. */
+    requestSigning?: boolean | {
+        tolerance?: number;
+        header?: string;
+        timestampHeader?: string;
+    };
+    /** Hash idempotency keys before storage. Default: false. */
+    idempotencyKeys?: boolean;
+    /** Bind sessions to client IP+UA fingerprint. Default: false. */
+    sessionBinding?: boolean | {
+        fields?: Array<"ip" | "ua" | "accept-language">;
+        onMismatch?: "unauthenticate" | "reject" | "log-only";
+    };
+}
+export declare const setSigningConfig: (config: SigningConfig | null) => void;
+export declare const getSigningConfig: () => SigningConfig | null;
+export declare const isSigningConfigured: () => boolean;
+/**
+ * Returns the active signing secret: signing.secret -> JWT_SECRET_PROD/DEV env var.
+ * Returns null when neither is configured - callers must handle this gracefully.
+ */
+export declare const getSigningSecret: () => string | string[] | null;
+export interface JwtConfig {
+    /** JWT issuer claim (`iss`). When set, added to all tokens and validated on verify. */
+    issuer?: string;
+    /** JWT audience claim (`aud`). When set, added to all tokens and validated on verify. */
+    audience?: string | string[];
+    /** JWT signing algorithm. Default: "HS256". Use "RS256" for OIDC. Requires OidcConfig when set to "RS256". */
+    algorithm?: "HS256" | "RS256";
+}
+export declare const setJwtConfig: (config: JwtConfig | null) => void;
+export declare const getJwtConfig: () => JwtConfig | null;
+export declare const getJwtIssuer: () => string | undefined;
+export declare const getJwtAudience: () => string | string[] | undefined;
+export interface BreachedPasswordConfig {
+    /** Block registration/reset when password is breached. Default: true. */
+    block?: boolean;
+    /** Minimum breach count to consider breached. Default: 1. */
+    minBreachCount?: number;
+    /** Request timeout in ms. Default: 3000. */
+    timeout?: number;
+    /** What to do when the HIBP API is unavailable. Default: "allow". */
+    onApiFailure?: "allow" | "block";
+}
+export declare const setBreachedPasswordConfig: (config: BreachedPasswordConfig | null) => void;
+export declare const getBreachedPasswordConfig: () => BreachedPasswordConfig | null;
+export interface OAuthReauthConfig {
+    /** Enable OAuth provider re-auth endpoints. Default: false. */
+    enabled?: boolean;
+    /**
+     * How to force re-authentication at the provider.
+     * - "login": force the user to re-enter credentials (default)
+     * - "consent": force a full consent screen (useful for Google/Microsoft)
+     * - "select_account": show account picker
+     */
+    promptType?: "login" | "consent" | "select_account";
+}
+export declare const setOAuthReauthConfig: (config: OAuthReauthConfig | null) => void;
+export declare const getOAuthReauthConfig: () => OAuthReauthConfig | null;
+export declare const getOAuthReauthEnabled: () => boolean;
+export declare const getOAuthReauthPromptType: () => "login" | "consent" | "select_account";
+export interface StepUpConfig {
+    /** Max age in seconds since last MFA verification. Default: 300 (5 min). */
+    maxAge?: number;
+}
+export declare const setStepUpConfig: (config: StepUpConfig | null) => void;
+export declare const getStepUpConfig: () => StepUpConfig | null;
+export declare const setCheckSuspensionOnIdentify: (v: boolean) => void;
+export declare const getCheckSuspensionOnIdentify: () => boolean;
+export declare const setCaptchaConfig: (config: import("../framework/lib/captcha").CaptchaConfig | null) => void;
+export declare const getCaptchaConfig: () => import("../../packages/bunshot-core/src/index.js").CaptchaConfig | null;
+export interface M2MConfig {
+    enabled?: boolean;
+    /** Access token expiry in seconds. Default: 3600 (1 hour). */
+    tokenExpiry?: number;
+    /** Allowed scopes for M2M clients. */
+    scopes?: string[];
+}
+export declare const setM2MConfig: (config: M2MConfig | null) => void;
+export declare const getM2MConfig: () => M2MConfig | null;
+export declare const getM2MTokenExpiry: () => number;
+export interface SamlConfig {
+    /** Service Provider entity ID (e.g. "https://yourapp.com/auth/saml"). */
+    entityId: string;
+    /** Assertion Consumer Service URL. */
+    acsUrl: string;
+    /** IdP metadata - XML string or URL. */
+    idpMetadata: string;
+    /** SP signing private key PEM. Optional. */
+    signingKey?: string;
+    /** SP signing certificate PEM. Optional. */
+    signingCert?: string;
+    /** Map IdP attribute names to profile fields. */
+    attributeMapping?: {
+        email?: string;
+        firstName?: string;
+        lastName?: string;
+        groups?: string;
+    };
+    /** Custom user lookup/creation. When provided, takes precedence over findOrCreateByProvider. */
+    onLogin?: (profile: SamlProfile) => Promise<{
+        userId: string;
+    }>;
+    /** Where to redirect after successful SAML login. Default: "/". */
+    postLoginRedirect?: string;
+}
+export declare const setSamlConfig: (config: SamlConfig | null) => void;
+export declare const getSamlConfig: () => SamlConfig | null;
+export interface OidcConfig {
+    enabled?: boolean;
+    /** JWT issuer - included in all tokens and OIDC discovery doc. Required. */
+    issuer: string;
+    /** RSA signing key. If not provided, a key pair is auto-generated on startup. */
+    signingKey?: {
+        privateKey: string;
+        publicKey: string;
+        kid?: string;
+    };
+    /** Previous signing keys for rotation (verification only). */
+    previousKeys?: Array<{
+        publicKey: string;
+        kid?: string;
+    }>;
+    /** Scopes advertised in the discovery document. Default: ["openid"]. */
+    scopes?: string[];
+    /** Token endpoint URL. Defaults to `${issuer}/oauth/token`. */
+    tokenEndpoint?: string;
+}
+export declare const setOidcConfig: (config: OidcConfig | null) => void;
+export declare const getOidcConfig: () => OidcConfig | null;
+export interface ScimConfig {
+    enabled?: boolean;
+    /** Bearer token(s) for SCIM endpoint authentication. Required. */
+    bearerTokens: string | string[];
+    /** Username mapping strategy. Default: "email". */
+    userMapping?: {
+        userName?: "email" | "username";
+    };
+    /** What to do when a user is deleted via SCIM. Default: "suspend". */
+    onDeprovision?: "suspend" | "delete" | ((userId: string) => Promise<void>);
+}
+export declare const setScimConfig: (config: ScimConfig | null) => void;
+export declare const getScimConfig: () => ScimConfig | null;
+export interface EmailTemplatesConfig {
+    /** App name used in all templates as {{appName}}. Falls back to the configured app name. */
+    appName?: string;
+    emailVerification?: Partial<EmailTemplate>;
+    passwordReset?: Partial<EmailTemplate>;
+    magicLink?: Partial<EmailTemplate>;
+    emailOtp?: Partial<EmailTemplate>;
+    welcomeEmail?: Partial<EmailTemplate>;
+    accountDeletion?: Partial<EmailTemplate>;
+    orgInvitation?: Partial<EmailTemplate>;
+}
+export declare const setEmailTemplatesConfig: (config: EmailTemplatesConfig | null) => void;
+export declare const getEmailTemplatesConfig: () => EmailTemplatesConfig | null;
+export interface BearerAuthClient {
+    /** Stable identifier for this API client (set on Hono context as `bearerClientId`). */
+    clientId: string;
+    /** The bearer token value. */
+    token: string;
+    /** Optional human-readable label (e.g. "CI/CD pipeline", "Mobile app"). */
+    description?: string;
+    /** When true, the token is rejected even if it matches. Soft-revoke without deletion. */
+    revoked?: boolean;
+}
+/**
+ * Bearer auth token config.
+ * - string: single token (legacy, env-var driven)
+ * - string[]: multiple tokens, no clientId tracking
+ * - BearerAuthClient[]: named clients with revocation and clientId context
+ */
+export type BearerAuthConfig = string | string[] | BearerAuthClient[];
+export interface HookContext {
+    ip?: string;
+    userAgent?: string;
+    requestId?: string;
+}
+export interface PostLoginResult {
+    customClaims?: Record<string, unknown>;
+}
+export interface AuthHooksConfig {
+    preRegister?: (data: {
+        identifier: string;
+    } & HookContext) => Promise<void>;
+    postRegister?: (data: {
+        userId: string;
+        identifier: string;
+    } & HookContext) => Promise<void>;
+    preLogin?: (data: {
+        identifier: string;
+    } & HookContext) => Promise<void>;
+    postLogin?: (data: {
+        userId: string;
+        sessionId: string;
+    } & HookContext) => Promise<PostLoginResult | void>;
+    prePasswordChange?: (data: {
+        userId: string;
+    } & HookContext) => Promise<void>;
+    postPasswordChange?: (data: {
+        userId: string;
+    } & HookContext) => Promise<void>;
+    preDeleteAccount?: (data: {
+        userId: string;
+    } & HookContext) => Promise<void>;
+    postDeleteAccount?: (data: {
+        userId: string;
+    } & HookContext) => Promise<void>;
+}
+export declare function setHooksConfig(h: AuthHooksConfig): void;
+export declare function getHooksConfig(): AuthHooksConfig;
+export interface AuthRateLimitConfig {
+    /** Max login failures per window before the account is locked. Default: 10 per 15 min. */
+    login?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max registration attempts per IP per window. Default: 5 per hour. */
+    register?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max email verification attempts per IP per window. Default: 10 per 15 min. */
+    verifyEmail?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max resend-verification attempts per user per window. Default: 3 per hour. */
+    resendVerification?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max forgot-password requests per IP per window. Default: 5 per 15 min. */
+    forgotPassword?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max reset-password attempts per IP per window. Default: 10 per 15 min. */
+    resetPassword?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max account deletion attempts per user per window. Default: 3 per hour. */
+    deleteAccount?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max MFA verification attempts per IP per window. Default: 10 per 15 min. */
+    mfaVerify?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /** Max MFA email OTP resend attempts per IP per window. Default: 5 per minute. */
+    mfaResend?: {
+        windowMs?: number;
+        max?: number;
+    };
+    /**
+     * Store backend for auth rate limit counters.
+     * Defaults to "redis" when Redis is enabled, otherwise "memory".
+     * Use "redis" for multi-instance deployments so limits are shared across servers.
+     */
+    store?: "memory" | "redis";
+    /** Credential stuffing detection. Tracks distinct accounts per IP and IPs per account. */
+    credentialStuffing?: {
+        maxAccountsPerIp?: {
+            count: number;
+            windowMs: number;
+        };
+        maxIpsPerAccount?: {
+            count: number;
+            windowMs: number;
+        };
+        onDetected?: (signal: {
+            type: "ip" | "account";
+            key: string;
+            count: number;
+        }) => void;
+    };
+}
+export interface AccountDeletionConfig {
+    /** Called before deletion. Throw to abort (e.g., active subscription check). */
+    onBeforeDelete?: (userId: string) => Promise<void>;
+    /** Called after auth data is deleted. Runs at execution time — query current state, not a snapshot. */
+    onAfterDelete?: (userId: string) => Promise<void>;
+    /** When true, deletion is queued as a BullMQ job instead of running synchronously. Requires Redis + BullMQ. */
+    queued?: boolean;
+    /** Grace period in seconds before queued deletion executes. Default: 0 (immediate). */
+    gracePeriod?: number;
+    /**
+     * When true, OAuth-only accounts (no password, no MFA) cannot delete their account via DELETE /auth/me
+     * because there is no verifiable factor. They must set a password or enable MFA first.
+     * When false (default), OAuth-only accounts can delete without verification.
+     */
+    requireVerification?: boolean;
+}
+export interface AuthSessionPolicyConfig {
+    /** Max simultaneous active sessions per user. Oldest is evicted when exceeded. Default: 6. */
+    maxSessions?: number;
+    /**
+     * Retain session metadata (IP, user-agent, timestamps) after a session expires or is deleted.
+     * Enables future novel-device/location detection. Default: true.
+     */
+    persistSessionMetadata?: boolean;
+    /**
+     * Include inactive (expired/deleted) sessions in GET /auth/sessions.
+     * Only meaningful when persistSessionMetadata is true. Default: false.
+     */
+    includeInactiveSessions?: boolean;
+    /**
+     * Update lastActiveAt on every authenticated request.
+     * Adds one DB write per auth'd request. Default: false.
+     * Automatically enabled when idleTimeout is set.
+     */
+    trackLastActive?: boolean;
+    /**
+     * Absolute session TTL in seconds. Sessions expire this long after creation regardless of activity.
+     * Default: 604800 (7 days). Also controls the auth cookie maxAge when not overridden by cookieConfig.
+     */
+    absoluteTimeout?: number;
+    /**
+     * Idle timeout in seconds. Sessions are revoked when lastActiveAt is older than this value.
+     * Requires trackLastActive to be meaningful — automatically enables it when set.
+     * Refresh token rotation counts as activity (rotateRefreshToken updates lastActiveAt).
+     */
+    idleTimeout?: number;
+    /**
+     * What to do with sessions after a successful password change via POST /auth/set-password.
+     * - "revoke_others" (default): revoke all sessions except the current one
+     * - "revoke_all_and_reissue": revoke all sessions, create a new session, return new token
+     * - "none": do nothing (not recommended)
+     */
+    onPasswordChange?: "revoke_others" | "revoke_all_and_reissue" | "none";
+}
+export type { DataEncryptionKey } from "../shared/lib/crypto";
+/**
+ * Parse data encryption keys from the BUNSHOT_DATA_ENCRYPTION_KEY env var.
+ * Env var format: comma-separated "keyId:base64key" pairs, first is active.
+ * Example: "v1:base64key1,v0:base64key0"
+ * Respects DEV/PROD split: BUNSHOT_DATA_ENCRYPTION_KEY_DEV / BUNSHOT_DATA_ENCRYPTION_KEY_PROD.
+ * Falls back to BUNSHOT_DATA_ENCRYPTION_KEY (no suffix).
+ * Returns [] when not set.
+ */
+export declare function getDataEncryptionKeys(): DataEncryptionKey[];