@naman_deep_singh/security 1.1.0 → 1.3.0

package/dist/esm/core/crypto/cryptoManager.js

@@ -0,0 +1,180 @@
+import { encrypt as functionalEncrypt, decrypt as functionalDecrypt, hmacSign as functionalHmacSign, hmacVerify as functionalHmacVerify, randomToken as functionalRandomToken } from './index';
+/**
+ * Default configuration
+ */
+const DEFAULT_CONFIG = {
+    defaultAlgorithm: 'aes-256-gcm',
+    defaultEncoding: 'utf8',
+    hmacAlgorithm: 'sha256'
+};
+/**
+ * CryptoManager - Class-based wrapper for all cryptographic operations
+ * Provides a consistent interface for encryption, decryption, HMAC generation, and secure random generation
+ */
+export class CryptoManager {
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+    }
+    /**
+     * Update configuration
+     */
+    updateConfig(config) {
+        this.config = { ...this.config, ...config };
+    }
+    /**
+     * Get current configuration
+     */
+    getConfig() {
+        return { ...this.config };
+    }
+    /**
+     * Encrypt data using the default or specified algorithm
+     */
+    encrypt(plaintext, key, options) {
+        // For now, use the basic encrypt function
+        // TODO: Enhance to support different algorithms and options
+        return functionalEncrypt(plaintext, key);
+    }
+    /**
+     * Decrypt data using the default or specified algorithm
+     */
+    decrypt(encryptedData, key, options) {
+        // For now, use the basic decrypt function
+        // TODO: Enhance to support different algorithms and options
+        return functionalDecrypt(encryptedData, key);
+    }
+    /**
+     * Generate HMAC signature
+     */
+    generateHmac(data, secret, options) {
+        // Use the basic HMAC sign function for now
+        // TODO: Add support for different algorithms
+        return functionalHmacSign(data, secret);
+    }
+    /**
+     * Generate cryptographically secure random bytes
+     */
+    generateSecureRandom(length, encoding = 'hex') {
+        // Use the basic random token function
+        return functionalRandomToken(length);
+    }
+    /**
+     * Verify HMAC signature
+     */
+    verifyHmac(data, secret, signature, options) {
+        // Use the basic HMAC verify function
+        return functionalHmacVerify(data, secret, signature);
+    }
+    /**
+     * Create a key derivation function using PBKDF2
+     */
+    deriveKey(password, salt, iterations = 100000, keyLength = 32) {
+        return new Promise((resolve, reject) => {
+            const crypto = require('crypto');
+            crypto.pbkdf2(password, salt, iterations, keyLength, 'sha256', (err, derivedKey) => {
+                if (err) {
+                    reject(err);
+                }
+                else {
+                    resolve(derivedKey.toString('hex'));
+                }
+            });
+        });
+    }
+    /**
+     * Hash data using SHA-256
+     */
+    sha256(data, encoding = 'hex') {
+        const crypto = require('crypto');
+        return crypto.createHash('sha256').update(data).digest(encoding);
+    }
+    /**
+     * Hash data using SHA-512
+     */
+    sha512(data, encoding = 'hex') {
+        const crypto = require('crypto');
+        return crypto.createHash('sha512').update(data).digest(encoding);
+    }
+    /**
+     * Generate a secure key pair for asymmetric encryption
+     */
+    generateKeyPair(options) {
+        return new Promise((resolve, reject) => {
+            const crypto = require('crypto');
+            const keyPair = crypto.generateKeyPairSync('rsa', {
+                modulusLength: options?.modulusLength || 2048,
+                publicKeyEncoding: options?.publicKeyEncoding || { type: 'spki', format: 'pem' },
+                privateKeyEncoding: options?.privateKeyEncoding || { type: 'pkcs8', format: 'pem' }
+            });
+            resolve(keyPair);
+        });
+    }
+    /**
+     * Encrypt data using RSA public key
+     */
+    rsaEncrypt(data, publicKey) {
+        return new Promise((resolve, reject) => {
+            const crypto = require('crypto');
+            const buffer = Buffer.from(data, 'utf8');
+            const encrypted = crypto.publicEncrypt(publicKey, buffer);
+            resolve(encrypted.toString('base64'));
+        });
+    }
+    /**
+     * Decrypt data using RSA private key
+     */
+    rsaDecrypt(encryptedData, privateKey) {
+        return new Promise((resolve, reject) => {
+            const crypto = require('crypto');
+            const buffer = Buffer.from(encryptedData, 'base64');
+            const decrypted = crypto.privateDecrypt(privateKey, buffer);
+            resolve(decrypted.toString('utf8'));
+        });
+    }
+    /**
+     * Create digital signature using RSA private key
+     */
+    rsaSign(data, privateKey, algorithm = 'sha256') {
+        return new Promise((resolve, reject) => {
+            const crypto = require('crypto');
+            const sign = crypto.createSign(algorithm);
+            sign.update(data);
+            sign.end();
+            try {
+                const signature = sign.sign(privateKey, 'base64');
+                resolve(signature);
+            }
+            catch (error) {
+                reject(error);
+            }
+        });
+    }
+    /**
+     * Verify digital signature using RSA public key
+     */
+    rsaVerify(data, signature, publicKey, algorithm = 'sha256') {
+        return new Promise((resolve, reject) => {
+            const crypto = require('crypto');
+            const verify = crypto.createVerify(algorithm);
+            verify.update(data);
+            verify.end();
+            try {
+                const isValid = verify.verify(publicKey, signature, 'base64');
+                resolve(isValid);
+            }
+            catch (error) {
+                reject(error);
+            }
+        });
+    }
+}
+/**
+ * Create a CryptoManager instance with default configuration
+ */
+export const createCryptoManager = (config) => {
+    return new CryptoManager(config);
+};
+/**
+ * Default CryptoManager instance
+ */
+export const cryptoManager = new CryptoManager();

package/dist/esm/core/crypto/index.d.ts

@@ -1,4 +1,5 @@
-export * from "./decrypt";
-export * from "./encrypt";
-export * from "./hmac";
-export * from "./random";
+export { decrypt } from "./decrypt";
+export { encrypt } from "./encrypt";
+export { hmacSign, hmacVerify } from "./hmac";
+export { randomToken, generateStrongPassword } from "./random";
+export * from "./cryptoManager";

package/dist/esm/core/crypto/index.js

@@ -1,4 +1,5 @@
-export * from "./decrypt";
-export * from "./encrypt";
-export * from "./hmac";
-export * from "./random";
+export { decrypt } from "./decrypt";
+export { encrypt } from "./encrypt";
+export { hmacSign, hmacVerify } from "./hmac";
+export { randomToken, generateStrongPassword } from "./random";
+export * from "./cryptoManager";

package/dist/esm/core/jwt/extractToken.d.ts

@@ -2,8 +2,8 @@ export interface TokenSources {
     header?: string | undefined | null;
     cookies?: Record<string, string> | undefined;
     query?: Record<string, string | undefined> | undefined;
-    body?: Record<string, any> | undefined;
-    wsMessage?: string | Record<string, any> | undefined;
+    body?: Record<string, unknown> | undefined;
+    wsMessage?: string | Record<string, unknown> | undefined;
 }
 /**
  * Universal token extractor

package/dist/esm/core/jwt/extractToken.js

@@ -20,7 +20,7 @@ export function extractToken(sources) {
     if (query?.token)
         return query.token;
     // 4. Body: { token: "" }
-    if (body?.token)
+    if (body?.token && typeof body.token === 'string')
         return body.token;
     // 5. WebSocket message extraction (NEW)
     if (wsMessage) {
@@ -30,12 +30,17 @@ export function extractToken(sources) {
             if (typeof wsMessage === "string") {
                 msg = JSON.parse(wsMessage);
             }
-            // Direct token
-            if (typeof msg.token === "string")
-                return msg.token;
-            // Nested token: { auth: { token: "" } }
-            if (msg.auth && typeof msg.auth.token === "string") {
-                return msg.auth.token;
+            // Ensure msg is an object before property access
+            if (typeof msg === 'object' && msg !== null) {
+                const m = msg;
+                if (typeof m['token'] === 'string')
+                    return m['token'];
+                const auth = m['auth'];
+                if (typeof auth === 'object' && auth !== null) {
+                    const a = auth;
+                    if (typeof a['token'] === 'string')
+                        return a['token'];
+                }
             }
         }
         catch {

package/dist/esm/core/jwt/generateTokens.d.ts

@@ -1,7 +1,4 @@
 import { Secret } from "jsonwebtoken";
-export interface TokenPair {
-    accessToken: string;
-    refreshToken: string;
-}
-export declare const generateTokens: (payload: object, accessSecret: Secret, refreshSecret: Secret, accessExpiry?: string | number, refreshExpiry?: string | number) => TokenPair;
-export declare function rotateRefreshToken(oldToken: string, secret: Secret): string;
+import { RefreshToken, TokenPair } from "./types";
+export declare const generateTokens: (payload: Record<string, unknown>, accessSecret: Secret, refreshSecret: Secret, accessExpiry?: string | number, refreshExpiry?: string | number) => TokenPair;
+export declare function rotateRefreshToken(oldToken: string, secret: Secret): RefreshToken;

package/dist/esm/core/jwt/generateTokens.js

@@ -1,9 +1,15 @@
 import { signToken } from "./signToken";
 import { verifyToken } from "./verify";
+// Helper function to create branded tokens
+const createBrandedToken = (token, _brand) => {
+    return token;
+};
 export const generateTokens = (payload, accessSecret, refreshSecret, accessExpiry = "15m", refreshExpiry = "7d") => {
+    const accessToken = signToken(payload, accessSecret, accessExpiry, { algorithm: "HS256" });
+    const refreshToken = signToken(payload, refreshSecret, refreshExpiry, { algorithm: "HS256" });
     return {
-        accessToken: signToken(payload, accessSecret, accessExpiry, { algorithm: "HS256" }),
-        refreshToken: signToken(payload, refreshSecret, refreshExpiry, { algorithm: "HS256" }),
+        accessToken: accessToken,
+        refreshToken: refreshToken,
     };
 };
 export function rotateRefreshToken(oldToken, secret) {
@@ -14,5 +20,6 @@ export function rotateRefreshToken(oldToken, secret) {
     const payload = { ...decoded };
     delete payload.iat;
     delete payload.exp;
-    return signToken(payload, secret, "7d");
+    const newToken = signToken(payload, secret, "7d");
+    return newToken;
 }

package/dist/esm/core/jwt/index.d.ts

@@ -3,5 +3,6 @@ export * from "./extractToken";
 export * from "./generateTokens";
 export * from "./parseDuration";
 export * from "./signToken";
+export * from "./types";
 export * from "./validateToken";
 export * from "./verify";

package/dist/esm/core/jwt/index.js

@@ -3,5 +3,6 @@ export * from "./extractToken";
 export * from "./generateTokens";
 export * from "./parseDuration";
 export * from "./signToken";
+export * from "./types";
 export * from "./validateToken";
 export * from "./verify";

package/dist/esm/core/jwt/jwtManager.d.ts

@@ -0,0 +1,66 @@
+import { JwtPayload, Secret } from "jsonwebtoken";
+import { ITokenManager, TokenPair, AccessToken, RefreshToken, JWTConfig, TokenValidationOptions } from "../../interfaces/jwt.interface";
+export declare class JWTManager implements ITokenManager {
+    private accessSecret;
+    private refreshSecret;
+    private accessExpiry;
+    private refreshExpiry;
+    private cache?;
+    constructor(config: JWTConfig);
+    /**
+     * Generate both access and refresh tokens
+     */
+    generateTokens(payload: Record<string, unknown>): Promise<TokenPair>;
+    /**
+     * Generate access token
+     */
+    generateAccessToken(payload: Record<string, unknown>): Promise<AccessToken>;
+    /**
+     * Generate refresh token
+     */
+    generateRefreshToken(payload: Record<string, unknown>): Promise<RefreshToken>;
+    /**
+     * Verify access token
+     */
+    verifyAccessToken(token: string): Promise<JwtPayload | string>;
+    /**
+     * Verify refresh token
+     */
+    verifyRefreshToken(token: string): Promise<JwtPayload | string>;
+    /**
+     * Decode token without verification
+     */
+    decodeToken(token: string, complete?: boolean): JwtPayload | string | null;
+    /**
+     * Extract token from Authorization header
+     */
+    extractTokenFromHeader(authHeader: string): string | null;
+    /**
+     * Validate token without throwing exceptions
+     */
+    validateToken(token: string, secret: Secret, options?: TokenValidationOptions): boolean;
+    /**
+     * Rotate refresh token
+     */
+    rotateRefreshToken(oldToken: string): Promise<RefreshToken>;
+    /**
+     * Check if token is expired
+     */
+    isTokenExpired(token: string): boolean;
+    /**
+     * Get token expiration date
+     */
+    getTokenExpiration(token: string): Date | null;
+    /**
+     * Clear token cache
+     */
+    clearCache(): void;
+    /**
+     * Get cache statistics
+     */
+    getCacheStats(): {
+        size: number;
+        maxSize: number;
+    } | null;
+    private validatePayload;
+}

package/dist/esm/core/jwt/jwtManager.js

@@ -0,0 +1,312 @@
+import jwt from "jsonwebtoken";
+import { signToken } from "./signToken";
+import { verifyToken, safeVerifyToken } from "./verify";
+import { BadRequestError, UnauthorizedError, ValidationError } from "@naman_deep_singh/errors-utils";
+// Simple LRU cache for token validation
+class TokenCache {
+    constructor(maxSize = 100, ttl = 5 * 60 * 1000) {
+        this.cache = new Map();
+        this.maxSize = maxSize;
+        this.ttl = ttl;
+    }
+    get(key) {
+        const entry = this.cache.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() - entry.timestamp > this.ttl) {
+            this.cache.delete(key);
+            return null;
+        }
+        // Move to end (most recently used)
+        this.cache.delete(key);
+        this.cache.set(key, entry);
+        return { valid: entry.valid, payload: entry.payload };
+    }
+    set(key, value) {
+        if (this.cache.has(key)) {
+            this.cache.delete(key);
+        }
+        else if (this.cache.size >= this.maxSize) {
+            // Remove least recently used (first item)
+            const firstKey = this.cache.keys().next().value;
+            if (firstKey !== undefined) {
+                this.cache.delete(firstKey);
+            }
+        }
+        this.cache.set(key, { ...value, timestamp: Date.now() });
+    }
+    clear() {
+        this.cache.clear();
+    }
+}
+export class JWTManager {
+    constructor(config) {
+        this.accessSecret = config.accessSecret;
+        this.refreshSecret = config.refreshSecret;
+        this.accessExpiry = config.accessExpiry || "15m";
+        this.refreshExpiry = config.refreshExpiry || "7d";
+        if (config.enableCaching) {
+            this.cache = new TokenCache(config.maxCacheSize || 100);
+        }
+    }
+    /**
+     * Generate both access and refresh tokens
+     */
+    async generateTokens(payload) {
+        try {
+            this.validatePayload(payload);
+            const accessToken = await this.generateAccessToken(payload);
+            const refreshToken = await this.generateRefreshToken(payload);
+            return {
+                accessToken,
+                refreshToken,
+            };
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to generate tokens");
+        }
+    }
+    /**
+     * Generate access token
+     */
+    async generateAccessToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = signToken(payload, this.accessSecret, this.accessExpiry, { algorithm: "HS256" });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to generate access token");
+        }
+    }
+    /**
+     * Generate refresh token
+     */
+    async generateRefreshToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, { algorithm: "HS256" });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to generate refresh token");
+        }
+    }
+    /**
+     * Verify access token
+     */
+    async verifyAccessToken(token) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new ValidationError("Access token must be a non-empty string");
+            }
+            const cacheKey = `access_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new UnauthorizedError("Access token is invalid or expired");
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = verifyToken(token, this.accessSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "TokenExpiredError") {
+                throw new UnauthorizedError("Access token has expired");
+            }
+            if (error instanceof Error && error.name === "JsonWebTokenError") {
+                throw new UnauthorizedError("Access token is invalid");
+            }
+            throw new UnauthorizedError("Failed to verify access token");
+        }
+    }
+    /**
+     * Verify refresh token
+     */
+    async verifyRefreshToken(token) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new ValidationError("Refresh token must be a non-empty string");
+            }
+            const cacheKey = `refresh_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new UnauthorizedError("Refresh token is invalid or expired");
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = verifyToken(token, this.refreshSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "TokenExpiredError") {
+                throw new UnauthorizedError("Refresh token has expired");
+            }
+            if (error instanceof Error && error.name === "JsonWebTokenError") {
+                throw new UnauthorizedError("Refresh token is invalid");
+            }
+            throw new UnauthorizedError("Failed to verify refresh token");
+        }
+    }
+    /**
+     * Decode token without verification
+     */
+    decodeToken(token, complete = false) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new ValidationError("Token must be a non-empty string");
+            }
+            return jwt.decode(token, { complete });
+        }
+        catch (error) {
+            if (error instanceof ValidationError) {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Extract token from Authorization header
+     */
+    extractTokenFromHeader(authHeader) {
+        try {
+            if (!authHeader || typeof authHeader !== "string") {
+                return null;
+            }
+            const parts = authHeader.split(" ");
+            if (parts.length !== 2 || parts[0] !== "Bearer") {
+                return null;
+            }
+            return parts[1];
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Validate token without throwing exceptions
+     */
+    validateToken(token, secret, options = {}) {
+        try {
+            if (!token || typeof token !== "string") {
+                return false;
+            }
+            const result = safeVerifyToken(token, secret);
+            return result.valid;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Rotate refresh token
+     */
+    async rotateRefreshToken(oldToken) {
+        try {
+            if (!oldToken || typeof oldToken !== "string") {
+                throw new ValidationError("Old refresh token must be a non-empty string");
+            }
+            const decoded = await this.verifyRefreshToken(oldToken);
+            if (typeof decoded === "string") {
+                throw new ValidationError("Invalid token payload — expected JWT payload object");
+            }
+            // Create new payload without issued/expired timestamps
+            const payload = { ...decoded };
+            delete payload.iat;
+            delete payload.exp;
+            // Generate new refresh token
+            const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
+            return newToken;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to rotate refresh token");
+        }
+    }
+    /**
+     * Check if token is expired
+     */
+    isTokenExpired(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return true;
+            }
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch {
+            return true;
+        }
+    }
+    /**
+     * Get token expiration date
+     */
+    getTokenExpiration(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return null;
+            }
+            return new Date(decoded.exp * 1000);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Clear token cache
+     */
+    clearCache() {
+        this.cache?.clear();
+    }
+    /**
+     * Get cache statistics
+     */
+    getCacheStats() {
+        if (!this.cache)
+            return null;
+        return {
+            size: this.cache.cache.size,
+            maxSize: this.cache.maxSize
+        };
+    }
+    // Private helper methods
+    validatePayload(payload) {
+        if (!payload || typeof payload !== "object") {
+            throw new ValidationError("Payload must be a non-null object");
+        }
+        if (Object.keys(payload).length === 0) {
+            throw new ValidationError("Payload cannot be empty");
+        }
+    }
+}

package/dist/esm/core/jwt/signToken.d.ts

@@ -1,2 +1,2 @@
 import { Secret, SignOptions } from "jsonwebtoken";
-export declare const signToken: (payload: Record<string, any>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;
+export declare const signToken: (payload: Record<string, unknown>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;