@naman_deep_singh/security 1.2.0 → 1.3.0

package/dist/esm/core/jwt/jwtManager.js

@@ -0,0 +1,312 @@
+import jwt from "jsonwebtoken";
+import { signToken } from "./signToken";
+import { verifyToken, safeVerifyToken } from "./verify";
+import { BadRequestError, UnauthorizedError, ValidationError } from "@naman_deep_singh/errors-utils";
+// Simple LRU cache for token validation
+class TokenCache {
+    constructor(maxSize = 100, ttl = 5 * 60 * 1000) {
+        this.cache = new Map();
+        this.maxSize = maxSize;
+        this.ttl = ttl;
+    }
+    get(key) {
+        const entry = this.cache.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() - entry.timestamp > this.ttl) {
+            this.cache.delete(key);
+            return null;
+        }
+        // Move to end (most recently used)
+        this.cache.delete(key);
+        this.cache.set(key, entry);
+        return { valid: entry.valid, payload: entry.payload };
+    }
+    set(key, value) {
+        if (this.cache.has(key)) {
+            this.cache.delete(key);
+        }
+        else if (this.cache.size >= this.maxSize) {
+            // Remove least recently used (first item)
+            const firstKey = this.cache.keys().next().value;
+            if (firstKey !== undefined) {
+                this.cache.delete(firstKey);
+            }
+        }
+        this.cache.set(key, { ...value, timestamp: Date.now() });
+    }
+    clear() {
+        this.cache.clear();
+    }
+}
+export class JWTManager {
+    constructor(config) {
+        this.accessSecret = config.accessSecret;
+        this.refreshSecret = config.refreshSecret;
+        this.accessExpiry = config.accessExpiry || "15m";
+        this.refreshExpiry = config.refreshExpiry || "7d";
+        if (config.enableCaching) {
+            this.cache = new TokenCache(config.maxCacheSize || 100);
+        }
+    }
+    /**
+     * Generate both access and refresh tokens
+     */
+    async generateTokens(payload) {
+        try {
+            this.validatePayload(payload);
+            const accessToken = await this.generateAccessToken(payload);
+            const refreshToken = await this.generateRefreshToken(payload);
+            return {
+                accessToken,
+                refreshToken,
+            };
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to generate tokens");
+        }
+    }
+    /**
+     * Generate access token
+     */
+    async generateAccessToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = signToken(payload, this.accessSecret, this.accessExpiry, { algorithm: "HS256" });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to generate access token");
+        }
+    }
+    /**
+     * Generate refresh token
+     */
+    async generateRefreshToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, { algorithm: "HS256" });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to generate refresh token");
+        }
+    }
+    /**
+     * Verify access token
+     */
+    async verifyAccessToken(token) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new ValidationError("Access token must be a non-empty string");
+            }
+            const cacheKey = `access_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new UnauthorizedError("Access token is invalid or expired");
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = verifyToken(token, this.accessSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "TokenExpiredError") {
+                throw new UnauthorizedError("Access token has expired");
+            }
+            if (error instanceof Error && error.name === "JsonWebTokenError") {
+                throw new UnauthorizedError("Access token is invalid");
+            }
+            throw new UnauthorizedError("Failed to verify access token");
+        }
+    }
+    /**
+     * Verify refresh token
+     */
+    async verifyRefreshToken(token) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new ValidationError("Refresh token must be a non-empty string");
+            }
+            const cacheKey = `refresh_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new UnauthorizedError("Refresh token is invalid or expired");
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = verifyToken(token, this.refreshSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "TokenExpiredError") {
+                throw new UnauthorizedError("Refresh token has expired");
+            }
+            if (error instanceof Error && error.name === "JsonWebTokenError") {
+                throw new UnauthorizedError("Refresh token is invalid");
+            }
+            throw new UnauthorizedError("Failed to verify refresh token");
+        }
+    }
+    /**
+     * Decode token without verification
+     */
+    decodeToken(token, complete = false) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new ValidationError("Token must be a non-empty string");
+            }
+            return jwt.decode(token, { complete });
+        }
+        catch (error) {
+            if (error instanceof ValidationError) {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Extract token from Authorization header
+     */
+    extractTokenFromHeader(authHeader) {
+        try {
+            if (!authHeader || typeof authHeader !== "string") {
+                return null;
+            }
+            const parts = authHeader.split(" ");
+            if (parts.length !== 2 || parts[0] !== "Bearer") {
+                return null;
+            }
+            return parts[1];
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Validate token without throwing exceptions
+     */
+    validateToken(token, secret, options = {}) {
+        try {
+            if (!token || typeof token !== "string") {
+                return false;
+            }
+            const result = safeVerifyToken(token, secret);
+            return result.valid;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Rotate refresh token
+     */
+    async rotateRefreshToken(oldToken) {
+        try {
+            if (!oldToken || typeof oldToken !== "string") {
+                throw new ValidationError("Old refresh token must be a non-empty string");
+            }
+            const decoded = await this.verifyRefreshToken(oldToken);
+            if (typeof decoded === "string") {
+                throw new ValidationError("Invalid token payload — expected JWT payload object");
+            }
+            // Create new payload without issued/expired timestamps
+            const payload = { ...decoded };
+            delete payload.iat;
+            delete payload.exp;
+            // Generate new refresh token
+            const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
+            return newToken;
+        }
+        catch (error) {
+            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to rotate refresh token");
+        }
+    }
+    /**
+     * Check if token is expired
+     */
+    isTokenExpired(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return true;
+            }
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch {
+            return true;
+        }
+    }
+    /**
+     * Get token expiration date
+     */
+    getTokenExpiration(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return null;
+            }
+            return new Date(decoded.exp * 1000);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Clear token cache
+     */
+    clearCache() {
+        this.cache?.clear();
+    }
+    /**
+     * Get cache statistics
+     */
+    getCacheStats() {
+        if (!this.cache)
+            return null;
+        return {
+            size: this.cache.cache.size,
+            maxSize: this.cache.maxSize
+        };
+    }
+    // Private helper methods
+    validatePayload(payload) {
+        if (!payload || typeof payload !== "object") {
+            throw new ValidationError("Payload must be a non-null object");
+        }
+        if (Object.keys(payload).length === 0) {
+            throw new ValidationError("Payload cannot be empty");
+        }
+    }
+}

package/dist/esm/core/password/passwordManager.d.ts

@@ -0,0 +1,29 @@
+import { IPasswordManager, PasswordConfig, PasswordValidationResult, HashedPassword, PasswordStrength } from "../../interfaces/password.interface";
+export declare class PasswordManager implements IPasswordManager {
+    private defaultConfig;
+    constructor(config?: PasswordConfig);
+    /**
+     * Hash a password asynchronously using bcrypt
+     */
+    hash(password: string, salt?: string): Promise<HashedPassword>;
+    /**
+     * Verify password against hash and salt
+     */
+    verify(password: string, hash: string, salt: string): Promise<boolean>;
+    /**
+     * Generate a random password
+     */
+    generate(length?: number, options?: PasswordConfig): string;
+    /**
+     * Validate password against configuration
+     */
+    validate(password: string, config?: PasswordConfig): PasswordValidationResult;
+    /**
+     * Check password strength
+     */
+    checkStrength(password: string): PasswordStrength;
+    /**
+     * Check if password hash needs upgrade (different salt rounds)
+     */
+    needsUpgrade(hash: string, currentConfig: PasswordConfig): boolean;
+}

package/dist/esm/core/password/passwordManager.js

@@ -0,0 +1,235 @@
+import bcrypt from "bcryptjs";
+import crypto from "crypto";
+import { ensureValidPassword, estimatePasswordEntropy } from "./utils";
+import { BadRequestError, ValidationError } from "@naman_deep_singh/errors-utils";
+export class PasswordManager {
+    constructor(config = {}) {
+        this.defaultConfig = {
+            saltRounds: 10,
+            minLength: 8,
+            maxLength: 128,
+            requireUppercase: true,
+            requireLowercase: true,
+            requireNumbers: true,
+            requireSpecialChars: false,
+            ...config
+        };
+    }
+    /**
+     * Hash a password asynchronously using bcrypt
+     */
+    async hash(password, salt) {
+        try {
+            ensureValidPassword(password);
+            // Validate password meets basic requirements
+            this.validate(password);
+            const saltRounds = this.defaultConfig.saltRounds;
+            let passwordSalt = salt;
+            if (!passwordSalt) {
+                passwordSalt = await bcrypt.genSalt(saltRounds);
+            }
+            const hash = await bcrypt.hash(password, passwordSalt);
+            return {
+                hash,
+                salt: passwordSalt
+            };
+        }
+        catch (error) {
+            if (error instanceof BadRequestError || error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError("Failed to hash password");
+        }
+    }
+    /**
+     * Verify password against hash and salt
+     */
+    async verify(password, hash, salt) {
+        try {
+            if (!password || !hash || !salt) {
+                return false;
+            }
+            // First verify with the provided salt
+            const isValid = await bcrypt.compare(password, hash);
+            // If invalid and different salt was used, try regenerating hash with new salt
+            if (!isValid && salt !== this.defaultConfig.saltRounds?.toString()) {
+                const newHash = await bcrypt.hash(password, salt);
+                return newHash === hash;
+            }
+            return isValid;
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    /**
+     * Generate a random password
+     */
+    generate(length = 16, options = {}) {
+        const config = { ...this.defaultConfig, ...options };
+        if (length < config.minLength || length > config.maxLength) {
+            throw new ValidationError(`Password length must be between ${config.minLength} and ${config.maxLength}`);
+        }
+        let charset = "abcdefghijklmnopqrstuvwxyz";
+        if (config.requireUppercase)
+            charset += "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+        if (config.requireNumbers)
+            charset += "0123456789";
+        if (config.requireSpecialChars)
+            charset += "!@#$%^&*()_+-=[]{}|;:,.<>?";
+        let password = "";
+        const randomBytes = crypto.randomBytes(length);
+        for (let i = 0; i < length; i++) {
+            password += charset[randomBytes[i] % charset.length];
+        }
+        // Ensure all requirements are met
+        if (config.requireUppercase && !/[A-Z]/.test(password)) {
+            password = password.replace(/[a-z]/, 'A');
+        }
+        if (config.requireLowercase && !/[a-z]/.test(password)) {
+            password = password.replace(/[A-Z]/, 'a');
+        }
+        if (config.requireNumbers && !/[0-9]/.test(password)) {
+            password = password.replace(/[A-Za-z]/, '0');
+        }
+        if (config.requireSpecialChars && !/[^A-Za-z0-9]/.test(password)) {
+            password = password.replace(/[A-Za-z0-9]/, '!');
+        }
+        return password;
+    }
+    /**
+     * Validate password against configuration
+     */
+    validate(password, config = {}) {
+        const finalConfig = { ...this.defaultConfig, ...config };
+        const errors = [];
+        // Basic validation
+        if (!password || typeof password !== "string") {
+            errors.push("Password must be a non-empty string");
+        }
+        // Length validation
+        if (password.length < finalConfig.minLength) {
+            errors.push(`Password must be at least ${finalConfig.minLength} characters long`);
+        }
+        if (password.length > finalConfig.maxLength) {
+            errors.push(`Password must not exceed ${finalConfig.maxLength} characters`);
+        }
+        // Complexity requirements
+        if (finalConfig.requireUppercase && !/[A-Z]/.test(password)) {
+            errors.push("Password must contain at least one uppercase letter");
+        }
+        if (finalConfig.requireLowercase && !/[a-z]/.test(password)) {
+            errors.push("Password must contain at least one lowercase letter");
+        }
+        if (finalConfig.requireNumbers && !/[0-9]/.test(password)) {
+            errors.push("Password must contain at least one number");
+        }
+        if (finalConfig.requireSpecialChars && !/[^A-Za-z0-9]/.test(password)) {
+            errors.push("Password must contain at least one special character");
+        }
+        // Custom rules
+        if (finalConfig.customRules) {
+            finalConfig.customRules.forEach(rule => {
+                if (!rule.test(password)) {
+                    errors.push(rule.message);
+                }
+            });
+        }
+        const strength = this.checkStrength(password);
+        const isValid = errors.length === 0;
+        return {
+            isValid,
+            errors,
+            strength
+        };
+    }
+    /**
+     * Check password strength
+     */
+    checkStrength(password) {
+        const entropy = estimatePasswordEntropy(password);
+        let score = 0;
+        const feedback = [];
+        const suggestions = [];
+        // Length scoring
+        if (password.length >= 8)
+            score++;
+        if (password.length >= 12)
+            score++;
+        if (password.length >= 16)
+            score++;
+        // Character variety scoring
+        if (/[a-z]/.test(password))
+            score++;
+        if (/[A-Z]/.test(password))
+            score++;
+        if (/[0-9]/.test(password))
+            score++;
+        if (/[^A-Za-z0-9]/.test(password))
+            score++;
+        // Common patterns deduction
+        if (/^[A-Za-z]+$/.test(password)) {
+            score--;
+            feedback.push("Consider adding numbers and symbols");
+        }
+        if (/^[0-9]+$/.test(password)) {
+            score -= 2;
+            feedback.push("Avoid using only numbers");
+        }
+        if (/([a-zA-Z0-9])\1{2,}/.test(password)) {
+            score--;
+            feedback.push("Avoid repeated characters");
+        }
+        if (/(?:012|123|234|345|456|567|678|789)/.test(password)) {
+            score--;
+            feedback.push("Avoid sequential patterns");
+        }
+        // Common passwords check
+        const commonPasswords = ['password', '123456', 'qwerty', 'admin', 'letmein'];
+        if (commonPasswords.some(common => password.toLowerCase().includes(common))) {
+            score = 0;
+            feedback.push("Avoid common passwords");
+        }
+        // Clamp score and determine label
+        score = Math.max(0, Math.min(4, score));
+        let label;
+        switch (score) {
+            case 0:
+                label = 'very-weak';
+                suggestions.push("Use a longer password with mixed characters");
+                break;
+            case 1:
+                label = 'weak';
+                suggestions.push("Add more character variety");
+                break;
+            case 2:
+                label = 'fair';
+                suggestions.push("Consider adding more length or character types");
+                break;
+            case 3:
+                label = 'good';
+                suggestions.push("Your password is reasonably secure");
+                break;
+            case 4:
+                label = 'strong';
+                suggestions.push("Your password is very secure");
+                break;
+            default:
+                label = 'very-weak';
+        }
+        return {
+            score,
+            label,
+            feedback,
+            suggestions
+        };
+    }
+    /**
+     * Check if password hash needs upgrade (different salt rounds)
+     */
+    needsUpgrade(hash, currentConfig) {
+        // Simple heuristic: if the hash doesn't match current salt rounds pattern
+        // In practice, you'd need to store the salt rounds with the hash
+        return false;
+    }
+}

package/dist/esm/index.d.ts

@@ -3,6 +3,7 @@ export * from "./core/jwt";
 export * from "./core/crypto";
 export { BadRequestError, UnauthorizedError, ValidationError, InternalServerError } from "@naman_deep_singh/errors-utils";
 import * as JWTUtils from "./core/jwt";
+import * as CryptoUtils from "./core/crypto";
 declare const _default: {
     decrypt: (data: string, secret: string) => string;
     encrypt: (text: string, secret: string) => string;
@@ -10,6 +11,9 @@ declare const _default: {
     hmacVerify: (message: string, secret: string, signature: string) => boolean;
     randomToken: (length?: number) => string;
     generateStrongPassword: (length?: number) => string;
+    CryptoManager: typeof CryptoUtils.CryptoManager;
+    createCryptoManager: (config?: CryptoUtils.CryptoManagerConfig) => CryptoUtils.CryptoManager;
+    cryptoManager: CryptoUtils.CryptoManager;
     decodeToken(token: string): null | string | import("node_modules/@types/jsonwebtoken").JwtPayload;
     decodeTokenStrict(token: string): import("node_modules/@types/jsonwebtoken").JwtPayload;
     extractToken(sources: JWTUtils.TokenSources): string | null;

package/dist/esm/interfaces/jwt.interface.d.ts

@@ -0,0 +1,47 @@
+import { JwtPayload, Secret } from "jsonwebtoken";
+export interface AccessToken extends String {
+    readonly __type: 'AccessToken';
+}
+export interface RefreshToken extends String {
+    readonly __type: 'RefreshToken';
+}
+export interface TokenPair {
+    accessToken: AccessToken;
+    refreshToken: RefreshToken;
+}
+export interface JWTConfig {
+    accessSecret: Secret;
+    refreshSecret: Secret;
+    accessExpiry?: string | number;
+    refreshExpiry?: string | number;
+    enableCaching?: boolean;
+    maxCacheSize?: number;
+}
+export interface TokenValidationOptions {
+    ignoreExpiration?: boolean;
+    ignoreNotBefore?: boolean;
+    audience?: string | string[];
+    issuer?: string;
+    algorithms?: string[];
+}
+export interface TokenGenerationOptions {
+    algorithm?: string;
+    expiresIn?: string | number;
+    audience?: string | string[];
+    issuer?: string;
+    subject?: string;
+    kid?: string;
+}
+export interface ITokenManager {
+    generateTokens(payload: Record<string, unknown>): Promise<TokenPair>;
+    generateAccessToken(payload: Record<string, unknown>): Promise<AccessToken>;
+    generateRefreshToken(payload: Record<string, unknown>): Promise<RefreshToken>;
+    verifyAccessToken(token: string): Promise<JwtPayload | string>;
+    verifyRefreshToken(token: string): Promise<JwtPayload | string>;
+    decodeToken(token: string, complete?: boolean): JwtPayload | string | null;
+    extractTokenFromHeader(authHeader: string): string | null;
+    validateToken(token: string, secret: Secret, options?: TokenValidationOptions): boolean;
+    rotateRefreshToken(oldToken: string): Promise<RefreshToken>;
+    isTokenExpired(token: string): boolean;
+    getTokenExpiration(token: string): Date | null;
+}

package/dist/esm/interfaces/jwt.interface.js

@@ -0,0 +1 @@
+export {};