npm - @naman_deep_singh/security - Versions diffs - 1.2.0 → 1.3.1 - Mend

@naman_deep_singh/security 1.2.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/README.md +355 -176
package/dist/cjs/core/crypto/cryptoManager.d.ts +111 -0
package/dist/cjs/core/crypto/cryptoManager.js +191 -0
package/dist/cjs/core/crypto/decrypt.js +6 -6
package/dist/cjs/core/crypto/encrypt.js +4 -4
package/dist/cjs/core/crypto/hmac.js +1 -1
package/dist/cjs/core/crypto/index.d.ts +5 -4
package/dist/cjs/core/crypto/index.js +12 -4
package/dist/cjs/core/crypto/random.js +2 -2
package/dist/cjs/core/jwt/decode.d.ts +1 -1
package/dist/cjs/core/jwt/decode.js +2 -2
package/dist/cjs/core/jwt/extractToken.js +7 -7
package/dist/cjs/core/jwt/generateTokens.d.ts +2 -2
package/dist/cjs/core/jwt/generateTokens.js +10 -6
package/dist/cjs/core/jwt/index.d.ts +8 -8
package/dist/cjs/core/jwt/jwtManager.d.ts +67 -0
package/dist/cjs/core/jwt/jwtManager.js +299 -0
package/dist/cjs/core/jwt/parseDuration.js +3 -3
package/dist/cjs/core/jwt/signToken.d.ts +1 -1
package/dist/cjs/core/jwt/signToken.js +7 -7
package/dist/cjs/core/jwt/types.d.ts +1 -1
package/dist/cjs/core/jwt/validateToken.d.ts +2 -2
package/dist/cjs/core/jwt/validateToken.js +3 -3
package/dist/cjs/core/jwt/verify.d.ts +3 -2
package/dist/cjs/core/password/hash.js +1 -1
package/dist/cjs/core/password/index.d.ts +3 -3
package/dist/cjs/core/password/passwordManager.d.ts +29 -0
package/dist/cjs/core/password/passwordManager.js +243 -0
package/dist/cjs/core/password/strength.d.ts +1 -1
package/dist/cjs/core/password/strength.js +4 -4
package/dist/cjs/core/password/utils.js +2 -2
package/dist/cjs/core/password/verify.js +1 -1
package/dist/cjs/index.d.ts +9 -5
package/dist/cjs/index.js +2 -2
package/dist/cjs/interfaces/jwt.interface.d.ts +47 -0
package/dist/cjs/interfaces/jwt.interface.js +2 -0
package/dist/cjs/interfaces/password.interface.d.ts +60 -0
package/dist/cjs/interfaces/password.interface.js +2 -0
package/dist/esm/core/crypto/cryptoManager.d.ts +111 -0
package/dist/esm/core/crypto/cryptoManager.js +186 -0
package/dist/esm/core/crypto/decrypt.js +7 -7
package/dist/esm/core/crypto/encrypt.js +5 -5
package/dist/esm/core/crypto/hmac.js +2 -2
package/dist/esm/core/crypto/index.d.ts +5 -4
package/dist/esm/core/crypto/index.js +5 -4
package/dist/esm/core/crypto/random.js +3 -3
package/dist/esm/core/jwt/decode.d.ts +1 -1
package/dist/esm/core/jwt/decode.js +3 -3
package/dist/esm/core/jwt/extractToken.js +7 -7
package/dist/esm/core/jwt/generateTokens.d.ts +2 -2
package/dist/esm/core/jwt/generateTokens.js +12 -8
package/dist/esm/core/jwt/index.d.ts +8 -8
package/dist/esm/core/jwt/index.js +8 -8
package/dist/esm/core/jwt/jwtManager.d.ts +67 -0
package/dist/esm/core/jwt/jwtManager.js +292 -0
package/dist/esm/core/jwt/parseDuration.js +3 -3
package/dist/esm/core/jwt/signToken.d.ts +1 -1
package/dist/esm/core/jwt/signToken.js +9 -9
package/dist/esm/core/jwt/types.d.ts +1 -1
package/dist/esm/core/jwt/validateToken.d.ts +2 -2
package/dist/esm/core/jwt/validateToken.js +3 -3
package/dist/esm/core/jwt/verify.d.ts +3 -2
package/dist/esm/core/jwt/verify.js +1 -1
package/dist/esm/core/password/hash.js +3 -3
package/dist/esm/core/password/index.d.ts +3 -3
package/dist/esm/core/password/index.js +3 -3
package/dist/esm/core/password/passwordManager.d.ts +29 -0
package/dist/esm/core/password/passwordManager.js +236 -0
package/dist/esm/core/password/strength.d.ts +1 -1
package/dist/esm/core/password/strength.js +5 -5
package/dist/esm/core/password/utils.js +4 -4
package/dist/esm/core/password/verify.js +2 -2
package/dist/esm/index.d.ts +9 -5
package/dist/esm/index.js +7 -7
package/dist/esm/interfaces/jwt.interface.d.ts +47 -0
package/dist/esm/interfaces/jwt.interface.js +1 -0
package/dist/esm/interfaces/password.interface.d.ts +60 -0
package/dist/esm/interfaces/password.interface.js +1 -0
package/dist/types/core/crypto/cryptoManager.d.ts +111 -0
package/dist/types/core/crypto/index.d.ts +5 -4
package/dist/types/core/jwt/decode.d.ts +1 -1
package/dist/types/core/jwt/generateTokens.d.ts +2 -2
package/dist/types/core/jwt/index.d.ts +8 -8
package/dist/types/core/jwt/jwtManager.d.ts +67 -0
package/dist/types/core/jwt/signToken.d.ts +1 -1
package/dist/types/core/jwt/types.d.ts +1 -1
package/dist/types/core/jwt/validateToken.d.ts +2 -2
package/dist/types/core/jwt/verify.d.ts +3 -2
package/dist/types/core/password/index.d.ts +3 -3
package/dist/types/core/password/passwordManager.d.ts +29 -0
package/dist/types/core/password/strength.d.ts +1 -1
package/dist/types/index.d.ts +9 -5
package/dist/types/interfaces/jwt.interface.d.ts +47 -0
package/dist/types/interfaces/password.interface.d.ts +60 -0
package/package.json +4 -3

package/dist/cjs/core/jwt/jwtManager.js ADDED Viewed

@@ -0,0 +1,299 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTManager = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const signToken_1 = require("./signToken");
+const verify_1 = require("./verify");
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+const js_extensions_1 = require("@naman_deep_singh/js-extensions");
+class JWTManager {
+    constructor(config) {
+        this.accessSecret = config.accessSecret;
+        this.refreshSecret = config.refreshSecret;
+        this.accessExpiry = config.accessExpiry || '15m';
+        this.refreshExpiry = config.refreshExpiry || '7d';
+        this.cacheTTL = 5 * 60 * 1000; // 5 minutes default TTL
+        if (config.enableCaching) {
+            this.cache = new js_extensions_1.LRUCache(config.maxCacheSize || 100);
+        }
+    }
+    /**
+     * Generate both access and refresh tokens
+     */
+    async generateTokens(payload) {
+        try {
+            this.validatePayload(payload);
+            const accessToken = await this.generateAccessToken(payload);
+            const refreshToken = await this.generateRefreshToken(payload);
+            return {
+                accessToken,
+                refreshToken,
+            };
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.BadRequestError ||
+                error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError('Failed to generate tokens');
+        }
+    }
+    /**
+     * Generate access token
+     */
+    async generateAccessToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = (0, signToken_1.signToken)(payload, this.accessSecret, this.accessExpiry, {
+                algorithm: 'HS256',
+            });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.BadRequestError ||
+                error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError('Failed to generate access token');
+        }
+    }
+    /**
+     * Generate refresh token
+     */
+    async generateRefreshToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = (0, signToken_1.signToken)(payload, this.refreshSecret, this.refreshExpiry, {
+                algorithm: 'HS256',
+            });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.BadRequestError ||
+                error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError('Failed to generate refresh token');
+        }
+    }
+    /**
+     * Verify access token
+     */
+    async verifyAccessToken(token) {
+        try {
+            if (!token || typeof token !== 'string') {
+                throw new errors_utils_1.ValidationError('Access token must be a non-empty string');
+            }
+            const cacheKey = `access_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
+                    if (!cached.valid) {
+                        throw new errors_utils_1.UnauthorizedError('Access token is invalid or expired');
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = (0, verify_1.verifyToken)(token, this.accessSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, {
+                    valid: true,
+                    payload: decoded,
+                    timestamp: Date.now(),
+                });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError ||
+                error instanceof errors_utils_1.UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === 'TokenExpiredError') {
+                throw new errors_utils_1.UnauthorizedError('Access token has expired');
+            }
+            if (error instanceof Error && error.name === 'JsonWebTokenError') {
+                throw new errors_utils_1.UnauthorizedError('Access token is invalid');
+            }
+            throw new errors_utils_1.UnauthorizedError('Failed to verify access token');
+        }
+    }
+    /**
+     * Verify refresh token
+     */
+    async verifyRefreshToken(token) {
+        try {
+            if (!token || typeof token !== 'string') {
+                throw new errors_utils_1.ValidationError('Refresh token must be a non-empty string');
+            }
+            const cacheKey = `refresh_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new errors_utils_1.UnauthorizedError('Refresh token is invalid or expired');
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = (0, verify_1.verifyToken)(token, this.refreshSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded, timestamp: Date.now() });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError ||
+                error instanceof errors_utils_1.UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === 'TokenExpiredError') {
+                throw new errors_utils_1.UnauthorizedError('Refresh token has expired');
+            }
+            if (error instanceof Error && error.name === 'JsonWebTokenError') {
+                throw new errors_utils_1.UnauthorizedError('Refresh token is invalid');
+            }
+            throw new errors_utils_1.UnauthorizedError('Failed to verify refresh token');
+        }
+    }
+    /**
+     * Decode token without verification
+     */
+    decodeToken(token, complete = false) {
+        try {
+            if (!token || typeof token !== 'string') {
+                throw new errors_utils_1.ValidationError('Token must be a non-empty string');
+            }
+            return jsonwebtoken_1.default.decode(token, { complete });
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Extract token from Authorization header
+     */
+    extractTokenFromHeader(authHeader) {
+        try {
+            if (!authHeader || typeof authHeader !== 'string') {
+                return null;
+            }
+            const parts = authHeader.split(' ');
+            if (parts.length !== 2 || parts[0] !== 'Bearer') {
+                return null;
+            }
+            return parts[1];
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Validate token without throwing exceptions
+     */
+    validateToken(token, secret, options = {}) {
+        try {
+            if (!token || typeof token !== 'string') {
+                return false;
+            }
+            const result = (0, verify_1.safeVerifyToken)(token, secret);
+            return result.valid;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Rotate refresh token
+     */
+    async rotateRefreshToken(oldToken) {
+        try {
+            if (!oldToken || typeof oldToken !== 'string') {
+                throw new errors_utils_1.ValidationError('Old refresh token must be a non-empty string');
+            }
+            const decoded = await this.verifyRefreshToken(oldToken);
+            if (typeof decoded === 'string') {
+                throw new errors_utils_1.ValidationError('Invalid token payload — expected JWT payload object');
+            }
+            // Create new payload without issued/expired timestamps
+            const payload = { ...decoded };
+            delete payload.iat;
+            delete payload.exp;
+            // Generate new refresh token
+            const newToken = (0, signToken_1.signToken)(payload, this.refreshSecret, this.refreshExpiry);
+            return newToken;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError ||
+                error instanceof errors_utils_1.UnauthorizedError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError('Failed to rotate refresh token');
+        }
+    }
+    /**
+     * Check if token is expired
+     */
+    isTokenExpired(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return true;
+            }
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch {
+            return true;
+        }
+    }
+    /**
+     * Get token expiration date
+     */
+    getTokenExpiration(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return null;
+            }
+            return new Date(decoded.exp * 1000);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Clear token cache
+     */
+    clearCache() {
+        this.cache?.clear();
+    }
+    /**
+     * Get cache statistics
+     */
+    getCacheStats() {
+        if (!this.cache)
+            return null;
+        // Note: LRUCache doesn't expose internal size, so we return maxSize only
+        return {
+            size: -1, // Size not available from LRUCache
+            maxSize: this.cache.maxSize,
+        };
+    }
+    // Private helper methods
+    validatePayload(payload) {
+        if (!payload || typeof payload !== 'object') {
+            throw new errors_utils_1.ValidationError('Payload must be a non-null object');
+        }
+        if (Object.keys(payload).length === 0) {
+            throw new errors_utils_1.ValidationError('Payload cannot be empty');
+        }
+    }
+}
+exports.JWTManager = JWTManager;

package/dist/cjs/core/jwt/parseDuration.js CHANGED Viewed

@@ -6,16 +6,16 @@ const TIME_UNITS = {
     m: 60,
     h: 3600,
     d: 86400,
-    w: 604800
+    w: 604800,
 };
 function parseDuration(input) {
-    if (typeof input === "number")
+    if (typeof input === 'number')
         return input;
     const regex = /(\d+)\s*(s|m|h|d|w)/gi;
     let totalSeconds = 0;
     let match;
     while ((match = regex.exec(input)) !== null) {
-        const value = parseInt(match[1], 10);
+        const value = Number.parseInt(match[1], 10);
         const unit = match[2].toLowerCase();
         if (!TIME_UNITS[unit]) {
             throw new Error(`Invalid time unit: ${unit}`);

package/dist/cjs/core/jwt/signToken.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { Secret, SignOptions } from "jsonwebtoken";
+import { type Secret, type SignOptions } from 'jsonwebtoken';
 export declare const signToken: (payload: Record<string, unknown>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;

package/dist/cjs/core/jwt/signToken.js CHANGED Viewed

@@ -6,21 +6,21 @@ const parseDuration_1 = require("./parseDuration");
 function getExpiryTimestamp(seconds) {
     return Math.floor(Date.now() / 1000) + seconds;
 }
-const signToken = (payload, secret, expiresIn = "1h", options = {}) => {
+const signToken = (payload, secret, expiresIn = '1h', options = {}) => {
     const seconds = (0, parseDuration_1.parseDuration)(expiresIn);
     if (!seconds || seconds < 10) {
-        throw new Error("Token expiry too small");
+        throw new Error('Token expiry too small');
     }
     const tokenPayload = {
-        ...payload
+        ...payload,
     };
-    if (!("exp" in payload))
+    if (!('exp' in payload))
         tokenPayload.exp = getExpiryTimestamp(seconds);
-    if (!("iat" in payload))
+    if (!('iat' in payload))
         tokenPayload.iat = Math.floor(Date.now() / 1000);
     return (0, jsonwebtoken_1.sign)(tokenPayload, secret, {
-        algorithm: "HS256",
-        ...options
+        algorithm: 'HS256',
+        ...options,
     });
 };
 exports.signToken = signToken;

package/dist/cjs/core/jwt/types.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { JwtPayload } from "jsonwebtoken";
+import type { JwtPayload } from 'jsonwebtoken';
 export interface AccessTokenBrand {
     readonly access: unique symbol;
 }

package/dist/cjs/core/jwt/validateToken.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
-import { JwtPayload } from "node_modules/@types/jsonwebtoken";
+import type { JwtPayload } from 'node_modules/@types/jsonwebtoken';
 export interface TokenRequirements {
     requiredFields?: string[];
     forbiddenFields?: string[];
-    validateTypes?: Record<string, "string" | "number" | "boolean">;
+    validateTypes?: Record<string, 'string' | 'number' | 'boolean'>;
 }
 export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): {
     valid: true;

package/dist/cjs/core/jwt/validateToken.js CHANGED Viewed

@@ -3,9 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateTokenPayload = validateTokenPayload;
 exports.isTokenExpired = isTokenExpired;
 function validateTokenPayload(payload, rules = {
-    requiredFields: ["exp", "iat"]
+    requiredFields: ['exp', 'iat'],
 }) {
-    const { requiredFields = [], forbiddenFields = [], validateTypes = {} } = rules;
+    const { requiredFields = [], forbiddenFields = [], validateTypes = {}, } = rules;
     // 1. Required fields
     for (const field of requiredFields) {
         if (!(field in payload)) {
@@ -24,7 +24,7 @@ function validateTokenPayload(payload, rules = {
         if (key in payload && typeof payload[key] !== expectedType) {
             return {
                 valid: false,
-                error: `Invalid type for ${key}. Expected ${expectedType}.`
+                error: `Invalid type for ${key}. Expected ${expectedType}.`,
             };
         }
     }

package/dist/cjs/core/jwt/verify.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
-import jwt, { Secret, JwtPayload } from "jsonwebtoken";
-import { VerificationResult } from "./types";
+import type jwt from 'jsonwebtoken';
+import { type JwtPayload, type Secret } from 'jsonwebtoken';
+import type { VerificationResult } from './types';
 /**
  * Verify token (throws if invalid or expired)
  */

package/dist/cjs/core/password/hash.js CHANGED Viewed

@@ -6,9 +6,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.hashPasswordSync = exports.hashPassword = void 0;
 exports.hashPasswordWithPepper = hashPasswordWithPepper;
 exports.hashPasswordWithPepperSync = hashPasswordWithPepperSync;
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
 const bcryptjs_1 = __importDefault(require("bcryptjs"));
 const utils_1 = require("./utils");
-const errors_utils_1 = require("@naman_deep_singh/errors-utils");
 /**
  * Hash a password asynchronously using bcrypt.
  */

package/dist/cjs/core/password/index.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
-export * from "./hash";
-export * from "./strength";
-export * from "./verify";
+export * from './hash';
+export * from './strength';
+export * from './verify';

package/dist/cjs/core/password/passwordManager.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import type { HashedPassword, IPasswordManager, PasswordConfig, PasswordStrength, PasswordValidationResult } from '../../interfaces/password.interface';
+export declare class PasswordManager implements IPasswordManager {
+    private defaultConfig;
+    constructor(config?: PasswordConfig);
+    /**
+     * Hash a password asynchronously using bcrypt
+     */
+    hash(password: string, salt?: string): Promise<HashedPassword>;
+    /**
+     * Verify password against hash and salt
+     */
+    verify(password: string, hash: string, salt: string): Promise<boolean>;
+    /**
+     * Generate a random password
+     */
+    generate(length?: number, options?: PasswordConfig): string;
+    /**
+     * Validate password against configuration
+     */
+    validate(password: string, config?: PasswordConfig): PasswordValidationResult;
+    /**
+     * Check password strength
+     */
+    checkStrength(password: string): PasswordStrength;
+    /**
+     * Check if password hash needs upgrade (different salt rounds)
+     */
+    needsUpgrade(hash: string, currentConfig: PasswordConfig): boolean;
+}