@naman_deep_singh/security 1.3.3 → 1.4.0

package/dist/esm/core/crypto/cryptoManager.js

@@ -1,3 +1,4 @@
+import { InternalServerError } from '@naman_deep_singh/errors-utils';
 import { decrypt as functionalDecrypt, encrypt as functionalEncrypt, hmacSign as functionalHmacSign, hmacVerify as functionalHmacVerify, randomToken as functionalRandomToken, } from './index';
 /**
  * Default configuration
@@ -31,17 +32,27 @@ export class CryptoManager {
      * Encrypt data using the default or specified algorithm
      */
     encrypt(plaintext, key, _options) {
-        // For now, use the basic encrypt function
-        // TODO: Enhance to support different algorithms and options
-        return functionalEncrypt(plaintext, key);
+        try {
+            return functionalEncrypt(plaintext, key);
+        }
+        catch (err) {
+            throw new InternalServerError(undefined, {
+                message: 'Encryption failed',
+            }, err instanceof Error ? err : undefined);
+        }
     }
     /**
      * Decrypt data using the default or specified algorithm
      */
     decrypt(encryptedData, key, _options) {
-        // For now, use the basic decrypt function
-        // TODO: Enhance to support different algorithms and options
-        return functionalDecrypt(encryptedData, key);
+        try {
+            return functionalDecrypt(encryptedData, key);
+        }
+        catch (err) {
+            throw new InternalServerError(undefined, {
+                message: 'Decryption failed',
+            }, err instanceof Error ? err : undefined);
+        }
     }
     /**
      * Generate HMAC signature
@@ -73,7 +84,9 @@ export class CryptoManager {
             const crypto = require('crypto');
             crypto.pbkdf2(password, salt, iterations, keyLength, 'sha256', (err, derivedKey) => {
                 if (err) {
-                    reject(err);
+                    reject(new InternalServerError(undefined, {
+                        message: 'Key derivation failed',
+                    }, err instanceof Error ? err : undefined));
                 }
                 else {
                     resolve(derivedKey.toString('hex'));
@@ -143,15 +156,17 @@ export class CryptoManager {
     rsaSign(data, privateKey, algorithm = 'sha256') {
         return new Promise((resolve, reject) => {
             const crypto = require('crypto');
-            const sign = crypto.createSign(algorithm);
-            sign.update(data);
-            sign.end();
             try {
+                const sign = crypto.createSign(algorithm);
+                sign.update(data);
+                sign.end();
                 const signature = sign.sign(privateKey, 'base64');
                 resolve(signature);
             }
-            catch (error) {
-                reject(error);
+            catch (err) {
+                reject(new InternalServerError(undefined, {
+                    message: 'RSA signing failed',
+                }, err instanceof Error ? err : undefined));
             }
         });
     }
@@ -161,15 +176,17 @@ export class CryptoManager {
     rsaVerify(data, signature, publicKey, algorithm = 'sha256') {
         return new Promise((resolve, reject) => {
             const crypto = require('crypto');
-            const verify = crypto.createVerify(algorithm);
-            verify.update(data);
-            verify.end();
             try {
+                const verify = crypto.createVerify(algorithm);
+                verify.update(data);
+                verify.end();
                 const isValid = verify.verify(publicKey, signature, 'base64');
                 resolve(isValid);
             }
-            catch (error) {
-                reject(error);
+            catch (err) {
+                reject(new InternalServerError(undefined, {
+                    message: 'RSA verification failed',
+                }, err instanceof Error ? err : undefined));
             }
         });
     }

package/dist/esm/core/jwt/decode.js

@@ -1,5 +1,6 @@
 // src/jwt/decodeToken.ts
 import { decode } from 'jsonwebtoken';
+import { BadRequestError } from '@naman_deep_singh/errors-utils';
 /**
  * Flexible decode
  * Returns: null | string | JwtPayload
@@ -15,7 +16,9 @@ export function decodeToken(token) {
 export function decodeTokenStrict(token) {
     const decoded = decode(token);
     if (!decoded || typeof decoded === 'string') {
-        throw new Error('Invalid JWT payload structure');
+        throw new BadRequestError({
+            message: 'Invalid JWT payload structure',
+        });
     }
     return decoded;
 }

package/dist/esm/core/jwt/generateTokens.js

@@ -1,5 +1,6 @@
 import { signToken } from './signToken';
 import { verifyToken } from './verify';
+import { TokenMalformedError } from '@naman_deep_singh/errors-utils';
 // Helper function to create branded tokens
 /* const createBrandedToken = <T extends string>(token: string, _brand: T): T => {
     return token as T
@@ -19,7 +20,9 @@ export const generateTokens = (payload, accessSecret, refreshSecret, accessExpir
 export function rotateRefreshToken(oldToken, secret) {
     const decoded = verifyToken(oldToken, secret);
     if (typeof decoded === 'string') {
-        throw new Error('Invalid token payload — expected JWT payload object');
+        throw new TokenMalformedError({
+            message: 'Invalid token payload — expected JWT payload object',
+        });
     }
     const payload = { ...decoded };
     delete payload.iat;

package/dist/esm/core/jwt/jwtManager.d.ts

@@ -1,5 +1,5 @@
 import { type JwtPayload, type Secret } from 'jsonwebtoken';
-import type { AccessToken, ITokenManager, JWTConfig, RefreshToken, TokenPair, TokenValidationOptions } from '../../interfaces/jwt.interface';
+import type { AccessToken, ITokenManager, JWTConfig, RefreshToken, TokenPair } from '../../interfaces/jwt.interface';
 export declare class JWTManager implements ITokenManager {
     private accessSecret;
     private refreshSecret;
@@ -8,60 +8,36 @@ export declare class JWTManager implements ITokenManager {
     private cache?;
     private cacheTTL;
     constructor(config: JWTConfig);
-    /**
-     * Generate both access and refresh tokens
-     */
+    /** Generate both access and refresh tokens */
     generateTokens(payload: Record<string, unknown>): Promise<TokenPair>;
-    /**
-     * Generate access token
-     */
+    /** Generate access token */
     generateAccessToken(payload: Record<string, unknown>): Promise<AccessToken>;
-    /**
-     * Generate refresh token
-     */
+    /** Generate refresh token */
     generateRefreshToken(payload: Record<string, unknown>): Promise<RefreshToken>;
-    /**
-     * Verify access token
-     */
-    verifyAccessToken(token: string): Promise<JwtPayload | string>;
-    /**
-     * Verify refresh token
-     */
-    verifyRefreshToken(token: string): Promise<JwtPayload | string>;
-    /**
-     * Decode token without verification
-     */
+    /** Verify access token */
+    verifyAccessToken(token: string): Promise<JwtPayload>;
+    /** Verify refresh token */
+    verifyRefreshToken(token: string): Promise<JwtPayload>;
+    /** Decode token without verification */
     decodeToken(token: string, complete?: boolean): JwtPayload | string | null;
-    /**
-     * Extract token from Authorization header
-     */
+    /** Extract token from Authorization header */
     extractTokenFromHeader(authHeader: string): string | null;
-    /**
-     * Validate token without throwing exceptions
-     */
-    validateToken(token: string, secret: Secret, _options?: TokenValidationOptions): boolean;
-    /**
-     * Rotate refresh token
-     */
+    /** Validate token without throwing exceptions */
+    validateToken(token: string, secret: Secret): boolean;
+    /** Rotate refresh token */
     rotateRefreshToken(oldToken: string): Promise<RefreshToken>;
-    /**
-     * Check if token is expired
-     */
+    /** Check if token is expired */
     isTokenExpired(token: string): boolean;
-    /**
-     * Get token expiration date
-     */
+    /** Get token expiration date */
     getTokenExpiration(token: string): Date | null;
-    /**
-     * Clear token cache
-     */
+    /** Clear token cache */
     clearCache(): void;
-    /**
-     * Get cache statistics
-     */
+    /** Get cache statistics */
     getCacheStats(): {
         size: number;
         maxSize: number;
     } | null;
+    /** Private helper methods */
     private validatePayload;
+    private verifyTokenWithCache;
 }

package/dist/esm/core/jwt/jwtManager.js

@@ -1,6 +1,6 @@
 import jwt from 'jsonwebtoken';
 import { signToken } from './signToken';
-import { safeVerifyToken, verifyToken } from './verify';
+import { safeVerifyToken } from './verify';
 import { BadRequestError, UnauthorizedError, ValidationError, } from '@naman_deep_singh/errors-utils';
 import { LRUCache } from '@naman_deep_singh/js-extensions';
 export class JWTManager {
@@ -9,288 +9,154 @@ export class JWTManager {
         this.refreshSecret = config.refreshSecret;
         this.accessExpiry = config.accessExpiry || '15m';
         this.refreshExpiry = config.refreshExpiry || '7d';
-        this.cacheTTL = 5 * 60 * 1000; // 5 minutes default TTL
+        this.cacheTTL = 5 * 60 * 1000; // 5 minutes
         if (config.enableCaching) {
             this.cache = new LRUCache(config.maxCacheSize || 100);
         }
     }
-    /**
-     * Generate both access and refresh tokens
-     */
+    /** Generate both access and refresh tokens */
     async generateTokens(payload) {
         try {
             this.validatePayload(payload);
             const accessToken = await this.generateAccessToken(payload);
             const refreshToken = await this.generateRefreshToken(payload);
-            return {
-                accessToken,
-                refreshToken,
-            };
+            return { accessToken, refreshToken };
         }
         catch (error) {
-            if (error instanceof BadRequestError ||
-                error instanceof ValidationError) {
+            if (error instanceof BadRequestError || error instanceof ValidationError)
                 throw error;
-            }
-            throw new BadRequestError('Failed to generate tokens');
+            throw new BadRequestError({ message: 'Failed to generate tokens' }, error instanceof Error ? error : undefined);
         }
     }
-    /**
-     * Generate access token
-     */
+    /** Generate access token */
     async generateAccessToken(payload) {
         try {
             this.validatePayload(payload);
-            const token = signToken(payload, this.accessSecret, this.accessExpiry, {
-                algorithm: 'HS256',
-            });
+            const token = signToken(payload, this.accessSecret, this.accessExpiry, { algorithm: 'HS256' });
             return token;
         }
         catch (error) {
-            if (error instanceof BadRequestError ||
-                error instanceof ValidationError) {
+            if (error instanceof BadRequestError || error instanceof ValidationError)
                 throw error;
-            }
-            throw new BadRequestError('Failed to generate access token');
+            throw new BadRequestError({ message: 'Failed to generate access token' }, error instanceof Error ? error : undefined);
         }
     }
-    /**
-     * Generate refresh token
-     */
+    /** Generate refresh token */
     async generateRefreshToken(payload) {
         try {
             this.validatePayload(payload);
-            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, {
-                algorithm: 'HS256',
-            });
+            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, { algorithm: 'HS256' });
             return token;
         }
         catch (error) {
-            if (error instanceof BadRequestError ||
-                error instanceof ValidationError) {
+            if (error instanceof BadRequestError || error instanceof ValidationError)
                 throw error;
-            }
-            throw new BadRequestError('Failed to generate refresh token');
+            throw new BadRequestError({ message: 'Failed to generate refresh token' }, error instanceof Error ? error : undefined);
         }
     }
-    /**
-     * Verify access token
-     */
+    /** Verify access token */
     async verifyAccessToken(token) {
-        try {
-            if (!token || typeof token !== 'string') {
-                throw new ValidationError('Access token must be a non-empty string');
-            }
-            const cacheKey = `access_${token}`;
-            if (this.cache) {
-                const cached = this.cache.get(cacheKey);
-                if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
-                    if (!cached.valid) {
-                        throw new UnauthorizedError('Access token is invalid or expired');
-                    }
-                    return cached.payload;
-                }
-            }
-            const decoded = verifyToken(token, this.accessSecret);
-            if (this.cache) {
-                this.cache.set(cacheKey, {
-                    valid: true,
-                    payload: decoded,
-                    timestamp: Date.now(),
-                });
-            }
-            return decoded;
-        }
-        catch (error) {
-            if (error instanceof ValidationError ||
-                error instanceof UnauthorizedError) {
-                throw error;
-            }
-            if (error instanceof Error && error.name === 'TokenExpiredError') {
-                throw new UnauthorizedError('Access token has expired');
-            }
-            if (error instanceof Error && error.name === 'JsonWebTokenError') {
-                throw new UnauthorizedError('Access token is invalid');
-            }
-            throw new UnauthorizedError('Failed to verify access token');
-        }
+        return this.verifyTokenWithCache(token, this.accessSecret, 'access');
     }
-    /**
-     * Verify refresh token
-     */
+    /** Verify refresh token */
     async verifyRefreshToken(token) {
-        try {
-            if (!token || typeof token !== 'string') {
-                throw new ValidationError('Refresh token must be a non-empty string');
-            }
-            const cacheKey = `refresh_${token}`;
-            if (this.cache) {
-                const cached = this.cache.get(cacheKey);
-                if (cached) {
-                    if (!cached.valid) {
-                        throw new UnauthorizedError('Refresh token is invalid or expired');
-                    }
-                    return cached.payload;
-                }
-            }
-            const decoded = verifyToken(token, this.refreshSecret);
-            if (this.cache) {
-                this.cache.set(cacheKey, {
-                    valid: true,
-                    payload: decoded,
-                    timestamp: Date.now(),
-                });
-            }
-            return decoded;
-        }
-        catch (error) {
-            if (error instanceof ValidationError ||
-                error instanceof UnauthorizedError) {
-                throw error;
-            }
-            if (error instanceof Error && error.name === 'TokenExpiredError') {
-                throw new UnauthorizedError('Refresh token has expired');
-            }
-            if (error instanceof Error && error.name === 'JsonWebTokenError') {
-                throw new UnauthorizedError('Refresh token is invalid');
-            }
-            throw new UnauthorizedError('Failed to verify refresh token');
-        }
+        return this.verifyTokenWithCache(token, this.refreshSecret, 'refresh');
     }
-    /**
-     * Decode token without verification
-     */
+    /** Decode token without verification */
     decodeToken(token, complete = false) {
-        try {
-            if (!token || typeof token !== 'string') {
-                throw new ValidationError('Token must be a non-empty string');
-            }
-            return jwt.decode(token, { complete });
-        }
-        catch (error) {
-            if (error instanceof ValidationError) {
-                throw error;
-            }
+        if (!token || typeof token !== 'string')
             return null;
-        }
+        return jwt.decode(token, { complete });
     }
-    /**
-     * Extract token from Authorization header
-     */
+    /** Extract token from Authorization header */
     extractTokenFromHeader(authHeader) {
-        try {
-            if (!authHeader || typeof authHeader !== 'string') {
-                return null;
-            }
-            const parts = authHeader.split(' ');
-            if (parts.length !== 2 || parts[0] !== 'Bearer') {
-                return null;
-            }
-            return parts[1];
-        }
-        catch {
+        if (!authHeader || typeof authHeader !== 'string')
             return null;
-        }
+        const parts = authHeader.split(' ');
+        if (parts.length !== 2 || parts[0] !== 'Bearer')
+            return null;
+        return parts[1];
     }
-    /**
-     * Validate token without throwing exceptions
-     */
-    validateToken(token, secret, _options = {}) {
-        try {
-            if (!token || typeof token !== 'string') {
-                return false;
-            }
-            const result = safeVerifyToken(token, secret);
-            return result.valid;
-        }
-        catch {
+    /** Validate token without throwing exceptions */
+    validateToken(token, secret) {
+        if (!token || typeof token !== 'string')
             return false;
-        }
+        return safeVerifyToken(token, secret).valid;
     }
-    /**
-     * Rotate refresh token
-     */
+    /** Rotate refresh token */
     async rotateRefreshToken(oldToken) {
-        try {
-            if (!oldToken || typeof oldToken !== 'string') {
-                throw new ValidationError('Old refresh token must be a non-empty string');
-            }
-            const decoded = await this.verifyRefreshToken(oldToken);
-            if (typeof decoded === 'string') {
-                throw new ValidationError('Invalid token payload — expected JWT payload object');
-            }
-            // Create new payload without issued/expired timestamps
-            const payload = { ...decoded };
-            delete payload.iat;
-            delete payload.exp;
-            // Generate new refresh token
-            const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
-            return newToken;
-        }
-        catch (error) {
-            if (error instanceof ValidationError ||
-                error instanceof UnauthorizedError) {
-                throw error;
-            }
-            throw new BadRequestError('Failed to rotate refresh token');
-        }
+        if (!oldToken || typeof oldToken !== 'string') {
+            throw new ValidationError({ message: 'Old refresh token must be a non-empty string' });
+        }
+        const decoded = await this.verifyRefreshToken(oldToken);
+        const payload = { ...decoded };
+        delete payload.iat;
+        delete payload.exp;
+        const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
+        return newToken;
     }
-    /**
-     * Check if token is expired
-     */
+    /** Check if token is expired */
     isTokenExpired(token) {
         try {
             const decoded = this.decodeToken(token);
-            if (!decoded || !decoded.exp) {
+            if (!decoded || !decoded.exp)
                 return true;
-            }
-            const currentTime = Math.floor(Date.now() / 1000);
-            return decoded.exp < currentTime;
+            return decoded.exp < Math.floor(Date.now() / 1000);
         }
         catch {
             return true;
         }
     }
-    /**
-     * Get token expiration date
-     */
+    /** Get token expiration date */
     getTokenExpiration(token) {
         try {
             const decoded = this.decodeToken(token);
-            if (!decoded || !decoded.exp) {
+            if (!decoded || !decoded.exp)
                 return null;
-            }
             return new Date(decoded.exp * 1000);
         }
         catch {
             return null;
         }
     }
-    /**
-     * Clear token cache
-     */
+    /** Clear token cache */
     clearCache() {
         this.cache?.clear();
     }
-    /**
-     * Get cache statistics
-     */
+    /** Get cache statistics */
     getCacheStats() {
         if (!this.cache)
             return null;
-        // Note: LRUCache doesn't expose internal size, so we return maxSize only
-        return {
-            size: -1, // Size not available from LRUCache
-            maxSize: this.cache.maxSize,
-        };
+        return { size: -1, maxSize: this.cache.maxSize };
     }
-    // Private helper methods
+    /** Private helper methods */
     validatePayload(payload) {
         if (!payload || typeof payload !== 'object') {
-            throw new ValidationError('Payload must be a non-null object');
+            throw new ValidationError({ message: 'Payload must be a non-null object' });
         }
         if (Object.keys(payload).length === 0) {
-            throw new ValidationError('Payload cannot be empty');
+            throw new ValidationError({ message: 'Payload cannot be empty' });
         }
     }
+    async verifyTokenWithCache(token, secret, type) {
+        if (!token || typeof token !== 'string') {
+            throw new ValidationError({ message: `${type} token must be a non-empty string` });
+        }
+        const cacheKey = `${type}_${token}`;
+        if (this.cache) {
+            const cached = this.cache.get(cacheKey);
+            if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
+                if (!cached.valid)
+                    throw new UnauthorizedError({ message: `${type} token is invalid or expired` });
+                return cached.payload;
+            }
+        }
+        const { valid, payload, error } = safeVerifyToken(token, secret);
+        if (!valid || !payload || typeof payload === 'string') {
+            this.cache?.set(cacheKey, { valid: false, payload: {}, timestamp: Date.now() });
+            throw new UnauthorizedError({ message: `${type} token is invalid or expired`, cause: error });
+        }
+        this.cache?.set(cacheKey, { valid: true, payload, timestamp: Date.now() });
+        return payload;
+    }
 }

package/dist/esm/core/jwt/parseDuration.js

@@ -1,3 +1,4 @@
+import { ValidationError } from "@naman_deep_singh/errors-utils";
 const TIME_UNITS = {
     s: 1,
     m: 60,
@@ -15,12 +16,12 @@ export function parseDuration(input) {
         const value = Number.parseInt(match[1], 10);
         const unit = match[2].toLowerCase();
         if (!TIME_UNITS[unit]) {
-            throw new Error(`Invalid time unit: ${unit}`);
+            throw new ValidationError({ message: `Invalid time unit: ${unit}` });
         }
         totalSeconds += value * TIME_UNITS[unit];
     }
     if (totalSeconds === 0) {
-        throw new Error(`Invalid expiry format: "${input}"`);
+        throw new ValidationError({ message: `Invalid expiry format: "${input}"` });
     }
     return totalSeconds;
 }

package/dist/esm/core/jwt/signToken.js

@@ -1,12 +1,13 @@
 import { sign } from 'jsonwebtoken';
 import { parseDuration } from './parseDuration';
+import { ValidationError } from '@naman_deep_singh/errors-utils';
 function getExpiryTimestamp(seconds) {
     return Math.floor(Date.now() / 1000) + seconds;
 }
 export const signToken = (payload, secret, expiresIn = '1h', options = {}) => {
     const seconds = parseDuration(expiresIn);
     if (!seconds || seconds < 10) {
-        throw new Error('Token expiry too small');
+        throw new ValidationError({ message: 'Token expiry too small' });
     }
     const tokenPayload = {
         ...payload,

package/dist/esm/core/jwt/validateToken.d.ts

@@ -1,13 +1,16 @@
-import type { JwtPayload } from 'node_modules/@types/jsonwebtoken';
+import type { JwtPayload } from 'jsonwebtoken';
 export interface TokenRequirements {
     requiredFields?: string[];
     forbiddenFields?: string[];
     validateTypes?: Record<string, 'string' | 'number' | 'boolean'>;
 }
-export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): {
-    valid: true;
-} | {
-    valid: false;
-    error: string;
-};
+/**
+ * Validates a JWT payload according to the provided rules.
+ * Throws ValidationError if validation fails.
+ */
+export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): void;
+/**
+ * Checks if a JWT payload is expired.
+ * Returns true if expired or missing 'exp'.
+ */
 export declare function isTokenExpired(payload: JwtPayload): boolean;