@nest-boot/crypt 7.0.2 → 7.1.1

package/dist/crypt.module.d.ts

@@ -1,7 +1,9 @@
 import { type DynamicModule } from "@nestjs/common";
 import { ASYNC_OPTIONS_TYPE, ConfigurableModuleClass, OPTIONS_TYPE } from "./crypt.module-definition";
 /**
- * Module that provides encryption and decryption services using AES-256-GCM.
+ * Module that provides encryption and decryption services using JWE (A256GCMKW + A256GCM).
+ *
+ * Uses HKDF to derive a 32-byte key from the secret, so secrets of any length are accepted.
  *
  * @example
  * ```typescript
@@ -10,13 +12,17 @@ import { ASYNC_OPTIONS_TYPE, ConfigurableModuleClass, OPTIONS_TYPE } from "./cry
  * @Module({
  *   imports: [
  *     CryptModule.register({
- *       secret: 'your-secret-key',
- *       isGlobal: true,
+ *       secret: process.env.CRYPT_SECRET
  *     }),
  *   ],
  * })
  * export class AppModule {}
  * ```
+ *
+ * Generate a secure secret:
+ * ```bash
+ * node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))"
+ * ```
  */
 export declare class CryptModule extends ConfigurableModuleClass {
     /**

package/dist/crypt.module.js

@@ -10,8 +10,11 @@ exports.CryptModule = void 0;
 const common_1 = require("@nestjs/common");
 const crypt_module_definition_1 = require("./crypt.module-definition");
 const crypt_service_1 = require("./crypt.service");
+const estimate_entropy_1 = require("./utils/estimate-entropy");
 /**
- * Module that provides encryption and decryption services using AES-256-GCM.
+ * Module that provides encryption and decryption services using JWE (A256GCMKW + A256GCM).
+ *
+ * Uses HKDF to derive a 32-byte key from the secret, so secrets of any length are accepted.
  *
  * @example
  * ```typescript
@@ -20,13 +23,17 @@ const crypt_service_1 = require("./crypt.service");
  * @Module({
  *   imports: [
  *     CryptModule.register({
- *       secret: 'your-secret-key',
- *       isGlobal: true,
+ *       secret: process.env.CRYPT_SECRET
  *     }),
  *   ],
  * })
  * export class AppModule {}
  * ```
+ *
+ * Generate a secure secret:
+ * ```bash
+ * node -e "console.log(require('crypto').randomBytes(32).toString('base64url'))"
+ * ```
  */
 let CryptModule = class CryptModule extends crypt_module_definition_1.ConfigurableModuleClass {
     /**
@@ -49,6 +56,37 @@ let CryptModule = class CryptModule extends crypt_module_definition_1.Configurab
 exports.CryptModule = CryptModule;
 exports.CryptModule = CryptModule = __decorate([
     (0, common_1.Global)(),
-    (0, common_1.Module)({ providers: [crypt_service_1.CryptService], exports: [crypt_service_1.CryptService] })
+    (0, common_1.Module)({
+        providers: [
+            {
+                provide: crypt_service_1.CryptService,
+                inject: [{ token: crypt_module_definition_1.MODULE_OPTIONS_TOKEN, optional: true }],
+                useFactory: (options) => {
+                    const secret = options.secret ?? process.env.CRYPT_SECRET ?? process.env.APP_SECRET;
+                    if (!secret) {
+                        throw new Error("Crypt secret is required.\n" +
+                            "Set CRYPT_SECRET or APP_SECRET environment variable, or pass a secret option.\n" +
+                            "Generate a secure secret with:\n" +
+                            "  node -e \"console.log(require('crypto').randomBytes(32).toString('base64url'))\"");
+                    }
+                    if (secret.length < 32) {
+                        throw new Error("Crypt secret must be at least 32 characters long.\n" +
+                            "Set CRYPT_SECRET or APP_SECRET environment variable, or pass a secret option.\n" +
+                            "Generate a secure secret with:\n" +
+                            "  node -e \"console.log(require('crypto').randomBytes(32).toString('base64url'))\"");
+                    }
+                    if ((0, estimate_entropy_1.estimateEntropy)(secret) < 120) {
+                        throw new Error("Crypt secret appears low-entropy.\n" +
+                            "Use a randomly generated secret for production.\n" +
+                            "Generate a secure secret with:\n" +
+                            "  node -e \"console.log(require('crypto').randomBytes(32).toString('base64url'))\"");
+                    }
+                    crypt_service_1.CryptService.init(secret);
+                    return crypt_service_1.CryptService.instance;
+                },
+            },
+        ],
+        exports: [crypt_service_1.CryptService],
+    })
 ], CryptModule);
 //# sourceMappingURL=crypt.module.js.map

package/dist/crypt.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypt.module.js","sourceRoot":"","sources":["../src/crypt.module.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAAoE;AAEpE,uEAImC;AACnC,mDAA+C;AAE/C;;;;;;;;;;;;;;;;;GAiBG;AAGI,IAAM,WAAW,GAAjB,MAAM,WAAY,SAAQ,iDAAuB;IACtD;;;;OAIG;IACH,MAAM,CAAU,QAAQ,CAAC,OAA4B;QACnD,OAAO,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAU,aAAa,CAC3B,OAAkC;QAElC,OAAO,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;CACF,CAAA;AApBY,kCAAW;sBAAX,WAAW;IAFvB,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,SAAS,EAAE,CAAC,4BAAY,CAAC,EAAE,OAAO,EAAE,CAAC,4BAAY,CAAC,EAAE,CAAC;GAClD,WAAW,CAoBvB"}
+{"version":3,"file":"crypt.module.js","sourceRoot":"","sources":["../src/crypt.module.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAAoE;AAEpE,uEAKmC;AACnC,mDAA+C;AAE/C,+DAA2D;AAE3D;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AA8CI,IAAM,WAAW,GAAjB,MAAM,WAAY,SAAQ,iDAAuB;IACtD;;;;OAIG;IACH,MAAM,CAAU,QAAQ,CAAC,OAA4B;QACnD,OAAO,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAU,aAAa,CAC3B,OAAkC;QAElC,OAAO,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;CACF,CAAA;AApBY,kCAAW;sBAAX,WAAW;IA7CvB,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC;QACN,SAAS,EAAE;YACT;gBACE,OAAO,EAAE,4BAAY;gBACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,8CAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;gBACzD,UAAU,EAAE,CAAC,OAA2B,EAAE,EAAE;oBAC1C,MAAM,MAAM,GACV,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;oBAEvE,IAAI,CAAC,MAAM,EAAE,CAAC;wBACZ,MAAM,IAAI,KAAK,CACb,6BAA6B;4BAC3B,iFAAiF;4BACjF,kCAAkC;4BAClC,oFAAoF,CACvF,CAAC;oBACJ,CAAC;oBAED,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;wBACvB,MAAM,IAAI,KAAK,CACb,qDAAqD;4BACnD,iFAAiF;4BACjF,kCAAkC;4BAClC,oFAAoF,CACvF,CAAC;oBACJ,CAAC;oBAED,IAAI,IAAA,kCAAe,EAAC,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;wBAClC,MAAM,IAAI,KAAK,CACb,qCAAqC;4BACnC,mDAAmD;4BACnD,kCAAkC;4BAClC,oFAAoF,CACvF,CAAC;oBACJ,CAAC;oBAED,4BAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;oBAE1B,OAAO,4BAAY,CAAC,QAAQ,CAAC;gBAC/B,CAAC;aACF;SACF;QACD,OAAO,EAAE,CAAC,4BAAY,CAAC;KACxB,CAAC;GACW,WAAW,CAoBvB"}

package/dist/crypt.module.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/crypt.module.spec.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const testing_1 = require("@nestjs/testing");
+const _1 = require(".");
+const TEST_SECRET = "myTestSecretThatIsAtLeast32Chars!";
+describe("CryptModule", () => {
+    const originalEnv = process.env;
+    beforeEach(() => {
+        // Reset static instance before each test
+        _1.CryptService._instance = undefined;
+        // Reset environment variables
+        process.env = { ...originalEnv };
+        delete process.env.CRYPT_SECRET;
+        delete process.env.APP_SECRET;
+    });
+    afterAll(() => {
+        process.env = originalEnv;
+    });
+    describe("register", () => {
+        it("should throw error when secret is missing", async () => {
+            await expect(testing_1.Test.createTestingModule({
+                imports: [_1.CryptModule.register({})],
+            }).compile()).rejects.toThrow("Crypt secret is required.");
+        });
+        it("should use CRYPT_SECRET env when no secret option provided", async () => {
+            process.env.CRYPT_SECRET = TEST_SECRET;
+            const moduleRef = await testing_1.Test.createTestingModule({
+                imports: [_1.CryptModule.register({})],
+            }).compile();
+            const cryptService = moduleRef.get(_1.CryptService);
+            expect(cryptService).toBeDefined();
+        });
+        it("should use APP_SECRET env when no secret or CRYPT_SECRET provided", async () => {
+            process.env.APP_SECRET = TEST_SECRET;
+            const moduleRef = await testing_1.Test.createTestingModule({
+                imports: [_1.CryptModule.register({})],
+            }).compile();
+            const cryptService = moduleRef.get(_1.CryptService);
+            expect(cryptService).toBeDefined();
+        });
+        it("should throw error when secret is too short", async () => {
+            await expect(testing_1.Test.createTestingModule({
+                imports: [_1.CryptModule.register({ secret: "short" })],
+            }).compile()).rejects.toThrow("Crypt secret must be at least 32 characters long.");
+        });
+        it("should throw error when secret has low entropy", async () => {
+            // A secret that is 32 chars but low entropy (all same character)
+            const lowEntropySecret = "a".repeat(32);
+            await expect(testing_1.Test.createTestingModule({
+                imports: [_1.CryptModule.register({ secret: lowEntropySecret })],
+            }).compile()).rejects.toThrow("Crypt secret appears low-entropy.");
+        });
+    });
+    describe("registerAsync", () => {
+        it("should register module with async factory", async () => {
+            const moduleRef = await testing_1.Test.createTestingModule({
+                imports: [
+                    _1.CryptModule.registerAsync({
+                        useFactory: () => ({
+                            secret: TEST_SECRET,
+                        }),
+                    }),
+                ],
+            }).compile();
+            const cryptService = moduleRef.get(_1.CryptService);
+            expect(cryptService).toBeDefined();
+            const encrypted = await cryptService.encrypt("password");
+            const decrypted = await cryptService.decrypt(encrypted);
+            expect(decrypted).toBe("password");
+        });
+    });
+});
+//# sourceMappingURL=crypt.module.spec.js.map

package/dist/crypt.module.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypt.module.spec.js","sourceRoot":"","sources":["../src/crypt.module.spec.ts"],"names":[],"mappings":";;AAAA,6CAAuC;AAEvC,wBAA8C;AAE9C,MAAM,WAAW,GAAG,mCAAmC,CAAC;AAExD,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC;IAEhC,UAAU,CAAC,GAAG,EAAE;QACd,yCAAyC;QACxC,eAAoD,CAAC,SAAS,GAAG,SAAS,CAAC;QAC5E,8BAA8B;QAC9B,OAAO,CAAC,GAAG,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC;QACjC,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAChC,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,GAAG,EAAE;QACZ,OAAO,CAAC,GAAG,GAAG,WAAW,CAAC;IAC5B,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,UAAU,EAAE,GAAG,EAAE;QACxB,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,MAAM,CACV,cAAI,CAAC,mBAAmB,CAAC;gBACvB,OAAO,EAAE,CAAC,cAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;aACpC,CAAC,CAAC,OAAO,EAAE,CACb,CAAC,OAAO,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;YAC1E,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,WAAW,CAAC;YAEvC,MAAM,SAAS,GAAG,MAAM,cAAI,CAAC,mBAAmB,CAAC;gBAC/C,OAAO,EAAE,CAAC,cAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;aACpC,CAAC,CAAC,OAAO,EAAE,CAAC;YAEb,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAe,eAAY,CAAC,CAAC;YAE/D,MAAM,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mEAAmE,EAAE,KAAK,IAAI,EAAE;YACjF,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,WAAW,CAAC;YAErC,MAAM,SAAS,GAAG,MAAM,cAAI,CAAC,mBAAmB,CAAC;gBAC/C,OAAO,EAAE,CAAC,cAAW,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;aACpC,CAAC,CAAC,OAAO,EAAE,CAAC;YAEb,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAe,eAAY,CAAC,CAAC;YAE/D,MAAM,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,MAAM,CACV,cAAI,CAAC,mBAAmB,CAAC;gBACvB,OAAO,EAAE,CAAC,cAAW,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;aACrD,CAAC,CAAC,OAAO,EAAE,CACb,CAAC,OAAO,CAAC,OAAO,CAAC,mDAAmD,CAAC,CAAC;QACzE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,iEAAiE;YACjE,MAAM,gBAAgB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;YAExC,MAAM,MAAM,CACV,cAAI,CAAC,mBAAmB,CAAC;gBACvB,OAAO,EAAE,CAAC,cAAW,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;aAC9D,CAAC,CAAC,OAAO,EAAE,CACb,CAAC,OAAO,CAAC,OAAO,CAAC,mCAAmC,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,eAAe,EAAE,GAAG,EAAE;QAC7B,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,SAAS,GAAG,MAAM,cAAI,CAAC,mBAAmB,CAAC;gBAC/C,OAAO,EAAE;oBACP,cAAW,CAAC,aAAa,CAAC;wBACxB,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;4BACjB,MAAM,EAAE,WAAW;yBACpB,CAAC;qBACH,CAAC;iBACH;aACF,CAAC,CAAC,OAAO,EAAE,CAAC;YAEb,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAe,eAAY,CAAC,CAAC;YAE/D,MAAM,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;YAEnC,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;YACzD,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YACxD,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/crypt.service.d.ts

@@ -1,45 +1,79 @@
-import { CryptModuleOptions } from "./crypt-module-options.interface";
 /**
- * Service that provides encryption and decryption functionality using AES-256-GCM algorithm.
+ * Service that provides encryption and decryption functionality using JWE (JSON Web Encryption).
+ *
+ * Uses HKDF to derive a 32-byte key from the secret, then A256GCMKW for key management
+ * and A256GCM for content encryption. Accepts secrets of any length.
  *
  * @example
  * ```typescript
  * import { CryptService } from '@nest-boot/crypt';
  *
- * @Injectable()
- * export class MyService {
- *   constructor(private readonly cryptService: CryptService) {}
- *
- *   async encryptData(data: string): Promise<string> {
- *     return this.cryptService.encrypt(data);
- *   }
+ * // Initialize at application startup for static usage
+ * CryptService.init(process.env.CRYPT_SECRET);
  *
- *   async decryptData(encrypted: string): Promise<string> {
- *     return this.cryptService.decrypt(encrypted);
- *   }
- * }
+ * // Use static methods
+ * const encrypted = await CryptService.encrypt(data);
+ * const decrypted = await CryptService.decrypt(encrypted);
  * ```
  */
 export declare class CryptService {
-    #private;
+    private static _instance?;
+    /**
+     * Gets the static CryptService instance.
+     * @throws Error if CryptService has not been initialized via `init()`
+     * @returns The CryptService instance
+     */
+    static get instance(): CryptService;
+    /**
+     * Initializes the static CryptService instance with the given secret.
+     * Call this method at application startup to configure the default secret.
+     *
+     * @param secret - The secret key to use for encryption/decryption
+     *
+     * @example
+     * ```typescript
+     * // In your application bootstrap
+     * CryptService.init(process.env.CRYPT_SECRET);
+     * ```
+     */
+    static init(secret: string): void;
+    /**
+     * Encrypts a string value using the static instance.
+     * @param value - The plaintext string to encrypt
+     * @returns A JWE compact serialization string
+     * @throws Error if CryptService has not been initialized via `init()`
+     */
+    static encrypt(value: string): Promise<string>;
+    /**
+     * Decrypts a JWE string using the static instance.
+     * @param value - The JWE compact serialization string to decrypt
+     * @returns The decrypted plaintext string
+     * @throws Error if CryptService has not been initialized via `init()`
+     */
+    static decrypt(value: string): Promise<string>;
+    private readonly secret;
+    private derivedKeyPromise?;
     /**
      * Creates an instance of CryptService.
-     * @param options - Configuration options for the crypt service
-     * @throws Error if no secret is provided via options or environment variables
+     * @param secret - The secret key to use for encryption/decryption
+     */
+    constructor(secret: string);
+    /**
+     * Gets or creates the derived key asynchronously.
      */
-    constructor(options?: CryptModuleOptions);
+    private getDerivedKey;
     /**
-     * Encrypts a string value using AES-256-GCM algorithm.
+     * Encrypts a string value using JWE with A256GCMKW and A256GCM.
+     * The secret is first derived using HKDF-SHA256.
      * @param value - The plaintext string to encrypt
-     * @param secret - Optional secret key to use instead of the default
-     * @returns A base64-encoded encrypted string containing IV, auth tag, data, and salt
+     * @returns A JWE compact serialization string
      */
-    encrypt(value: string, secret?: string): Promise<string>;
+    encrypt(value: string): Promise<string>;
     /**
-     * Decrypts an encrypted string value.
-     * @param value - The base64-encoded encrypted string to decrypt
-     * @param secret - Optional secret key to use instead of the default
+     * Decrypts a JWE compact serialization string.
+     * The secret is first derived using HKDF-SHA256.
+     * @param value - The JWE string to decrypt
      * @returns The decrypted plaintext string
      */
-    decrypt(value: string, secret?: string): Promise<string>;
+    decrypt(value: string): Promise<string>;
 }

package/dist/crypt.service.js

@@ -1,130 +1,110 @@
 "use strict";
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var __metadata = (this && this.__metadata) || function (k, v) {
-    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-};
-var __param = (this && this.__param) || function (paramIndex, decorator) {
-    return function (target, key) { decorator(target, key, paramIndex); }
-};
-var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
-    if (kind === "m") throw new TypeError("Private method is not writable");
-    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
-    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
-    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
-};
-var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
-    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
-    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
-    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
-};
-var _CryptService_instances, _CryptService_algorithm, _CryptService_encoding, _CryptService_keyByteLength, _CryptService_saltByteLength, _CryptService_viByteLength, _CryptService_secret, _CryptService_getKeyAndSalt;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CryptService = void 0;
-const common_1 = require("@nestjs/common");
-const crypto_1 = require("crypto");
-const util_1 = require("util");
-const crypt_module_definition_1 = require("./crypt.module-definition");
+const jose_1 = require("jose");
+const derive_key_1 = require("./utils/derive-key");
 /**
- * Service that provides encryption and decryption functionality using AES-256-GCM algorithm.
+ * Service that provides encryption and decryption functionality using JWE (JSON Web Encryption).
+ *
+ * Uses HKDF to derive a 32-byte key from the secret, then A256GCMKW for key management
+ * and A256GCM for content encryption. Accepts secrets of any length.
  *
  * @example
  * ```typescript
  * import { CryptService } from '@nest-boot/crypt';
  *
- * @Injectable()
- * export class MyService {
- *   constructor(private readonly cryptService: CryptService) {}
- *
- *   async encryptData(data: string): Promise<string> {
- *     return this.cryptService.encrypt(data);
- *   }
+ * // Initialize at application startup for static usage
+ * CryptService.init(process.env.CRYPT_SECRET);
  *
- *   async decryptData(encrypted: string): Promise<string> {
- *     return this.cryptService.decrypt(encrypted);
- *   }
- * }
+ * // Use static methods
+ * const encrypted = await CryptService.encrypt(data);
+ * const decrypted = await CryptService.decrypt(encrypted);
  * ```
  */
-let CryptService = class CryptService {
+class CryptService {
     /**
-     * Creates an instance of CryptService.
-     * @param options - Configuration options for the crypt service
-     * @throws Error if no secret is provided via options or environment variables
+     * Gets the static CryptService instance.
+     * @throws Error if CryptService has not been initialized via `init()`
+     * @returns The CryptService instance
      */
-    constructor(options = {}) {
-        _CryptService_instances.add(this);
-        _CryptService_algorithm.set(this, "aes-256-gcm");
-        _CryptService_encoding.set(this, "base64");
-        _CryptService_keyByteLength.set(this, 32);
-        _CryptService_saltByteLength.set(this, 16);
-        _CryptService_viByteLength.set(this, 16);
-        _CryptService_secret.set(this, void 0);
-        const secret = options.secret ?? process.env.CRYPT_SECRET ?? process.env.APP_SECRET;
-        if (!secret) {
-            throw new Error("Crypt secret is missing. Set CRYPT_SECRET or APP_SECRET or pass a secret option.");
+    static get instance() {
+        if (!this._instance) {
+            throw new Error("CryptService not initialized");
         }
-        __classPrivateFieldSet(this, _CryptService_secret, secret, "f");
+        return this._instance;
+    }
+    /**
+     * Initializes the static CryptService instance with the given secret.
+     * Call this method at application startup to configure the default secret.
+     *
+     * @param secret - The secret key to use for encryption/decryption
+     *
+     * @example
+     * ```typescript
+     * // In your application bootstrap
+     * CryptService.init(process.env.CRYPT_SECRET);
+     * ```
+     */
+    static init(secret) {
+        this._instance = new CryptService(secret);
+    }
+    /**
+     * Encrypts a string value using the static instance.
+     * @param value - The plaintext string to encrypt
+     * @returns A JWE compact serialization string
+     * @throws Error if CryptService has not been initialized via `init()`
+     */
+    static encrypt(value) {
+        return this.instance.encrypt(value);
+    }
+    /**
+     * Decrypts a JWE string using the static instance.
+     * @param value - The JWE compact serialization string to decrypt
+     * @returns The decrypted plaintext string
+     * @throws Error if CryptService has not been initialized via `init()`
+     */
+    static decrypt(value) {
+        return this.instance.decrypt(value);
+    }
+    /**
+     * Creates an instance of CryptService.
+     * @param secret - The secret key to use for encryption/decryption
+     */
+    constructor(secret) {
+        this.secret = secret;
+    }
+    /**
+     * Gets or creates the derived key asynchronously.
+     */
+    getDerivedKey() {
+        return (this.derivedKeyPromise ??= (0, derive_key_1.deriveKey)(this.secret));
     }
     /**
-     * Encrypts a string value using AES-256-GCM algorithm.
+     * Encrypts a string value using JWE with A256GCMKW and A256GCM.
+     * The secret is first derived using HKDF-SHA256.
      * @param value - The plaintext string to encrypt
-     * @param secret - Optional secret key to use instead of the default
-     * @returns A base64-encoded encrypted string containing IV, auth tag, data, and salt
+     * @returns A JWE compact serialization string
      */
-    async encrypt(value, secret) {
-        const { key, salt } = await __classPrivateFieldGet(this, _CryptService_instances, "m", _CryptService_getKeyAndSalt).call(this, secret ?? __classPrivateFieldGet(this, _CryptService_secret, "f"));
-        const iv = (0, crypto_1.randomBytes)(__classPrivateFieldGet(this, _CryptService_viByteLength, "f"));
-        const cipher = (0, crypto_1.createCipheriv)(__classPrivateFieldGet(this, _CryptService_algorithm, "f"), key, iv);
-        const data = Buffer.concat([cipher.update(value), cipher.final()]);
-        const tag = cipher.getAuthTag();
-        return Buffer.from(JSON.stringify({
-            iv: iv.toString(__classPrivateFieldGet(this, _CryptService_encoding, "f")),
-            tag: tag.toString(__classPrivateFieldGet(this, _CryptService_encoding, "f")),
-            data: data.toString(__classPrivateFieldGet(this, _CryptService_encoding, "f")),
-            salt: salt.toString(__classPrivateFieldGet(this, _CryptService_encoding, "f")),
-        })).toString(__classPrivateFieldGet(this, _CryptService_encoding, "f"));
+    async encrypt(value) {
+        const key = await this.getDerivedKey();
+        return await new jose_1.CompactEncrypt(new TextEncoder().encode(value))
+            .setProtectedHeader({ alg: "A256GCMKW", enc: "A256GCM" })
+            .encrypt(key);
     }
     /**
-     * Decrypts an encrypted string value.
-     * @param value - The base64-encoded encrypted string to decrypt
-     * @param secret - Optional secret key to use instead of the default
+     * Decrypts a JWE compact serialization string.
+     * The secret is first derived using HKDF-SHA256.
+     * @param value - The JWE string to decrypt
      * @returns The decrypted plaintext string
      */
-    async decrypt(value, secret) {
-        const payload = JSON.parse(Buffer.from(value, __classPrivateFieldGet(this, _CryptService_encoding, "f")).toString("utf8"));
-        const key = (await (0, util_1.promisify)(crypto_1.scrypt)(secret ?? __classPrivateFieldGet(this, _CryptService_secret, "f"), Buffer.from(payload.salt, __classPrivateFieldGet(this, _CryptService_encoding, "f")), __classPrivateFieldGet(this, _CryptService_keyByteLength, "f")));
-        const iv = Buffer.from(payload.iv, __classPrivateFieldGet(this, _CryptService_encoding, "f"));
-        const tag = Buffer.from(payload.tag, __classPrivateFieldGet(this, _CryptService_encoding, "f"));
-        const data = Buffer.from(payload.data, __classPrivateFieldGet(this, _CryptService_encoding, "f"));
-        const decipher = (0, crypto_1.createDecipheriv)(__classPrivateFieldGet(this, _CryptService_algorithm, "f"), key, iv);
-        decipher.setAuthTag(tag);
-        return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf8");
+    async decrypt(value) {
+        const key = await this.getDerivedKey();
+        const { plaintext } = await (0, jose_1.compactDecrypt)(value, key, {
+            keyManagementAlgorithms: ["A256GCMKW"],
+            contentEncryptionAlgorithms: ["A256GCM"],
+        });
+        return new TextDecoder().decode(plaintext);
     }
-};
+}
 exports.CryptService = CryptService;
-_CryptService_algorithm = new WeakMap();
-_CryptService_encoding = new WeakMap();
-_CryptService_keyByteLength = new WeakMap();
-_CryptService_saltByteLength = new WeakMap();
-_CryptService_viByteLength = new WeakMap();
-_CryptService_secret = new WeakMap();
-_CryptService_instances = new WeakSet();
-_CryptService_getKeyAndSalt = async function _CryptService_getKeyAndSalt(secret) {
-    const salt = (0, crypto_1.randomBytes)(__classPrivateFieldGet(this, _CryptService_saltByteLength, "f"));
-    return {
-        key: (await (0, util_1.promisify)(crypto_1.scrypt)(secret, salt, __classPrivateFieldGet(this, _CryptService_keyByteLength, "f"))),
-        salt,
-    };
-};
-exports.CryptService = CryptService = __decorate([
-    (0, common_1.Injectable)(),
-    __param(0, (0, common_1.Optional)()),
-    __param(0, (0, common_1.Inject)(crypt_module_definition_1.MODULE_OPTIONS_TOKEN)),
-    __metadata("design:paramtypes", [Object])
-], CryptService);
 //# sourceMappingURL=crypt.service.js.map

package/dist/crypt.service.js.map

@@ -1 +1 @@
-{"version":3,"file":"crypt.service.js","sourceRoot":"","sources":["../src/crypt.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA8D;AAC9D,mCAMgB;AAChB,+BAAiC;AAEjC,uEAAiE;AAGjE;;;;;;;;;;;;;;;;;;;;GAoBG;AAEI,IAAM,YAAY,GAAlB,MAAM,YAAY;IAavB;;;;OAIG;IACH,YAGE,UAA8B,EAAE;;QApBzB,kCAAa,aAAa,EAAC;QAE3B,iCAAsB,QAAQ,EAAC;QAE/B,sCAAyB,EAAE,EAAC;QAE5B,uCAA0B,EAAE,EAAC;QAE7B,qCAAwB,EAAE,EAAC;QAE3B,uCAAgB;QAYvB,MAAM,MAAM,GACV,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAEvE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAC;QACJ,CAAC;QAED,uBAAA,IAAI,wBAAW,MAAM,MAAA,CAAC;IACxB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,MAAe;QAC1C,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,MAAM,uBAAA,IAAI,4DAAe,MAAnB,IAAI,EAAgB,MAAM,IAAI,uBAAA,IAAI,4BAAQ,CAAC,CAAC;QAExE,MAAM,EAAE,GAAG,IAAA,oBAAW,EAAC,uBAAA,IAAI,kCAAc,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,IAAA,uBAAc,EAAC,uBAAA,IAAI,+BAAW,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAExD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACnE,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEhC,OAAO,MAAM,CAAC,IAAI,CAChB,IAAI,CAAC,SAAS,CAAC;YACb,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,8BAAU,CAAC;YAC/B,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,uBAAA,IAAI,8BAAU,CAAC;YACjC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,uBAAA,IAAI,8BAAU,CAAC;YACnC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,uBAAA,IAAI,8BAAU,CAAC;SACpC,CAAC,CACH,CAAC,QAAQ,CAAC,uBAAA,IAAI,8BAAU,CAAC,CAAC;IAC7B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,MAAe;QAC1C,MAAM,OAAO,GACX,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,uBAAA,IAAI,8BAAU,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAElE,MAAM,GAAG,GAAG,CAAC,MAAM,IAAA,gBAAS,EAAC,eAAM,CAAC,CAClC,MAAM,IAAI,uBAAA,IAAI,4BAAQ,EACtB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,uBAAA,IAAI,8BAAU,CAAC,EACzC,uBAAA,IAAI,mCAAe,CACpB,CAAW,CAAC;QAEb,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,uBAAA,IAAI,8BAAU,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,uBAAA,IAAI,8BAAU,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,uBAAA,IAAI,8BAAU,CAAC,CAAC;QAEvD,MAAM,QAAQ,GAAG,IAAA,yBAAgB,EAAC,uBAAA,IAAI,+BAAW,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAE5D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAEzB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CACtE,MAAM,CACP,CAAC;IACJ,CAAC;CAcF,CAAA;AAtGY,oCAAY;;;;;;;;8BA0FvB,KAAK,sCAAgB,MAAc;IACjC,MAAM,IAAI,GAAG,IAAA,oBAAW,EAAC,uBAAA,IAAI,oCAAgB,CAAC,CAAC;IAE/C,OAAO;QACL,GAAG,EAAE,CAAC,MAAM,IAAA,gBAAS,EAAC,eAAM,CAAC,CAC3B,MAAM,EACN,IAAI,EACJ,uBAAA,IAAI,mCAAe,CACpB,CAAW;QACZ,IAAI;KACL,CAAC;AACJ,CAAC;uBArGU,YAAY;IADxB,IAAA,mBAAU,GAAE;IAoBR,WAAA,IAAA,iBAAQ,GAAE,CAAA;IACV,WAAA,IAAA,eAAM,EAAC,8CAAoB,CAAC,CAAA;;GApBpB,YAAY,CAsGxB"}
+{"version":3,"file":"crypt.service.js","sourceRoot":"","sources":["../src/crypt.service.ts"],"names":[],"mappings":";;;AAAA,+BAAsD;AAEtD,mDAA+C;AAE/C;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAa,YAAY;IAGvB;;;;OAIG;IACH,MAAM,KAAK,QAAQ;QACjB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,IAAI,CAAC,MAAc;QACxB,IAAI,CAAC,SAAS,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;IAC5C,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,OAAO,CAAC,KAAa;QAC1B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IACtC,CAAC;IAKD;;;OAGG;IACH,YAAY,MAAc;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;OAEG;IACK,aAAa;QACnB,OAAO,CAAC,IAAI,CAAC,iBAAiB,KAAK,IAAA,sBAAS,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAEvC,OAAO,MAAM,IAAI,qBAAc,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;aAC7D,kBAAkB,CAAC,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC;aACxD,OAAO,CAAC,GAAG,CAAC,CAAC;IAClB,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa;QACzB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAEvC,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAA,qBAAc,EAAC,KAAK,EAAE,GAAG,EAAE;YACrD,uBAAuB,EAAE,CAAC,WAAW,CAAC;YACtC,2BAA2B,EAAE,CAAC,SAAS,CAAC;SACzC,CAAC,CAAC;QAEH,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC;CACF;AApGD,oCAoGC"}