@nest-boot/crypt 7.0.2 → 7.1.1

package/dist/utils/derive-key.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Derives a 32-byte key using HKDF-SHA256 via Web Crypto API.
+ *
+ * @param secret - The input key material (any length)
+ * @returns A 32-byte (256-bit) derived key suitable for AES-256
+ */
+export declare function deriveKey(secret: string): Promise<Uint8Array>;

package/dist/utils/derive-key.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveKey = deriveKey;
+/**
+ * Derives a 32-byte key using HKDF-SHA256 via Web Crypto API.
+ *
+ * @param secret - The input key material (any length)
+ * @returns A 32-byte (256-bit) derived key suitable for AES-256
+ */
+async function deriveKey(secret) {
+    const enc = new TextEncoder();
+    const ikm = enc.encode(secret);
+    const salt = enc.encode("");
+    const info = enc.encode("");
+    return new Uint8Array(await crypto.subtle.deriveBits({
+        name: "HKDF",
+        hash: "SHA-256",
+        salt,
+        info,
+    }, await crypto.subtle.importKey("raw", ikm, "HKDF", false, ["deriveBits"]), 256));
+}
+//# sourceMappingURL=derive-key.js.map

package/dist/utils/derive-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-key.js","sourceRoot":"","sources":["../../src/utils/derive-key.ts"],"names":[],"mappings":";;AAMA,8BAkBC;AAxBD;;;;;GAKG;AACI,KAAK,UAAU,SAAS,CAAC,MAAc;IAC5C,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC;IAC9B,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAE5B,OAAO,IAAI,UAAU,CACnB,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAC5B;QACE,IAAI,EAAE,MAAM;QACZ,IAAI,EAAE,SAAS;QACf,IAAI;QACJ,IAAI;KACL,EACD,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,YAAY,CAAC,CAAC,EACxE,GAAG,CACJ,CACF,CAAC;AACJ,CAAC"}

package/dist/utils/estimate-entropy.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Estimates the entropy of a string in bits.
+ * This is a simple approximation that helps detect low-entropy secrets.
+ *
+ * @param str - The string to estimate entropy for
+ * @returns The estimated entropy in bits
+ */
+export declare function estimateEntropy(str: string): number;

package/dist/utils/estimate-entropy.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.estimateEntropy = estimateEntropy;
+/**
+ * Estimates the entropy of a string in bits.
+ * This is a simple approximation that helps detect low-entropy secrets.
+ *
+ * @param str - The string to estimate entropy for
+ * @returns The estimated entropy in bits
+ */
+function estimateEntropy(str) {
+    const unique = new Set(str).size;
+    if (unique === 0)
+        return 0;
+    return Math.log2(Math.pow(unique, str.length));
+}
+//# sourceMappingURL=estimate-entropy.js.map

package/dist/utils/estimate-entropy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"estimate-entropy.js","sourceRoot":"","sources":["../../src/utils/estimate-entropy.ts"],"names":[],"mappings":";;AAOA,0CAIC;AAXD;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;IACjC,IAAI,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAC3B,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC"}

package/dist/utils/estimate-entropy.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/estimate-entropy.spec.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const estimate_entropy_1 = require("./estimate-entropy");
+describe("estimateEntropy", () => {
+    it("should return 0 for empty string", () => {
+        expect((0, estimate_entropy_1.estimateEntropy)("")).toBe(0);
+    });
+    it("should return positive entropy for non-empty string", () => {
+        expect((0, estimate_entropy_1.estimateEntropy)("abc")).toBeGreaterThan(0);
+    });
+    it("should return higher entropy for more unique characters", () => {
+        const lowEntropy = (0, estimate_entropy_1.estimateEntropy)("aaa");
+        const highEntropy = (0, estimate_entropy_1.estimateEntropy)("abc");
+        expect(highEntropy).toBeGreaterThan(lowEntropy);
+    });
+});
+//# sourceMappingURL=estimate-entropy.spec.js.map

package/dist/utils/estimate-entropy.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"estimate-entropy.spec.js","sourceRoot":"","sources":["../../src/utils/estimate-entropy.spec.ts"],"names":[],"mappings":";;AAAA,yDAAqD;AAErD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,IAAA,kCAAe,EAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,CAAC,IAAA,kCAAe,EAAC,KAAK,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,UAAU,GAAG,IAAA,kCAAe,EAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,IAAA,kCAAe,EAAC,KAAK,CAAC,CAAC;QAC3C,MAAM,CAAC,WAAW,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/utils/is-jwe.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Checks if a string is a valid JWE (JSON Web Encryption) compact serialization.
+ *
+ * JWE compact serialization format:
+ * BASE64URL(UTF8(JWE Protected Header)) || '.' ||
+ * BASE64URL(JWE Encrypted Key) || '.' ||
+ * BASE64URL(JWE Initialization Vector) || '.' ||
+ * BASE64URL(JWE Ciphertext) || '.' ||
+ * BASE64URL(JWE Authentication Tag)
+ *
+ * @param value - The string to check
+ * @returns true if the string appears to be a valid JWE
+ */
+export declare function isJwe(value: string): boolean;

package/dist/utils/is-jwe.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isJwe = isJwe;
+/**
+ * Checks if a string is a valid JWE (JSON Web Encryption) compact serialization.
+ *
+ * JWE compact serialization format:
+ * BASE64URL(UTF8(JWE Protected Header)) || '.' ||
+ * BASE64URL(JWE Encrypted Key) || '.' ||
+ * BASE64URL(JWE Initialization Vector) || '.' ||
+ * BASE64URL(JWE Ciphertext) || '.' ||
+ * BASE64URL(JWE Authentication Tag)
+ *
+ * @param value - The string to check
+ * @returns true if the string appears to be a valid JWE
+ */
+function isJwe(value) {
+    // JWE compact serialization has exactly 5 parts
+    const parts = value.split(".");
+    if (parts.length !== 5) {
+        return false;
+    }
+    // Try to decode and validate the protected header (first part)
+    try {
+        const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
+        // JWE header must have 'alg' and 'enc' fields
+        return (typeof header === "object" &&
+            header !== null &&
+            "alg" in header &&
+            "enc" in header &&
+            typeof header.alg === "string" &&
+            typeof header.enc === "string");
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=is-jwe.js.map

package/dist/utils/is-jwe.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"is-jwe.js","sourceRoot":"","sources":["../../src/utils/is-jwe.ts"],"names":[],"mappings":";;AAaA,sBAyBC;AAtCD;;;;;;;;;;;;GAYG;AACH,SAAgB,KAAK,CAAC,KAAa;IACjC,gDAAgD;IAChD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,+DAA+D;IAC/D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CACzC,CAAC;QAEb,8CAA8C;QAC9C,OAAO,CACL,OAAO,MAAM,KAAK,QAAQ;YAC1B,MAAM,KAAK,IAAI;YACf,KAAK,IAAI,MAAM;YACf,KAAK,IAAI,MAAM;YACf,OAAQ,MAA2B,CAAC,GAAG,KAAK,QAAQ;YACpD,OAAQ,MAA2B,CAAC,GAAG,KAAK,QAAQ,CACrD,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/utils/is-jwe.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/is-jwe.spec.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypt_service_1 = require("../crypt.service");
+const is_jwe_1 = require("./is-jwe");
+const TEST_SECRET = "myTestSecretThatIsAtLeast32Chars!";
+describe("isJwe", () => {
+    beforeAll(() => {
+        crypt_service_1.CryptService.init(TEST_SECRET);
+    });
+    it("should return true for valid JWE", async () => {
+        const encrypted = await crypt_service_1.CryptService.encrypt("test");
+        expect((0, is_jwe_1.isJwe)(encrypted)).toBe(true);
+    });
+    it("should return false for empty string", () => {
+        expect((0, is_jwe_1.isJwe)("")).toBe(false);
+    });
+    it("should return false for plain text", () => {
+        expect((0, is_jwe_1.isJwe)("hello world")).toBe(false);
+    });
+    it("should return false for string with 5 dots but invalid header", () => {
+        expect((0, is_jwe_1.isJwe)("a.b.c.d.e")).toBe(false);
+    });
+    it("should return false for string with valid base64 but missing alg/enc", () => {
+        // base64url of '{}'
+        const emptyHeader = Buffer.from("{}").toString("base64url");
+        expect((0, is_jwe_1.isJwe)(`${emptyHeader}.b.c.d.e`)).toBe(false);
+    });
+    it("should return false for string with only alg field", () => {
+        const headerWithAlg = Buffer.from('{"alg":"A256GCMKW"}').toString("base64url");
+        expect((0, is_jwe_1.isJwe)(`${headerWithAlg}.b.c.d.e`)).toBe(false);
+    });
+    it("should return false for string with only enc field", () => {
+        const headerWithEnc = Buffer.from('{"enc":"A256GCM"}').toString("base64url");
+        expect((0, is_jwe_1.isJwe)(`${headerWithEnc}.b.c.d.e`)).toBe(false);
+    });
+    it("should return true for string with both alg and enc fields", () => {
+        const validHeader = Buffer.from('{"alg":"A256GCMKW","enc":"A256GCM"}').toString("base64url");
+        expect((0, is_jwe_1.isJwe)(`${validHeader}.b.c.d.e`)).toBe(true);
+    });
+    it("should return false for JWT (wrong structure)", () => {
+        // JWT has only 3 parts
+        const jwtHeader = Buffer.from('{"alg":"HS256","typ":"JWT"}').toString("base64url");
+        expect((0, is_jwe_1.isJwe)(`${jwtHeader}.payload.signature`)).toBe(false);
+    });
+    it("should return false for non-string alg/enc values", () => {
+        const invalidHeader = Buffer.from('{"alg":123,"enc":"A256GCM"}').toString("base64url");
+        expect((0, is_jwe_1.isJwe)(`${invalidHeader}.b.c.d.e`)).toBe(false);
+    });
+});
+//# sourceMappingURL=is-jwe.spec.js.map

package/dist/utils/is-jwe.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"is-jwe.spec.js","sourceRoot":"","sources":["../../src/utils/is-jwe.spec.ts"],"names":[],"mappings":";;AAAA,oDAAgD;AAChD,qCAAiC;AAEjC,MAAM,WAAW,GAAG,mCAAmC,CAAC;AAExD,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE;IACrB,SAAS,CAAC,GAAG,EAAE;QACb,4BAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,SAAS,GAAG,MAAM,4BAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,CAAC,IAAA,cAAK,EAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,CAAC,IAAA,cAAK,EAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,MAAM,CAAC,IAAA,cAAK,EAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,CAAC,IAAA,cAAK,EAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,oBAAoB;QACpB,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,CAAC,IAAA,cAAK,EAAC,GAAG,WAAW,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,QAAQ,CAC/D,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,IAAA,cAAK,EAAC,GAAG,aAAa,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,aAAa,GACjB,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACzD,MAAM,CAAC,IAAA,cAAK,EAAC,GAAG,aAAa,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,qCAAqC,CACtC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACxB,MAAM,CAAC,IAAA,cAAK,EAAC,GAAG,WAAW,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,uBAAuB;QACvB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,QAAQ,CACnE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,IAAA,cAAK,EAAC,GAAG,SAAS,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,QAAQ,CACvE,WAAW,CACZ,CAAC;QACF,MAAM,CAAC,IAAA,cAAK,EAAC,GAAG,aAAa,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -1,8 +1,12 @@
 {
   "name": "@nest-boot/crypt",
-  "version": "7.0.2",
+  "version": "7.1.1",
   "description": "",
-  "author": "d4rkcr0w <me@d4rkcr0w.com>",
+  "author": {
+    "name": "Xudong Huang",
+    "email": "me@huangxudong.com",
+    "url": "https://www.huangxudong.com/"
+  },
   "homepage": "",
   "license": "MIT",
   "main": "dist/index.js",
@@ -15,24 +19,26 @@
     "templates"
   ],
   "devDependencies": {
-    "@nestjs/common": "^11.1.9",
-    "@nestjs/core": "^11.1.9",
-    "@nestjs/testing": "^11.1.9",
+    "@nestjs/common": "^11.1.11",
+    "@nestjs/core": "^11.1.11",
+    "@nestjs/testing": "^11.1.11",
     "@types/jest": "^29.5.14",
     "@types/node": "^22.18.6",
-    "eslint": "^9.36.0",
+    "eslint": "^9.39.2",
     "jest": "^29.7.0",
+    "jose": "^6.1.3",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.2",
     "ts-jest": "^29.4.4",
     "typescript": "^5.9.3",
     "@nest-boot/eslint-config": "^7.0.2",
-    "@nest-boot/eslint-plugin": "^7.0.3",
+    "@nest-boot/eslint-plugin": "^7.0.4",
     "@nest-boot/tsconfig": "^7.0.1"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.0",
     "@nestjs/core": "^11.0.0",
+    "jose": "^5.0.0 || ^6.0.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.0.0"
   },