@nivinjoseph/n-sec 6.0.3 → 7.0.1

package/.yarnrc.yml

@@ -1,3 +1,8 @@
+approvedGitRepositories:
+  - "**"
+
+enableScripts: false
+
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-4.0.2.cjs
+yarnPath: .yarn/releases/yarn-4.14.1.cjs

package/dist/api-security/claim.js

@@ -1,6 +1,8 @@
 import { given } from "@nivinjoseph/n-defensive";
 // public
 export class Claim {
+    _type;
+    _value;
     get type() { return this._type; }
     get value() { return this._value; }
     constructor(type, value) {

package/dist/api-security/claim.js.map

@@ -1 +1 @@
-{"version":3,"file":"claim.js","sourceRoot":"","sources":["../../src/api-security/claim.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAGjD,SAAS;AACT,MAAM,OAAO,KAAK;IAMd,IAAW,IAAI,KAAa,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAChD,IAAW,KAAK,KAAc,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAGnD,YAAmB,IAAY,EAAE,KAAc;QAE3C,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAEtD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;IAGM,MAAM,CAAC,KAAY;QAEtB,uEAAuE;QACvE,IAAI,KAAK,IAAI,IAAI;YACb,OAAO,KAAK,CAAC;QAEjB,IAAI,KAAK,KAAK,IAAI;YACd,OAAO,IAAI,CAAC;QAEhB,OAAO,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,CAAC;IAClE,CAAC;CACJ"}
+{"version":3,"file":"claim.js","sourceRoot":"","sources":["../../src/api-security/claim.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAGjD,SAAS;AACT,MAAM,OAAO,KAAK;IAEG,KAAK,CAAS;IACd,MAAM,CAAU;IAGjC,IAAW,IAAI,KAAa,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAChD,IAAW,KAAK,KAAc,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAGnD,YAAmB,IAAY,EAAE,KAAc;QAE3C,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAEtD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;IAGM,MAAM,CAAC,KAAY;QAEtB,uEAAuE;QACvE,IAAI,KAAK,IAAI,IAAI;YACb,OAAO,KAAK,CAAC;QAEjB,IAAI,KAAK,KAAK,IAAI;YACd,OAAO,IAAI,CAAC;QAEhB,OAAO,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,CAAC,KAAK,CAAC;IAClE,CAAC;CACJ"}

package/dist/api-security/claims-identity.js

@@ -1,6 +1,7 @@
 import { given } from "@nivinjoseph/n-defensive";
 // public
 export class ClaimsIdentity {
+    _claims;
     get claims() { return this._claims; }
     constructor(claims) {
         given(claims, "claims").ensureHasValue().ensureIsArray();

package/dist/api-security/claims-identity.js.map

@@ -1 +1 @@
-{"version":3,"file":"claims-identity.js","sourceRoot":"","sources":["../../src/api-security/claims-identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAIjD,SAAS;AACT,MAAM,OAAO,cAAc;IAKvB,IAAW,MAAM,KAA2B,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAGlE,YAAmB,MAA4B;QAE3C,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,aAAa,EAAE,CAAC;QAEzD,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAC/B,CAAC;IAGM,QAAQ,CAAC,KAAY;QAExB,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,CAAC;CACJ"}
+{"version":3,"file":"claims-identity.js","sourceRoot":"","sources":["../../src/api-security/claims-identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAIjD,SAAS;AACT,MAAM,OAAO,cAAc;IAEN,OAAO,CAAe;IAGvC,IAAW,MAAM,KAA2B,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAGlE,YAAmB,MAA4B;QAE3C,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,aAAa,EAAE,CAAC;QAEzD,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAC/B,CAAC;IAGM,QAAQ,CAAC,KAAY;QAExB,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,CAAC;CACJ"}

package/dist/api-security/expired-token-exception.js

@@ -2,6 +2,7 @@ import { Exception } from "@nivinjoseph/n-exception";
 import { given } from "@nivinjoseph/n-defensive";
 // public
 export class ExpiredTokenException extends Exception {
+    _token;
     get token() { return this._token; }
     constructor(token) {
         given(token, "token").ensureHasValue().ensureIsString();

package/dist/api-security/expired-token-exception.js.map

@@ -1 +1 @@
-{"version":3,"file":"expired-token-exception.js","sourceRoot":"","sources":["../../src/api-security/expired-token-exception.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAGjD,SAAS;AACT,MAAM,OAAO,qBAAsB,SAAQ,SAAS;IAKhD,IAAW,KAAK,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAGlD,YAAmB,KAAa;QAE5B,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,CAAC,UAAU,KAAK,eAAe,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;CACJ"}
+{"version":3,"file":"expired-token-exception.js","sourceRoot":"","sources":["../../src/api-security/expired-token-exception.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAGjD,SAAS;AACT,MAAM,OAAO,qBAAsB,SAAQ,SAAS;IAE/B,MAAM,CAAS;IAGhC,IAAW,KAAK,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAGlD,YAAmB,KAAa;QAE5B,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,CAAC,UAAU,KAAK,eAAe,CAAC,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;CACJ"}

package/dist/api-security/invalid-token-exception.js

@@ -2,6 +2,8 @@ import { Exception } from "@nivinjoseph/n-exception";
 import { given } from "@nivinjoseph/n-defensive";
 // public
 export class InvalidTokenException extends Exception {
+    _token;
+    _reason;
     get token() { return this._token; }
     get reason() { return this._reason; }
     constructor(token, reason) {

package/dist/api-security/invalid-token-exception.js.map

@@ -1 +1 @@
-{"version":3,"file":"invalid-token-exception.js","sourceRoot":"","sources":["../../src/api-security/invalid-token-exception.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAGjD,SAAS;AACT,MAAM,OAAO,qBAAsB,SAAQ,SAAS;IAMhD,IAAW,KAAK,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAClD,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAGpD,YAAmB,KAAa,EAAE,MAAc;QAE5C,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAE1D,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,CAAC,UAAU,KAAK,wBAAwB,MAAM,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;IAC1B,CAAC;CACJ"}
+{"version":3,"file":"invalid-token-exception.js","sourceRoot":"","sources":["../../src/api-security/invalid-token-exception.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAGjD,SAAS;AACT,MAAM,OAAO,qBAAsB,SAAQ,SAAS;IAE/B,MAAM,CAAS;IACf,OAAO,CAAS;IAGjC,IAAW,KAAK,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAClD,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAGpD,YAAmB,KAAa,EAAE,MAAc;QAE5C,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAE1D,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACrB,KAAK,CAAC,UAAU,KAAK,wBAAwB,MAAM,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;IAC1B,CAAC;CACJ"}

package/dist/api-security/json-web-token.d.ts

@@ -4,7 +4,7 @@ export declare class JsonWebToken {
     private readonly _issuer;
     private readonly _algType;
     private readonly _key;
-    private readonly _isfullKey;
+    private readonly _isFullKey;
     private readonly _expiry;
     private readonly _claims;
     get issuer(): string;

package/dist/api-security/json-web-token.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"json-web-token.d.ts","sourceRoot":"","sources":["../../src/api-security/json-web-token.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAU;IACnC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAU;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAe;IAGvC,IAAW,MAAM,IAAI,MAAM,CAAyB;IACpD,IAAW,OAAO,IAAI,OAAO,CAA0B;IACvD,IAAW,GAAG,IAAI,MAAM,CAAsB;IAC9C,IAAW,gBAAgB,IAAI,OAAO,CAA4B;IAClE,IAAW,MAAM,IAAI,MAAM,CAAyB;IACpD,IAAW,SAAS,IAAI,OAAO,CAAuC;IACtE,IAAW,MAAM,IAAI,aAAa,CAAC,KAAK,CAAC,CAAyB;IAGlE,OAAO;WAmBO,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAClF,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,YAAY;WAKzB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,YAAY;IAyEnG,OAAO,CAAC,MAAM,CAAC,SAAS;IAOjB,aAAa,IAAI,MAAM;IA0B9B,OAAO,CAAC,MAAM;CAMjB"}
+{"version":3,"file":"json-web-token.d.ts","sourceRoot":"","sources":["../../src/api-security/json-web-token.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAOnC,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAU;IACnC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAU;IACrC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAe;IAGvC,IAAW,MAAM,IAAI,MAAM,CAAyB;IACpD,IAAW,OAAO,IAAI,OAAO,CAA0B;IACvD,IAAW,GAAG,IAAI,MAAM,CAAsB;IAC9C,IAAW,gBAAgB,IAAI,OAAO,CAA4B;IAClE,IAAW,MAAM,IAAI,MAAM,CAAyB;IACpD,IAAW,SAAS,IAAI,OAAO,CAAuC;IACtE,IAAW,MAAM,IAAI,aAAa,CAAC,KAAK,CAAC,CAAyB;IAGlE,OAAO;WAmBO,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAClF,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,YAAY;WAKzB,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,YAAY;IAkGnG,OAAO,CAAC,MAAM,CAAC,SAAS;IAMjB,aAAa,IAAI,MAAM;IA0B9B,OAAO,CAAC,MAAM;CAMjB"}

package/dist/api-security/json-web-token.js

@@ -1,5 +1,6 @@
 import { given } from "@nivinjoseph/n-defensive";
 import { InvalidOperationException } from "@nivinjoseph/n-exception";
+import { timingSafeEqual } from "node:crypto";
 import { Hmac } from "./../crypto/hmac.js";
 import { AlgType } from "./alg-type.js";
 import { Claim } from "./claim.js";
@@ -8,10 +9,16 @@ import { InvalidTokenException } from "./invalid-token-exception.js";
 import { ExpiredTokenException } from "./expired-token-exception.js";
 // public
 export class JsonWebToken {
+    _issuer;
+    _algType;
+    _key;
+    _isFullKey;
+    _expiry;
+    _claims;
     get issuer() { return this._issuer; }
     get algType() { return this._algType; }
     get key() { return this._key; }
-    get canGenerateToken() { return this._isfullKey; }
+    get canGenerateToken() { return this._isFullKey; }
     get expiry() { return this._expiry; }
     get isExpired() { return this._expiry <= Date.now(); }
     get claims() { return this._claims; }
@@ -26,7 +33,7 @@ export class JsonWebToken {
         this._issuer = issuer.trim();
         this._algType = algType;
         this._key = key.trim();
-        this._isfullKey = isFullKey;
+        this._isFullKey = isFullKey;
         this._expiry = expiry;
         this._claims = [...claims];
     }
@@ -47,8 +54,21 @@ export class JsonWebToken {
         const headerString = tokenSplitted[0];
         const bodyString = tokenSplitted[1];
         const signature = tokenSplitted[2];
-        const header = JsonWebToken._toObject(headerString);
-        const body = JsonWebToken._toObject(bodyString);
+        let parsedHeader;
+        let parsedBody;
+        try {
+            parsedHeader = JsonWebToken._toObject(headerString);
+            parsedBody = JsonWebToken._toObject(bodyString);
+        }
+        catch {
+            throw new InvalidTokenException(token, "header or body could not be parsed");
+        }
+        if (parsedHeader == null || typeof parsedHeader !== "object" || Array.isArray(parsedHeader))
+            throw new InvalidTokenException(token, "header is not an object");
+        if (parsedBody == null || typeof parsedBody !== "object" || Array.isArray(parsedBody))
+            throw new InvalidTokenException(token, "body is not an object");
+        const header = parsedHeader;
+        const body = parsedBody;
         // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
         if (header.iss === undefined || header.iss === null)
             throw new InvalidTokenException(token, "iss was not present");
@@ -80,20 +100,25 @@ export class JsonWebToken {
         //         throw new InvalidTokenException(token, "signature could not be verified");  
         // }    
         const computedSignature = Hmac.create(key, headerString + "." + bodyString);
-        if (computedSignature !== signature)
+        const expected = Buffer.from(computedSignature, "utf8");
+        const provided = Buffer.from(signature, "utf8");
+        if (expected.length !== provided.length || !timingSafeEqual(expected, provided))
             throw new InvalidTokenException(token, "signature could not be verified");
+        const invalidBodyKeys = new Set(["__proto__", "constructor", "prototype"]);
         const claims = new Array();
-        for (const item in body)
-            claims.push(new Claim(item, body[item]));
+        for (const [type, value] of Object.entries(body)) {
+            if (invalidBodyKeys.has(type))
+                throw new InvalidTokenException(token, `body contains invalid key '${type}'`);
+            claims.push(new Claim(type, value));
+        }
         return new JsonWebToken(issuer, algType, key, false, header.exp, claims);
     }
     static _toObject(hex) {
         const json = Buffer.from(hex.toLowerCase(), "hex").toString("utf8");
-        const obj = JSON.parse(json);
-        return obj;
+        return JSON.parse(json);
     }
     generateToken() {
-        if (!this._isfullKey)
+        if (!this._isFullKey)
             throw new InvalidOperationException("generating token using an instance created from token");
         const header = {
             iss: this._issuer,

package/dist/api-security/json-web-token.js.map

@@ -1 +1 @@
-{"version":3,"file":"json-web-token.js","sourceRoot":"","sources":["../../src/api-security/json-web-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,uEAAuE;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAGrE,SAAS;AACT,MAAM,OAAO,YAAY;IAUrB,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,IAAW,OAAO,KAAc,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IACvD,IAAW,GAAG,KAAa,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9C,IAAW,gBAAgB,KAAc,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAClE,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,IAAW,SAAS,KAAc,OAAO,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACtE,IAAW,MAAM,KAA2B,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAGlE,YAAoB,MAAc,EAAE,OAAgB,EAAE,GAAW,EAAE,SAAkB,EAAE,MAAc,EACjG,MAAoB;QAEpB,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAC1D,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACjE,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACpD,KAAK,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,cAAc,EAAE,CAAC,eAAe,EAAE,CAAC;QACjE,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAC1D,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,aAAa,EAAE;aACnD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;QAElD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAC/B,CAAC;IAEM,MAAM,CAAC,UAAU,CAAC,MAAc,EAAE,OAAgB,EAAE,GAAW,EAAE,MAAc,EAClF,MAAoB;QAEpB,OAAO,IAAI,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACxE,CAAC;IAEM,MAAM,CAAC,SAAS,CAAC,MAAc,EAAE,OAAgB,EAAE,GAAW,EAAE,KAAa;QAEhF,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC;QACzC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACjE,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,cAAc,EAAE,CAAC;QACnC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC;QAEvC,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACjB,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAErB,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;YAC1B,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAEnC,MAAM,MAAM,GAAW,YAAY,CAAC,SAAS,CAAC,YAAY,CAAW,CAAC;QACtE,MAAM,IAAI,GAAQ,YAAY,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAErD,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;YAC/C,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;YACrB,MAAM,IAAI,qBAAqB,CAAC,KAAK,EACjC,2BAA2B,MAAM,sBAAsB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;QAE9E,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;YAC/C,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO;YACtB,MAAM,IAAI,qBAAqB,CAAC,KAAK,EACjC,2BAA2B,OAAO,sBAAsB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;QAE/E,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;YAC/C,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAC9B,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,cAAc,MAAM,CAAC,GAAG,cAAc,CAAC,CAAC;QAEnF,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;YACxB,MAAM,IAAI,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAE3C,gCAAgC;QAChC,IAAI;QACJ,uFAAuF;QACvF,2CAA2C;QAC3C,yFAAyF;QACzF,OAAO;QACP,OAAO;QACP,IAAI;QACJ,yGAAyG;QACzG,yBAAyB;QACzB,uFAAuF;QACvF,QAAQ;QAER,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,GAAG,GAAG,UAAU,CAAC,CAAC;QAC5E,IAAI,iBAAiB,KAAK,SAAS;YAC/B,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;QAE9E,MAAM,MAAM,GAAG,IAAI,KAAK,EAAS,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,IAAI;YACnB,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE7C,OAAO,IAAI,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC7E,CAAC;IAEO,MAAM,CAAC,SAAS,CAAC,GAAW;QAEhC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAW,CAAC;QACvC,OAAO,GAAG,CAAC;IACf,CAAC;IAEM,aAAa;QAEhB,IAAI,CAAC,IAAI,CAAC,UAAU;YAChB,MAAM,IAAI,yBAAyB,CAAC,uDAAuD,CAAC,CAAC;QAEjG,MAAM,MAAM,GAAW;YACnB,GAAG,EAAE,IAAI,CAAC,OAAO;YACjB,GAAG,EAAE,IAAI,CAAC,QAAQ;YAClB,GAAG,EAAE,IAAI,CAAC,OAAO;SACpB,CAAC;QAEF,MAAM,IAAI,GAAQ,EAAE,CAAC;QACrB,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAElD,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAEpE,iDAAiD;QACjD,oDAAoD;QACpD,+DAA+D;QAE/D,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAExD,MAAM,KAAK,GAAG,aAAa,GAAG,GAAG,GAAG,SAAS,CAAC;QAC9C,OAAO,KAAK,CAAC;IACjB,CAAC;IAEO,MAAM,CAAC,GAAW;QAEtB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC;IAC7B,CAAC;CACJ"}
+{"version":3,"file":"json-web-token.js","sourceRoot":"","sources":["../../src/api-security/json-web-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AACrE,uEAAuE;AACvE,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAGrE,SAAS;AACT,MAAM,OAAO,YAAY;IAEJ,OAAO,CAAS;IAChB,QAAQ,CAAU;IAClB,IAAI,CAAS;IACb,UAAU,CAAU;IACpB,OAAO,CAAS;IAChB,OAAO,CAAe;IAGvC,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,IAAW,OAAO,KAAc,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IACvD,IAAW,GAAG,KAAa,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9C,IAAW,gBAAgB,KAAc,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IAClE,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,IAAW,SAAS,KAAc,OAAO,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACtE,IAAW,MAAM,KAA2B,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IAGlE,YAAoB,MAAc,EAAE,OAAgB,EAAE,GAAW,EAAE,SAAkB,EAAE,MAAc,EACjG,MAAoB;QAEpB,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAC1D,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACjE,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACpD,KAAK,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,cAAc,EAAE,CAAC,eAAe,EAAE,CAAC;QACjE,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAC1D,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,aAAa,EAAE;aACnD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC;QAElD,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,UAAU,GAAG,SAAS,CAAC;QAC5B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAC/B,CAAC;IAEM,MAAM,CAAC,UAAU,CAAC,MAAc,EAAE,OAAgB,EAAE,GAAW,EAAE,MAAc,EAClF,MAAoB;QAEpB,OAAO,IAAI,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACxE,CAAC;IAEM,MAAM,CAAC,SAAS,CAAC,MAAc,EAAE,OAAgB,EAAE,GAAW,EAAE,KAAa;QAEhF,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC;QACzC,KAAK,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC,cAAc,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QACjE,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,cAAc,EAAE,CAAC;QACnC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC;QAEvC,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QACjB,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAErB,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC;YAC1B,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,MAAM,YAAY,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACtC,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACpC,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAEnC,IAAI,YAAqB,CAAC;QAC1B,IAAI,UAAmB,CAAC;QACxB,IACA,CAAC;YACG,YAAY,GAAG,YAAY,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YACpD,UAAU,GAAG,YAAY,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACpD,CAAC;QACD,MACA,CAAC;YACG,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,oCAAoC,CAAC,CAAC;QACjF,CAAC;QAED,IAAI,YAAY,IAAI,IAAI,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;YACvF,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,yBAAyB,CAAC,CAAC;QAEtE,IAAI,UAAU,IAAI,IAAI,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC;YACjF,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;QAEpE,MAAM,MAAM,GAAG,YAAsB,CAAC;QACtC,MAAM,IAAI,GAAG,UAAqC,CAAC;QAEnD,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;YAC/C,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;YACrB,MAAM,IAAI,qBAAqB,CAAC,KAAK,EACjC,2BAA2B,MAAM,sBAAsB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;QAE9E,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;YAC/C,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO;YACtB,MAAM,IAAI,qBAAqB,CAAC,KAAK,EACjC,2BAA2B,OAAO,sBAAsB,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC;QAE/E,uEAAuE;QACvE,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,IAAI;YAC/C,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;QAElE,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;YAC9B,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,cAAc,MAAM,CAAC,GAAG,cAAc,CAAC,CAAC;QAEnF,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE;YACxB,MAAM,IAAI,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAE3C,gCAAgC;QAChC,IAAI;QACJ,uFAAuF;QACvF,2CAA2C;QAC3C,yFAAyF;QACzF,OAAO;QACP,OAAO;QACP,IAAI;QACJ,yGAAyG;QACzG,yBAAyB;QACzB,uFAAuF;QACvF,QAAQ;QAER,MAAM,iBAAiB,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,YAAY,GAAG,GAAG,GAAG,UAAU,CAAC,CAAC;QAC5E,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;QAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC;YAC3E,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;QAE9E,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,IAAI,KAAK,EAAS,CAAC;QAClC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAChD,CAAC;YACG,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC;gBACzB,MAAM,IAAI,qBAAqB,CAAC,KAAK,EAAE,8BAA8B,IAAI,GAAG,CAAC,CAAC;YAClF,MAAM,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,IAAI,YAAY,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC7E,CAAC;IAEO,MAAM,CAAC,SAAS,CAAC,GAAW;QAEhC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEM,aAAa;QAEhB,IAAI,CAAC,IAAI,CAAC,UAAU;YAChB,MAAM,IAAI,yBAAyB,CAAC,uDAAuD,CAAC,CAAC;QAEjG,MAAM,MAAM,GAAW;YACnB,GAAG,EAAE,IAAI,CAAC,OAAO;YACjB,GAAG,EAAE,IAAI,CAAC,QAAQ;YAClB,GAAG,EAAE,IAAI,CAAC,OAAO;SACpB,CAAC;QAEF,MAAM,IAAI,GAAQ,EAAE,CAAC;QACrB,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAElD,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAEpE,iDAAiD;QACjD,oDAAoD;QACpD,+DAA+D;QAE/D,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAExD,MAAM,KAAK,GAAG,aAAa,GAAG,GAAG,GAAG,SAAS,CAAC;QAC9C,OAAO,KAAK,CAAC;IACjB,CAAC;IAEO,MAAM,CAAC,GAAW;QAEtB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACtD,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC;IAC7B,CAAC;CACJ"}

package/dist/api-security/security-token.js

@@ -1,5 +1,7 @@
 import { given } from "@nivinjoseph/n-defensive";
 export class SecurityToken {
+    _scheme;
+    _token;
     get scheme() { return this._scheme; }
     get token() { return this._token; }
     constructor(scheme, token) {

package/dist/api-security/security-token.js.map

@@ -1 +1 @@
-{"version":3,"file":"security-token.js","sourceRoot":"","sources":["../../src/api-security/security-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAEjD,MAAM,OAAO,aAAa;IAMtB,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,IAAW,KAAK,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAGlD,YAAmB,MAAc,EAAE,KAAa;QAE5C,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE;aACpD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAC3D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QAEtB,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE;aAClD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;IAGM,QAAQ;QAEX,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;IAC5C,CAAC;CACJ"}
+{"version":3,"file":"security-token.js","sourceRoot":"","sources":["../../src/api-security/security-token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AAEjD,MAAM,OAAO,aAAa;IAEL,OAAO,CAAS;IAChB,MAAM,CAAS;IAGhC,IAAW,MAAM,KAAa,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACpD,IAAW,KAAK,KAAa,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAGlD,YAAmB,MAAc,EAAE,KAAa;QAE5C,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE;aACpD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAC3D,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QAEtB,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE;aAClD,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,sBAAsB,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC;IACxB,CAAC;IAGM,QAAQ;QAEX,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;IAC5C,CAAC;CACJ"}

package/dist/bin.js

@@ -13,7 +13,7 @@ async function executeCommand(command) {
         // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
         case SupportedCommands.generateSymmetricKey:
             {
-                const key = await SymmetricEncryption.generateKey();
+                const key = SymmetricEncryption.generateKey();
                 console.log("SYMMETRIC KEY => ", key);
                 break;
             }

package/dist/bin.js.map

@@ -1 +1 @@
-{"version":3,"file":"bin.js","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":";AAEA,oDAAoD;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAEvE,IAAK,iBAGJ;AAHD,WAAK,iBAAiB;IAElB,oEAA+C,CAAA;AACnD,CAAC,EAHI,iBAAiB,KAAjB,iBAAiB,QAGrB;AAED,MAAM,uBAAuB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9G,KAAK,UAAU,cAAc,CAAC,OAA0B;IAEpD,+DAA+D;IAE/D,QAAQ,OAAO,EACf,CAAC;QACG,uEAAuE;QACvE,KAAK,iBAAiB,CAAC,oBAAoB;YACvC,CAAC;gBACG,MAAM,GAAG,GAAG,MAAM,mBAAmB,CAAC,WAAW,EAAE,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;gBACtC,MAAM;YACV,CAAC;QACL;YACI,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,6BAA6B,uBAAuB,GAAG,CAAC,CAAC;IAC1G,CAAC;AACL,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EACrB,CAAC;IACG,OAAO,CAAC,KAAK,CAAC,yDAAyD,uBAAuB,GAAG,CAAC,CAAC;IACnG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;AACxC,CAAC;AAED,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAsB,CAAC;AAE7C,cAAc,CAAC,OAAO,CAAC;KAClB,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;KAC3B,KAAK,CAAC,CAAC,CAAC,EAAE;IAEP,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"bin.js","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":";AAEA,oDAAoD;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,kCAAkC,CAAC;AAEvE,IAAK,iBAGJ;AAHD,WAAK,iBAAiB;IAElB,oEAA+C,CAAA;AACnD,CAAC,EAHI,iBAAiB,KAAjB,iBAAiB,QAGrB;AAED,MAAM,uBAAuB,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAE9G,KAAK,UAAU,cAAc,CAAC,OAA0B;IAEpD,+DAA+D;IAE/D,QAAQ,OAAO,EACf,CAAC;QACG,uEAAuE;QACvE,KAAK,iBAAiB,CAAC,oBAAoB;YACvC,CAAC;gBACG,MAAM,GAAG,GAAG,mBAAmB,CAAC,WAAW,EAAE,CAAC;gBAC9C,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,GAAG,CAAC,CAAC;gBACtC,MAAM;YACV,CAAC;QACL;YACI,OAAO,CAAC,KAAK,CAAC,oBAAoB,OAAO,6BAA6B,uBAAuB,GAAG,CAAC,CAAC;IAC1G,CAAC;AACL,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EACrB,CAAC;IACG,OAAO,CAAC,KAAK,CAAC,yDAAyD,uBAAuB,GAAG,CAAC,CAAC;IACnG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,mBAAmB;AACxC,CAAC;AAED,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAsB,CAAC;AAE7C,cAAc,CAAC,OAAO,CAAC;KAClB,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;KAC3B,KAAK,CAAC,CAAC,CAAC,EAAE;IAEP,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC,CAAC,CAAC"}

package/dist/crypto/hash.d.ts

@@ -1,6 +1,46 @@
 export declare class Hash {
     private constructor();
     static create(value: string): string;
+    /**
+     * @deprecated Unsafe for password storage. Uses a single round of
+     *   SHA-512, which a GPU can compute at billions of hashes/second —
+     *   leaked hashes can be brute-forced rapidly against any wordlist.
+     *   Additionally trims leading/trailing whitespace from both `value`
+     *   and `salt`, so inputs differing only in whitespace collide.
+     *
+     *   For password hashing, use {@link createForPassword} +
+     *   {@link verifyPassword} instead.
+     */
     static createUsingSalt(value: string, salt: string): string;
+    /**
+     * Derives a 64-byte hash from `password` and `salt` using scrypt with
+     * parameters N=2^15, r=8, p=1 (RFC 7914 recommended defaults). Suitable
+     * for password storage: slow and memory-hard, so leaked hashes resist
+     * GPU brute-force attacks far better than a plain SHA-512.
+     *
+     * Inputs are NOT trimmed — the exact bytes of `password` and `salt` are
+     * hashed. Two passwords differing only in whitespace produce different
+     * outputs.
+     *
+     * @param password - The password to hash. Hashed as UTF-8.
+     * @param salt - A per-user random value (recommended: ≥16 random bytes,
+     *   e.g. `randomBytes(16).toString("hex")`). Must be stored alongside
+     *   the hash so the same value can be passed on verification.
+     * @returns A 128-character uppercase hex string (64 bytes).
+     */
+    static createForPassword(password: string, salt: string): string;
+    /**
+     * Verifies a password against a hash previously produced by
+     * {@link createForPassword}. The comparison is constant-time, so
+     * timing cannot be used to learn how many leading bytes matched.
+     *
+     * @param password - The candidate password to verify. Hashed as UTF-8.
+     * @param salt - The same salt that was passed to
+     *   {@link createForPassword} when the stored hash was created.
+     * @param expectedHash - The previously-stored hash (hex string, any case).
+     * @returns `true` if the candidate matches; `false` if it doesn't,
+     *   if `expectedHash` is not valid hex, or if lengths differ.
+     */
+    static verifyPassword(password: string, salt: string, expectedHash: string): boolean;
 }
 //# sourceMappingURL=hash.d.ts.map

package/dist/crypto/hash.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAKA,qBAAa,IAAI;IAEb,OAAO;WAGO,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;WAU7B,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM;CAyBrE"}
+{"version":3,"file":"hash.d.ts","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAKA,qBAAa,IAAI;IAEb,OAAO;WAGO,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAU3C;;;;;;;;;OASG;WACW,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM;IA0BlE;;;;;;;;;;;;;;;OAeG;WACW,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM;IAcvE;;;;;;;;;;;OAWG;WACW,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;CAY9F"}

package/dist/crypto/hash.js

@@ -1,5 +1,5 @@
 import { given } from "@nivinjoseph/n-defensive";
-import { createHash } from "node:crypto";
+import { createHash, scryptSync, timingSafeEqual } from "node:crypto";
 // public
 export class Hash {
     constructor() { }
@@ -10,6 +10,16 @@ export class Hash {
         hash.update(value, "utf8");
         return hash.digest("hex").toUpperCase();
     }
+    /**
+     * @deprecated Unsafe for password storage. Uses a single round of
+     *   SHA-512, which a GPU can compute at billions of hashes/second —
+     *   leaked hashes can be brute-forced rapidly against any wordlist.
+     *   Additionally trims leading/trailing whitespace from both `value`
+     *   and `salt`, so inputs differing only in whitespace collide.
+     *
+     *   For password hashing, use {@link createForPassword} +
+     *   {@link verifyPassword} instead.
+     */
     static createUsingSalt(value, salt) {
         given(value, "value").ensureHasValue().ensureIsString();
         given(salt, "salt").ensureHasValue().ensureIsString();
@@ -27,5 +37,54 @@ export class Hash {
         const saltedValue = `${salt}${value}${valueReverse}${salt}${saltReverse}${salt}${valueReverse}`;
         return Hash.create(saltedValue);
     }
+    /**
+     * Derives a 64-byte hash from `password` and `salt` using scrypt with
+     * parameters N=2^15, r=8, p=1 (RFC 7914 recommended defaults). Suitable
+     * for password storage: slow and memory-hard, so leaked hashes resist
+     * GPU brute-force attacks far better than a plain SHA-512.
+     *
+     * Inputs are NOT trimmed — the exact bytes of `password` and `salt` are
+     * hashed. Two passwords differing only in whitespace produce different
+     * outputs.
+     *
+     * @param password - The password to hash. Hashed as UTF-8.
+     * @param salt - A per-user random value (recommended: ≥16 random bytes,
+     *   e.g. `randomBytes(16).toString("hex")`). Must be stored alongside
+     *   the hash so the same value can be passed on verification.
+     * @returns A 128-character uppercase hex string (64 bytes).
+     */
+    static createForPassword(password, salt) {
+        given(password, "password").ensureHasValue().ensureIsString();
+        given(salt, "salt").ensureHasValue().ensureIsString();
+        const derived = scryptSync(password, salt, 64, {
+            N: 1 << 15,
+            r: 8,
+            p: 1,
+            maxmem: 64 * 1024 * 1024
+        });
+        return derived.toString("hex").toUpperCase();
+    }
+    /**
+     * Verifies a password against a hash previously produced by
+     * {@link createForPassword}. The comparison is constant-time, so
+     * timing cannot be used to learn how many leading bytes matched.
+     *
+     * @param password - The candidate password to verify. Hashed as UTF-8.
+     * @param salt - The same salt that was passed to
+     *   {@link createForPassword} when the stored hash was created.
+     * @param expectedHash - The previously-stored hash (hex string, any case).
+     * @returns `true` if the candidate matches; `false` if it doesn't,
+     *   if `expectedHash` is not valid hex, or if lengths differ.
+     */
+    static verifyPassword(password, salt, expectedHash) {
+        given(password, "password").ensureHasValue().ensureIsString();
+        given(salt, "salt").ensureHasValue().ensureIsString();
+        given(expectedHash, "expectedHash").ensureHasValue().ensureIsString();
+        const computed = Buffer.from(Hash.createForPassword(password, salt), "hex");
+        const expected = Buffer.from(expectedHash, "hex");
+        if (computed.length !== expected.length)
+            return false;
+        return timingSafeEqual(computed, expected);
+    }
 }
 //# sourceMappingURL=hash.js.map

package/dist/crypto/hash.js.map

@@ -1 +1 @@
-{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,SAAS;AACT,MAAM,OAAO,IAAI;IAEb,gBAAwB,CAAC;IAGlB,MAAM,CAAC,MAAM,CAAC,KAAa;QAE9B,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAErB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,CAAC;IAEM,MAAM,CAAC,eAAe,CAAC,KAAa,EAAE,IAAY;QAErD,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAEtD,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACrB,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEnB,MAAM,OAAO,GAAG,CAAC,GAAW,EAAU,EAAE;YAEpC,IAAI,GAAG,GAAG,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;gBAC/B,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;YACvB,OAAO,GAAG,CAAC;QACf,CAAC,CAAC;QAEF,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAElC,8FAA8F;QAE9F,MAAM,WAAW,GAAG,GAAG,IAAI,GAAG,KAAK,GAAG,YAAY,GAAG,IAAI,GAAG,WAAW,GAAG,IAAI,GAAG,YAAY,EAAE,CAAC;QAEhG,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;CACJ"}
+{"version":3,"file":"hash.js","sourceRoot":"","sources":["../../src/crypto/hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0BAA0B,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGtE,SAAS;AACT,MAAM,OAAO,IAAI;IAEb,gBAAwB,CAAC;IAGlB,MAAM,CAAC,MAAM,CAAC,KAAa;QAE9B,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAErB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC3B,OAAO,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,CAAC;IAED;;;;;;;;;OASG;IACI,MAAM,CAAC,eAAe,CAAC,KAAa,EAAE,IAAY;QAErD,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACxD,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAEtD,KAAK,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QACrB,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEnB,MAAM,OAAO,GAAG,CAAC,GAAW,EAAU,EAAE;YAEpC,IAAI,GAAG,GAAG,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE;gBAC/B,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;YACvB,OAAO,GAAG,CAAC;QACf,CAAC,CAAC;QAEF,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAElC,8FAA8F;QAE9F,MAAM,WAAW,GAAG,GAAG,IAAI,GAAG,KAAK,GAAG,YAAY,GAAG,IAAI,GAAG,WAAW,GAAG,IAAI,GAAG,YAAY,EAAE,CAAC;QAEhG,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACpC,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,MAAM,CAAC,iBAAiB,CAAC,QAAgB,EAAE,IAAY;QAE1D,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAC9D,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAEtD,MAAM,OAAO,GAAG,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,EAAE;YAC3C,CAAC,EAAE,CAAC,IAAI,EAAE;YACV,CAAC,EAAE,CAAC;YACJ,CAAC,EAAE,CAAC;YACJ,MAAM,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC3B,CAAC,CAAC;QACH,OAAO,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACjD,CAAC;IAED;;;;;;;;;;;OAWG;IACI,MAAM,CAAC,cAAc,CAAC,QAAgB,EAAE,IAAY,EAAE,YAAoB;QAE7E,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAC9D,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QACtD,KAAK,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC,cAAc,EAAE,CAAC,cAAc,EAAE,CAAC;QAEtE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC;QAC5E,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YACnC,OAAO,KAAK,CAAC;QACjB,OAAO,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC/C,CAAC;CACJ"}

package/dist/crypto/symmetric-encryption.d.ts

@@ -1,7 +1,55 @@
 export declare class SymmetricEncryption {
     private constructor();
-    static generateKey(): Promise<string>;
-    static encrypt(key: string, value: string): Promise<string>;
-    static decrypt(key: string, value: string): string;
+    /**
+     * Generates a cryptographically random 256-bit key suitable for use with
+     * {@link encrypt} and {@link decrypt}.
+     *
+     * @returns A 64-character uppercase hex string (32 bytes) sourced from the
+     *   platform CSPRNG via Node's `crypto.randomBytes`.
+     */
+    static generateKey(): string;
+    /**
+     * Encrypts a UTF-8 string using AES-256-GCM with a fresh random 96-bit IV.
+     *
+     * The result is an authenticated ciphertext: any bit-flip, truncation, or
+     * substitution will cause {@link decrypt} to throw a {@link CryptoException}.
+     *
+     * @param key - A 64-character hex string (32 bytes) as produced by
+     *   {@link generateKey}. Case-insensitive.
+     * @param value - The plaintext to encrypt. Interpreted as UTF-8.
+     * @param aad - Optional Additional Authenticated Data. When supplied, its
+     *   UTF-8 bytes are bound into the auth tag but not stored in the output;
+     *   the exact same `aad` must be passed to {@link decrypt}, otherwise
+     *   decryption will fail. Use this to bind a ciphertext to its context
+     *   (e.g. `` `user:${userId}` ``) so a valid ciphertext from one record
+     *   cannot be substituted into another.
+     * @returns An uppercase hex string in the form `IV.CIPHERTEXT.TAG`, where
+     *   `IV` is 24 hex chars (12 bytes), `TAG` is 32 hex chars (16 bytes), and
+     *   `CIPHERTEXT` is the encrypted payload.
+     * @throws {CryptoException} If `key` is not exactly 64 hex characters.
+     */
+    static encrypt(key: string, value: string, aad?: string): string;
+    /**
+     * Decrypts a ciphertext produced by {@link encrypt} and returns the
+     * original UTF-8 plaintext. Integrity is verified via the GCM auth tag
+     * before the plaintext is returned — if verification fails, nothing is
+     * returned.
+     *
+     * @param key - The same 64-character hex key that was used to encrypt.
+     *   Case-insensitive.
+     * @param value - The ciphertext string in `IV.CIPHERTEXT.TAG` form as
+     *   produced by {@link encrypt}.
+     * @param aad - The same Additional Authenticated Data that was supplied
+     *   to {@link encrypt}, or omitted if none was supplied. Any mismatch
+     *   (wrong value, supplied here but not at encrypt, or vice versa) will
+     *   cause the auth tag check to fail.
+     * @returns The original plaintext decoded as UTF-8.
+     * @throws {CryptoException} If `key` is not exactly 64 hex characters,
+     *   if `value` is not in the expected `IV.CIPHERTEXT.TAG` format with
+     *   correct component lengths, or if the auth tag verification fails
+     *   (wrong key, tampered ciphertext, or mismatched `aad`).
+     */
+    static decrypt(key: string, value: string, aad?: string): string;
+    private static _decodeKey;
 }
 //# sourceMappingURL=symmetric-encryption.d.ts.map

package/dist/crypto/symmetric-encryption.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"symmetric-encryption.d.ts","sourceRoot":"","sources":["../../src/crypto/symmetric-encryption.ts"],"names":[],"mappings":"AAMA,qBAAa,mBAAmB;IAE5B,OAAO;WAGO,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;WAiB9B,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;WAmCpD,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM;CAkB5D"}
+{"version":3,"file":"symmetric-encryption.d.ts","sourceRoot":"","sources":["../../src/crypto/symmetric-encryption.ts"],"names":[],"mappings":"AAMA,qBAAa,mBAAmB;IAE5B,OAAO;IAGP;;;;;;OAMG;WACW,WAAW,IAAI,MAAM;IAKnC;;;;;;;;;;;;;;;;;;;OAmBG;WACW,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM;IAoBvE;;;;;;;;;;;;;;;;;;;OAmBG;WACW,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM;IAkCvE,OAAO,CAAC,MAAM,CAAC,UAAU;CAO5B"}

package/dist/crypto/symmetric-encryption.js

@@ -4,55 +4,101 @@ import { CryptoException } from "./crypto-exception.js";
 // public
 export class SymmetricEncryption {
     constructor() { }
+    /**
+     * Generates a cryptographically random 256-bit key suitable for use with
+     * {@link encrypt} and {@link decrypt}.
+     *
+     * @returns A 64-character uppercase hex string (32 bytes) sourced from the
+     *   platform CSPRNG via Node's `crypto.randomBytes`.
+     */
     static generateKey() {
-        return new Promise((resolve, reject) => {
-            randomBytes(32, (err, buf) => {
-                if (err) {
-                    reject(err);
-                    return;
-                }
-                resolve(buf.toString("hex").toUpperCase());
-            });
-        });
+        return randomBytes(32).toString("hex").toUpperCase();
     }
-    static encrypt(key, value) {
-        return new Promise((resolve, reject) => {
-            given(key, "key").ensureHasValue().ensureIsString();
-            given(value, "value").ensureHasValue().ensureIsString();
-            key = key.trim();
-            value = value.trim();
-            randomBytes(16, (err, buf) => {
-                if (err) {
-                    reject(err);
-                    return;
-                }
-                try {
-                    const iv = buf;
-                    const cipher = createCipheriv("AES-256-CBC", Buffer.from(key, "hex"), iv);
-                    let encrypted = cipher.update(value, "utf8", "hex");
-                    encrypted += cipher.final("hex");
-                    const cipherText = `${encrypted}.${iv.toString("hex")}`;
-                    resolve(cipherText.toUpperCase());
-                }
-                catch (error) {
-                    reject(error);
-                }
-            });
-        });
+    /**
+     * Encrypts a UTF-8 string using AES-256-GCM with a fresh random 96-bit IV.
+     *
+     * The result is an authenticated ciphertext: any bit-flip, truncation, or
+     * substitution will cause {@link decrypt} to throw a {@link CryptoException}.
+     *
+     * @param key - A 64-character hex string (32 bytes) as produced by
+     *   {@link generateKey}. Case-insensitive.
+     * @param value - The plaintext to encrypt. Interpreted as UTF-8.
+     * @param aad - Optional Additional Authenticated Data. When supplied, its
+     *   UTF-8 bytes are bound into the auth tag but not stored in the output;
+     *   the exact same `aad` must be passed to {@link decrypt}, otherwise
+     *   decryption will fail. Use this to bind a ciphertext to its context
+     *   (e.g. `` `user:${userId}` ``) so a valid ciphertext from one record
+     *   cannot be substituted into another.
+     * @returns An uppercase hex string in the form `IV.CIPHERTEXT.TAG`, where
+     *   `IV` is 24 hex chars (12 bytes), `TAG` is 32 hex chars (16 bytes), and
+     *   `CIPHERTEXT` is the encrypted payload.
+     * @throws {CryptoException} If `key` is not exactly 64 hex characters.
+     */
+    static encrypt(key, value, aad) {
+        given(key, "key").ensureHasValue().ensureIsString();
+        given(value, "value").ensureHasValue().ensureIsString();
+        if (aad != null)
+            given(aad, "aad").ensureIsString();
+        const keyBuf = SymmetricEncryption._decodeKey(key);
+        const iv = randomBytes(12);
+        const cipher = createCipheriv("aes-256-gcm", keyBuf, iv);
+        if (aad != null && aad.length > 0)
+            cipher.setAAD(Buffer.from(aad, "utf8"));
+        const ct = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+        const tag = cipher.getAuthTag();
+        return [iv.toString("hex"), ct.toString("hex"), tag.toString("hex")]
+            .join(".").toUpperCase();
     }
-    static decrypt(key, value) {
+    /**
+     * Decrypts a ciphertext produced by {@link encrypt} and returns the
+     * original UTF-8 plaintext. Integrity is verified via the GCM auth tag
+     * before the plaintext is returned — if verification fails, nothing is
+     * returned.
+     *
+     * @param key - The same 64-character hex key that was used to encrypt.
+     *   Case-insensitive.
+     * @param value - The ciphertext string in `IV.CIPHERTEXT.TAG` form as
+     *   produced by {@link encrypt}.
+     * @param aad - The same Additional Authenticated Data that was supplied
+     *   to {@link encrypt}, or omitted if none was supplied. Any mismatch
+     *   (wrong value, supplied here but not at encrypt, or vice versa) will
+     *   cause the auth tag check to fail.
+     * @returns The original plaintext decoded as UTF-8.
+     * @throws {CryptoException} If `key` is not exactly 64 hex characters,
+     *   if `value` is not in the expected `IV.CIPHERTEXT.TAG` format with
+     *   correct component lengths, or if the auth tag verification fails
+     *   (wrong key, tampered ciphertext, or mismatched `aad`).
+     */
+    static decrypt(key, value, aad) {
         given(key, "key").ensureHasValue().ensureIsString();
         given(value, "value").ensureHasValue().ensureIsString();
-        key = key.trim();
-        value = value.trim();
-        const splitted = value.split(".");
-        if (splitted.length !== 2)
-            throw new CryptoException("Invalid value.");
-        const iv = Buffer.from(splitted[1], "hex");
-        const deCipher = createDecipheriv("AES-256-CBC", Buffer.from(key, "hex"), iv);
-        let decrypted = deCipher.update(splitted[0], "hex", "utf8");
-        decrypted += deCipher.final("utf8");
-        return decrypted;
+        if (aad != null)
+            given(aad, "aad").ensureIsString();
+        const keyBuf = SymmetricEncryption._decodeKey(key);
+        const parts = value.split(".");
+        if (parts.length !== 3)
+            throw new CryptoException("Malformed ciphertext.");
+        const iv = Buffer.from(parts[0], "hex");
+        const ct = Buffer.from(parts[1], "hex");
+        const tag = Buffer.from(parts[2], "hex");
+        if (iv.length !== 12 || ct.length === 0 || tag.length !== 16)
+            throw new CryptoException("Malformed ciphertext.");
+        try {
+            const decipher = createDecipheriv("aes-256-gcm", keyBuf, iv);
+            if (aad != null && aad.length > 0)
+                decipher.setAAD(Buffer.from(aad, "utf8"));
+            decipher.setAuthTag(tag);
+            return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+        }
+        catch {
+            throw new CryptoException("Integrity check failed.");
+        }
+    }
+    static _decodeKey(key) {
+        const buf = Buffer.from(key, "hex");
+        if (buf.length !== 32 || buf.toString("hex").toUpperCase() !== key.toUpperCase())
+            throw new CryptoException("Key must be 64 hex characters (32 bytes).");
+        return buf;
     }
 }
 //# sourceMappingURL=symmetric-encryption.js.map