@oino-ts/hashid 0.0.11

package/README.md

@@ -0,0 +1,222 @@
+# OINO TS
+ OINO Is Not an ORM but it's trying to solve a similar problem for API development. Instead of mirroring your DB schema in code that needs manual updates, OINO will get the data schema from DBMS using SQL in real time. Every time your app starts, it has an updated data model which enables automatic (de)serialize SQL results to JSON/CSV and back. OINO works on the level below routing where you pass the method, URL ID, body and request parameters to the API-object. OINO will parse and validate the data against the data model and generate proper SQL for your DB. Because OINO knows how data is serialized (e.g. JSON), what column it belongs to (e.g. floating point number) and what the target database is, it knows how to parse, format and escape the value as valid SQL.
+ 
+ ```
+ const result:OINOApiResult = await api_orderdetails.doRequest("GET", id, body, params)
+ return new Response(result.modelset.writeString(OINOContentType.json))
+ ```
+ 
+
+ # GETTING STARTED
+ 
+ ### Setup
+ Install the `@oino-ts/core` npm package and necessary database packages and import them in your code.
+ ```
+ bun install @oino-ts/core
+ bun install @oino-ts/bunsqlite
+ ```
+ 
+ ```
+ import { OINODb, OINOApi, OINOFactory } from "@oino-ts/core";
+ import { OINODbBunSqlite } from "@oino-ts/bunsqlite"
+ ```
+ 
+ ### Register database and logger
+ Register your database implementation and logger (see [`OINOConsoleLog`](https://pragmatta.github.io/oino-ts/classes/core_src.OINOConsoleLog.html) how to implement your own)
+
+ ```
+ OINOLog.setLogger(new OINOConsoleLog())
+ OINOFactory.registerDb("OINODbBunSqlite", OINODbBunSqlite)
+ ```
+
+ ### Create a database
+ Creating a database connection [`OINODb`](https://pragmatta.github.io/oino-ts/classes/core_src_OINODb.OINODb.html) is done by passing [`OINODbParams`](https://pragmatta.github.io/oino-ts/types/core_src.OINODbParams.html) to the factory method. For [`OINODbBunSqlite`](https://pragmatta.github.io/oino-ts/classes/bunsqlite_OINODbBunSqlite.OINODbBunSqlite.html) that means a file url for the database file, for others network host, port, credentials etc.
+ ```
+ const db:OINODb = await OINOFactory.createDb( { type: "OINODbBunSqlite", url: "file://../localDb/northwind.sqlite" } )
+ ```
+
+ ### Create an API
+ From a database you can create an [`OINOApi`](https://pragmatta.github.io/oino-ts/classes/core_src_OINOApi.OINOApi.html) by passing [`OINOApiParams`](https://pragmatta.github.io/oino-ts/types/core_src.OINOApiParams.html) with table name and preferences to the factory method.
+ ```
+ const api_employees:OINOApi = await OINOFactory.createApi(db, { tableName: "Employees", excludeFields:["BirthDate"] })
+ ```
+
+ ### Pass HTTP requests to API
+ When you receive a HTTP request, just pass the method, URL ID, body and params to the correct API, which will parse and validate input and return results.
+
+ ```
+ const result:OINOApiResult = await api_orderdetails.doRequest("GET", id, body, params)
+ ```
+
+ ### Write results back to HTTP Response
+ The results for a GET request will contain [`OINOModelSet`](https://pragmatta.github.io/oino-ts/classes/core_src_OINOModelSet.OINOModelSet.html) data that can be written out as JSON or CSV as needed. For other requests result is just success or error with messages.
+ ```
+ return new Response(result.modelset.writeString(OINOContentType.json))
+ ```
+ 
+ 
+ # FEATURES
+ 
+ ## RESTfull
+ OINO maps HTTP methods GET/POST/PUT/DELETE to SQL operations SELECT/INSERT/UPDATE/DELETE. The GET/POST requests can be made without URL ID to get all rows or insert new ones and others target a single row using URL ID. 
+ 
+ ### HTTP GET
+ ```
+ Request and response:
+ > curl.exe -X GET http://localhost:3001/orderdetails/11077:77
+ [
+   {"_OINOID_":"11077:77","OrderID":11077,"ProductID":77,"UnitPrice":13,"Quantity":2,"Discount":0}
+ ]
+
+ SQL:
+ SELECT "OrderID","ProductID","UnitPrice","Quantity","Discount" FROM [OrderDetails] WHERE ("OrderID"=11077 AND "ProductID"=77);
+ ```
+
+ ### HTTP POST 
+ ```
+ Request and response:
+ > curl.exe -X POST http://localhost:3001/orderdetails -H "Content-Type: application/json" --data '[{\"OrderID\":11077,\"ProductID\":99,\"UnitPrice\":19,\"Quantity\":1,\"Discount\":0}]'
+ {"success":true,"statusCode":200,"statusMessage":"OK","messages":[]}
+
+ SQL:
+ INSERT INTO [OrderDetails] ("OrderID","ProductID","UnitPrice","Quantity","Discount") VALUES (11077,99,19,1,0);
+ ```
+
+ ### HTTP PUT
+ ```
+ Request and response:
+ > curl.exe -X PUT http://localhost:3001/orderdetails/11077:99 -H "Content-Type: application/json" --data '[{\"UnitPrice\":20}]'
+ {"success":true,"statusCode":200,"statusMessage":"OK","messages":[]}
+
+ SQL:
+ UPDATE [OrderDetails] SET "UnitPrice"=20 WHERE ("OrderID"=11077 AND "ProductID"=99);
+ ```
+ 
+ ### HTTP DELETE
+ ```
+ Request and response:
+ > curl.exe -X DELETE http://localhost:3001/orderdetails/11077:99
+ {"success":true,"statusCode":200,"statusMessage":"OK","messages":[]}
+
+ SQL:
+ DELETE FROM [OrderDetails] WHERE ("OrderID"=11077 AND "ProductID"=99);
+ ```
+  
+ ## Universal Serialization
+ OINO handles serialization of data to JSON/CSV/etc. and back based on the data model. It knows what columns exist, what is their data type and how to convert each to JSON/CSV and back. This allows also partial data to be sent, i.e. you can send only columns that need updating or even send extra columns and have them ignored.
+
+ ### Features
+ - Files can be sent to BLOB fields using BASE64 encoding.
+ - Datetimes are (optionally) normalized to ISO 8601 format.
+ - Extended JSON-encoding
+   - Unquoted literal `undefined` can be used to represent non-existent values (leaving property out works too but preserving structure might be easier e.g. when translating data).
+ - CSV
+   - Comma-separated, doublequotes.
+   - Unquoted literal `null` represents null values.
+   - Unquoted empty string represents undefined values.
+ - Form data
+   - Multipart-mixed and binary files not supported.
+   - Non-existent value line (i.e. nothing after the empty line) treated as a null value.
+ - Url-encoded
+   - No null values, missing properties treated as undefined.
+   - Multiple lines could be used to post multiple rows.
+
+
+ ## Database Abstraction
+ OINO functions as a database abstraction, providing a consistent interface for working with different databases. It abstracts out different conventions in connecting, making queries and formatting data.
+
+ Currently supported databases:
+ - Bun Sqlite through Bun native implementation
+ - Postgresql through [pg](https://www.npmjs.com/package/pg)-package
+ - Mariadb / Mysql-support through [mariadb](https://www.npmjs.com/package/mariadb)-package
+
+ ## Complex Keys
+ To support tables with multipart primary keys OINO generates a composite key `_OINOID_` that is included in the result and can be used as the REST ID. For example in the example above table `OrderDetails` has two primary keys `OrderID` and `ProductID` making the `_OINOID_` of form `11077:99`. 
+
+ ## Power Of SQL
+ Since OINO controls the SQL, WHERE-conditions can be defined with [`OINOSqlFilter`](https://pragmatta.github.io/oino-ts/classes/core_src.OINOSqlFilter.html) and order with [`OINOSqlOrder`](https://pragmatta.github.io/oino-ts/classes/core_src.OINOSqlOrder.html) that are passed as HTTP request parameters. No more API development where you make unique API endpoints for each filter that fetch all data with original API and filter in backend code. Every API can be filtered when and as needed without unnessecary data tranfer and utilizing SQL indexing when available.
+
+ ## Swagger Support
+ Swagger is great as long as the definitions are updated and with OINO you can automatically get a Swagger definition including a data model schema.
+ ```
+ if (url.pathname == "/swagger.json") {
+    return new Response(JSON.stringify(OINOSwagger.getApiDefinition(api_array)))
+ }
+ ```
+ ![Swagger definition with a data model schema](img/readme-swagger.png)
+
+ ## Node support
+ OINO is developped Typescript first but compiles to standard CommonJS and the NPM packages should work on either ESM / CommonJS. Checkout sample apps `readmeApp` (ESM) and `nodeApp` (CommonJS).
+
+ ## HTMX support
+ OINO is [htmx.org](https://htmx.org) friendly, allowing easy translation of [`OINODataRow`](https://pragmatta.github.io/oino-ts/types/core_src.OINODataRow.html) to HTML output using templates (cf. the [htmx sample app](https://github.com/pragmatta/oino-ts/tree/main/samples/htmxApp)).
+
+ ### Hashids
+ Autoinc numeric id's are very pragmatic and fit well with OINO (e.g. using a form without primary key fields to insert new rows with database assigned ids). However it's not always sensible to share information about the sequence. Hashids solve this by masking the original values by encrypting the ids using AES-128 and some randomness. Length of the hashid can be chosen from 12-32 characters where longer ids provide more security. However this should not be considereded a cryptographic solution for keeping ids secret but rather making it infeasible to iterate all ids.
+
+
+ # STATUS
+ OINO is currently a hobby project which should and should considered in alpha status. That also means compatibility breaking changes can be made without prior notice when architectual issues are discovered.
+
+ ## Beta
+ For a beta status following milestones are planned:
+
+ ### Realistic app
+ There needs to be a realistic app built on top of OINO to get a better grasp of the edge cases.
+
+ ### Security review
+ Handling of SQL-injection attacks needs a thorough review, what are the relevant attack vectors are for OINO and what protections are still needed.
+ 
+ ## Roadmap
+ Things that need to happen in some order before beta-status are at least following:
+ 
+ ### Support for views
+ Simple cases of views would work already in some databases but edge cases might get complicated. For example 
+ - How to handle a view which does not have a complete private key?
+ - What edge cases exist in updating views?
+
+ ### Batch updates
+ Supporting batch updates similar to batch inserts is slightly bending the RESTfull principles but would still be a useful optional feature.
+
+ ### Aggregation and limits
+ Similar to filtering and ordering, aggregation and limits can be implemented as HTTP request parameters telling what column is aggregated or used for ordering or how many results to return.
+
+ ### Streaming
+ One core idea is to be efficient in not making unnecessary copies of the data and minimizing garbage collection debt. This can be taken further by implementing streaming, allowing large dataset to be written to HTTP response as SQL result rows are received.
+
+ ### SQL generation callbacks
+ It would be useful to allow developer to validate / override SQL generation to cover cases OINO does not support or even workaround issues.
+
+ ### Transactions
+ Even though the basic case for OINO is executing SQL operations on individual rows, having an option to use SQL transactions could make sense at least for batch operations.
+
+
+ # HELP
+ 
+ ## Bug reports
+ Fixing bugs is a priority and getting good quality bug reports helps. It's recommended to use the sample Northwind database included with project to replicate issues or make an SQL script export of the relevant table.
+  
+ ## Feedback
+ Understanding and prioritizing the use cases for OINO is also important and feedback about how you'd use OINO is interesting. Feel free to raise issues and feature requests in Github, but understand that short term most of the effort goes towards reaching the beta stage.
+
+ ## Typescript / Javascript architecture
+ Typescript building with different targets and module-systemts and a ton of configuration is a complex domain and something I have little experience un so help in fixing problems and how thing ought to be done is appreciated.
+ 
+ # LINKS
+ - [Github repository](https://github.com/pragmatta/oino-ts)
+ - [NPM repository](https://www.npmjs.com/org/oino-ts) 
+
+ 
+ # ACKNOWLEDGEMENTS
+ 
+ ## Libraries
+ OINO uses the following open source libraries and npm packages and I would like to thank everyone for their contributions:
+ - Postgresql support by [node-postgres package](https://www.npmjs.com/package/pg)
+ - Mariadb / Mysql-support by [mariadb package](https://www.npmjs.com/package/mariadb)
+
+ ## Bun
+ OINO has been developed using the Bun runtime, not because of the speed improvements but for the first class Typescript support and integrated developper experience. Kudos on the bun team for making Typescript work more exiting again.
+ 
+ ## SQL Scripts
+ The SQL scripts for creating the sample Northwind database are based on [Google Code archive](https://code.google.com/archive/p/northwindextended/downloads) and have been further customized to ensure they would have identical data (in the scope of the automated testing).
+

package/dist/cjs/OINOHashid.js

@@ -0,0 +1,103 @@
+"use strict";
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OINOHashid = void 0;
+const node_crypto_1 = require("node:crypto");
+const base_x_1 = require("base-x");
+const HASHID_MIN_LENGTH = 12;
+const HASHID_MAX_LENGTH = 40;
+const HASHID_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+const hashidEncoder = (0, base_x_1.default)(HASHID_ALPHABET);
+/**
+ * Hashid implementation for OINO API:s for the purpose of making it infeasible to scan
+ * through numeric autoinc keys. It's not a solution to keeping the id secret in insecure
+ * channels, just making it hard enough to not iterate through the entire key space. Half
+ * of the the hashid length is nonce and half cryptotext, i.e. 16 char hashid 8 chars of
+ * base64 encoded nonce ~ 6 bytes or 48 bits of entropy.
+ *
+ */
+class OINOHashid {
+    _key;
+    _iv;
+    _domainId;
+    _minLength;
+    _randomIds;
+    /**
+     * Hashid constructor
+     *
+     * @param key AES128 key (32 char hex-string)
+     * @param domainId a sufficiently unique domain ID in which row-Id's are unique
+     * @param minLength minimum length of nonce and crypto
+     * @param randomIds whether hash values should remain static per row or random values
+     *
+     */
+    constructor(key, domainId, minLength = HASHID_MIN_LENGTH, randomIds = false) {
+        this._domainId = domainId;
+        if ((minLength < HASHID_MIN_LENGTH) || (minLength > HASHID_MAX_LENGTH)) {
+            throw Error("OINOHashid minLength needs to be between " + HASHID_MIN_LENGTH + " and " + HASHID_MAX_LENGTH + "!");
+        }
+        this._minLength = Math.ceil(minLength / 2);
+        if (key.length != 32) {
+            throw Error("OINOHashid key needs to be a 32 character hex-string!");
+        }
+        this._randomIds = randomIds;
+        this._key = Buffer.from(key, 'hex');
+        this._iv = new Buffer(16);
+    }
+    /**
+     * Encode given id value as a hashid either using random data or given seed value for nonce.
+     *
+     * @param id numeric value
+     * @param cellSeed a sufficiently unique seed for the current cell to keep hashids unique but persistent (e.g. fieldname + primarykey values)
+     *
+     */
+    encode(id, cellSeed = "") {
+        // if seed was given use it for pseudorandom chars, otherwise generate them
+        let random_chars = "";
+        if (this._randomIds) {
+            (0, node_crypto_1.randomFillSync)(this._iv, 0, 16);
+            random_chars = hashidEncoder.encode(this._iv); // this._iv.toString('base64url')
+        }
+        else {
+            const hmac_seed = (0, node_crypto_1.createHmac)('sha1', this._key);
+            hmac_seed.update(this._domainId + " " + cellSeed);
+            random_chars = hashidEncoder.encode(hmac_seed.digest()); // hmac_seed.digest('base64url')
+        }
+        const hmac = (0, node_crypto_1.createHmac)('sha1', this._key);
+        let iv_seed = random_chars.substring(0, this._minLength);
+        hmac.update(this._domainId + " " + iv_seed);
+        const iv_data = hmac.digest();
+        iv_data.copy(this._iv, 0, 0, 16);
+        let plaintext = id.toString();
+        if (plaintext.length < this._minLength) {
+            plaintext += " " + random_chars.substring(random_chars.length - (this._minLength - plaintext.length - 1));
+        }
+        const cipher = (0, node_crypto_1.createCipheriv)('aes-128-gcm', this._key, this._iv);
+        const cryptotext = hashidEncoder.encode(cipher.update(plaintext, 'utf8')) + hashidEncoder.encode(cipher.final());
+        return iv_seed + cryptotext;
+    }
+    /**
+     * Decode given hashid.
+     *
+     * @param hashid value
+     *
+     */
+    decode(hashid) {
+        // reproduce nonce from seed
+        const hmac = (0, node_crypto_1.createHmac)('sha1', this._key);
+        const iv_seed = hashid.substring(0, this._minLength);
+        hmac.update(this._domainId + " " + iv_seed);
+        const hash = hmac.digest();
+        hash.copy(this._iv, 0, 0, 16);
+        const cryptotext = hashid.substring(this._minLength);
+        const cryptobytes = new Buffer(hashidEncoder.decode(cryptotext));
+        const decipher = (0, node_crypto_1.createDecipheriv)('aes-128-gcm', this._key, this._iv);
+        const plaintext = decipher.update(cryptobytes, undefined, 'utf8'); //, cryptotext, 'base64url', 'utf8') 
+        return plaintext.split(" ")[0];
+    }
+}
+exports.OINOHashid = OINOHashid;

package/dist/cjs/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OINOHashid = void 0;
+var OINOHashid_js_1 = require("./OINOHashid.js");
+Object.defineProperty(exports, "OINOHashid", { enumerable: true, get: function () { return OINOHashid_js_1.OINOHashid; } });

package/dist/esm/OINOHashid.js

@@ -0,0 +1,99 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+import { createCipheriv, createDecipheriv, createHmac, randomFillSync } from 'node:crypto';
+import basex from 'base-x';
+const HASHID_MIN_LENGTH = 12;
+const HASHID_MAX_LENGTH = 40;
+const HASHID_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+const hashidEncoder = basex(HASHID_ALPHABET);
+/**
+ * Hashid implementation for OINO API:s for the purpose of making it infeasible to scan
+ * through numeric autoinc keys. It's not a solution to keeping the id secret in insecure
+ * channels, just making it hard enough to not iterate through the entire key space. Half
+ * of the the hashid length is nonce and half cryptotext, i.e. 16 char hashid 8 chars of
+ * base64 encoded nonce ~ 6 bytes or 48 bits of entropy.
+ *
+ */
+export class OINOHashid {
+    _key;
+    _iv;
+    _domainId;
+    _minLength;
+    _randomIds;
+    /**
+     * Hashid constructor
+     *
+     * @param key AES128 key (32 char hex-string)
+     * @param domainId a sufficiently unique domain ID in which row-Id's are unique
+     * @param minLength minimum length of nonce and crypto
+     * @param randomIds whether hash values should remain static per row or random values
+     *
+     */
+    constructor(key, domainId, minLength = HASHID_MIN_LENGTH, randomIds = false) {
+        this._domainId = domainId;
+        if ((minLength < HASHID_MIN_LENGTH) || (minLength > HASHID_MAX_LENGTH)) {
+            throw Error("OINOHashid minLength needs to be between " + HASHID_MIN_LENGTH + " and " + HASHID_MAX_LENGTH + "!");
+        }
+        this._minLength = Math.ceil(minLength / 2);
+        if (key.length != 32) {
+            throw Error("OINOHashid key needs to be a 32 character hex-string!");
+        }
+        this._randomIds = randomIds;
+        this._key = Buffer.from(key, 'hex');
+        this._iv = new Buffer(16);
+    }
+    /**
+     * Encode given id value as a hashid either using random data or given seed value for nonce.
+     *
+     * @param id numeric value
+     * @param cellSeed a sufficiently unique seed for the current cell to keep hashids unique but persistent (e.g. fieldname + primarykey values)
+     *
+     */
+    encode(id, cellSeed = "") {
+        // if seed was given use it for pseudorandom chars, otherwise generate them
+        let random_chars = "";
+        if (this._randomIds) {
+            randomFillSync(this._iv, 0, 16);
+            random_chars = hashidEncoder.encode(this._iv); // this._iv.toString('base64url')
+        }
+        else {
+            const hmac_seed = createHmac('sha1', this._key);
+            hmac_seed.update(this._domainId + " " + cellSeed);
+            random_chars = hashidEncoder.encode(hmac_seed.digest()); // hmac_seed.digest('base64url')
+        }
+        const hmac = createHmac('sha1', this._key);
+        let iv_seed = random_chars.substring(0, this._minLength);
+        hmac.update(this._domainId + " " + iv_seed);
+        const iv_data = hmac.digest();
+        iv_data.copy(this._iv, 0, 0, 16);
+        let plaintext = id.toString();
+        if (plaintext.length < this._minLength) {
+            plaintext += " " + random_chars.substring(random_chars.length - (this._minLength - plaintext.length - 1));
+        }
+        const cipher = createCipheriv('aes-128-gcm', this._key, this._iv);
+        const cryptotext = hashidEncoder.encode(cipher.update(plaintext, 'utf8')) + hashidEncoder.encode(cipher.final());
+        return iv_seed + cryptotext;
+    }
+    /**
+     * Decode given hashid.
+     *
+     * @param hashid value
+     *
+     */
+    decode(hashid) {
+        // reproduce nonce from seed
+        const hmac = createHmac('sha1', this._key);
+        const iv_seed = hashid.substring(0, this._minLength);
+        hmac.update(this._domainId + " " + iv_seed);
+        const hash = hmac.digest();
+        hash.copy(this._iv, 0, 0, 16);
+        const cryptotext = hashid.substring(this._minLength);
+        const cryptobytes = new Buffer(hashidEncoder.decode(cryptotext));
+        const decipher = createDecipheriv('aes-128-gcm', this._key, this._iv);
+        const plaintext = decipher.update(cryptobytes, undefined, 'utf8'); //, cryptotext, 'base64url', 'utf8') 
+        return plaintext.split(" ")[0];
+    }
+}

package/dist/esm/index.js

@@ -0,0 +1 @@
+export { OINOHashid } from "./OINOHashid.js";

package/dist/types/OINOHashid.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Hashid implementation for OINO API:s for the purpose of making it infeasible to scan
+ * through numeric autoinc keys. It's not a solution to keeping the id secret in insecure
+ * channels, just making it hard enough to not iterate through the entire key space. Half
+ * of the the hashid length is nonce and half cryptotext, i.e. 16 char hashid 8 chars of
+ * base64 encoded nonce ~ 6 bytes or 48 bits of entropy.
+ *
+ */
+export declare class OINOHashid {
+    private _key;
+    private _iv;
+    private _domainId;
+    private _minLength;
+    private _randomIds;
+    /**
+     * Hashid constructor
+     *
+     * @param key AES128 key (32 char hex-string)
+     * @param domainId a sufficiently unique domain ID in which row-Id's are unique
+     * @param minLength minimum length of nonce and crypto
+     * @param randomIds whether hash values should remain static per row or random values
+     *
+     */
+    constructor(key: string, domainId: string, minLength?: number, randomIds?: boolean);
+    /**
+     * Encode given id value as a hashid either using random data or given seed value for nonce.
+     *
+     * @param id numeric value
+     * @param cellSeed a sufficiently unique seed for the current cell to keep hashids unique but persistent (e.g. fieldname + primarykey values)
+     *
+     */
+    encode(id: string, cellSeed?: string): string;
+    /**
+     * Decode given hashid.
+     *
+     * @param hashid value
+     *
+     */
+    decode(hashid: string): string;
+}

package/dist/types/index.d.ts

@@ -0,0 +1 @@
+export { OINOHashid } from "./OINOHashid.js";

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@oino-ts/hashid",
+  "version": "0.0.11",
+  "description": "OINO TS package for hashid's.",
+  "author": "Matias Kiviniemi (pragmatta)",
+  "license": "MPL-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pragmatta/oino-ts.git"
+  },
+  "keywords": [
+    "hashid",
+    "typescript",
+    "library"
+  ],
+  "main": "./dist/cjs/index.js",
+  "module": "./dist/esm/index.js",
+  "types": "./dist/types/index.d.ts",
+  "dependencies": {
+    "@types/node": "^20.12.7",
+    "@oino-ts/types": "^0.0.11",
+    "base-x": "5.0.0"
+  },
+  "devDependencies": {
+  },
+  "files": [
+    "src/*.ts",
+    "dist/cjs/*.js",
+    "dist/esm/*.js",
+    "dist/types/*.d.ts"
+  ]
+}

package/src/OINOHashid.test.ts

@@ -0,0 +1,48 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+import { expect, test } from "bun:test";
+
+import { OINOHashid } from "./OINOHashid";
+import { OINOLog, OINOConsoleLog, OINOLogLevel } from "@oino-ts/log"
+
+Math.random()
+
+OINOLog.setLogger(new OINOConsoleLog(OINOLogLevel.error))
+
+test("OINOHashId persistent", async () => {
+    for (let j=12; j<=40; j++) {
+        const hashid:OINOHashid = new OINOHashid('c7a87c6a5df870842eb6ef6d7937f0b4', 'OINOHashIdTestApp-persistent', j) 
+        let i:number = 1
+        let id:string = ''
+        while (i <= j) {
+            id += i % 10
+            const hashed_id = hashid.encode(id, '')
+            const id2 = hashid.decode(hashed_id)
+            // console.log("j: " + j + ", i: " + i + ", id: " + id + ", hashed_id: " + hashed_id + ", id2: " + id2)
+            expect(id).toMatch(id2)
+            i++
+        }
+    }
+    
+})
+    
+test("OINOHashId random", async () => {
+    for (let j=12; j<=40; j++) {
+        const hashid:OINOHashid = new OINOHashid('c7a87c6a5df870842eb6ef6d7937f0b4', 'OINOHashIdTestApp-random', j, true) 
+        let i:number = 1
+        let id:string = ''
+        while (i <= j) {
+            id += i % 10
+            const hashed_id = hashid.encode(id, '')
+            const id2 = hashid.decode(hashed_id)
+            // console.log("j: " + j + ", i: " + i + ", id: " + id + ", hashed_id: " + hashed_id + ", id2: " + id2)
+            expect(id).toMatch(id2)
+            i++
+        }
+    }
+    
+})

package/src/OINOHashid.ts

@@ -0,0 +1,113 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/.
+ */
+
+import { createCipheriv, createDecipheriv, createHmac, randomFillSync } from 'node:crypto';
+import basex from 'base-x'
+
+const HASHID_MIN_LENGTH:number = 12
+const HASHID_MAX_LENGTH:number = 40
+const HASHID_ALPHABET:string = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+const hashidEncoder = basex(HASHID_ALPHABET)
+
+/**
+ * Hashid implementation for OINO API:s for the purpose of making it infeasible to scan 
+ * through numeric autoinc keys. It's not a solution to keeping the id secret in insecure
+ * channels, just making it hard enough to not iterate through the entire key space. Half 
+ * of the the hashid length is nonce and half cryptotext, i.e. 16 char hashid 8 chars of 
+ * base64 encoded nonce ~ 6 bytes or 48 bits of entropy. 
+ *
+ */
+export class OINOHashid {
+
+    private _key:Buffer
+    private _iv:Buffer
+    private _domainId:string
+    private _minLength:number
+    private _randomIds
+
+    /**
+     * Hashid constructor
+     * 
+     * @param key AES128 key (32 char hex-string)
+     * @param domainId a sufficiently unique domain ID in which row-Id's are unique
+     * @param minLength minimum length of nonce and crypto
+     * @param randomIds whether hash values should remain static per row or random values 
+     * 
+     */
+    constructor (key: string, domainId:string, minLength:number = HASHID_MIN_LENGTH, randomIds:boolean = false) {
+        this._domainId = domainId
+        if ((minLength < HASHID_MIN_LENGTH) || (minLength > HASHID_MAX_LENGTH)) {
+            throw Error("OINOHashid minLength needs to be between " + HASHID_MIN_LENGTH + " and " + HASHID_MAX_LENGTH + "!")
+        }
+        this._minLength = Math.ceil(minLength/2)
+        if (key.length != 32) {
+            throw Error("OINOHashid key needs to be a 32 character hex-string!")
+        }
+        this._randomIds = randomIds
+        this._key = Buffer.from(key, 'hex')
+        this._iv = new Buffer(16)
+    }
+
+    /**
+     * Encode given id value as a hashid either using random data or given seed value for nonce.
+     * 
+     * @param id numeric value
+     * @param cellSeed a sufficiently unique seed for the current cell to keep hashids unique but persistent (e.g. fieldname + primarykey values)
+     * 
+     */
+    encode(id:string, cellSeed:string = ""):string {
+
+        // if seed was given use it for pseudorandom chars, otherwise generate them
+        let random_chars:string = ""
+        if (this._randomIds) {
+            randomFillSync(this._iv, 0, 16)
+            random_chars = hashidEncoder.encode(this._iv) // this._iv.toString('base64url')
+
+        } else {
+            const hmac_seed = createHmac('sha1', this._key)
+            hmac_seed.update(this._domainId + " " + cellSeed)
+            random_chars = hashidEncoder.encode(hmac_seed.digest()) // hmac_seed.digest('base64url')
+        }
+        const hmac = createHmac('sha1', this._key)
+        let iv_seed:string = random_chars.substring(0, this._minLength)
+        hmac.update(this._domainId + " " + iv_seed)
+        const iv_data:Buffer = hmac.digest()
+        iv_data.copy(this._iv, 0, 0, 16) 
+
+        let plaintext = id.toString()
+        if (plaintext.length < this._minLength) {
+            plaintext += " " + random_chars.substring(random_chars.length - (this._minLength - plaintext.length - 1))
+        }
+
+        const cipher = createCipheriv('aes-128-gcm', this._key, this._iv)
+        const cryptotext = hashidEncoder.encode(cipher.update(plaintext, 'utf8')) + hashidEncoder.encode(cipher.final())
+        return iv_seed + cryptotext
+    }
+
+    /**
+     * Decode given hashid.
+     * 
+     * @param hashid value
+     * 
+     */
+    decode(hashid:string):string {
+        // reproduce nonce from seed
+        const hmac = createHmac('sha1', this._key)
+        const iv_seed = hashid.substring(0, this._minLength)
+        hmac.update(this._domainId + " " + iv_seed)
+        const hash:Buffer = hmac.digest()
+        hash.copy(this._iv, 0, 0, 16)
+
+        const cryptotext:string = hashid.substring(this._minLength)
+        const cryptobytes:Buffer = new Buffer(hashidEncoder.decode(cryptotext))
+        const decipher = createDecipheriv('aes-128-gcm', this._key, this._iv)
+        const plaintext = decipher.update(cryptobytes, undefined, 'utf8') //, cryptotext, 'base64url', 'utf8') 
+        
+        return plaintext.split(" ")[0]
+    }
+
+
+}

package/src/index.ts

@@ -0,0 +1 @@
+export { OINOHashid } from "./OINOHashid.js"