@tstdl/base 0.93.178 → 0.93.180

package/testing/integration-setup.js

@@ -59,6 +59,7 @@ import { AuthenticationApiClient } from '../authentication/client/api.client.js'
 import { configureAuthenticationClient } from '../authentication/client/index.js';
 import { AuthenticationApiController, configureAuthenticationServer } from '../authentication/server/index.js';
 import { configurePostgresCircuitBreaker } from '../circuit-breaker/postgres/module.js';
+import { configureSecrets } from '../cryptography/module.js';
 import { configureDocumentManagement } from '../document-management/server/index.js';
 import { configureUndiciHttpClientAdapter } from '../http/client/adapters/undici.adapter.js';
 import { configureHttpClient } from '../http/client/index.js';
@@ -128,118 +129,140 @@ export async function setupIsolatedIntegrationTest(options = {}) {
         database: configParser.string('DATABASE_NAME', 'tstdl'),
         ...options.dbConfig,
     };
+    const schema = options.orm?.schema ?? 'test';
+    configureSecrets({ key: 'tstdl-unit-tests' });
     // 4. Configure ORM
     // We disable autoMigrate here because APPLICATION_INITIALIZER is not used in integration tests
     // We manually run migrations via bootstrapOrm below
     configureOrm({
-        repositoryConfig: { schema: options.orm?.schema ?? 'test' },
+        repositoryConfig: { schema },
         connection: dbConfig,
-        encryptionSecret: options.orm?.encryptionSecret,
         injector,
     });
     // 5. Database Resolution
     // We resolve the DB here to allow for immediate schema operations below
     const database = injector.resolve(Database);
-    await runMigrationSafely(database, async () => {
-        // 6. Schema Setup Helper
-        // Automatically create the schema if a specific one was requested
+    for (const provider of options.providers ?? []) {
+        injector.register(provider.provide, provider, { multi: provider.multi });
+    }
+    // 7. Optional Modules
+    if (options.modules?.messageBus ?? options.modules?.taskQueue ?? options.modules?.authentication ?? options.modules?.notification) {
+        configureLocalMessageBus({ injector });
+    }
+    if (options.modules?.taskQueue) {
+        configurePostgresTaskQueue({ injector });
+    }
+    if (options.modules?.circuitBreaker ?? options.modules?.taskQueue) {
+        configurePostgresCircuitBreaker({ injector });
+    }
+    if (options.modules?.rateLimiter ?? options.modules?.taskQueue ?? options.modules?.authentication) {
+        configurePostgresRateLimiter({ injector });
+    }
+    if (options.modules?.keyValueStore ?? options.modules?.authentication) {
+        configurePostgresKeyValueStore({ injector });
+    }
+    if (options.modules?.lock ?? options.modules?.authentication) {
+        configurePostgresLock({ injector });
+    }
+    if (options.modules?.signals ?? options.modules?.authentication ?? options.modules?.notification) {
+        configureDefaultSignalsImplementation();
+    }
+    if (options.modules?.audit ?? options.modules?.authentication) {
+        configureAudit({ injector });
+    }
+    if (options.modules?.authentication) {
+        configureSecrets({ key: 'test-secret', injector });
+        const fastHashDeriveOptions = {
+            algorithm: {
+                name: 'Argon2id',
+                memory: 1024, // 1 MiB
+                parallelism: 1,
+                passes: 1,
+            },
+        };
+        const fastTotpHashingOptions = {
+            codeHashAlgorithm: 'SHA-1',
+            recoveryCodeHashOptions: {
+                algorithm: fastHashDeriveOptions.algorithm,
+                length: 64,
+            },
+        };
+        configureAuthenticationServer({
+            serviceOptions: {
+                passwordHashing: fastHashDeriveOptions,
+                totp: fastTotpHashingOptions,
+                ...options.authentication?.options,
+            },
+            authenticationAncillaryService: options.authentication?.ancillaryService,
+            injector,
+        });
+    }
+    if (options.modules?.notification) {
+        configureNotification({ injector });
+    }
+    if (options.modules?.documentManagement) {
+        configureDocumentManagement({
+            ancillaryService: undefined, // Should be overridden by test if needed
+            authorizationService: undefined, // Should be overridden by test if needed
+            fileObjectStorageModule: 'docs',
+            fileUploadObjectStorageModule: 'uploads',
+            filePreviewObjectStorageModule: 'previews',
+            skipAi: true,
+            injector,
+        });
+    }
+    if (options.modules?.objectStorage) {
+        const bucketPerModule = options.s3?.bucketPerModule ?? configParser.boolean('S3_BUCKET_PER_MODULE', true);
+        configureS3ObjectStorage({
+            endpoint: options.s3?.endpoint ?? configParser.string('S3_ENDPOINT', 'http://127.0.0.1:19552'),
+            accessKey: options.s3?.accessKey ?? configParser.string('S3_ACCESS_KEY', 'tstdl-dev'),
+            secretKey: options.s3?.secretKey ?? configParser.string('S3_SECRET_KEY', 'tstdl-dev'),
+            bucket: bucketPerModule ? undefined : (options.s3?.bucket ?? configParser.string('S3_BUCKET', 'test-bucket')),
+            bucketPerModule,
+            region: options.s3?.region ?? configParser.string('S3_REGION', 'us-east-1'),
+            forcePathStyle: options.s3?.forcePathStyle ?? configParser.boolean('S3_FORCE_PATH_STYLE', true),
+            injector,
+        });
+    }
+    if (options.modules?.api ?? options.modules?.authentication) {
+        configureNodeHttpServer({ trustedProxiesCount: 0, injector });
+        configureApiServer({ controllers: [AuthenticationApiController], injector });
+        configureUndiciHttpClientAdapter({ injector });
+        configureAuthenticationClient({
+            authenticationApiClient: AuthenticationApiClient,
+            registerMiddleware: true,
+        }, injector);
+        if (options.modules.webServer ?? options.modules.api ?? options.modules.authentication) {
+            const port = options.api?.port ?? 0;
+            configureWebServerModule({ port, injector });
+        }
+    }
+    await runMigrationSafely(database, schema, async () => {
         if (isDefined(options.orm?.schema)) {
             await database.execute(sql `CREATE SCHEMA IF NOT EXISTS ${sql.identifier(options.orm.schema)}`);
         }
-        // 7. Optional Modules
-        if (options.modules?.messageBus ?? options.modules?.taskQueue ?? options.modules?.authentication ?? options.modules?.notification) {
-            configureLocalMessageBus({ injector });
-        }
-        if (options.modules?.taskQueue) {
-            configurePostgresTaskQueue({ injector });
-        }
-        if (options.modules?.circuitBreaker ?? options.modules?.taskQueue) {
-            configurePostgresCircuitBreaker({ injector });
-        }
-        if (options.modules?.rateLimiter ?? options.modules?.taskQueue) {
-            configurePostgresRateLimiter({ injector });
-        }
-        if (options.modules?.keyValueStore ?? options.modules?.authentication) {
-            configurePostgresKeyValueStore({ injector });
-        }
-        if (options.modules?.lock ?? options.modules?.authentication) {
-            configurePostgresLock({ injector });
-        }
-        if (options.modules?.signals ?? options.modules?.authentication ?? options.modules?.notification) {
-            configureDefaultSignalsImplementation();
-        }
-        if (options.modules?.audit ?? options.modules?.authentication) {
-            configureAudit({ injector });
-        }
-        if (options.modules?.authentication) {
-            configureAuthenticationServer({
-                serviceOptions: {
-                    secret: 'test-secret',
-                    hashIterations: 10,
-                    signingSecretsDerivationIterations: 10,
-                },
-                authenticationAncillaryService: options.authenticationAncillaryService,
-                injector,
-            });
-        }
-        if (options.modules?.notification) {
-            configureNotification({ injector });
-        }
-        if (options.modules?.documentManagement) {
-            configureDocumentManagement({
-                ancillaryService: undefined, // Should be overridden by test if needed
-                authorizationService: undefined, // Should be overridden by test if needed
-                fileObjectStorageModule: 'docs',
-                fileUploadObjectStorageModule: 'uploads',
-                filePreviewObjectStorageModule: 'previews',
-                skipAi: true,
-                injector,
-            });
-        }
         await runInInjectionContext(injector, bootstrapOrm);
-        if (options.modules?.objectStorage) {
-            const bucketPerModule = options.s3?.bucketPerModule ?? configParser.boolean('S3_BUCKET_PER_MODULE', true);
-            configureS3ObjectStorage({
-                endpoint: options.s3?.endpoint ?? configParser.string('S3_ENDPOINT', 'http://127.0.0.1:19552'),
-                accessKey: options.s3?.accessKey ?? configParser.string('S3_ACCESS_KEY', 'tstdl-dev'),
-                secretKey: options.s3?.secretKey ?? configParser.string('S3_SECRET_KEY', 'tstdl-dev'),
-                bucket: bucketPerModule ? undefined : (options.s3?.bucket ?? configParser.string('S3_BUCKET', 'test-bucket')),
-                bucketPerModule,
-                region: options.s3?.region ?? configParser.string('S3_REGION', 'us-east-1'),
-                forcePathStyle: options.s3?.forcePathStyle ?? configParser.boolean('S3_FORCE_PATH_STYLE', true),
-                injector,
-            });
-        }
-        if (options.modules?.api ?? options.modules?.authentication) {
-            configureNodeHttpServer({ trustedProxiesCount: 0, injector });
-            configureApiServer({ controllers: [AuthenticationApiController], injector });
-            configureUndiciHttpClientAdapter({ injector });
-            configureAuthenticationClient({
-                authenticationApiClient: AuthenticationApiClient,
-                registerMiddleware: true,
-            }, injector);
-            if (options.modules.webServer ?? options.modules.api ?? options.modules.authentication) {
-                const port = options.api?.port ?? 0;
-                configureWebServerModule({ port, injector });
-                const webServerModule = await injector.resolveAsync(WebServerModule);
-                const httpServer = await injector.resolveAsync(HttpServer);
-                void webServerModule.run();
-                // Wait for server to be listening
-                while (true) {
-                    try {
-                        if (isNotNull(httpServer.port)) {
-                            break;
-                        }
-                    }
-                    catch {
-                        // ignore
+    });
+    if (options.modules?.api ?? options.modules?.authentication) {
+        if (options.modules.webServer ?? options.modules.api ?? options.modules.authentication) {
+            const webServerModule = await injector.resolveAsync(WebServerModule);
+            const httpServer = await injector.resolveAsync(HttpServer);
+            void webServerModule.run();
+            // Wait for server to be listening
+            while (true) {
+                try {
+                    if (isNotNull(httpServer.port)) {
+                        break;
                     }
-                    await new Promise((resolve) => setTimeout(resolve, 10));
                 }
-                configureHttpClient({ baseUrl: options.api?.baseUrl ?? `http://localhost:${httpServer.port}`, injector });
+                catch {
+                    // ignore
+                }
+                await new Promise((resolve) => setTimeout(resolve, 10));
             }
+            configureHttpClient({ baseUrl: options.api?.baseUrl ?? `http://localhost:${httpServer.port}`, injector });
         }
-    });
+    }
     return { injector, database };
 }
 export const integrationTest = baseTest.extend({
@@ -358,8 +381,8 @@ export async function dropTables(database, schema, tables) {
 /**
  * Helper to run a migration safely with a database advisory lock to prevent race conditions.
  */
-async function runMigrationSafely(database, migration) {
-    const lockName = 'tstdl:migration';
+async function runMigrationSafely(database, schema, migration) {
+    const lockName = `tstdl:migration:${schema}`;
     await runWithAdvisoryLock(database, lockName, migration);
 }
 async function runWithAdvisoryLock(database, lockName, fn) {

package/utils/alphabet.d.ts

@@ -8,6 +8,7 @@ export declare const Alphabet: {
     readonly UpperCaseNumbers: "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
     readonly LowerUpperCaseNumbers: "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
     readonly ZBase32: "ybndrfg8ejkmcpqxot1uwisza345h769";
+    readonly Base32: "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
     readonly LowerCaseHex: "0123456789abcdef";
     readonly UpperCaseHex: "0123456789ABCDEF";
 };

package/utils/alphabet.js

@@ -8,6 +8,7 @@ export const Alphabet = defineEnum('Alphabet', {
     UpperCaseNumbers: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789',
     LowerUpperCaseNumbers: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789',
     ZBase32: 'ybndrfg8ejkmcpqxot1uwisza345h769',
+    Base32: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567',
     LowerCaseHex: '0123456789abcdef',
     UpperCaseHex: '0123456789ABCDEF',
 });

package/utils/base32.d.ts

@@ -0,0 +1,4 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: ok */
+import type { BinaryData } from '../types/index.js';
+export declare function encodeBase32(buffer: BinaryData, padding?: boolean): string;
+export declare function decodeBase32(input: string): Uint8Array<ArrayBuffer>;

package/utils/base32.js

@@ -0,0 +1,49 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: ok */
+import { Alphabet } from './alphabet.js';
+import { toUint8Array } from './binary.js';
+import { assertDefined } from './type-guards.js';
+const alphabet = Alphabet.Base32;
+const charValueMap = new Map(alphabet.split('').map((char, index) => [char, index]));
+export function encodeBase32(buffer, padding = true) {
+    const byteView = toUint8Array(buffer);
+    let result = '';
+    let bits = 0;
+    let value = 0;
+    for (let i = 0; i < byteView.byteLength; i++) {
+        value = (value << 8) | byteView[i];
+        bits += 8;
+        while (bits >= 5) {
+            const quantum = (value >>> (bits - 5)) & 31;
+            result += alphabet[quantum];
+            bits -= 5;
+        }
+    }
+    if (bits > 0) {
+        result += alphabet[(value << (5 - bits)) & 31];
+    }
+    if (padding) {
+        while (result.length % 8 !== 0) {
+            result += '=';
+        }
+    }
+    return result;
+}
+export function decodeBase32(input) {
+    const cleanedInput = input.replace(/=/g, '').toUpperCase();
+    const bytes = new Uint8Array((cleanedInput.length * 5 / 8) | 0);
+    let bits = 0;
+    let value = 0;
+    let byteIndex = 0;
+    for (let i = 0; i < cleanedInput.length; i++) {
+        const char = cleanedInput[i];
+        const charValue = charValueMap.get(char);
+        assertDefined(charValue, `Invalid base32 character at index ${i}.`);
+        value = (value << 5) | charValue;
+        bits += 5;
+        if (bits >= 8) {
+            bytes[byteIndex++] = (value >>> (bits - 8)) & 255;
+            bits -= 8;
+        }
+    }
+    return bytes;
+}

package/utils/base64.d.ts

@@ -12,5 +12,3 @@ export declare function encodeBase64Url(array: BinaryData, bytesOffset?: number,
 export declare function decodeBase64Url(base64Url: string): Uint8Array<ArrayBuffer>;
 export declare function base64ToBase64Url(input: string): string;
 export declare function base64UrlToBase64(input: string): string;
-export declare function utf8ArrayToString(bytes: Uint8Array): string;
-export declare function stringToUtf8Array(string: string): Uint8Array<ArrayBuffer>;

package/utils/base64.js

@@ -44,14 +44,14 @@ export function decodeBase64Url(base64Url) {
 }
 export function base64ToBase64Url(input) {
     return input
-        .replace(/=/ug, '')
-        .replace(/\+/ug, '-')
-        .replace(/\//ug, '_');
+        .replace(/=/g, '')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_');
 }
 export function base64UrlToBase64(input) {
     return input.padEnd(input.length + ((4 - (input.length % 4)) % 4), '=')
-        .replace(/-/ug, '+')
-        .replace(/_/ug, '/');
+        .replace(/-/g, '+')
+        .replace(/_/g, '/');
 }
 function encodeBase64Fallback(data) {
     const bytes = toUint8Array(data);
@@ -69,7 +69,7 @@ function encodeBase64Fallback(data) {
     return base64.substring(0, base64.length - 2 + nMod3) + (nMod3 == 2 ? '' : nMod3 == 1 ? '=' : '==');
 }
 function decodeBase64Fallback(base64, blockSize) {
-    const clearedBase64 = base64.replace(/[^A-Za-z0-9+/]/ug, '');
+    const clearedBase64 = base64.replace(/[^A-Za-z0-9+/]/g, '');
     const inputLength = clearedBase64.length;
     const outputLength = isDefined(blockSize) ? Math.ceil(((inputLength * 3) + 1 >> 2) / blockSize) * blockSize : (inputLength * 3) + 1 >> 2;
     const bytes = new Uint8Array(outputLength);
@@ -87,70 +87,6 @@ function decodeBase64Fallback(base64, blockSize) {
     }
     return bytes;
 }
-export function utf8ArrayToString(bytes) {
-    let string = '';
-    for (let index = 0; index < bytes.length; index++) {
-        const byte = bytes[index];
-        const charCode = byte > 251 && byte < 254 && index + 5 < bytes.length
-            ? ((byte - 252) * 1073741824) + (bytes[++index] - 128 << 24) + (bytes[++index] - 128 << 18) + (bytes[++index] - 128 << 12) + (bytes[++index] - 128 << 6) + bytes[++index] - 128
-            : byte > 247 && byte < 252 && index + 4 < bytes.length
-                ? (byte - 248 << 24) + (bytes[++index] - 128 << 18) + (bytes[++index] - 128 << 12) + (bytes[++index] - 128 << 6) + bytes[++index] - 128
-                : byte > 239 && byte < 248 && index + 3 < bytes.length
-                    ? (byte - 240 << 18) + (bytes[++index] - 128 << 12) + (bytes[++index] - 128 << 6) + bytes[++index] - 128
-                    : byte > 223 && byte < 240 && index + 2 < bytes.length
-                        ? (byte - 224 << 12) + (bytes[++index] - 128 << 6) + bytes[++index] - 128
-                        : byte > 191 && byte < 224 && index + 1 < bytes.length
-                            ? (byte - 192 << 6) + bytes[++index] - 128
-                            : byte;
-        string += String.fromCharCode(charCode);
-    }
-    return string;
-}
-export function stringToUtf8Array(string) {
-    let bytesLength = 0;
-    for (let i = 0; i < string.length; i++) {
-        const char = string.charCodeAt(i);
-        bytesLength += char < 0x80 ? 1 : char < 0x800 ? 2 : char < 0x10000 ? 3 : char < 0x200000 ? 4 : char < 0x4000000 ? 5 : 6;
-    }
-    const bytes = new Uint8Array(bytesLength);
-    for (let byteIndex = 0, charIndex = 0; byteIndex < bytesLength; charIndex++) {
-        const char = string.charCodeAt(charIndex);
-        if (char < 128) {
-            bytes[byteIndex++] = char;
-        }
-        else if (char < 0x800) {
-            bytes[byteIndex++] = 192 + (char >>> 6);
-            bytes[byteIndex++] = 128 + (char & 63);
-        }
-        else if (char < 0x10000) {
-            bytes[byteIndex++] = 224 + (char >>> 12);
-            bytes[byteIndex++] = 128 + ((char >>> 6) & 63);
-            bytes[byteIndex++] = 128 + (char & 63);
-        }
-        else if (char < 0x200000) {
-            bytes[byteIndex++] = 240 + (char >>> 18);
-            bytes[byteIndex++] = 128 + ((char >>> 12) & 63);
-            bytes[byteIndex++] = 128 + ((char >>> 6) & 63);
-            bytes[byteIndex++] = 128 + (char & 63);
-        }
-        else if (char < 0x4000000) {
-            bytes[byteIndex++] = 248 + (char >>> 24);
-            bytes[byteIndex++] = 128 + ((char >>> 18) & 63);
-            bytes[byteIndex++] = 128 + ((char >>> 12) & 63);
-            bytes[byteIndex++] = 128 + ((char >>> 6) & 63);
-            bytes[byteIndex++] = 128 + (char & 63);
-        }
-        else {
-            bytes[byteIndex++] = 252 + (char >>> 30);
-            bytes[byteIndex++] = 128 + ((char >>> 24) & 63);
-            bytes[byteIndex++] = 128 + ((char >>> 18) & 63);
-            bytes[byteIndex++] = 128 + ((char >>> 12) & 63);
-            bytes[byteIndex++] = 128 + ((char >>> 6) & 63);
-            bytes[byteIndex++] = 128 + (char & 63);
-        }
-    }
-    return bytes;
-}
 function uint6ToBase64(nUint6) {
     return nUint6 < 26
         ? nUint6 + 65

package/utils/equals.d.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: low level */
 import type { BinaryData } from '../types/index.js';
 import type { Comparator } from './sort.js';
 export interface Equals<T = unknown> {
@@ -29,9 +30,18 @@ export declare function equals(a: any, b: any, options?: EqualsOptions, __intern
 export declare function binaryEquals(bufferA: BinaryData, bufferB: BinaryData): boolean;
 /**
  * Compares two buffers in a way that is resistant to timing attacks.
- * @param untrusted The first buffer to compare. It's length is used to determine the iterations of the comparison. This should be the untrusted input to minimize information leakage.
- * @param trusted The second buffer to compare. This should be the secret.
+ * It short-circuits on length mismatch. So length is not a secret.
+ * @param a The first buffer to compare.
+ * @param b The second buffer to compare.
  * @returns True if the buffers are equal, false otherwise.
  */
-export declare function timingSafeBinaryEquals(untrusted: BinaryData, trusted: BinaryData): boolean;
+export declare function timingSafeBinaryEquals(a: BinaryData, b: BinaryData): boolean;
+/**
+ * Compares two strings in a way that is resistant to timing attacks.
+ * It short-circuits on length mismatch. So length is not a secret.
+ * @param a The first string to compare. Its length is used to determine the iterations of the comparison.
+ * @param b The second string to compare. This should be the secret.
+ * @returns True if the strings are equal, false otherwise.
+ */
+export declare function timingSafeStringEquals(a: string, b: string): boolean;
 export {};

package/utils/equals.js

@@ -1,6 +1,8 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: low level */
 import { toArray } from './array/array.js';
 import { toUint8Array } from './binary.js';
 import { compareByValue } from './comparison.js';
+import { encodeUtf8 } from './encoding.js';
 import { sort } from './iterable-helpers/sort.js';
 import { objectKeys } from './object/object.js';
 import { isArray, isDefined, isNotNull, isNull } from './type-guards.js';
@@ -116,17 +118,35 @@ export function binaryEquals(bufferA, bufferB) {
 }
 /**
  * Compares two buffers in a way that is resistant to timing attacks.
- * @param untrusted The first buffer to compare. It's length is used to determine the iterations of the comparison. This should be the untrusted input to minimize information leakage.
- * @param trusted The second buffer to compare. This should be the secret.
+ * It short-circuits on length mismatch. So length is not a secret.
+ * @param a The first buffer to compare.
+ * @param b The second buffer to compare.
  * @returns True if the buffers are equal, false otherwise.
  */
-export function timingSafeBinaryEquals(untrusted, trusted) {
-    const a = toUint8Array(untrusted, false);
-    const b = toUint8Array(trusted, false);
-    const compareTarget = (a.length > b.length) ? a : b;
-    let diff = a.length ^ b.length;
-    for (let i = 0; i < a.length; i++) {
-        diff |= a[i] ^ compareTarget[i];
+export function timingSafeBinaryEquals(a, b) {
+    const aArray = toUint8Array(a, false);
+    const bArray = toUint8Array(b, false);
+    if (aArray.length != bArray.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < aArray.length; i++) {
+        diff |= aArray[i] ^ bArray[i];
     }
     return diff == 0;
 }
+/**
+ * Compares two strings in a way that is resistant to timing attacks.
+ * It short-circuits on length mismatch. So length is not a secret.
+ * @param a The first string to compare. Its length is used to determine the iterations of the comparison.
+ * @param b The second string to compare. This should be the secret.
+ * @returns True if the strings are equal, false otherwise.
+ */
+export function timingSafeStringEquals(a, b) {
+    if (a.length != b.length) {
+        return false;
+    }
+    const aBytes = encodeUtf8(a);
+    const bBytes = encodeUtf8(b);
+    return timingSafeBinaryEquals(aBytes, bBytes);
+}

package/utils/index.d.ts

@@ -2,6 +2,7 @@ export * from './alphabet.js';
 export * from './any-iterable-iterator.js';
 export * from './async-iterator-iterable-iterator.js';
 export * from './backoff.js';
+export * from './base32.js';
 export * from './base64.js';
 export * from './benchmark.js';
 export * from './binary-search.js';
@@ -11,7 +12,6 @@ export * from './comparison.js';
 export * from './compression.js';
 export * from './config-parser.js';
 export * from './crc32.js';
-export * from './cryptography.js';
 export * from './date-time.js';
 export * from './encoding.js';
 export * from './enum.js';
@@ -23,7 +23,6 @@ export * from './format.js';
 export * from './helpers.js';
 export * from './html-link-utils.js';
 export * from './image.js';
-export * from './jwt.js';
 export * from './map.js';
 export * from './math.js';
 export * from './merge.js';

package/utils/index.js

@@ -2,6 +2,7 @@ export * from './alphabet.js';
 export * from './any-iterable-iterator.js';
 export * from './async-iterator-iterable-iterator.js';
 export * from './backoff.js';
+export * from './base32.js';
 export * from './base64.js';
 export * from './benchmark.js';
 export * from './binary-search.js';
@@ -11,7 +12,6 @@ export * from './comparison.js';
 export * from './compression.js';
 export * from './config-parser.js';
 export * from './crc32.js';
-export * from './cryptography.js';
 export * from './date-time.js';
 export * from './encoding.js';
 export * from './enum.js';
@@ -23,7 +23,6 @@ export * from './format.js';
 export * from './helpers.js';
 export * from './html-link-utils.js';
 export * from './image.js';
-export * from './jwt.js';
 export * from './map.js';
 export * from './math.js';
 export * from './merge.js';

package/utils/random.d.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: low level */
 /**
  * Generate cryptographically secure random bytes
  *

package/utils/random.js

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: low level */
 import { Alphabet } from './alphabet.js';
 const bufferSize = 20480;
 const bufferBypassThreshold = (bufferSize / 2) + 1;
@@ -31,16 +32,21 @@ export function getRandomBytes(count, allowUnsafe = false) {
  * @param alphabet alphabet to choose characters from. Defaults to {@link Alphabet.LowerUpperCaseNumbers}
  */
 export function getRandomString(length, alphabet = Alphabet.LowerUpperCaseNumbers) {
-    let result = '';
     if (length < 1) {
-        return result;
+        return '';
     }
-    const bytes = getRandomBytes(length * Uint16Array.BYTES_PER_ELEMENT, true);
-    const values = new Uint16Array(bytes.buffer, bytes.byteOffset, length);
-    const factor = alphabet.length / (2 ** (Uint16Array.BYTES_PER_ELEMENT * 8));
-    for (let i = 0; i < length; i++) {
-        const index = Math.floor(values[i] * factor);
-        result += alphabet[index];
+    const alphabetLength = alphabet.length;
+    const mask = (2 << (31 - Math.clz32(alphabetLength - 1))) - 1;
+    const step = Math.ceil((1.6 * mask * length) / alphabetLength);
+    let result = '';
+    while (result.length < length) {
+        const bytes = getRandomBytes(step, true);
+        for (let i = 0; i < bytes.length && result.length < length; i++) {
+            const byte = bytes[i] & mask;
+            if (byte < alphabetLength) {
+                result += alphabet[byte];
+            }
+        }
     }
     return result;
 }

package/authentication/errors/secret-requirements.error.d.ts

@@ -1,5 +0,0 @@
-import { CustomError } from '../../errors/custom.error.js';
-export declare class SecretRequirementsError extends CustomError {
-    static readonly errorName = "SecretRequirementsError";
-    constructor(message?: string);
-}

package/authentication/models/authentication-credentials.model.d.ts

@@ -1,10 +0,0 @@
-import { TenantEntity, type Uuid } from '../../orm/index.js';
-export declare class AuthenticationCredentials extends TenantEntity {
-    subjectId: Uuid;
-    /** The version of the hash algorithm used. */
-    hashVersion: number;
-    /** The salt used to hash the secret. */
-    salt: Uint8Array<ArrayBuffer>;
-    /** The hashed secret. */
-    hash: Uint8Array<ArrayBuffer>;
-}

package/authentication/models/secret-check-result.model.d.ts

@@ -1,3 +0,0 @@
-import { PasswordCheckResult } from '../../password/password-check-result.model.js';
-export declare class SecretCheckResult extends PasswordCheckResult {
-}