@tuturuuu/utils 0.0.2 → 0.6.0

package/src/encryption/__tests__/field-encryption.test.ts

@@ -0,0 +1,232 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+import { decryptField, encryptField } from '../encryption-service';
+import { generateWorkspaceKey } from './test-helpers';
+
+describe('encryption-service', () => {
+  // ============================================================================
+  // Field Encryption/Decryption Tests
+  // ============================================================================
+  describe('field encryption/decryption', () => {
+    let workspaceKey: Buffer;
+
+    beforeEach(() => {
+      workspaceKey = generateWorkspaceKey();
+    });
+
+    it('should encrypt and decrypt string field correctly', () => {
+      const plaintext = 'Team Meeting';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle empty strings', () => {
+      const ciphertext = encryptField('', workspaceKey);
+      expect(ciphertext).toBe('');
+
+      const decrypted = decryptField('', workspaceKey);
+      expect(decrypted).toBe('');
+    });
+
+    it('should handle Unicode characters (Vietnamese)', () => {
+      const plaintext = 'Cuộc họp nhóm buổi sáng';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle emoji', () => {
+      const plaintext = '🎉 Birthday Party 🎂';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle long text', () => {
+      const plaintext =
+        'This is a very long description that contains multiple sentences. '.repeat(
+          100
+        );
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should produce different ciphertext for same plaintext (random IV)', () => {
+      const plaintext = 'Same text';
+      const ciphertext1 = encryptField(plaintext, workspaceKey);
+      const ciphertext2 = encryptField(plaintext, workspaceKey);
+
+      expect(ciphertext1).not.toBe(ciphertext2);
+    });
+
+    it('should fail decryption with wrong key and return original (backward compat)', () => {
+      const wrongKey = generateWorkspaceKey();
+      const ciphertext = encryptField('Secret', workspaceKey);
+
+      // With the new try-catch, it returns original ciphertext for backward compatibility
+      const result = decryptField(ciphertext, wrongKey);
+      expect(result).toBe(ciphertext);
+    });
+
+    it('should fail decryption when ciphertext is tampered and return original', () => {
+      const plaintext = 'Sensitive Meeting Notes';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+
+      // Tamper with a byte in the middle of the ciphertext
+      const midIndex = Math.floor(ciphertext.length / 2);
+      const originalChar = ciphertext[midIndex];
+      // Guarantee the new char is different from the original
+      const tamperedChar = originalChar === 'A' ? 'B' : 'A';
+      const tamperedCiphertext =
+        ciphertext.slice(0, midIndex) +
+        tamperedChar +
+        ciphertext.slice(midIndex + 1);
+
+      // Ensure we actually changed something
+      expect(tamperedCiphertext).not.toBe(ciphertext);
+      expect(tamperedCiphertext.length).toBe(ciphertext.length);
+
+      // With try-catch wrapper, should return original ciphertext
+      const result = decryptField(tamperedCiphertext, workspaceKey);
+      expect(result).toBe(tamperedCiphertext);
+    });
+
+    it('should handle special characters', () => {
+      const plaintext = '!@#$%^&*()_+-=[]{}|;:\'",.<>?/\\`~';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle newlines and tabs', () => {
+      const plaintext = 'Line 1\nLine 2\tTabbed\rCarriage return';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle mixed languages', () => {
+      const plaintext = 'English 日本語 العربية עברית';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle null bytes', () => {
+      const plaintext = 'Before\x00After';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+  });
+
+  // ============================================================================
+  // Key Validation Tests
+  // ============================================================================
+  describe('key validation', () => {
+    it('should throw error for non-Buffer workspace key', () => {
+      expect(() => {
+        encryptField('test', 'not-a-buffer' as unknown as Buffer);
+      }).toThrow('Invalid workspaceKey: expected Buffer, got string');
+    });
+
+    it('should throw error for wrong key length', () => {
+      const shortKey = Buffer.alloc(16); // 128 bits instead of 256
+
+      expect(() => {
+        encryptField('test', shortKey);
+      }).toThrow(
+        'Invalid workspaceKey: expected 32 bytes for AES-256, got 16 bytes'
+      );
+    });
+
+    it('should throw error for too long key', () => {
+      const longKey = Buffer.alloc(64); // 512 bits
+
+      expect(() => {
+        encryptField('test', longKey);
+      }).toThrow(
+        'Invalid workspaceKey: expected 32 bytes for AES-256, got 64 bytes'
+      );
+    });
+
+    it('should accept valid 32-byte key', () => {
+      const validKey = generateWorkspaceKey();
+      expect(() => {
+        encryptField('test', validKey);
+      }).not.toThrow();
+    });
+
+    it('should throw for null workspace key', () => {
+      expect(() => {
+        encryptField('test', null as unknown as Buffer);
+      }).toThrow('Invalid workspaceKey: expected Buffer, got object');
+    });
+
+    it('should throw for undefined workspace key', () => {
+      expect(() => {
+        encryptField('test', undefined as unknown as Buffer);
+      }).toThrow('Invalid workspaceKey: expected Buffer, got undefined');
+    });
+
+    it('should throw for array workspace key', () => {
+      expect(() => {
+        encryptField('test', [1, 2, 3] as unknown as Buffer);
+      }).toThrow('Invalid workspaceKey: expected Buffer, got object');
+    });
+  });
+
+  // ============================================================================
+  // Decryption Error Handling Tests
+  // ============================================================================
+  describe('decryption error handling', () => {
+    let workspaceKey: Buffer;
+
+    beforeEach(() => {
+      workspaceKey = generateWorkspaceKey();
+    });
+
+    it('should return original for too-short ciphertext', () => {
+      const shortCiphertext = 'abc'; // Too short to be valid encrypted data
+
+      const result = decryptField(shortCiphertext, workspaceKey);
+      expect(result).toBe(shortCiphertext);
+    });
+
+    it('should return original for invalid base64', () => {
+      // Invalid base64 will decode to something short
+      const invalidBase64 = '!!!invalid!!!';
+
+      const result = decryptField(invalidBase64, workspaceKey);
+      expect(result).toBe(invalidBase64);
+    });
+
+    it('should return original for corrupted auth tag', () => {
+      const plaintext = 'Secret data';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+
+      // Corrupt the last few characters (auth tag area)
+      const corrupted = `${ciphertext.slice(0, -4)}XXXX`;
+
+      const result = decryptField(corrupted, workspaceKey);
+      expect(result).toBe(corrupted);
+    });
+
+    it('should handle extremely long ciphertext gracefully', () => {
+      const plaintext = 'x'.repeat(100000);
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+  });
+});

package/src/encryption/__tests__/key-generation.test.ts

@@ -0,0 +1,30 @@
+import { describe, expect, it } from 'vitest';
+import { generateWorkspaceKey } from '../encryption-service';
+
+describe('encryption-service', () => {
+  describe('generateWorkspaceKey', () => {
+    it('should generate a 256-bit key', () => {
+      const key = generateWorkspaceKey();
+      expect(key).toBeInstanceOf(Buffer);
+      expect(key.length).toBe(32); // 256 bits = 32 bytes
+    });
+
+    it('should generate unique keys each time', () => {
+      const key1 = generateWorkspaceKey();
+      const key2 = generateWorkspaceKey();
+      expect(key1.equals(key2)).toBe(false);
+    });
+
+    it('should generate cryptographically random keys', () => {
+      // Generate multiple keys and ensure they have reasonable entropy
+      const keys: Buffer[] = [];
+      for (let i = 0; i < 10; i++) {
+        keys.push(generateWorkspaceKey());
+      }
+
+      // All keys should be unique
+      const uniqueKeys = new Set(keys.map((k) => k.toString('hex')));
+      expect(uniqueKeys.size).toBe(10);
+    });
+  });
+});

package/src/encryption/__tests__/performance-edge-cases.test.ts

@@ -0,0 +1,187 @@
+import { beforeEach, describe, expect, it } from 'vitest';
+import {
+  decryptCalendarEventFields,
+  decryptField,
+  decryptWorkspaceKey,
+  encryptCalendarEventFields,
+  encryptField,
+  encryptWorkspaceKey,
+} from '../encryption-service';
+import {
+  generateWorkspaceKey,
+  setupEncryptionEnv,
+  TEST_MASTER_KEY,
+} from './test-helpers';
+
+const SCRYPT_COVERAGE_TIMEOUT_MS = 30_000;
+
+describe('encryption-service', () => {
+  setupEncryptionEnv();
+
+  // ============================================================================
+  // Concurrency and Performance Tests
+  // ============================================================================
+  describe('concurrency and performance', () => {
+    it('should handle concurrent encryptions', async () => {
+      const workspaceKey = generateWorkspaceKey();
+      const plaintexts = Array.from({ length: 100 }, (_, i) => `Message ${i}`);
+
+      const encryptions = plaintexts.map((pt) =>
+        Promise.resolve(encryptField(pt, workspaceKey))
+      );
+      const ciphertexts = await Promise.all(encryptions);
+
+      // All ciphertexts should be unique
+      const uniqueCiphertexts = new Set(ciphertexts);
+      expect(uniqueCiphertexts.size).toBe(100);
+
+      // All should decrypt correctly
+      ciphertexts.forEach((ct, i) => {
+        const decrypted = decryptField(ct, workspaceKey);
+        expect(decrypted).toBe(`Message ${i}`);
+      });
+    });
+
+    it('should handle concurrent key generations', async () => {
+      const generations = Array.from({ length: 100 }, () =>
+        Promise.resolve(generateWorkspaceKey())
+      );
+      const keys = await Promise.all(generations);
+
+      // All keys should be unique
+      const uniqueKeys = new Set(keys.map((k) => k.toString('hex')));
+      expect(uniqueKeys.size).toBe(100);
+
+      // All should be valid 32-byte keys
+      keys.forEach((key) => {
+        expect(key.length).toBe(32);
+      });
+    });
+
+    it(
+      'should benefit from key derivation cache',
+      async () => {
+        const workspaceKey = generateWorkspaceKey();
+
+        // Verify cache is working: multiple calls complete without error
+        // and produce valid encrypted output (deterministic check instead of timing)
+        const encrypted1 = await encryptWorkspaceKey(
+          workspaceKey,
+          TEST_MASTER_KEY
+        );
+        const encrypted2 = await encryptWorkspaceKey(
+          workspaceKey,
+          TEST_MASTER_KEY
+        );
+
+        // Both should be valid base64 strings
+        expect(encrypted1).toMatch(/^[A-Za-z0-9+/]+=*$/);
+        expect(encrypted2).toMatch(/^[A-Za-z0-9+/]+=*$/);
+
+        // Each encryption produces different ciphertext (random IV)
+        expect(encrypted1).not.toBe(encrypted2);
+
+        // Both should decrypt to the same key
+        const decrypted1 = await decryptWorkspaceKey(
+          encrypted1,
+          TEST_MASTER_KEY
+        );
+        const decrypted2 = await decryptWorkspaceKey(
+          encrypted2,
+          TEST_MASTER_KEY
+        );
+        expect(decrypted1.equals(workspaceKey)).toBe(true);
+        expect(decrypted2.equals(workspaceKey)).toBe(true);
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+  });
+
+  // ============================================================================
+  // Edge Cases and Boundary Tests
+  // ============================================================================
+  describe('edge cases', () => {
+    let workspaceKey: Buffer;
+
+    beforeEach(() => {
+      workspaceKey = generateWorkspaceKey();
+    });
+
+    it('should handle maximum safe string length', () => {
+      // Test with a reasonably large string (1MB)
+      const largePlaintext = 'a'.repeat(1024 * 1024);
+      const ciphertext = encryptField(largePlaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(largePlaintext);
+    });
+
+    it('should handle single character', () => {
+      const plaintext = 'x';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle only whitespace', () => {
+      const plaintext = '   \t\n   ';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle extremely long location', () => {
+      const event = {
+        title: 'Meeting',
+        description: 'Desc',
+        location: 'Room '.repeat(10000),
+      };
+
+      const encrypted = encryptCalendarEventFields(event, workspaceKey);
+      const decrypted = decryptCalendarEventFields(encrypted, workspaceKey);
+
+      expect(decrypted.location).toBe(event.location);
+    });
+
+    it('should handle HTML content', () => {
+      const plaintext = '<script>alert("xss")</script><b>Bold</b>';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle JSON content', () => {
+      const plaintext = JSON.stringify({
+        key: 'value',
+        nested: { array: [1, 2, 3] },
+      });
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+      expect(JSON.parse(decrypted)).toEqual({
+        key: 'value',
+        nested: { array: [1, 2, 3] },
+      });
+    });
+
+    it('should handle URL content', () => {
+      const plaintext = 'https://example.com/path?query=value&other=123#hash';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+
+    it('should handle markdown content', () => {
+      const plaintext = '# Heading\n\n**bold** _italic_ `code`\n\n- list item';
+      const ciphertext = encryptField(plaintext, workspaceKey);
+      const decrypted = decryptField(ciphertext, workspaceKey);
+
+      expect(decrypted).toBe(plaintext);
+    });
+  });
+});

package/src/encryption/__tests__/test-helpers.ts

@@ -0,0 +1,22 @@
+import { afterEach, beforeEach } from 'vitest';
+import { generateWorkspaceKey } from '../encryption-service';
+
+export const TEST_MASTER_KEY = 'test-master-key-for-unit-testing-only';
+
+export function setupEncryptionEnv() {
+  let originalEnv: string | undefined;
+
+  beforeEach(() => {
+    originalEnv = process.env.ENCRYPTION_MASTER_KEY;
+  });
+
+  afterEach(() => {
+    if (originalEnv !== undefined) {
+      process.env.ENCRYPTION_MASTER_KEY = originalEnv;
+    } else {
+      delete process.env.ENCRYPTION_MASTER_KEY;
+    }
+  });
+}
+
+export { generateWorkspaceKey };

package/src/encryption/__tests__/workspace-key-encryption.test.ts

@@ -0,0 +1,129 @@
+import { describe, expect, it } from 'vitest';
+import {
+  decryptWorkspaceKey,
+  encryptWorkspaceKey,
+} from '../encryption-service';
+import {
+  generateWorkspaceKey,
+  setupEncryptionEnv,
+  TEST_MASTER_KEY,
+} from './test-helpers';
+
+const SCRYPT_COVERAGE_TIMEOUT_MS = 30_000;
+
+describe('encryption-service', () => {
+  setupEncryptionEnv();
+
+  describe('workspace key encryption/decryption', () => {
+    it(
+      'should encrypt and decrypt workspace key correctly',
+      async () => {
+        const originalKey = generateWorkspaceKey();
+        const encryptedKey = await encryptWorkspaceKey(
+          originalKey,
+          TEST_MASTER_KEY
+        );
+
+        expect(encryptedKey).toBeTruthy();
+        expect(typeof encryptedKey).toBe('string');
+
+        const decryptedKey = await decryptWorkspaceKey(
+          encryptedKey,
+          TEST_MASTER_KEY
+        );
+        expect(decryptedKey.equals(originalKey)).toBe(true);
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+
+    it(
+      'should produce different ciphertext for same key (random IV)',
+      async () => {
+        const key = generateWorkspaceKey();
+        const encrypted1 = await encryptWorkspaceKey(key, TEST_MASTER_KEY);
+        const encrypted2 = await encryptWorkspaceKey(key, TEST_MASTER_KEY);
+
+        expect(encrypted1).not.toBe(encrypted2);
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+
+    it(
+      'should fail decryption with wrong master key',
+      async () => {
+        const key = generateWorkspaceKey();
+        const encryptedKey = await encryptWorkspaceKey(key, TEST_MASTER_KEY);
+
+        await expect(
+          decryptWorkspaceKey(encryptedKey, 'wrong-master-key')
+        ).rejects.toThrow();
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+
+    it(
+      'should handle different master key lengths',
+      async () => {
+        const key = generateWorkspaceKey();
+
+        // Short master key
+        const shortMasterKey = 'short';
+        const encrypted1 = await encryptWorkspaceKey(key, shortMasterKey);
+        const decrypted1 = await decryptWorkspaceKey(
+          encrypted1,
+          shortMasterKey
+        );
+        expect(decrypted1.equals(key)).toBe(true);
+
+        // Long master key
+        const longMasterKey = 'a'.repeat(256);
+        const encrypted2 = await encryptWorkspaceKey(key, longMasterKey);
+        const decrypted2 = await decryptWorkspaceKey(encrypted2, longMasterKey);
+        expect(decrypted2.equals(key)).toBe(true);
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+
+    it(
+      'should produce valid base64 encoded output',
+      async () => {
+        const key = generateWorkspaceKey();
+        const encrypted = await encryptWorkspaceKey(key, TEST_MASTER_KEY);
+
+        // Should be valid base64
+        expect(() => Buffer.from(encrypted, 'base64')).not.toThrow();
+
+        // Decoded buffer should have minimum length (IV + ciphertext + authTag)
+        const decoded = Buffer.from(encrypted, 'base64');
+        expect(decoded.length).toBeGreaterThanOrEqual(12 + 32 + 16); // IV + key + tag
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+
+    it(
+      'should fail on corrupted encrypted key',
+      async () => {
+        const key = generateWorkspaceKey();
+        const encrypted = await encryptWorkspaceKey(key, TEST_MASTER_KEY);
+
+        // Corrupt the encrypted data by modifying the auth tag (last 16 bytes)
+        // This guarantees decryption will fail because AES-GCM uses auth tag for integrity
+        const decoded = Buffer.from(encrypted, 'base64');
+        // Flip bits in the auth tag (last 16 bytes) - decoded is guaranteed to have min size
+        const lastIdx = decoded.length - 1;
+        const secondLastIdx = decoded.length - 2;
+        decoded.writeUInt8(decoded.readUInt8(lastIdx) ^ 0xff, lastIdx);
+        decoded.writeUInt8(
+          decoded.readUInt8(secondLastIdx) ^ 0xff,
+          secondLastIdx
+        );
+        const corrupted = decoded.toString('base64');
+
+        await expect(
+          decryptWorkspaceKey(corrupted, TEST_MASTER_KEY)
+        ).rejects.toThrow();
+      },
+      SCRYPT_COVERAGE_TIMEOUT_MS
+    );
+  });
+});