npm - authhero - Versions diffs - 8.2.1 → 8.3.0 - Mend

authhero 8.2.1 → 8.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/authhero.cjs +105 -105
package/dist/authhero.d.ts +313 -245
package/dist/authhero.mjs +6391 -6337
package/dist/stats.html +1 -1
package/dist/tsconfig.types.tsbuildinfo +1 -1
package/dist/types/adapters/createEncryptedDataAdapter.d.ts +40 -0
package/dist/types/adapters/index.d.ts +4 -2
package/dist/types/index.d.ts +225 -225
package/dist/types/utils/field-encryption.d.ts +30 -0
package/package.json +3 -3

package/dist/types/adapters/createEncryptedDataAdapter.d.ts CHANGED Viewed

@@ -1,4 +1,19 @@
 import { DataAdapters } from "@authhero/adapter-interfaces";
+import { KeyRing } from "../utils/field-encryption";
+/**
+ * Resolves which key id (if any) a tenant's secrets are encrypted under.
+ * Returning `undefined` uses the ring's default key and produces legacy,
+ * untagged `enc:v1:` ciphertext — byte-compatible with the single-key adapter.
+ *
+ * The canonical use: tag rows owned by the control plane tenant with a
+ * control-plane-only key id, so the same database can hold a tenant's own
+ * secrets (default key) alongside inherited control plane secrets the tenant
+ * operator cannot decrypt.
+ */
+export type EncryptKeyIdResolver = (tenantId: string) => string | undefined;
+interface EncryptionOptions {
+    resolveEncryptKeyId?: EncryptKeyIdResolver;
+}
 /**
  * Wraps a DataAdapters instance so that sensitive credential fields are
  * transparently encrypted on write and decrypted on read. Only the adapters
@@ -16,3 +31,28 @@ import { DataAdapters } from "@authhero/adapter-interfaces";
  * Private keys (keys.pkcs7, dkim_private_key) are intentionally NOT covered.
  */
 export declare function createEncryptedDataAdapter(data: DataAdapters, key: CryptoKey): DataAdapters;
+/**
+ * Like {@link createEncryptedDataAdapter}, but encrypts each tenant's secrets
+ * under a key selected from a {@link KeyRing}. On read, the key is chosen from
+ * the id embedded in the ciphertext, so a single database can mix values
+ * encrypted under different keys.
+ *
+ * `options.resolveEncryptKeyId(tenantId)` decides which key id new ciphertext is
+ * tagged with. Return `undefined` for the ring's default key (legacy untagged
+ * form). The intended use is to tag control plane tenant rows with a
+ * control-plane-only key id so an inheriting tenant can hold the inherited
+ * secrets at rest without being able to decrypt them.
+ *
+ * @example
+ * ```typescript
+ * const adapters = createEncryptedDataAdapterWithKeyRing(base, {
+ *   default: tenantKey,
+ *   keys: { cp: controlPlaneKey },
+ * }, {
+ *   resolveEncryptKeyId: (tenantId) =>
+ *     tenantId === CONTROL_PLANE_TENANT_ID ? "cp" : undefined,
+ * });
+ * ```
+ */
+export declare function createEncryptedDataAdapterWithKeyRing(data: DataAdapters, ring: KeyRing, options?: EncryptionOptions): DataAdapters;
+export {};

package/dist/types/adapters/index.d.ts CHANGED Viewed

@@ -1,3 +1,5 @@
 export * from "./cache";
-export { createEncryptedDataAdapter } from "./createEncryptedDataAdapter";
-export { loadEncryptionKey, encryptField, decryptField, isEncrypted, } from "../utils/field-encryption";
+export { createEncryptedDataAdapter, createEncryptedDataAdapterWithKeyRing, } from "./createEncryptedDataAdapter";
+export type { EncryptKeyIdResolver } from "./createEncryptedDataAdapter";
+export { loadEncryptionKey, encryptField, decryptField, encryptFieldWithRing, decryptFieldWithRing, parseKeyId, isEncrypted, } from "../utils/field-encryption";
+export type { KeyRing } from "../utils/field-encryption";