authhero 8.2.1 → 8.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/authhero.cjs +105 -105
- package/dist/authhero.d.ts +313 -245
- package/dist/authhero.mjs +6391 -6337
- package/dist/stats.html +1 -1
- package/dist/tsconfig.types.tsbuildinfo +1 -1
- package/dist/types/adapters/createEncryptedDataAdapter.d.ts +40 -0
- package/dist/types/adapters/index.d.ts +4 -2
- package/dist/types/index.d.ts +225 -225
- package/dist/types/utils/field-encryption.d.ts +30 -0
- package/package.json +3 -3
|
@@ -1,6 +1,24 @@
|
|
|
1
1
|
declare const PREFIX = "enc:v1:";
|
|
2
2
|
export type EncryptedField = `${typeof PREFIX}${string}`;
|
|
3
3
|
export declare function isEncrypted(value: string): value is EncryptedField;
|
|
4
|
+
/**
|
|
5
|
+
* A set of AES-256-GCM keys addressable by id. `default` decrypts (and by
|
|
6
|
+
* default encrypts) legacy unkeyed `enc:v1:` values; `keys[id]` handles values
|
|
7
|
+
* tagged with that id (`enc:v1:<id>:`).
|
|
8
|
+
*
|
|
9
|
+
* This is what lets a single database hold ciphertext under more than one key —
|
|
10
|
+
* e.g. a WFP tenant's own secrets under the tenant key and inherited control
|
|
11
|
+
* plane secrets under a control-plane-only key the tenant operator never holds.
|
|
12
|
+
*/
|
|
13
|
+
export interface KeyRing {
|
|
14
|
+
default: CryptoKey;
|
|
15
|
+
keys?: Record<string, CryptoKey>;
|
|
16
|
+
}
|
|
17
|
+
/**
|
|
18
|
+
* The key id a keyed value was encrypted under, or `undefined` for a legacy
|
|
19
|
+
* unkeyed value (or a non-encrypted plaintext).
|
|
20
|
+
*/
|
|
21
|
+
export declare function parseKeyId(value: string): string | undefined;
|
|
4
22
|
/**
|
|
5
23
|
* Imports a base64-encoded 32-byte key as an AES-256-GCM CryptoKey. Throws if
|
|
6
24
|
* the decoded key is not exactly 32 bytes so a misconfigured secret fails loudly
|
|
@@ -18,4 +36,16 @@ export declare function encryptField(plaintext: string, key: CryptoKey): Promise
|
|
|
18
36
|
* prefixed value cannot be decrypted (wrong key or corrupted ciphertext).
|
|
19
37
|
*/
|
|
20
38
|
export declare function decryptField(value: string, key: CryptoKey): Promise<string>;
|
|
39
|
+
/**
|
|
40
|
+
* Encrypts a value using a key ring, optionally tagging it with `keyId` so the
|
|
41
|
+
* same key is selected on read. With no `keyId` the value is encrypted under the
|
|
42
|
+
* ring's default key and is byte-compatible with `encryptField` (legacy form).
|
|
43
|
+
*/
|
|
44
|
+
export declare function encryptFieldWithRing(plaintext: string, ring: KeyRing, keyId?: string): Promise<EncryptedField>;
|
|
45
|
+
/**
|
|
46
|
+
* Decrypts a value using a key ring, selecting the key from the id embedded in
|
|
47
|
+
* the ciphertext (or the default key for legacy unkeyed values). Plaintext
|
|
48
|
+
* values (no `enc:v1:` prefix) are returned unchanged.
|
|
49
|
+
*/
|
|
50
|
+
export declare function decryptFieldWithRing(value: string, ring: KeyRing): Promise<string>;
|
|
21
51
|
export {};
|
package/package.json
CHANGED
|
@@ -11,7 +11,7 @@
|
|
|
11
11
|
"type": "git",
|
|
12
12
|
"url": "https://github.com/markusahlstrand/authhero"
|
|
13
13
|
},
|
|
14
|
-
"version": "8.
|
|
14
|
+
"version": "8.3.0",
|
|
15
15
|
"files": [
|
|
16
16
|
"dist"
|
|
17
17
|
],
|
|
@@ -83,8 +83,8 @@
|
|
|
83
83
|
"sanitize-html": "^2.17.4",
|
|
84
84
|
"xstate": "^5.31.1",
|
|
85
85
|
"@authhero/adapter-interfaces": "3.1.1",
|
|
86
|
-
"@authhero/
|
|
87
|
-
"@authhero/
|
|
86
|
+
"@authhero/proxy": "0.7.1",
|
|
87
|
+
"@authhero/saml": "0.4.2"
|
|
88
88
|
},
|
|
89
89
|
"peerDependencies": {
|
|
90
90
|
"@authhero/widget": "^0.1.0",
|