npm - core-mb - Versions diffs - 1.0.0 → 1.0.2 - Mend

core-mb 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/src/aes.helper.ts DELETED Viewed

@@ -1,101 +0,0 @@
-import * as crypto from "crypto";
-export type PhoneCipherRecord = {
-  // Base64 strings suitable for storage in text columns
-  ciphertext: string; // Encrypted phone number
-  iv: string; // Initialization Vector (nonce) for GCM (12 bytes recommended)
-  authTag: string; // Authentication tag returned by GCM (ensures integrity)
-  hmacIndex: string; // HMAC-SHA256(phoneNormalized) for search/dedup
-};
-const aesKeyB64 = process.env.PHONE_AES_KEY;
-const hmacKeyB64 = process.env.PHONE_HMAC_KEY;
-if (!aesKeyB64 || !hmacKeyB64) {
-  throw new Error(
-    "PHONE_AES_KEY and PHONE_HMAC_KEY must be set (base64-encoded)."
-  );
-}
-const aesKey = Buffer.from(aesKeyB64, "base64");
-const hmacKey = Buffer.from(hmacKeyB64, "base64");
-/** Normalize to a consistent representation (approx. E.164-like):
- * - Keep leading '+' if present
- * - Remove spaces, dashes, parentheses
- * - Remove any non-digit characters except leading '+'
- * - You can adapt to your locale/validation as needed
- */
-function normalize(phoneRaw: string): string {
-  if (!phoneRaw) return "";
-  const trimmed = phoneRaw.trim();
-  const hasPlus = trimmed.startsWith("+");
-  const digitsOnly = trimmed.replace(/[^\d]/g, "");
-  return hasPlus ? `+${digitsOnly}` : digitsOnly; // store either "+855123..." or "0123..."
-}
-/** Create an HMAC index for lookups without revealing the number.
- * Store this alongside the encrypted data and index it in the DB.
- */
-function hmacIndex(phoneRaw: string): string {
-  const normalized = normalize(phoneRaw);
-  const h = crypto.createHmac("sha256", hmacKey);
-  h.update(normalized, "utf8");
-  return h.digest("base64");
-}
-/** Encrypt a phone number using AES-256-GCM.
- * Returns base64-encoded ciphertext, iv and authTag suitable for storage.
- */
-function encrypt(
-  phoneRaw: string
-): Omit<PhoneCipherRecord, "hmacIndex"> & { hmacIndex: string } {
-  const normalized = normalize(phoneRaw);
-  // 12-byte IV is recommended for GCM
-  const iv = crypto.randomBytes(12);
-  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
-  // Optional: bind additional data (AAD), e.g., tenant ID to prevent cross-tenant swaps
-  // cipher.setAAD(Buffer.from(tenantId, 'utf8'));
-  const ciphertextBuf = Buffer.concat([
-    cipher.update(normalized, "utf8"),
-    cipher.final(),
-  ]);
-  const authTag = cipher.getAuthTag();
-  return {
-    ciphertext: ciphertextBuf.toString("base64"),
-    iv: iv.toString("base64"),
-    authTag: authTag.toString("base64"),
-    hmacIndex: hmacIndex(normalized),
-  };
-}
-/** Decrypt a previously stored record. Throws if tampered.
- * Returns the normalized phone string.
- */
-function decrypt(
-  record: Pick<PhoneCipherRecord, "ciphertext" | "iv" | "authTag">
-): string {
-  const iv = Buffer.from(record.iv, "base64");
-  const authTag = Buffer.from(record.authTag, "base64");
-  const ciphertext = Buffer.from(record.ciphertext, "base64");
-  const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
-  // If you used setAAD on encrypt, you MUST set the same AAD here
-  // decipher.setAAD(Buffer.from(tenantId, 'utf8'));
-  decipher.setAuthTag(authTag);
-  const plaintext = Buffer.concat([
-    decipher.update(ciphertext),
-    decipher.final(),
-  ]).toString("utf8");
-  return plaintext; // normalized phone
-}