lemon-core 4.1.15 → 4.2.0

package/dist/engine/utilities.js

@@ -15,13 +15,23 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 }) : function(o, v) {
     o["default"] = v;
 });
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -49,291 +59,11 @@ const COLORS = {
  * - various functions
  */
 class Utilities {
+    _$;
+    log;
+    err;
+    name;
     constructor(_$) {
-        /**
-         * parse float by decimal point 2
-         */
-        this.F2 = (x, mode = 'round') => this.FN(x, 2, mode);
-        /**
-         * parse float by decimal point 3
-         */
-        this.F3 = (x, mode = 'round') => this.FN(x, 3, mode);
-        /**
-         * convert and cut string like `abcd....z`
-         */
-        this.S = (_, h, t = 32, delim = '...') => [typeof _ == 'string' ? _ : `${this.json(_) || ''}`]
-            .map(s => h && s.length > h + t
-            ? s.substring(0, h) + delim + (s.length > h + t ? s.substring(s.length - t) : '')
-            : s)
-            .join('');
-        /**
-         * group as qs
-         */
-        this.qs = {
-            /**
-             * parse qs string
-             */
-            parse: (q) => this.qs_parse(q),
-            /**
-             * stringify qs object
-             */
-            stringify: (q) => this.qs_stringify(q),
-        };
-        /**
-         * get crypto object.
-         *
-         * @deprecated since nodejs22, use `crypto2` instead.
-         */
-        this.crypto = (passwd, algorithm) => {
-            algorithm = algorithm || 'aes-256-ctr';
-            const MAGIC = 'LM!#';
-            /**
-             * Simulate OpenSSL's EVP_BytesToKey method
-             */
-            const evpBytesToKey = (password, keyLen, ivLen) => {
-                let data = Buffer.alloc(0);
-                let prev = Buffer.alloc(0);
-                while (data.length < keyLen + ivLen) {
-                    const hash = crypto_1.default.createHash('md5');
-                    hash.update(Buffer.concat([prev, password]));
-                    prev = hash.digest();
-                    data = Buffer.concat([data, prev]);
-                }
-                return {
-                    key: data.slice(0, keyLen),
-                    iv: data.slice(keyLen, keyLen + ivLen),
-                };
-            };
-            const getKeyIV = () => {
-                const passwordBuf = Buffer.from(passwd, 'binary');
-                const keyLen = 32; // for aes-256
-                const ivLen = 16; // AES block size
-                return evpBytesToKey(passwordBuf, keyLen, ivLen);
-            };
-            return new (class {
-                constructor() {
-                    /** @deprecated since nodejs22 */
-                    this.encrypt = (val) => {
-                        val = val === undefined ? null : val;
-                        // msg = msg && typeof msg == 'object' ? JSON_TAG+JSON.stringify(msg) : msg;
-                        //* 어느 데이터 타입이든 저장하기 위해서, object로 만든다음, 암호화 시킨다.
-                        const msg = JSON.stringify({ alg: algorithm, val: val });
-                        const buffer = Buffer.from(`${MAGIC}${msg || ''}`, 'utf8');
-                        const { key, iv } = getKeyIV();
-                        const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
-                        const crypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
-                        return crypted.toString(1 ? 'base64' : 'utf8');
-                    };
-                    /** @deprecated since nodejs22 */
-                    this.decrypt = (msg) => {
-                        const buffer = Buffer.from(`${msg || ''}`, 'base64');
-                        const { key, iv } = getKeyIV();
-                        const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
-                        const decrypted = Buffer.concat([decipher.update(buffer), decipher.final()]);
-                        const dec = decrypted.toString('utf8');
-                        if (!dec.startsWith(MAGIC))
-                            throw new Error('400 INVALID PASSWD - invalid magic string!');
-                        const data = dec.slice(MAGIC.length);
-                        if (data && !data.startsWith('{') && !data.endsWith('}'))
-                            throw new Error('400 INVALID PASSWD - invalid json string!');
-                        const $msg = JSON.parse(data) || {};
-                        return $msg.val;
-                    };
-                }
-            })();
-        };
-        /**
-         * get crypto2 object (w/ Cipheriv).
-         * - to avoid `(node:66818) Warning: Use Cipheriv for counter mode of aes-256-ctr`
-         *
-         * @param passwd    password to crypt
-         * @param algorithm (default as `aes-256-ctr`)
-         * @param ivNumb    iv number to populate. (default as 0, or -1 use random)
-         * @param magic     magic string to verify (default `LM!#`)
-         */
-        this.crypto2 = (passwd, algorithm, ivNumb, magic) => {
-            algorithm = algorithm || 'aes-256-ctr';
-            const MAGIC = magic === undefined ? 'LM!#' : `${magic || ''}`;
-            const iv = Buffer.from(Array.prototype.map.call(Buffer.alloc(16), () => {
-                return ivNumb === undefined ? 0 : ivNumb === -1 ? Math.floor(Math.random() * 256) : ivNumb;
-            }));
-            return new (class {
-                constructor() {
-                    this.encrypt = (val) => {
-                        val = val === undefined ? null : val;
-                        //* use json string to support all data-type
-                        const msg = JSON.stringify({ alg: algorithm, val: val });
-                        const buffer = Buffer.from(`${MAGIC}${msg || ''}`, 'utf8');
-                        const key = Buffer.concat([Buffer.from(passwd)], Buffer.alloc(32).length);
-                        const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
-                        const crypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
-                        return crypted.toString('base64');
-                    };
-                    this.decrypt = (msg) => {
-                        const buffer = Buffer.from(`${msg || ''}`, 'base64');
-                        const key = Buffer.concat([Buffer.from(passwd)], Buffer.alloc(32).length);
-                        const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
-                        const dec = Buffer.concat([decipher.update(buffer), decipher.final()]).toString('utf8');
-                        if (!dec.startsWith(MAGIC))
-                            throw new Error(`400 INVALID PASSWD - invalid magic string!`);
-                        const data = dec.substr(MAGIC.length);
-                        if (data && !data.startsWith('{') && !data.endsWith('}'))
-                            throw new Error('400 INVALID PASSWD - invalid json string!');
-                        const $msg = JSON.parse(data) || {};
-                        return $msg.val;
-                    };
-                }
-            })();
-        };
-        /**
-         * get crypto3 object (with nonce + timestamp based IV).
-         *
-         * format details, see `crypto3` tests.
-         * 1. nonce = random hex string with length 13 (like `a1b2c3d4e5f67`)
-         * 2. head = `LM!#${VERSION}:${nonce}:${timestamp}` -> base64 encode with constant length 48 (no padding)
-         * 3. body = JSON({d: data}) -> encrypted by AES-256-CTR with key = passwd
-         * 4. final = [head, body].join('')
-         *
-         * @param passwd    password to crypt
-         * @param algorithm (default as `aes-256-ctr`)
-         */
-        this.crypto3 = (passwd, algorithm) => {
-            algorithm = algorithm || 'aes-256-ctr';
-            const MAGIC = 'LM!#';
-            const VERSION = 'V003';
-            const HEAD_B64_LEN = 48; // 36 bytes -> 48 base64 (no padding)
-            const errScope = `crypto3(${algorithm}#${VERSION})`;
-            const key = Buffer.concat([Buffer.from(passwd)], Buffer.alloc(32).length);
-            const hmac = (data, sig) => this.hmac(data, sig, 'sha256', 'hex');
-            const currentMs = () => this.current_time_ms(); // 13 digits timestamp
-            const makeNonce = () => this.uuid().replace(/-/g, '').substring(0, 13); // 13 chars (52-bit entropy)
-            return new (class {
-                constructor() {
-                    this.encrypt = (val, options) => {
-                        var _a, _b;
-                        val = val === undefined ? null : val;
-                        const nonce = (_a = options === null || options === void 0 ? void 0 : options.nonce) !== null && _a !== void 0 ? _a : makeNonce();
-                        const timestamp = String((_b = options === null || options === void 0 ? void 0 : options.current) !== null && _b !== void 0 ? _b : currentMs()).padStart(13, '0');
-                        const iv = Buffer.from(hmac(`${nonce}:${timestamp}`, passwd).substring(0, 32), 'hex'); // AES IV must be 16 bytes.
-                        const buffer = Buffer.from(JSON.stringify({ d: val }), 'utf8');
-                        const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
-                        const crypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
-                        const headRaw = `${MAGIC}${VERSION}:${nonce}:${timestamp}`;
-                        const head = Buffer.from(headRaw).toString('base64');
-                        const body = crypted.toString('base64');
-                        return [head, body].join('');
-                    };
-                    this.decrypt = (msg, options) => {
-                        var _a;
-                        if (!msg)
-                            throw new Error(`@msg (string) is required - ${errScope}`);
-                        if (msg.length < HEAD_B64_LEN)
-                            throw new Error(`400 INVALID DATA - data too short! @${errScope}`);
-                        // 1. decode base64 header (48 chars -> 36 bytes)
-                        const headBase64 = msg.substring(0, HEAD_B64_LEN);
-                        const head = Buffer.from(headBase64, 'base64').toString('utf8');
-                        if (head.length !== 36)
-                            throw new Error(`400 INVALID DATA - invalid header! @${errScope}`);
-                        // 2. validate magic and version
-                        if (!head.startsWith(MAGIC))
-                            throw new Error(`400 INVALID MAGIC - invalid magic! @${errScope}`);
-                        const version = head.substring(4, 8);
-                        if (version !== VERSION)
-                            throw new Error(`400 INVALID VERSION - expected ${VERSION}, got ${version}! @${errScope}`);
-                        // 3. parse nonce, timestamp (format: LM!#V003:nonce:timestamp)
-                        const [, nonce, timestamp] = head.substring(8).split(':');
-                        if (!nonce || nonce.length !== 13)
-                            throw new Error(`400 INVALID DATA - invalid nonce! @${errScope}`);
-                        if (!timestamp || !/^\d+$/.test(timestamp))
-                            throw new Error(`400 INVALID DATA - invalid timestamp! @${errScope}`);
-                        if ((options === null || options === void 0 ? void 0 : options.maxAge) !== undefined) {
-                            const current = (_a = options === null || options === void 0 ? void 0 : options.current) !== null && _a !== void 0 ? _a : currentMs();
-                            if (current - parseInt(timestamp, 10) > options.maxAge)
-                                throw new Error(`400 INVALID DATA - expired timestamp! @${errScope}`);
-                        }
-                        // 4. decrypt
-                        const iv = Buffer.from(hmac(`${nonce}:${timestamp}`, passwd).substring(0, 32), 'hex');
-                        const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
-                        const dec = Buffer.concat([
-                            decipher.update(Buffer.from(msg.substring(HEAD_B64_LEN), 'base64')),
-                            decipher.final(),
-                        ]).toString('utf8');
-                        if (!dec.startsWith('{') || !dec.endsWith('}'))
-                            throw new Error(`400 INVALID PASSWD - invalid json string @${errScope}`);
-                        const $msg = JSON.parse(dec) || {};
-                        return $msg === null || $msg === void 0 ? void 0 : $msg.d;
-                    };
-                }
-            })();
-        };
-        /**
-         * encrypt shorthand using crypto3
-         */
-        this.encrypt = (data, secret, options) => {
-            return this.crypto3(secret).encrypt(data, options);
-        };
-        /**
-         * decrypt shorthand using crypto3
-         */
-        this.decrypt = (data, secret, options) => {
-            return this.crypto3(secret).decrypt(data, options);
-        };
-        /**
-         * builder for `JWTHelper`
-         * @param passcode string for verification.
-         * @param current_ms (optional) current time in millisecond (required to verify `exp`)
-         */
-        this.jwt = (passcode, current_ms) => {
-            const $U = this;
-            /**
-             * main class.
-             */
-            return new (class JWTHelper {
-                constructor() {
-                    /**
-                     * use `jsonwebtoken` directly.
-                     */
-                    this.$ = jsonwebtoken_1.default;
-                    /**
-                     * encode object to token string
-                     * - Synchronous Sign with default (HS256: HMAC SHA256)
-                     *
-                     * @param data object
-                     * @param algorithm algorithm to use
-                     */
-                    this.encode = (data, algorithm = 'HS256') => {
-                        data = current_ms ? Object.assign(Object.assign({}, data), { iat: Math.floor(current_ms / 1000) }) : data;
-                        const token = jsonwebtoken_1.default.sign(data, passcode, { algorithm });
-                        return token;
-                    };
-                    /**
-                     * decode token string
-                     *
-                     * @param token string
-                     */
-                    this.decode = (token, options) => {
-                        const N = jsonwebtoken_1.default.decode(token, options);
-                        return N;
-                    };
-                    /**
-                     * verify token
-                     * - Synchronous Verify with default (HS256: HMAC SHA256)
-                     *
-                     * @param token
-                     * @param algorithm
-                     * @throws `jwt expired` if exp has expired!.
-                     */
-                    this.verify = (token, algorithm = 'HS256') => {
-                        const verified = jsonwebtoken_1.default.verify(token, passcode, { algorithms: [algorithm] });
-                        const cur = $U.N(current_ms, 0);
-                        const exp = $U.N(verified === null || verified === void 0 ? void 0 : verified.exp, 0) * 1000;
-                        if (cur > 0 && exp > 0 && exp < current_ms)
-                            throw new Error(`jwt expired at ${$U.ts(exp)}`);
-                        return verified;
-                    };
-                }
-            })();
-        };
         this._$ = _$;
         this.log = _$.log;
         this.err = _$.err;
@@ -651,6 +381,22 @@ class Utilities {
         const val3 = val2 / div;
         return val3;
     }
+    /**
+     * parse float by decimal point 2
+     */
+    F2 = (x, mode = 'round') => this.FN(x, 2, mode);
+    /**
+     * parse float by decimal point 3
+     */
+    F3 = (x, mode = 'round') => this.FN(x, 3, mode);
+    /**
+     * convert and cut string like `abcd....z`
+     */
+    S = (_, h, t = 32, delim = '...') => [typeof _ == 'string' ? _ : `${this.json(_) || ''}`]
+        .map(s => h && s.length > h + t
+        ? s.substring(0, h) + delim + (s.length > h + t ? s.substring(s.length - t) : '')
+        : s)
+        .join('');
     /**
      * remove internal properties which starts with _ or $
      */
@@ -727,6 +473,7 @@ class Utilities {
      */
     isEqual(obj1, obj2) {
         const keys = Object.keys;
+        const toString = Object.prototype.toString;
         function tagTester(name) {
             return function (obj) {
                 return toString.call(obj) === '[object ' + name + ']';
@@ -919,7 +666,8 @@ class Utilities {
      */
     md5(data, digest) {
         digest = digest === undefined ? 'hex' : digest;
-        return crypto_1.default.createHash('md5').update(data).digest(digest);
+        const _digest = digest === 'latin1' ? 'binary' : digest;
+        return crypto_1.default.createHash('md5').update(data).digest(_digest);
     }
     /**
      * get hmac hash
@@ -928,7 +676,8 @@ class Utilities {
         KEY = KEY || 'XENI';
         encoding = encoding || 'base64';
         algorithm = algorithm || 'sha256';
-        return crypto_1.default.createHmac(algorithm, KEY).update(data).digest(encoding);
+        const _encoding = encoding === 'latin1' ? 'binary' : encoding;
+        return crypto_1.default.createHmac(algorithm, KEY).update(data).digest(_encoding);
     }
     /**
      * parse query-string.
@@ -959,6 +708,265 @@ class Utilities {
         const param = query_string_1.default.stringify(query);
         return param;
     }
+    /**
+     * group as qs
+     */
+    qs = {
+        /**
+         * parse qs string
+         */
+        parse: (q) => this.qs_parse(q),
+        /**
+         * stringify qs object
+         */
+        stringify: (q) => this.qs_stringify(q),
+    };
+    /**
+     * get crypto object.
+     *
+     * @deprecated since nodejs22, use `crypto2` instead.
+     */
+    crypto = (passwd, algorithm) => {
+        algorithm = algorithm || 'aes-256-ctr';
+        const MAGIC = 'LM!#';
+        /**
+         * Simulate OpenSSL's EVP_BytesToKey method
+         */
+        const evpBytesToKey = (password, keyLen, ivLen) => {
+            let data = Buffer.alloc(0);
+            let prev = Buffer.alloc(0);
+            while (data.length < keyLen + ivLen) {
+                const hash = crypto_1.default.createHash('md5');
+                hash.update(Buffer.concat([prev, password]));
+                prev = hash.digest();
+                data = Buffer.concat([data, prev]);
+            }
+            return {
+                key: data.slice(0, keyLen),
+                iv: data.slice(keyLen, keyLen + ivLen),
+            };
+        };
+        const getKeyIV = () => {
+            const passwordBuf = Buffer.from(passwd, 'binary');
+            const keyLen = 32; // for aes-256
+            const ivLen = 16; // AES block size
+            return evpBytesToKey(passwordBuf, keyLen, ivLen);
+        };
+        return new (class {
+            /** @deprecated since nodejs22 */
+            encrypt = (val) => {
+                val = val === undefined ? null : val;
+                // msg = msg && typeof msg == 'object' ? JSON_TAG+JSON.stringify(msg) : msg;
+                //* 어느 데이터 타입이든 저장하기 위해서, object로 만든다음, 암호화 시킨다.
+                const msg = JSON.stringify({ alg: algorithm, val: val });
+                const buffer = Buffer.from(`${MAGIC}${msg || ''}`, 'utf8');
+                const { key, iv } = getKeyIV();
+                const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
+                const crypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
+                return crypted.toString(1 ? 'base64' : 'utf8');
+            };
+            /** @deprecated since nodejs22 */
+            decrypt = (msg) => {
+                const buffer = Buffer.from(`${msg || ''}`, 'base64');
+                const { key, iv } = getKeyIV();
+                const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
+                const decrypted = Buffer.concat([decipher.update(buffer), decipher.final()]);
+                const dec = decrypted.toString('utf8');
+                if (!dec.startsWith(MAGIC))
+                    throw new Error('400 INVALID PASSWD - invalid magic string!');
+                const data = dec.slice(MAGIC.length);
+                if (data && !data.startsWith('{') && !data.endsWith('}'))
+                    throw new Error('400 INVALID PASSWD - invalid json string!');
+                const $msg = JSON.parse(data) || {};
+                return $msg.val;
+            };
+        })();
+    };
+    /**
+     * get crypto2 object (w/ Cipheriv).
+     * - to avoid `(node:66818) Warning: Use Cipheriv for counter mode of aes-256-ctr`
+     *
+     * @param passwd    password to crypt
+     * @param algorithm (default as `aes-256-ctr`)
+     * @param ivNumb    iv number to populate. (default as 0, or -1 use random)
+     * @param magic     magic string to verify (default `LM!#`)
+     */
+    crypto2 = (passwd, algorithm, ivNumb, magic) => {
+        algorithm = algorithm || 'aes-256-ctr';
+        const MAGIC = magic === undefined ? 'LM!#' : `${magic || ''}`;
+        const iv = Buffer.from(Array.prototype.map.call(Buffer.alloc(16), () => {
+            return ivNumb === undefined ? 0 : ivNumb === -1 ? Math.floor(Math.random() * 256) : ivNumb;
+        }));
+        return new (class {
+            encrypt = (val) => {
+                val = val === undefined ? null : val;
+                //* use json string to support all data-type
+                const msg = JSON.stringify({ alg: algorithm, val: val });
+                const buffer = Buffer.from(`${MAGIC}${msg || ''}`, 'utf8');
+                const key = Buffer.concat([Buffer.from(passwd)], Buffer.alloc(32).length);
+                const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
+                const crypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
+                return crypted.toString('base64');
+            };
+            decrypt = (msg) => {
+                const buffer = Buffer.from(`${msg || ''}`, 'base64');
+                const key = Buffer.concat([Buffer.from(passwd)], Buffer.alloc(32).length);
+                const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
+                const dec = Buffer.concat([decipher.update(buffer), decipher.final()]).toString('utf8');
+                if (!dec.startsWith(MAGIC))
+                    throw new Error(`400 INVALID PASSWD - invalid magic string!`);
+                const data = dec.substr(MAGIC.length);
+                if (data && !data.startsWith('{') && !data.endsWith('}'))
+                    throw new Error('400 INVALID PASSWD - invalid json string!');
+                const $msg = JSON.parse(data) || {};
+                return $msg.val;
+            };
+        })();
+    };
+    /**
+     * get crypto3 object (with nonce + timestamp based IV).
+     *
+     * format details, see `crypto3` tests.
+     * 1. nonce = random hex string with length 13 (like `a1b2c3d4e5f67`)
+     * 2. head = `LM!#${VERSION}:${nonce}:${timestamp}` -> base64 encode with constant length 48 (no padding)
+     * 3. body = JSON({d: data}) -> encrypted by AES-256-CTR with key = passwd
+     * 4. final = [head, body].join('')
+     *
+     * @param passwd    password to crypt
+     * @param algorithm (default as `aes-256-ctr`)
+     */
+    crypto3 = (passwd, algorithm) => {
+        algorithm = algorithm || 'aes-256-ctr';
+        const MAGIC = 'LM!#';
+        const VERSION = 'V003';
+        const HEAD_B64_LEN = 48; // 36 bytes -> 48 base64 (no padding)
+        const errScope = `crypto3(${algorithm}#${VERSION})`;
+        const key = Buffer.concat([Buffer.from(passwd)], Buffer.alloc(32).length);
+        const hmac = (data, sig) => this.hmac(data, sig, 'sha256', 'hex');
+        const currentMs = () => this.current_time_ms(); // 13 digits timestamp
+        const makeNonce = () => this.uuid().replace(/-/g, '').substring(0, 13); // 13 chars (52-bit entropy)
+        return new (class {
+            encrypt = (val, options) => {
+                val = val === undefined ? null : val;
+                const nonce = options?.nonce ?? makeNonce();
+                const timestamp = String(options?.current ?? currentMs()).padStart(13, '0');
+                const iv = Buffer.from(hmac(`${nonce}:${timestamp}`, passwd).substring(0, 32), 'hex'); // AES IV must be 16 bytes.
+                const buffer = Buffer.from(JSON.stringify({ d: val }), 'utf8');
+                const cipher = crypto_1.default.createCipheriv(algorithm, key, iv);
+                const crypted = Buffer.concat([cipher.update(buffer), cipher.final()]);
+                const headRaw = `${MAGIC}${VERSION}:${nonce}:${timestamp}`;
+                const head = Buffer.from(headRaw).toString('base64');
+                const body = crypted.toString('base64');
+                return [head, body].join('');
+            };
+            decrypt = (msg, options) => {
+                if (!msg)
+                    throw new Error(`@msg (string) is required - ${errScope}`);
+                if (msg.length < HEAD_B64_LEN)
+                    throw new Error(`400 INVALID DATA - data too short! @${errScope}`);
+                // 1. decode base64 header (48 chars -> 36 bytes)
+                const headBase64 = msg.substring(0, HEAD_B64_LEN);
+                const head = Buffer.from(headBase64, 'base64').toString('utf8');
+                if (head.length !== 36)
+                    throw new Error(`400 INVALID DATA - invalid header! @${errScope}`);
+                // 2. validate magic and version
+                if (!head.startsWith(MAGIC))
+                    throw new Error(`400 INVALID MAGIC - invalid magic! @${errScope}`);
+                const version = head.substring(4, 8);
+                if (version !== VERSION)
+                    throw new Error(`400 INVALID VERSION - expected ${VERSION}, got ${version}! @${errScope}`);
+                // 3. parse nonce, timestamp (format: LM!#V003:nonce:timestamp)
+                const [, nonce, timestamp] = head.substring(8).split(':');
+                if (!nonce || nonce.length !== 13)
+                    throw new Error(`400 INVALID DATA - invalid nonce! @${errScope}`);
+                if (!timestamp || !/^\d+$/.test(timestamp))
+                    throw new Error(`400 INVALID DATA - invalid timestamp! @${errScope}`);
+                if (options?.maxAge !== undefined) {
+                    const current = options?.current ?? currentMs();
+                    if (current - parseInt(timestamp, 10) > options.maxAge)
+                        throw new Error(`400 INVALID DATA - expired timestamp! @${errScope}`);
+                }
+                // 4. decrypt
+                const iv = Buffer.from(hmac(`${nonce}:${timestamp}`, passwd).substring(0, 32), 'hex');
+                const decipher = crypto_1.default.createDecipheriv(algorithm, key, iv);
+                const dec = Buffer.concat([
+                    decipher.update(Buffer.from(msg.substring(HEAD_B64_LEN), 'base64')),
+                    decipher.final(),
+                ]).toString('utf8');
+                if (!dec.startsWith('{') || !dec.endsWith('}'))
+                    throw new Error(`400 INVALID PASSWD - invalid json string @${errScope}`);
+                const $msg = JSON.parse(dec) || {};
+                return $msg?.d;
+            };
+        })();
+    };
+    /**
+     * encrypt shorthand using crypto3
+     */
+    encrypt = (data, secret, options) => {
+        return this.crypto3(secret).encrypt(data, options);
+    };
+    /**
+     * decrypt shorthand using crypto3
+     */
+    decrypt = (data, secret, options) => {
+        return this.crypto3(secret).decrypt(data, options);
+    };
+    /**
+     * builder for `JWTHelper`
+     * @param passcode string for verification.
+     * @param current_ms (optional) current time in millisecond (required to verify `exp`)
+     */
+    jwt = (passcode, current_ms) => {
+        const $U = this;
+        /**
+         * main class.
+         */
+        return new (class JWTHelper {
+            constructor() { }
+            /**
+             * use `jsonwebtoken` directly.
+             */
+            $ = jsonwebtoken_1.default;
+            /**
+             * encode object to token string
+             * - Synchronous Sign with default (HS256: HMAC SHA256)
+             *
+             * @param data object
+             * @param algorithm algorithm to use
+             */
+            encode = (data, algorithm = 'HS256') => {
+                data = current_ms ? { ...data, iat: Math.floor(current_ms / 1000) } : data;
+                const token = jsonwebtoken_1.default.sign(data, passcode, { algorithm });
+                return token;
+            };
+            /**
+             * decode token string
+             *
+             * @param token string
+             */
+            decode = (token, options) => {
+                const N = jsonwebtoken_1.default.decode(token, options);
+                return N;
+            };
+            /**
+             * verify token
+             * - Synchronous Verify with default (HS256: HMAC SHA256)
+             *
+             * @param token
+             * @param algorithm
+             * @throws `jwt expired` if exp has expired!.
+             */
+            verify = (token, algorithm = 'HS256') => {
+                const verified = jsonwebtoken_1.default.verify(token, passcode, { algorithms: [algorithm] });
+                const cur = $U.N(current_ms, 0);
+                const exp = $U.N(verified?.exp, 0) * 1000;
+                if (cur > 0 && exp > 0 && exp < current_ms)
+                    throw new Error(`jwt expired at ${$U.ts(exp)}`);
+                return verified;
+            };
+        })();
+    };
     /**
      * get UUID as `uuid.v4()`
      */