livekit-client 2.15.7 → 2.15.9

package/src/api/WebSocketStream.ts

@@ -0,0 +1,118 @@
+// https://github.com/CarterLi/websocketstream-polyfill
+import { sleep } from '../room/utils';
+
+export interface WebSocketConnection<T extends ArrayBuffer | string = ArrayBuffer | string> {
+  readable: ReadableStream<T>;
+  writable: WritableStream<T>;
+  protocol: string;
+  extensions: string;
+}
+
+export interface WebSocketCloseInfo {
+  closeCode?: number;
+  reason?: string;
+}
+
+export interface WebSocketStreamOptions {
+  protocols?: string[];
+  signal?: AbortSignal;
+}
+
+/**
+ * [WebSocket](https://developer.mozilla.org/en-US/docs/Web/API/WebSocket) with [Streams API](https://developer.mozilla.org/en-US/docs/Web/API/Streams_API)
+ *
+ * @see https://web.dev/websocketstream/
+ */
+export class WebSocketStream<T extends ArrayBuffer | string = ArrayBuffer | string> {
+  readonly url: string;
+
+  readonly opened: Promise<WebSocketConnection<T>>;
+
+  readonly closed: Promise<WebSocketCloseInfo>;
+
+  readonly close: (closeInfo?: WebSocketCloseInfo) => void;
+
+  get readyState(): number {
+    return this.ws.readyState;
+  }
+
+  private ws: WebSocket;
+
+  constructor(url: string, options: WebSocketStreamOptions = {}) {
+    if (options.signal?.aborted) {
+      throw new DOMException('This operation was aborted', 'AbortError');
+    }
+
+    this.url = url;
+
+    const ws = new WebSocket(url, options.protocols ?? []);
+    ws.binaryType = 'arraybuffer';
+    this.ws = ws;
+
+    const closeWithInfo = ({ closeCode: code, reason }: WebSocketCloseInfo = {}) =>
+      ws.close(code, reason);
+
+    this.opened = new Promise((resolve, reject) => {
+      ws.onopen = () => {
+        resolve({
+          readable: new ReadableStream<T>({
+            start(controller) {
+              ws.onmessage = ({ data }) => controller.enqueue(data);
+              ws.onerror = (e) => controller.error(e);
+            },
+            cancel: closeWithInfo,
+          }),
+          writable: new WritableStream<T>({
+            write(chunk) {
+              ws.send(chunk);
+            },
+            abort() {
+              ws.close();
+            },
+            close: closeWithInfo,
+          }),
+          protocol: ws.protocol,
+          extensions: ws.extensions,
+        });
+        ws.removeEventListener('error', reject);
+      };
+      ws.addEventListener('error', reject);
+    });
+
+    this.closed = new Promise<WebSocketCloseInfo>((resolve, reject) => {
+      const rejectHandler = async () => {
+        const closePromise = new Promise<CloseEvent>((res) => {
+          if (ws.readyState === WebSocket.CLOSED) return;
+          else {
+            ws.addEventListener(
+              'close',
+              (closeEv: CloseEvent) => {
+                res(closeEv);
+              },
+              { once: true },
+            );
+          }
+        });
+        const reason = await Promise.race([sleep(250), closePromise]);
+        if (!reason) {
+          reject(new Error('Encountered unspecified websocket error without a timely close event'));
+        } else {
+          // if we can infer the close reason from the close event then resolve the promise, we don't need to throw
+          resolve(reason);
+        }
+      };
+      ws.onclose = ({ code, reason }) => {
+        resolve({ closeCode: code, reason });
+        ws.removeEventListener('error', rejectHandler);
+      };
+
+      ws.addEventListener('error', rejectHandler);
+    });
+
+    if (options.signal) {
+      options.signal.onabort = () => ws.close();
+    }
+
+    this.close = closeWithInfo;
+  }
+}

package/src/api/utils.ts

@@ -1,3 +1,4 @@
+import { SignalResponse } from '@livekit/protocol';
 import { toHttpUrl, toWebsocketUrl } from '../room/utils';
 
 export function createRtcUrl(url: string, searchParams: URLSearchParams) {
@@ -21,3 +22,12 @@ function appendUrlPath(urlObj: URL, path: string) {
   urlObj.pathname = `${ensureTrailingSlash(urlObj.pathname)}${path}`;
   return urlObj.toString();
 }
+
+export function parseSignalResponse(value: ArrayBuffer | string) {
+  if (typeof value === 'string') {
+    return SignalResponse.fromJson(JSON.parse(value), { ignoreUnknownFields: true });
+  } else if (value instanceof ArrayBuffer) {
+    return SignalResponse.fromBinary(new Uint8Array(value));
+  }
+  throw new Error(`could not decode websocket message: ${typeof value}`);
+}

package/src/connectionHelper/checks/publishVideo.ts

@@ -46,6 +46,11 @@ export class PublishVideoCheck extends Checker {
     const video = document.createElement('video');
     video.srcObject = stream;
     video.muted = true;
+    video.autoplay = true;
+    video.playsInline = true;
+    // For iOS Safari
+    video.setAttribute('playsinline', 'true');
+    document.body.appendChild(video);
 
     await new Promise<void>((resolve) => {
       video.onplay = () => {

package/src/connectionHelper/checks/turn.ts

@@ -13,6 +13,7 @@ export class TURNCheck extends Checker {
       maxRetries: 0,
       e2eeEnabled: false,
       websocketTimeout: 15_000,
+      singlePeerConnection: false,
     });
 
     let hasTLS = false;

package/src/connectionHelper/checks/webrtc.ts

@@ -38,7 +38,7 @@ export class WebRTCCheck extends Checker {
         }
       };
 
-      if (this.room.engine.pcManager) {
+      if (this.room.engine.pcManager?.subscriber) {
         this.room.engine.pcManager.subscriber.onIceCandidateError = (ev) => {
           if (ev instanceof RTCPeerConnectionIceErrorEvent) {
             this.appendWarning(

package/src/connectionHelper/checks/websocket.ts

@@ -18,6 +18,7 @@ export class WebSocketCheck extends Checker {
       maxRetries: 0,
       e2eeEnabled: false,
       websocketTimeout: 15_000,
+      singlePeerConnection: false,
     });
     this.appendMessage(`Connected to server, version ${joinRes.serverVersion}.`);
     if (joinRes.serverInfo?.edition === ServerInfo_Edition.Cloud && joinRes.serverInfo?.region) {

package/src/e2ee/E2eeManager.ts

@@ -11,15 +11,19 @@ import type RemoteTrack from '../room/track/RemoteTrack';
 import type { Track } from '../room/track/Track';
 import type { VideoCodec } from '../room/track/options';
 import { mimeTypeToVideoCodecString } from '../room/track/utils';
-import { isLocalTrack, isSafariBased, isVideoTrack } from '../room/utils';
+import { Future, isLocalTrack, isSafariBased, isVideoTrack } from '../room/utils';
 import type { BaseKeyProvider } from './KeyProvider';
 import { E2EE_FLAG } from './constants';
 import { type E2EEManagerCallbacks, EncryptionEvent, KeyProviderEvent } from './events';
 import type {
+  DecryptDataRequestMessage,
+  DecryptDataResponseMessage,
   E2EEManagerOptions,
   E2EEWorkerMessage,
   EnableMessage,
   EncodeMessage,
+  EncryptDataRequestMessage,
+  EncryptDataResponseMessage,
   InitMessage,
   KeyInfo,
   RTPVideoMapMessage,
@@ -35,8 +39,17 @@ import { isE2EESupported, isScriptTransformSupported } from './utils';
 export interface BaseE2EEManager {
   setup(room: Room): void;
   setupEngine(engine: RTCEngine): void;
+  isEnabled: boolean;
+  isDataChannelEncryptionEnabled: boolean;
   setParticipantCryptorEnabled(enabled: boolean, participantIdentity: string): void;
   setSifTrailer(trailer: Uint8Array): void;
+  encryptData(data: Uint8Array): Promise<EncryptDataResponseMessage['data']>;
+  handleEncryptedData(
+    payload: Uint8Array,
+    iv: Uint8Array,
+    participantIdentity: string,
+    keyIndex: number,
+  ): Promise<DecryptDataResponseMessage['data']>;
   on<E extends keyof E2EEManagerCallbacks>(event: E, listener: E2EEManagerCallbacks[E]): this;
 }
 
@@ -55,11 +68,26 @@ export class E2EEManager
 
   private keyProvider: BaseKeyProvider;
 
-  constructor(options: E2EEManagerOptions) {
+  private decryptDataRequests: Map<string, Future<DecryptDataResponseMessage['data']>> = new Map();
+
+  private encryptDataRequests: Map<string, Future<EncryptDataResponseMessage['data']>> = new Map();
+
+  private dataChannelEncryptionEnabled: boolean;
+
+  constructor(options: E2EEManagerOptions, dcEncryptionEnabled: boolean) {
     super();
     this.keyProvider = options.keyProvider;
     this.worker = options.worker;
     this.encryptionEnabled = false;
+    this.dataChannelEncryptionEnabled = dcEncryptionEnabled;
+  }
+
+  get isEnabled(): boolean {
+    return this.encryptionEnabled;
+  }
+
+  get isDataChannelEncryptionEnabled(): boolean {
+    return this.isEnabled && this.dataChannelEncryptionEnabled;
   }
 
   /**
@@ -160,6 +188,19 @@ export class E2EEManager
           data.keyIndex,
         );
         break;
+
+      case 'decryptDataResponse':
+        const decryptFuture = this.decryptDataRequests.get(data.uuid);
+        if (decryptFuture?.resolve) {
+          decryptFuture.resolve(data);
+        }
+        break;
+      case 'encryptDataResponse':
+        const encryptFuture = this.encryptDataRequests.get(data.uuid);
+        if (encryptFuture?.resolve) {
+          encryptFuture.resolve(data as EncryptDataResponseMessage['data']);
+        }
+        break;
       default:
         break;
     }
@@ -250,6 +291,57 @@ export class E2EEManager
       );
   }
 
+  async encryptData(data: Uint8Array): Promise<EncryptDataResponseMessage['data']> {
+    if (!this.worker) {
+      throw Error('could not encrypt data, worker is missing');
+    }
+    const uuid = crypto.randomUUID();
+    const msg: EncryptDataRequestMessage = {
+      kind: 'encryptDataRequest',
+      data: {
+        uuid,
+        payload: data,
+        participantIdentity: this.room!.localParticipant.identity,
+      },
+    };
+    const future = new Future<EncryptDataResponseMessage['data']>();
+    future.onFinally = () => {
+      this.encryptDataRequests.delete(uuid);
+    };
+    this.encryptDataRequests.set(uuid, future);
+    this.worker.postMessage(msg);
+    return future!.promise!;
+  }
+
+  handleEncryptedData(
+    payload: Uint8Array,
+    iv: Uint8Array,
+    participantIdentity: string,
+    keyIndex: number,
+  ) {
+    if (!this.worker) {
+      throw Error('could not handle encrypted data, worker is missing');
+    }
+    const uuid = crypto.randomUUID();
+    const msg: DecryptDataRequestMessage = {
+      kind: 'decryptDataRequest',
+      data: {
+        uuid,
+        payload,
+        iv,
+        participantIdentity,
+        keyIndex,
+      },
+    };
+    const future = new Future<DecryptDataResponseMessage['data']>();
+    future.onFinally = () => {
+      this.decryptDataRequests.delete(uuid);
+    };
+    this.decryptDataRequests.set(uuid, future);
+    this.worker.postMessage(msg);
+    return future.promise;
+  }
+
   private postRatchetRequest(participantIdentity?: string, keyIndex?: number) {
     if (!this.worker) {
       throw Error('could not ratchet key, worker is missing');

package/src/e2ee/types.ts

@@ -109,6 +109,44 @@ export interface InitAck extends BaseMessage {
   };
 }
 
+export interface DecryptDataRequestMessage extends BaseMessage {
+  kind: 'decryptDataRequest';
+  data: {
+    uuid: string;
+    payload: Uint8Array;
+    iv: Uint8Array;
+    participantIdentity: string;
+    keyIndex: number;
+  };
+}
+
+export interface DecryptDataResponseMessage extends BaseMessage {
+  kind: 'decryptDataResponse';
+  data: {
+    uuid: string;
+    payload: Uint8Array;
+  };
+}
+
+export interface EncryptDataRequestMessage extends BaseMessage {
+  kind: 'encryptDataRequest';
+  data: {
+    uuid: string;
+    payload: Uint8Array;
+    participantIdentity: string;
+  };
+}
+
+export interface EncryptDataResponseMessage extends BaseMessage {
+  kind: 'encryptDataResponse';
+  data: {
+    uuid: string;
+    payload: Uint8Array;
+    iv: Uint8Array;
+    keyIndex: number;
+  };
+}
+
 export type E2EEWorkerMessage =
   | InitMessage
   | SetKeyMessage
@@ -121,7 +159,11 @@ export type E2EEWorkerMessage =
   | RatchetRequestMessage
   | RatchetMessage
   | SifTrailerMessage
-  | InitAck;
+  | InitAck
+  | DecryptDataRequestMessage
+  | DecryptDataResponseMessage
+  | EncryptDataRequestMessage
+  | EncryptDataResponseMessage;
 
 export type KeySet = { material: CryptoKey; encryptionKey: CryptoKey };
 
@@ -150,6 +192,7 @@ export type E2EEManagerOptions = {
   keyProvider: BaseKeyProvider;
   worker: Worker;
 };
+
 export type E2EEOptions =
   | E2EEManagerOptions
   | {

package/src/e2ee/utils.ts

@@ -1,3 +1,4 @@
+import { type DataPacket, EncryptedPacketPayload } from '@livekit/protocol';
 import { ENCRYPTION_ALGORITHM } from './constants';
 
 export function isE2EESupported() {
@@ -176,3 +177,18 @@ export function writeRbsp(data_in: Uint8Array): Uint8Array {
   }
   return new Uint8Array(dataOut);
 }
+
+export function asEncryptablePacket(packet: DataPacket): EncryptedPacketPayload | undefined {
+  if (
+    packet.value?.case !== 'sipDtmf' &&
+    packet.value?.case !== 'metrics' &&
+    packet.value?.case !== 'speaker' &&
+    packet.value?.case !== 'transcription' &&
+    packet.value?.case !== 'encryptedPacket'
+  ) {
+    return new EncryptedPacketPayload({
+      value: packet.value,
+    });
+  }
+  return undefined;
+}

package/src/e2ee/worker/DataCryptor.test.ts

@@ -0,0 +1,271 @@
+import { describe, expect, it, vitest } from 'vitest';
+import { IV_LENGTH, KEY_PROVIDER_DEFAULTS } from '../constants';
+import type { KeyProviderOptions } from '../types';
+import { createKeyMaterialFromString } from '../utils';
+import { DataCryptor } from './DataCryptor';
+import { ParticipantKeyHandler } from './ParticipantKeyHandler';
+
+function prepareParticipantTestKeys(
+  participantIdentity: string,
+  partialKeyProviderOptions: Partial<KeyProviderOptions>,
+): ParticipantKeyHandler {
+  const keyProviderOptions = { ...KEY_PROVIDER_DEFAULTS, ...partialKeyProviderOptions };
+  return new ParticipantKeyHandler(participantIdentity, keyProviderOptions);
+}
+
+describe('DataCryptor', () => {
+  const participantIdentity = 'testParticipant';
+
+  describe('encrypt', () => {
+    it('throws error when no key set', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      await expect(DataCryptor.encrypt(data, keys)).rejects.toThrow('No key set found');
+    });
+
+    it('encrypts data successfully with key', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+      const result = await DataCryptor.encrypt(plainData, keys);
+
+      expect(result.payload).toBeInstanceOf(Uint8Array);
+      expect(result.iv).toBeInstanceOf(Uint8Array);
+      expect(result.iv.length).toBe(IV_LENGTH);
+      expect(result.keyIndex).toBe(1);
+      expect(result.payload).not.toEqual(plainData);
+      expect(result.payload.length).toBeGreaterThan(0);
+    });
+
+    it('generates different IV for each encryption', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      const result1 = await DataCryptor.encrypt(data, keys);
+      const result2 = await DataCryptor.encrypt(data, keys);
+
+      expect(result1.iv).not.toEqual(result2.iv);
+      expect(result1.payload).not.toEqual(result2.payload);
+    });
+
+    it('uses correct key index from key handler', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 5);
+
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+      const result = await DataCryptor.encrypt(data, keys);
+
+      expect(result.keyIndex).toBe(5);
+    });
+  });
+
+  describe('decrypt', () => {
+    it('throws error when no key set for index', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+      const iv = new Uint8Array(IV_LENGTH);
+
+      await expect(DataCryptor.decrypt(data, iv, keys, 1)).rejects.toThrow('No key set found');
+    });
+
+    it('decrypts data successfully with correct key', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);
+
+      // First encrypt the data
+      const encrypted = await DataCryptor.encrypt(plainData, keys);
+
+      // Then decrypt it
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(plainData);
+    });
+
+    it('fails to decrypt with incorrect key', async () => {
+      const keys1 = prepareParticipantTestKeys('participant1', {});
+      const keys2 = prepareParticipantTestKeys('participant2', {});
+
+      await keys1.setKey(await createKeyMaterialFromString('correct-key'), 1);
+      await keys2.setKey(await createKeyMaterialFromString('wrong-key'), 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      // Encrypt with first key
+      const encrypted = await DataCryptor.encrypt(plainData, keys1);
+
+      // Try to decrypt with second (wrong) key
+      await expect(
+        DataCryptor.decrypt(encrypted.payload, encrypted.iv, keys2, encrypted.keyIndex),
+      ).rejects.toThrow();
+    });
+
+    it('handles ratcheting when enabled', async () => {
+      const senderKeys = prepareParticipantTestKeys('sender', {
+        ratchetWindowSize: 2,
+      });
+      const receiverKeys = prepareParticipantTestKeys('receiver', {
+        ratchetWindowSize: 2,
+      });
+
+      // Both start with the same initial key
+      const initialMaterial = await createKeyMaterialFromString('test-key');
+      await senderKeys.setKey(initialMaterial, 1);
+      await receiverKeys.setKey(initialMaterial, 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      // Sender ratchets their key forward
+      await senderKeys.ratchetKey(1, false);
+
+      // Sender encrypts data with the ratcheted key
+      const encrypted = await DataCryptor.encrypt(plainData, senderKeys);
+
+      // Receiver should be able to decrypt by automatically ratcheting their key
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        receiverKeys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(plainData);
+    });
+
+    it('respects ratchet window size limit', async () => {
+      // Create a scenario where we have valid encrypted data that requires ratcheting but it's disabled
+      const senderKeys = prepareParticipantTestKeys('sender', {
+        ratchetWindowSize: 10, // Large window for sender
+      });
+      const receiverKeys = prepareParticipantTestKeys('receiver', {
+        ratchetWindowSize: 1, // No ratcheting allowed for receiver
+      });
+
+      // Both start with the same initial key
+      const initialMaterial = await createKeyMaterialFromString('test-key');
+      await senderKeys.setKey(initialMaterial, 1);
+      await receiverKeys.setKey(initialMaterial, 1);
+
+      const plainData = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+
+      // Sender ratchets their key forward once
+      await senderKeys.ratchetKey(1);
+      await senderKeys.ratchetKey(1);
+
+      // Sender encrypts data with the ratcheted key
+      const encrypted = await DataCryptor.encrypt(plainData, senderKeys);
+
+      // Receiver should fail to decrypt with invalid key because ratcheting is limited (window size 1)
+      await expect(
+        DataCryptor.decrypt(encrypted.payload, encrypted.iv, receiverKeys, encrypted.keyIndex),
+      ).rejects.toThrow('valid key missing for participant');
+    });
+
+    it('throws CryptorError when ratcheting disabled and decryption fails', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {
+        ratchetWindowSize: 0,
+      });
+
+      await keys.setKey(await createKeyMaterialFromString('test-key'), 1);
+
+      const invalidData = new Uint8Array([99, 98, 97, 96, 95, 94, 93, 92]);
+      const iv = new Uint8Array(IV_LENGTH);
+      crypto.getRandomValues(iv);
+
+      await expect(DataCryptor.decrypt(invalidData, iv, keys, 1)).rejects.toThrow(
+        'Decryption failed',
+      );
+    });
+  });
+
+  describe('round-trip encryption/decryption', () => {
+    it('encrypts and decrypts data correctly', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('round-trip-key'), 2);
+
+      const originalData = new Uint8Array([
+        1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
+        26, 27, 28, 29, 30, 31, 32,
+      ]);
+
+      const encrypted = await DataCryptor.encrypt(originalData, keys);
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(originalData);
+    });
+
+    it('handles empty data', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('empty-data-key'), 1);
+
+      const emptyData = new Uint8Array(0);
+
+      const encrypted = await DataCryptor.encrypt(emptyData, keys);
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(emptyData);
+    });
+
+    it('handles large data', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('large-data-key'), 1);
+
+      const largeData = new Uint8Array(1024);
+      for (let i = 0; i < largeData.length; i++) {
+        largeData[i] = i % 256;
+      }
+
+      const encrypted = await DataCryptor.encrypt(largeData, keys);
+      const decrypted = await DataCryptor.decrypt(
+        encrypted.payload,
+        encrypted.iv,
+        keys,
+        encrypted.keyIndex,
+      );
+
+      expect(decrypted.payload).toEqual(largeData);
+    });
+  });
+
+  describe('IV generation', () => {
+    it('generates unique IVs with performance.now() timestamp', async () => {
+      const keys = prepareParticipantTestKeys(participantIdentity, {});
+      await keys.setKey(await createKeyMaterialFromString('iv-test-key'), 1);
+
+      const data = new Uint8Array([1, 2, 3, 4]);
+
+      vitest.useFakeTimers();
+      const time1 = 1000;
+      vitest.setSystemTime(time1);
+      const result1 = await DataCryptor.encrypt(data, keys);
+
+      vitest.setSystemTime(2000);
+      const result2 = await DataCryptor.encrypt(data, keys);
+
+      vitest.useRealTimers();
+
+      // IVs should be different due to different timestamps and sendCount
+      expect(result1.iv).not.toEqual(result2.iv);
+    });
+  });
+});