mvc-common-toolkit 1.43.9 → 1.43.11

package/src/pkg/encryption-helper.spec.ts

@@ -0,0 +1,423 @@
+import { expect } from "chai";
+import {
+  encrypt,
+  decrypt,
+  encryptWithTwoFactors,
+  decryptWithTwoFactors,
+} from "./encryption-helper";
+
+describe("encryption helper", () => {
+  describe("single factor encryption", () => {
+    it("should encrypt and decrypt text correctly", () => {
+      const plaintext = "Hello, World!";
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const decrypted = decrypt(encrypted, password);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle empty string", () => {
+      const plaintext = "";
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const decrypted = decrypt(encrypted, password);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle special characters and unicode", () => {
+      const plaintext = "Hello 世界! 🚀 测试";
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const decrypted = decrypt(encrypted, password);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle long text", () => {
+      const plaintext = "A".repeat(1000);
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const decrypted = decrypt(encrypted, password);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should produce different ciphertext for same plaintext with different passwords", () => {
+      const plaintext = "Hello, World!";
+      const password1 = "password1";
+      const password2 = "password2";
+
+      const encrypted1 = encrypt(plaintext, password1);
+      const encrypted2 = encrypt(plaintext, password2);
+
+      expect(encrypted1.ciphertext).to.not.equal(encrypted2.ciphertext);
+    });
+
+    it("should produce different ciphertext for same plaintext and password (due to random salt/iv)", () => {
+      const plaintext = "Hello, World!";
+      const password = "my-secret-password";
+
+      const encrypted1 = encrypt(plaintext, password);
+      const encrypted2 = encrypt(plaintext, password);
+
+      expect(encrypted1.ciphertext).to.not.equal(encrypted2.ciphertext);
+      expect(encrypted1.iv).to.not.equal(encrypted2.iv);
+      expect(encrypted1.salt).to.not.equal(encrypted2.salt);
+    });
+
+    it("should fail decryption with wrong password", () => {
+      const plaintext = "Hello, World!";
+      const correctPassword = "correct-password";
+      const wrongPassword = "wrong-password";
+
+      const encrypted = encrypt(plaintext, correctPassword);
+
+      expect(() => decrypt(encrypted, wrongPassword)).to.throw();
+    });
+
+    it("should fail decryption with corrupted payload", () => {
+      const plaintext = "Hello, World!";
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const corruptedPayload = {
+        ...encrypted,
+        ciphertext: "corrupted-ciphertext",
+      };
+
+      expect(() => decrypt(corruptedPayload, password)).to.throw();
+    });
+
+    it("should fail decryption with corrupted auth tag", () => {
+      const plaintext = "Hello, World!";
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const corruptedPayload = {
+        ...encrypted,
+        tag: "corrupted-tag",
+      };
+
+      expect(() => decrypt(corruptedPayload, password)).to.throw();
+    });
+
+    it("should have correct payload structure", () => {
+      const plaintext = "Hello, World!";
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+
+      expect(encrypted).to.have.property("iv");
+      expect(encrypted).to.have.property("salt");
+      expect(encrypted).to.have.property("ciphertext");
+      expect(encrypted).to.have.property("tag");
+
+      expect(encrypted.iv).to.be.a("string");
+      expect(encrypted.salt).to.be.a("string");
+      expect(encrypted.ciphertext).to.be.a("string");
+      expect(encrypted.tag).to.be.a("string");
+
+      // Check that hex strings are valid
+      expect(encrypted.iv).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.salt).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.ciphertext).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.tag).to.match(/^[0-9a-f]+$/);
+    });
+  });
+
+  describe("two factor encryption", () => {
+    it("should encrypt and decrypt text correctly with two factors", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const decrypted = decryptWithTwoFactors(
+        encrypted,
+        userPassword,
+        serverSecret
+      );
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle empty string with two factors", () => {
+      const plaintext = "";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const decrypted = decryptWithTwoFactors(
+        encrypted,
+        userPassword,
+        serverSecret
+      );
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle special characters and unicode with two factors", () => {
+      const plaintext = "Hello 世界! 🚀 测试";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const decrypted = decryptWithTwoFactors(
+        encrypted,
+        userPassword,
+        serverSecret
+      );
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle long text with two factors", () => {
+      const plaintext = "A".repeat(1000);
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const decrypted = decryptWithTwoFactors(
+        encrypted,
+        userPassword,
+        serverSecret
+      );
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should produce different ciphertext for same plaintext with different factors", () => {
+      const plaintext = "Hello, World!";
+      const userPassword1 = "user1";
+      const userPassword2 = "user2";
+      const serverSecret = "server-secret";
+
+      const encrypted1 = encryptWithTwoFactors(
+        plaintext,
+        userPassword1,
+        serverSecret
+      );
+      const encrypted2 = encryptWithTwoFactors(
+        plaintext,
+        userPassword2,
+        serverSecret
+      );
+
+      expect(encrypted1.ciphertext).to.not.equal(encrypted2.ciphertext);
+    });
+
+    it("should produce different ciphertext for same plaintext and factors (due to random salt/iv)", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted1 = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const encrypted2 = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+
+      expect(encrypted1.ciphertext).to.not.equal(encrypted2.ciphertext);
+      expect(encrypted1.iv).to.not.equal(encrypted2.iv);
+      expect(encrypted1.saltUser).to.not.equal(encrypted2.saltUser);
+      expect(encrypted1.saltServer).to.not.equal(encrypted2.saltServer);
+    });
+
+    it("should fail decryption with wrong user password", () => {
+      const plaintext = "Hello, World!";
+      const correctUserPassword = "correct-user-password";
+      const wrongUserPassword = "wrong-user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        correctUserPassword,
+        serverSecret
+      );
+
+      expect(() =>
+        decryptWithTwoFactors(encrypted, wrongUserPassword, serverSecret)
+      ).to.throw();
+    });
+
+    it("should fail decryption with wrong server secret", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const correctServerSecret = "correct-server-secret";
+      const wrongServerSecret = "wrong-server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        correctServerSecret
+      );
+
+      expect(() =>
+        decryptWithTwoFactors(encrypted, userPassword, wrongServerSecret)
+      ).to.throw();
+    });
+
+    it("should fail decryption with corrupted payload", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const corruptedPayload = {
+        ...encrypted,
+        ciphertext: "corrupted-ciphertext",
+      };
+
+      expect(() =>
+        decryptWithTwoFactors(corruptedPayload, userPassword, serverSecret)
+      ).to.throw();
+    });
+
+    it("should fail decryption with corrupted auth tag", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const corruptedPayload = {
+        ...encrypted,
+        tag: "corrupted-tag",
+      };
+
+      expect(() =>
+        decryptWithTwoFactors(corruptedPayload, userPassword, serverSecret)
+      ).to.throw();
+    });
+
+    it("should have correct payload structure for two factors", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+
+      expect(encrypted).to.have.property("iv");
+      expect(encrypted).to.have.property("saltUser");
+      expect(encrypted).to.have.property("saltServer");
+      expect(encrypted).to.have.property("ciphertext");
+      expect(encrypted).to.have.property("tag");
+
+      expect(encrypted.iv).to.be.a("string");
+      expect(encrypted.saltUser).to.be.a("string");
+      expect(encrypted.saltServer).to.be.a("string");
+      expect(encrypted.ciphertext).to.be.a("string");
+      expect(encrypted.tag).to.be.a("string");
+
+      // Check that hex strings are valid
+      expect(encrypted.iv).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.saltUser).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.saltServer).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.ciphertext).to.match(/^[0-9a-f]+$/);
+      expect(encrypted.tag).to.match(/^[0-9a-f]+$/);
+    });
+
+    it("should be secure against known plaintext attacks", () => {
+      const plaintext = "Hello, World!";
+      const userPassword = "user-password";
+      const serverSecret = "server-secret";
+
+      const encrypted1 = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+      const encrypted2 = encryptWithTwoFactors(
+        plaintext,
+        userPassword,
+        serverSecret
+      );
+
+      // Even with same plaintext and factors, ciphertext should be different
+      expect(encrypted1.ciphertext).to.not.equal(encrypted2.ciphertext);
+      expect(encrypted1.iv).to.not.equal(encrypted2.iv);
+    });
+  });
+
+  describe("edge cases and error handling", () => {
+    it("should handle very long passwords", () => {
+      const plaintext = "Hello, World!";
+      const longPassword = "A".repeat(1000);
+
+      const encrypted = encrypt(plaintext, longPassword);
+      const decrypted = decrypt(encrypted, longPassword);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle very short passwords", () => {
+      const plaintext = "Hello, World!";
+      const shortPassword = "a";
+
+      const encrypted = encrypt(plaintext, shortPassword);
+      const decrypted = decrypt(encrypted, shortPassword);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle passwords with special characters", () => {
+      const plaintext = "Hello, World!";
+      const specialPassword = "!@#$%^&*()_+-=[]{}|;':\",./<>?";
+
+      const encrypted = encrypt(plaintext, specialPassword);
+      const decrypted = decrypt(encrypted, specialPassword);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+
+    it("should handle binary data as string", () => {
+      const plaintext = Buffer.from([0x00, 0x01, 0x02, 0x03, 0x04]).toString(
+        "utf8"
+      );
+      const password = "my-secret-password";
+
+      const encrypted = encrypt(plaintext, password);
+      const decrypted = decrypt(encrypted, password);
+
+      expect(decrypted).to.equal(plaintext);
+    });
+  });
+});

package/src/pkg/encryption-helper.ts

@@ -0,0 +1,155 @@
+import {
+  randomBytes,
+  pbkdf2Sync,
+  createCipheriv,
+  createDecipheriv,
+} from "crypto";
+
+const PBKDF2_ITERATIONS = 310_000; // adjust upward over time
+const KEY_LEN = 32; // 256-bit AES key
+const IV_LEN = 12; // standard for GCM
+const SALT_LEN = 16; // at least 16 bytes
+
+interface EncryptedPayload {
+  iv: string; // hex
+  salt: string; // hex
+  ciphertext: string;
+  tag: string; // auth tag (hex)
+}
+
+interface EncryptedPayload2FA {
+  iv: string;
+  saltUser: string;
+  saltServer: string;
+  ciphertext: string;
+  tag: string;
+}
+
+/**
+ * Encrypt a UTF-8 string using password-based AES-256-GCM
+ */
+export function encrypt(text: string, password: string): EncryptedPayload {
+  const salt = randomBytes(SALT_LEN);
+  const key = pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LEN, "sha256");
+
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+
+  const ciphertext = Buffer.concat([
+    cipher.update(text, "utf8"),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+
+  return {
+    iv: iv.toString("hex"),
+    salt: salt.toString("hex"),
+    ciphertext: ciphertext.toString("hex"),
+    tag: tag.toString("hex"),
+  };
+}
+
+/**
+ * Decrypt payload produced by `encrypt`
+ */
+export function decrypt(payload: EncryptedPayload, password: string): string {
+  const { iv, salt, ciphertext, tag } = payload;
+
+  const key = pbkdf2Sync(
+    Buffer.from(password),
+    Buffer.from(salt, "hex"),
+    PBKDF2_ITERATIONS,
+    KEY_LEN,
+    "sha256"
+  );
+
+  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "hex"));
+  decipher.setAuthTag(Buffer.from(tag, "hex"));
+
+  const plaintext = Buffer.concat([
+    decipher.update(Buffer.from(ciphertext, "hex")),
+    decipher.final(),
+  ]);
+
+  return plaintext.toString("utf8");
+}
+
+function deriveKey(password: string, salt: Buffer): Buffer {
+  return pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LEN, "sha256");
+}
+
+export function encryptWithTwoFactors(
+  plaintext: string,
+  userPassword: string,
+  serverSecret: string
+): EncryptedPayload2FA {
+  const saltUser = randomBytes(SALT_LEN);
+  const saltServer = randomBytes(SALT_LEN);
+
+  const userKey = deriveKey(userPassword, saltUser);
+  const serverKey = deriveKey(serverSecret, saltServer);
+
+  // Final AES key: XOR of both keys
+  const finalKey = Buffer.alloc(KEY_LEN);
+  for (let i = 0; i < KEY_LEN; i++) {
+    finalKey[i] = userKey[i] ^ serverKey[i];
+  }
+
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv("aes-256-gcm", finalKey, iv);
+
+  const ciphertext = Buffer.concat([
+    cipher.update(plaintext, "utf8"),
+    cipher.final(),
+  ]);
+  const tag = cipher.getAuthTag();
+
+  // Cleanup sensitive buffers
+  userKey.fill(0);
+  serverKey.fill(0);
+  finalKey.fill(0);
+
+  return {
+    iv: iv.toString("hex"),
+    saltUser: saltUser.toString("hex"),
+    saltServer: saltServer.toString("hex"),
+    ciphertext: ciphertext.toString("hex"),
+    tag: tag.toString("hex"),
+  };
+}
+
+export function decryptWithTwoFactors(
+  payload: EncryptedPayload2FA,
+  userPassword: string,
+  serverSecret: string
+): string {
+  const userKey = deriveKey(userPassword, Buffer.from(payload.saltUser, "hex"));
+  const serverKey = deriveKey(
+    serverSecret,
+    Buffer.from(payload.saltServer, "hex")
+  );
+
+  const finalKey = Buffer.alloc(KEY_LEN);
+  for (let i = 0; i < KEY_LEN; i++) {
+    finalKey[i] = userKey[i] ^ serverKey[i];
+  }
+
+  const decipher = createDecipheriv(
+    "aes-256-gcm",
+    finalKey,
+    Buffer.from(payload.iv, "hex")
+  );
+  decipher.setAuthTag(Buffer.from(payload.tag, "hex"));
+
+  const plaintext = Buffer.concat([
+    decipher.update(Buffer.from(payload.ciphertext, "hex")),
+    decipher.final(),
+  ]);
+
+  // Cleanup sensitive buffers
+  userKey.fill(0);
+  serverKey.fill(0);
+  finalKey.fill(0);
+
+  return plaintext.toString("utf8");
+}

package/src/pkg/filter-helper.spec.ts

@@ -0,0 +1,105 @@
+import { expect } from "chai";
+
+import { FILTER_OPERATOR } from "../constants";
+import { IFilter } from "../interfaces";
+import { toSimpleMongooseFilter } from "./filter-helper";
+
+describe("filter helper", () => {
+  describe("simple mongoose filter", () => {
+    it("should parse simple equal filters correctly", () => {
+      const filters: IFilter[] = [
+        {
+          field: "name",
+          operator: FILTER_OPERATOR.EQUAL,
+          value: "andy",
+        },
+        {
+          field: "email",
+          operator: FILTER_OPERATOR.EQUAL,
+          value: "andy@gmail.com",
+        },
+      ];
+
+      const parsedFilter = toSimpleMongooseFilter(filters);
+
+      expect(parsedFilter.name).to.be.equal("andy");
+      expect(parsedFilter.email).to.be.equal("andy@gmail.com");
+    });
+
+    it("should parse more complex filters correctly", () => {
+      const filters: IFilter[] = [
+        {
+          field: "name",
+          operator: FILTER_OPERATOR.INS_STARTS_WITH,
+          value: "andy",
+        },
+        {
+          field: "email",
+          operator: FILTER_OPERATOR.INS_ENDS_WITH,
+          value: "andy@gmail.com",
+        },
+        {
+          field: "age",
+          operator: FILTER_OPERATOR.IN,
+          value: [20, 30, 40],
+        },
+      ];
+
+      const parsedFilter = toSimpleMongooseFilter(filters);
+
+      expect(parsedFilter.name).to.be.deep.equal({
+        $regex: "^andy.*$",
+        $options: "i",
+      });
+
+      expect(parsedFilter.email).to.be.deep.equal({
+        $regex: ".*andy@gmail.com$",
+        $options: "i",
+      });
+
+      expect(parsedFilter.age).to.be.deep.equal([20, 30, 40]);
+    });
+
+    it("should parse OR operator correctly", () => {
+      const filters: IFilter[] = [
+        {
+          field: null,
+          operator: FILTER_OPERATOR.OR,
+          value: [
+            {
+              field: "name",
+              operator: FILTER_OPERATOR.EQUAL,
+              value: "andy",
+            },
+            {
+              field: "name",
+              operator: FILTER_OPERATOR.EQUAL,
+              value: "devstic",
+            },
+          ] as IFilter[],
+        },
+        {
+          field: "email",
+          operator: FILTER_OPERATOR.INS_LIKE,
+          value: "andy@gmail.com",
+        },
+      ];
+
+      const parsedFilter = toSimpleMongooseFilter(filters);
+
+      expect(parsedFilter.$or).to.be.deep.equal([
+        {
+          name: "andy",
+        },
+        {
+          name: "devstic",
+        },
+      ]);
+
+      expect(parsedFilter.email).to.be.deep.equal({
+        $regex: ".*andy@gmail.com.*",
+        $options: "i",
+      });
+    });
+  });
+});