n8n-nodes-redactor 3.0.1

package/dist/nodes/PiiRedactor/__tests__/encryption.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/nodes/PiiRedactor/__tests__/encryption.test.js

@@ -0,0 +1,200 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const encryption_1 = require("../encryption");
+const vault_1 = require("../vault");
+describe('Encryption Engine', () => {
+    const testData = '{"sessionId":"test","entries":{},"createdAt":"2026-01-01T00:00:00Z","ttl":3600000}';
+    test('encrypt then decrypt returns original data', () => {
+        const encrypted = (0, encryption_1.encryptVaultData)(testData, 'my-secret-passphrase');
+        const decrypted = (0, encryption_1.decryptVaultData)(encrypted, 'my-secret-passphrase');
+        expect(decrypted).toBe(testData);
+    });
+    test('encrypted data starts with version byte 0x01', () => {
+        const encrypted = (0, encryption_1.encryptVaultData)(testData, 'pass');
+        expect(encrypted[0]).toBe(0x01);
+        expect((0, encryption_1.isEncryptedVault)(encrypted)).toBe(true);
+        expect((0, encryption_1.isPlaintextVault)(encrypted)).toBe(false);
+    });
+    test('plaintext JSON is detected correctly', () => {
+        const plain = Buffer.from(testData, 'utf-8');
+        expect((0, encryption_1.isPlaintextVault)(plain)).toBe(true);
+        expect((0, encryption_1.isEncryptedVault)(plain)).toBe(false);
+    });
+    test('wrong passphrase throws error', () => {
+        const encrypted = (0, encryption_1.encryptVaultData)(testData, 'correct-pass');
+        expect(() => (0, encryption_1.decryptVaultData)(encrypted, 'wrong-pass')).toThrow('decryption failed');
+    });
+    test('tampered ciphertext throws error', () => {
+        const encrypted = (0, encryption_1.encryptVaultData)(testData, 'pass');
+        // Flip a byte in the ciphertext
+        encrypted[encrypted.length - 1] ^= 0xFF;
+        expect(() => (0, encryption_1.decryptVaultData)(encrypted, 'pass')).toThrow();
+    });
+    test('truncated data throws error', () => {
+        const encrypted = (0, encryption_1.encryptVaultData)(testData, 'pass');
+        const truncated = encrypted.subarray(0, 10);
+        expect(() => (0, encryption_1.decryptVaultData)(truncated, 'pass')).toThrow('too short');
+    });
+    test('different passphrases produce different ciphertext', () => {
+        const e1 = (0, encryption_1.encryptVaultData)(testData, 'pass1');
+        const e2 = (0, encryption_1.encryptVaultData)(testData, 'pass2');
+        expect(e1.equals(e2)).toBe(false);
+    });
+    test('same passphrase produces different ciphertext (random IV)', () => {
+        const e1 = (0, encryption_1.encryptVaultData)(testData, 'same-pass');
+        const e2 = (0, encryption_1.encryptVaultData)(testData, 'same-pass');
+        expect(e1.equals(e2)).toBe(false);
+        // But both decrypt to the same data
+        expect((0, encryption_1.decryptVaultData)(e1, 'same-pass')).toBe(testData);
+        expect((0, encryption_1.decryptVaultData)(e2, 'same-pass')).toBe(testData);
+    });
+    test('empty buffer returns false for both checks', () => {
+        expect((0, encryption_1.isEncryptedVault)(Buffer.alloc(0))).toBe(false);
+        expect((0, encryption_1.isPlaintextVault)(Buffer.alloc(0))).toBe(false);
+    });
+});
+describe('FileVault with Encryption', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'vault-enc-test-'));
+    });
+    afterEach(() => {
+        try {
+            fs.rmSync(testDir, { recursive: true, force: true });
+        }
+        catch { /* ignore */ }
+    });
+    test('encrypted vault: save and reload', () => {
+        const vault = new vault_1.FileVault(testDir, 'my-secret');
+        vault.getOrCreateSession('enc-test', 0);
+        vault.addEntry('enc-test', {
+            token: '[EMAIL_0]',
+            original: 'secret@company.com',
+            patternLabel: 'EMAIL',
+            category: 'contact',
+            createdAt: new Date().toISOString(),
+        });
+        vault.save('enc-test');
+        // New vault instance with same passphrase should read it
+        const vault2 = new vault_1.FileVault(testDir, 'my-secret');
+        const session = vault2.getSession('enc-test');
+        expect(session).not.toBeNull();
+        expect(session.entries['[EMAIL_0]'].original).toBe('secret@company.com');
+    });
+    test('wrong passphrase cannot read vault', () => {
+        const vault = new vault_1.FileVault(testDir, 'correct-pass');
+        vault.getOrCreateSession('secure', 0);
+        vault.addEntry('secure', {
+            token: '[SSN_0]',
+            original: '123-45-6789',
+            patternLabel: 'SSN',
+            category: 'identity',
+            createdAt: new Date().toISOString(),
+        });
+        vault.save('secure');
+        // Different passphrase should NOT read the data
+        const vault2 = new vault_1.FileVault(testDir, 'wrong-pass');
+        const session = vault2.getSession('secure');
+        expect(session).toBeNull();
+    });
+    test('no passphrase cannot read encrypted vault', () => {
+        const vault = new vault_1.FileVault(testDir, 'my-secret');
+        vault.getOrCreateSession('protected', 0);
+        vault.save('protected');
+        // No passphrase — cannot read encrypted file
+        const vault2 = new vault_1.FileVault(testDir);
+        const session = vault2.getSession('protected');
+        expect(session).toBeNull();
+    });
+    test('vault without passphrase writes plaintext', () => {
+        const vault = new vault_1.FileVault(testDir);
+        vault.getOrCreateSession('plain', 0);
+        vault.save('plain');
+        // Should be readable without passphrase
+        const vault2 = new vault_1.FileVault(testDir);
+        const session = vault2.getSession('plain');
+        expect(session).not.toBeNull();
+    });
+    test('tenant A cannot read tenant B vault (different passphrases)', () => {
+        // Tenant A
+        const vaultA = new vault_1.FileVault(testDir, 'tenant-A-secret');
+        vaultA.getOrCreateSession('tenant-a-data', 0);
+        vaultA.addEntry('tenant-a-data', {
+            token: '[NAME_0]',
+            original: 'Alice Smith',
+            patternLabel: 'PERSON',
+            category: 'identity',
+            createdAt: new Date().toISOString(),
+        });
+        vaultA.save('tenant-a-data');
+        // Tenant B tries to read Tenant A's vault
+        const vaultB = new vault_1.FileVault(testDir, 'tenant-B-secret');
+        const sessionB = vaultB.getSession('tenant-a-data');
+        // MUST be null — cross-tenant isolation
+        expect(sessionB).toBeNull();
+        // Tenant A can still read their own vault
+        const vaultA2 = new vault_1.FileVault(testDir, 'tenant-A-secret');
+        const sessionA = vaultA2.getSession('tenant-a-data');
+        expect(sessionA).not.toBeNull();
+        expect(sessionA.entries['[NAME_0]'].original).toBe('Alice Smith');
+    });
+    test('encrypted vault file on disk is not human-readable', () => {
+        const vault = new vault_1.FileVault(testDir, 'encrypt-me');
+        vault.getOrCreateSession('secret-session', 0);
+        vault.addEntry('secret-session', {
+            token: '[CC_0]',
+            original: '4532-0151-1283-0366',
+            patternLabel: 'CREDIT_CARD',
+            category: 'financial',
+            createdAt: new Date().toISOString(),
+        });
+        vault.save('secret-session');
+        // Read raw file from disk
+        const files = fs.readdirSync(testDir).filter((f) => f.startsWith('vault_'));
+        expect(files.length).toBe(1);
+        const rawContent = fs.readFileSync(path.join(testDir, files[0]));
+        // Raw content should NOT contain the original PII
+        const asString = rawContent.toString('utf-8');
+        expect(asString).not.toContain('4532-0151-1283-0366');
+        expect(asString).not.toContain('secret-session');
+        expect(asString).not.toContain('CREDIT_CARD');
+        // First byte should be the version marker
+        expect(rawContent[0]).toBe(0x01);
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/engine.test.d.ts

@@ -0,0 +1 @@
+export {};