partner_react_native_sdk 0.1.8 → 1.0.1

package/src/helpers/network/APICall.tsx

@@ -2,14 +2,14 @@
 import NetworkManager from './network_manager';
 import { HeaderManager } from '../utils/headerManager';
 
-// import {
-//   generateAESKey,
-//   exportAESKeyBase64,
-//   encryptAESKeyWithRSA,
-//   encryptAES,
-//   decryptAES,
-//   getWebsiteKey,
-// } from './Encryption';
+import {
+  generateAESKey,
+  exportAESKeyBase64,
+  encryptAESKeyWithRSA,
+  encryptAES,
+  decryptAES,
+  getWebsiteKey,
+} from './Encryption';
 
 export class APICall {
   private networkManager: NetworkManager = new NetworkManager();
@@ -24,7 +24,7 @@ export class APICall {
       encrypted?: boolean;
     }
   ): Promise<any> {
-    const { body, headers, encrypted = false } = options || {};
+    const { body, headers, encrypted = true } = options || {};
     try {
       const response = encrypted
         ? await this._callAPIEncrypt(method, apiUrl, body, headers)
@@ -55,96 +55,101 @@ export class APICall {
       headers: mergedHeaders,
     });
   }
-
-  // ----------------- ENCRYPTED CALL -----------------
+  // ----------------- ENCRYPTED CALL (quick-crypto) -----------------
   private async _callAPIEncrypt(
     method: string,
     apiUrl: string,
     body?: Record<string, any>,
     headers?: Record<string, any>
   ): Promise<any> {
-    // 1) Generate ephemeral AES-256 key
-    //   const aesKey = await generateAESKey();
-    //   // 2) Export AES key bytes -> Base64 (for RSA input)
-    //   const aesKeyBase64 = await exportAESKeyBase64(aesKey);
-    //   // 3) Fetch server public key (cached) and RSA-wrap the AES key
-    //   const websiteKey = await getWebsiteKey(); // { kid, public, expiry }
-    //   const rsaEncryptedKey = await encryptAESKeyWithRSA(
-    //     aesKeyBase64,
-    //     websiteKey.public
-    //   );
-    //   // 4) Encrypt payload with AES-GCM -> Base64(IV||CT||TAG)
-    //   const encryptedPayload = await encryptAES(
-    //     JSON.stringify(body ?? {}),
-    //     aesKey
-    //   );
-    //   // 5) Merge headers (stringify all values)
-    //   const baseHeaders = await this.headerManager.generateHeaders();
-    //   const mergedHeaders: Record<string, string> = {
-    //     ...Object.fromEntries(
-    //       Object.entries(baseHeaders).map(([k, v]) => [k, String(v)])
-    //     ),
-    //     ...(headers
-    //       ? Object.fromEntries(
-    //           Object.entries(headers).map(([k, v]) => [k, String(v)])
-    //         )
-    //       : {}),
-    //   };
-    //   // 6) Add encryption headers
-    //   const encryptedHeaders: Record<string, string> = {
-    //     'Content-Type': 'application/json;charset=utf-8',
-    //     'Accept': 'application/json',
-    //     ...mergedHeaders,
-    //     'kid': websiteKey.kid ?? '',
-    //     'key': rsaEncryptedKey ?? '',
-    //   };
-    //   // 7) Make the encrypted request with { encrypted: "<blob>" }
-    //   const response = await this.networkManager.request({
-    //     url: apiUrl,
-    //     method,
-    //     body: { encrypted: encryptedPayload },
-    //     headers: encryptedHeaders,
-    //   });
-    //   // 8) Decrypt response if it has { encrypted }
-    //   const decrypted = await APICall.handleDecryptedResponse(response, aesKey);
-    //   if (decrypted != null) {
-    //     if (response) {
-    //       response.data = decrypted;
-    //     }
-    //   }
-    //   return response;
-    // }
-    // // ----------------- RESPONSE DECRYPT -----------------
-    // static async handleDecryptedResponse(
-    //   response: any,
-    //   aesKey: CryptoKey
-    // ): Promise<Record<string, any> | null> {
-    //   try {
-    //     if (!response) return null;
-    //     const raw = response.data;
-    //     // Accept string or object
-    //     const data: Record<string, any> =
-    //       typeof raw === 'string' ? JSON.parse(raw) : (raw as any);
-    //     if (!data || typeof data !== 'object' || !('encrypted' in data)) {
-    //       // no encrypted field, return null to signal "not decrypted"
-    //       return null;
-    //     }
-    //     const encryptedPayload = String(data.encrypted ?? '');
-    //     if (!encryptedPayload) return null;
-    //     const decryptedJson = await decryptAES(encryptedPayload, aesKey);
-    //     try {
-    //       const obj = JSON.parse(decryptedJson);
-    //       if (obj && typeof obj === 'object') {
-    //         return obj as Record<string, any>;
-    //       }
-    //       return null;
-    //     } catch {
-    //       // decrypted payload wasn't valid JSON
-    //       return null;
-    //     }
-    //   } catch {
-    //     return null;
-    //   }
-    // }
+    // 1) Generate ephemeral AES-256 key (Uint8Array)
+    const aesKey = generateAESKey(); // Uint8Array (32 bytes)
+
+    // 2) Export AES key bytes -> Base64 (for RSA input)
+    const aesKeyBase64 = exportAESKeyBase64(aesKey); // string
+
+    // 3) Fetch server public key (cached) and RSA-wrap the AES key
+    const websiteKey = await getWebsiteKey(); // { kid, public, expiry }
+    const rsaEncryptedKey = encryptAESKeyWithRSA(
+      aesKeyBase64,
+      websiteKey.public
+    ); // string
+
+    // 4) Encrypt payload with AES-GCM -> Base64(IV||CT||TAG)
+    const encryptedPayload = encryptAES(JSON.stringify(body ?? {}), aesKey); // string
+
+    // 5) Merge headers (stringify all values)
+    const baseHeaders = await this.headerManager.generateHeaders();
+    const mergedHeaders: Record<string, string> = {
+      ...Object.fromEntries(
+        Object.entries(baseHeaders).map(([k, v]) => [k, String(v)])
+      ),
+      ...(headers
+        ? Object.fromEntries(
+            Object.entries(headers).map(([k, v]) => [k, String(v)])
+          )
+        : {}),
+    };
+
+    // 6) Add encryption headers
+    const encryptedHeaders: Record<string, string> = {
+      'Content-Type': 'application/json;charset=utf-8',
+      'Accept': 'application/json',
+      ...mergedHeaders,
+      'encryption_kid': websiteKey.kid ?? '',
+      'key': rsaEncryptedKey ?? '',
+    };
+
+    // 7) Make the encrypted request with { encrypted: "<blob>" }
+    const response = await this.networkManager.request({
+      url: apiUrl,
+      method,
+      body: { encrypted: encryptedPayload },
+      headers: encryptedHeaders,
+    });
+
+    // 8) Decrypt response if it has { encrypted }
+    const decrypted = APICall.handleDecryptedResponse(response, aesKey);
+    if (decrypted != null) {
+      response!.data = decrypted;
+    }
+    return response;
+  }
+
+  // ----------------- RESPONSE DECRYPT (quick-crypto) -----------------
+  static handleDecryptedResponse(
+    response: any,
+    aesKey: Uint8Array
+  ): Record<string, any> | null {
+    try {
+      if (!response) return null;
+
+      const raw = response.data;
+      // Accept string or object
+      const data: Record<string, any> =
+        typeof raw === 'string' ? JSON.parse(raw) : (raw as any);
+
+      if (!data || typeof data !== 'object' || !('encrypted' in data)) {
+        // no encrypted field, return null to signal "not decrypted"
+        return null;
+      }
+
+      const encryptedPayload = String(data.encrypted ?? '');
+      if (!encryptedPayload) return null;
+
+      const decryptedJson = decryptAES(encryptedPayload, aesKey); // sync
+
+      try {
+        const obj = JSON.parse(decryptedJson);
+        return obj && typeof obj === 'object'
+          ? (obj as Record<string, any>)
+          : null;
+      } catch {
+        // decrypted payload wasn't valid JSON
+        return null;
+      }
+    } catch {
+      return null;
+    }
   }
 }

package/src/helpers/network/Encryption.tsx

@@ -1,239 +1,179 @@
-// // Encryption.tsx
-// // Tested with RN 0.73+.
-
-// import AsyncStorage from '@react-native-async-storage/async-storage';
-// import { v4 as uuidv4 } from 'uuid';
-// import * as base64js from 'base64-js';
-// import { ServiceNames } from '../ServiceNames';
-
-// type WebsiteKey = {
-//   kid: string;
-//   public: string; // PEM
-//   expiry: string; // ISO8601
-// };
-
-// const KEY_WEB = 'KEY_WEB';
-// const KEY_WEB_EXPIRY = 'KEY_WEB_EXPIRY';
-
-// const GCM_NONCE_LEN = 12; // 12-byte IV
-// const GCM_TAG_LEN = 16; // 16-byte auth tag
-// const AES_KEY_LEN = 256; // bits
-
-// // ---------- Base64 helpers ----------
-// const bytesToB64 = (bytes: Uint8Array): string => base64js.fromByteArray(bytes);
-
-// const b64ToBytes = (b64: string): Uint8Array => base64js.toByteArray(b64);
-
-// // ---------- UTF-8 helpers ----------
-// const utf8Encode = (s: string): Uint8Array => new TextEncoder().encode(s);
-
-// const utf8Decode = (bytes: Uint8Array): string =>
-//   new TextDecoder().decode(bytes);
-
-// // ---------- AES-256-GCM ----------
-
-// /** Generate a random AES-256-GCM CryptoKey (extractable for raw export). */
-// export async function generateAESKey(): Promise<CryptoKey> {
-//   return await crypto.subtle.generateKey(
-//     { name: 'AES-GCM', length: AES_KEY_LEN },
-//     true, // extractable to raw for Base64 export
-//     ['encrypt', 'decrypt']
-//   );
-// }
-
-// /** Export AES key bytes → Base64 (to match your RSA input). */
-// export async function exportAESKeyBase64(key: CryptoKey): Promise<string> {
-//   const raw = new Uint8Array(await crypto.subtle.exportKey('raw', key));
-//   return bytesToB64(raw);
-// }
-
-// /**
-//  * Encrypt plaintext with AES-GCM and return Base64( IV || ciphertext || tag )
-//  * Exactly matches your Flutter packing:
-//  * - IV: 12 bytes
-//  * - SubtleCrypto returns ciphertext||tag; we prepend IV and then Base64 the whole blob.
-//  */
-// export async function encryptAES(
-//   plaintext: string,
-//   key: CryptoKey
-// ): Promise<string> {
-//   const iv = crypto.getRandomValues(new Uint8Array(GCM_NONCE_LEN));
-//   const ptBytes = utf8Encode(plaintext);
-
-//   const ctWithTag = new Uint8Array(
-//     await crypto.subtle.encrypt(
-//       { name: 'AES-GCM', iv }, // 96-bit nonce
-//       key,
-//       ptBytes
-//     )
-//   );
-//   // Pack IV || (ciphertext||tag)
-//   const out = new Uint8Array(iv.length + ctWithTag.length);
-//   out.set(iv, 0);
-//   out.set(ctWithTag, iv.length);
-//   return bytesToB64(out);
-// }
-
-// /**
-//  * Decrypt Base64( IV || ciphertext || tag ) to plaintext.
-//  * Splits IV (12), tag (16) and feeds ciphertext||tag to AES-GCM.
-//  */
-// export async function decryptAES(
-//   b64Data: string,
-//   key: CryptoKey
-// ): Promise<string> {
-//   const data = b64ToBytes(b64Data);
-//   if (data.length < GCM_NONCE_LEN + GCM_TAG_LEN + 1) {
-//     throw new Error('Invalid GCM payload length');
-//   }
-//   const iv = data.slice(0, GCM_NONCE_LEN);
-//   const ctPlusTag = data.slice(GCM_NONCE_LEN); // subtle needs ciphertext||tag
-//   const pt = new Uint8Array(
-//     await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ctPlusTag)
-//   );
-//   return utf8Decode(pt);
-// }
-
-// // ---------- RSA-OAEP (SHA-256) ----------
-
-// /** Parse PEM public key and import as CryptoKey (RSA-OAEP with SHA-256). */
-// async function importRsaPublicKeyFromPem(pem: string): Promise<CryptoKey> {
-//   // Tolerate PEMs with/without headers
-//   const clean = pem
-//     .replace(/-----BEGIN PUBLIC KEY-----/g, '')
-//     .replace(/-----END PUBLIC KEY-----/g, '')
-//     .replace(/\s+/g, '');
-//   const der = b64ToBytes(clean);
-//   return await crypto.subtle.importKey(
-//     'spki',
-//     der,
-//     { name: 'RSA-OAEP', hash: 'SHA-256' },
-//     false,
-//     ['encrypt']
-//   );
-// }
-
-// /**
-//  * RSA-OAEP(SHA-256) encrypts the UTF-8 bytes of the **Base64(AES key)** string.
-//  * Returns Base64 ciphertext.
-//  */
-// export async function encryptAESKeyWithRSA(
-//   aesKeyBase64: string,
-//   publicKeyPem: string
-// ): Promise<string> {
-//   const pub = await importRsaPublicKeyFromPem(publicKeyPem);
-//   const data = utf8Encode(aesKeyBase64);
-//   const enc = new Uint8Array(
-//     await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, pub, data)
-//   );
-//   return bytesToB64(enc);
-// }
-
-// // ---------- Website key fetch / cache ----------
-
-// /**
-//  * Fetches & caches the server public key.
-//  * Accepts two shapes (same as your Flutter):
-//  *  A) { "<kid>": { kid, public, expiry } }
-//  *  B) { kid, public, expiry }
-//  */
-// export async function getWebsiteKey(): Promise<WebsiteKey> {
-//   const cachedJson = await AsyncStorage.getItem(KEY_WEB);
-//   const cachedExpiry = await AsyncStorage.getItem(KEY_WEB_EXPIRY);
-
-//   if (cachedJson && cachedExpiry) {
-//     try {
-//       const expiry = new Date(cachedExpiry);
-//       if (new Date() < expiry) {
-//         return JSON.parse(cachedJson) as WebsiteKey;
-//       }
-//     } catch {
-//       // ignore and refetch
-//     }
-//   }
-//   const txnId = uuidv4();
-//   const resp = await fetch(ServiceNames.WEBSITE_KEYS, {
-//     method: 'GET',
-//     headers: {
-//       'X-Txn-ID': txnId,
-//     },
-//   });
-
-//   if (!resp.ok) {
-//     throw new Error(`Website keys fetch failed: ${resp.status}`);
-//   }
-//   const raw = await resp.json();
-//   console.log('Fetched website key', { txnId, raw });
-
-//   let obj: any;
-//   if (
-//     raw &&
-//     typeof raw === 'object' &&
-//     !(
-//       Object.prototype.hasOwnProperty.call(raw, 'kid') &&
-//       (Object.prototype.hasOwnProperty.call(raw, 'public') ||
-//         Object.prototype.hasOwnProperty.call(raw, 'public_key'))
-//     )
-//   ) {
-//     // Assume single-entry map keyed by KID
-//     const values = Object.values(raw);
-//     if (!values.length || typeof values[0] !== 'object') {
-//       throw new Error('Unexpected keyset response shape');
-//     }
-//     obj = values[0];
-//   } else {
-//     obj = raw;
-//   }
-
-//   const kid: string | undefined = obj.kid ?? obj.KID;
-//   const publicKey: string | undefined = obj.public ?? obj.public_key;
-//   const expiry: string | undefined = obj.expiry ?? obj.exp ?? obj.expiresAt;
-
-//   if (!kid || !publicKey || !expiry) {
-//     throw new Error('Missing kid/public/expiry in website key response');
-//   }
-
-//   const normalized: WebsiteKey = { kid, public: publicKey, expiry };
-
-//   await AsyncStorage.setItem(KEY_WEB, JSON.stringify(normalized));
-//   await AsyncStorage.setItem(KEY_WEB_EXPIRY, expiry);
-
-//   return normalized;
-// }
-
-// // ---------- Optional: Hybrid helpers (one-liners) ----------
-
-// export type HybridEnvelope = {
-//   kid: string;
-//   rsaWrappedAESKey: string; // Base64 RSA(OAEP) of Base64(AES key)
-//   cipherData: string; // Base64( IV || ciphertext || tag )
-// };
-
-// export async function encryptHybrid(
-//   plaintext: string
-// ): Promise<HybridEnvelope> {
-//   // 1) fetch server key
-//   const { kid, public: publicPem } = await getWebsiteKey();
-
-//   // 2) generate AES key & encrypt data
-//   const aesKey = await generateAESKey();
-//   const cipherData = await encryptAES(plaintext, aesKey);
-
-//   // 3) export AES key to Base64 and RSA-wrap it
-//   const aesKeyB64 = await exportAESKeyBase64(aesKey);
-//   const rsaWrappedAESKey = await encryptAESKeyWithRSA(aesKeyB64, publicPem);
-
-//   return { kid, rsaWrappedAESKey, cipherData };
-// }
-
-// /**
-//  * Decrypt using an already-imported AES key (symmetric path).
-//  * Use this for local decrypts (e.g., testing) or when the server sends you encrypted data
-//  * and you already have the AES key.
-//  */
-// export async function decryptHybridLocal(
-//   cipherData: string,
-//   aesKey: CryptoKey
-// ): Promise<string> {
-//   return await decryptAES(cipherData, aesKey);
-// }
+// Encryption.ts
+import AsyncStorage from '@react-native-async-storage/async-storage';
+import { v4 as uuidv4 } from 'uuid';
+import * as base64js from 'base64-js';
+import { ServiceNames } from '../ServiceNames';
+
+import crypto from 'react-native-quick-crypto';
+import { Buffer } from '@craftzdog/react-native-buffer';
+
+const {
+  randomBytes,
+  createCipheriv,
+  createDecipheriv,
+  publicEncrypt,
+  constants,
+  createPublicKey,
+} = crypto;
+
+type WebsiteKey = { kid: string; public: string; expiry: string };
+
+const KEY_WEB = 'KEY_WEB';
+const KEY_WEB_EXPIRY = 'KEY_WEB_EXPIRY';
+const GCM_NONCE_LEN = 12; // 12-byte IV
+const GCM_TAG_LEN = 16; // 16-byte tag
+const AES_KEY_LEN_BYTES = 32; // 256 bits
+
+// --- small utils ---
+const bytesToB64 = (u8: Uint8Array) => base64js.fromByteArray(u8);
+const b64ToBytes = (b64: string) => base64js.toByteArray(b64);
+
+// ---------- AES-256-GCM ----------
+
+/** Generate random 32-byte AES key */
+export function generateAESKey(): Uint8Array {
+  return new Uint8Array(randomBytes(AES_KEY_LEN_BYTES));
+}
+
+/** Export AES key bytes -> Base64 (for RSA input) */
+export function exportAESKeyBase64(keyBytes: Uint8Array): string {
+  return bytesToB64(keyBytes);
+}
+
+/** Encrypt plaintext -> Base64( IV || ciphertext || tag ) */
+export function encryptAES(plaintext: string, keyBytes: Uint8Array): string {
+  const iv = new Uint8Array(randomBytes(GCM_NONCE_LEN));
+  const cipher = createCipheriv(
+    'aes-256-gcm',
+    Buffer.from(keyBytes),
+    Buffer.from(iv)
+  );
+
+  const ct1 = cipher.update(plaintext, 'utf8');
+  const ct2 = cipher.final();
+  const ciphertext = Buffer.concat([ct1, ct2]);
+
+  const tag = cipher.getAuthTag(); // 16 bytes
+
+  const out = new Uint8Array(iv.length + ciphertext.length + tag.length);
+  out.set(iv, 0);
+  out.set(ciphertext, iv.length);
+  out.set(tag, iv.length + ciphertext.length);
+
+  return bytesToB64(out);
+}
+
+/** Decrypt Base64( IV || ciphertext || tag ) -> plaintext */
+export function decryptAES(b64Data: string, keyBytes: Uint8Array): string {
+  const data = b64ToBytes(b64Data);
+  if (data.length < GCM_NONCE_LEN + GCM_TAG_LEN + 1) {
+    throw new Error('Invalid GCM payload length');
+  }
+  const iv = data.slice(0, GCM_NONCE_LEN);
+  const tag = data.slice(data.length - GCM_TAG_LEN);
+  const ct = data.slice(GCM_NONCE_LEN, data.length - GCM_TAG_LEN);
+
+  const decipher = createDecipheriv(
+    'aes-256-gcm',
+    Buffer.from(keyBytes),
+    Buffer.from(iv)
+  );
+  decipher.setAuthTag(Buffer.from(tag));
+
+  const pt1 = decipher.update(Buffer.from(ct));
+  const pt2 = decipher.final();
+  return Buffer.concat([pt1, pt2]).toString('utf8');
+}
+
+// ---------- RSA-OAEP (SHA-256) ----------
+
+/** RSA-OAEP(SHA-256) encrypt UTF-8 bytes of Base64(AES key) -> Base64 ciphertext */
+export function encryptAESKeyWithRSA(
+  aesKeyBase64: string,
+  publicKeyPem: string
+): string {
+  const buf = Buffer.from(aesKeyBase64, 'utf8');
+  const enc = publicEncrypt(
+    {
+      key: publicKeyPem,
+      padding: constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: 'sha256',
+    },
+    buf
+  );
+  return enc.toString('base64');
+}
+
+// ---------- Website key fetch / cache ----------
+
+export async function getWebsiteKey(): Promise<WebsiteKey> {
+  // const cachedJson = await AsyncStorage.getItem(KEY_WEB);
+  // const cachedExpiry = await AsyncStorage.getItem(KEY_WEB_EXPIRY);
+  // if (cachedJson && cachedExpiry) {
+  //   try {
+  //     if (new Date() < new Date(cachedExpiry)) {
+  //       return JSON.parse(cachedJson) as WebsiteKey;
+  //     }
+  //   } catch {
+  //     /* ignore */
+  //   }
+  // }
+
+  // const txnId = uuidv4();
+  const resp = await fetch(ServiceNames.WEBSITE_KEYS, {
+    method: 'GET',
+    // headers: { 'X-Txn-ID': txnId },
+  });
+  if (!resp.ok) throw new Error(`Website keys fetch failed: ${resp.status}`);
+
+  const raw = await resp.json();
+  console.log('Website keys response:', raw);
+  let obj: any;
+  if (
+    raw &&
+    typeof raw === 'object' &&
+    !(
+      Object.prototype.hasOwnProperty.call(raw, 'kid') &&
+      (Object.prototype.hasOwnProperty.call(raw, 'public') ||
+        Object.prototype.hasOwnProperty.call(raw, 'public_key'))
+    )
+  ) {
+    const values = Object.values(raw);
+    if (!values.length || typeof values[0] !== 'object') {
+      throw new Error('Unexpected keyset response shape');
+    }
+    obj = values[0];
+  } else {
+    obj = raw;
+  }
+
+  const kid: string | undefined = obj.kid ?? obj.KID;
+  const publicKey: string | undefined = obj.public ?? obj.public_key;
+  const expiry: string | undefined = obj.expiry ?? obj.exp ?? obj.expiresAt;
+  if (!kid || !publicKey || !expiry)
+    throw new Error('Missing kid/public/expiry');
+
+  const normalized: WebsiteKey = { kid, public: publicKey, expiry };
+  await AsyncStorage.setItem(KEY_WEB, JSON.stringify(normalized));
+  await AsyncStorage.setItem(KEY_WEB_EXPIRY, expiry);
+  return normalized;
+}
+
+// ---------- Optional: one-liners ----------
+
+export type HybridEnvelope = {
+  kid: string;
+  rsaWrappedAESKey: string; // Base64 RSA(OAEP) of Base64(AES key)
+  cipherData: string; // Base64( IV || ciphertext || tag )
+};
+
+export async function encryptHybrid(
+  plaintext: string
+): Promise<HybridEnvelope> {
+  const { kid, public: publicPem } = await getWebsiteKey();
+  const aesKey = generateAESKey();
+  const cipherData = encryptAES(plaintext, aesKey);
+  const aesKeyB64 = exportAESKeyBase64(aesKey);
+  const rsaWrappedAESKey = encryptAESKeyWithRSA(aesKeyB64, publicPem);
+  return { kid, rsaWrappedAESKey, cipherData };
+}