stegdoc 4.0.0 → 5.0.1

package/src/lib/compression.js

@@ -1,115 +1,177 @@
-const zlib = require('zlib');
-
-/**
- * MIME types that are already compressed - no benefit from additional compression
- */
-const COMPRESSED_MIMES = new Set([
-  // Archives
-  'application/zip',
-  'application/x-7z-compressed',
-  'application/x-rar-compressed',
-  'application/gzip',
-  'application/x-gzip',
-  'application/x-bzip2',
-  'application/x-xz',
-  'application/x-tar',
-  'application/x-lzip',
-  'application/x-lzma',
-  'application/zstd',
-
-  // Images (lossy compressed)
-  'image/jpeg',
-  'image/png',
-  'image/gif',
-  'image/webp',
-  'image/avif',
-  'image/heic',
-  'image/heif',
-  'image/jxl',
-
-  // Audio
-  'audio/mpeg', // mp3
-  'audio/ogg',
-  'audio/flac',
-  'audio/aac',
-  'audio/mp4',
-  'audio/x-m4a',
-  'audio/opus',
-
-  // Video
-  'video/mp4',
-  'video/webm',
-  'video/x-matroska', // mkv
-  'video/quicktime', // mov
-  'video/x-msvideo', // avi
-  'video/mpeg',
-
-  // Documents (OOXML are zip-based)
-  'application/vnd.openxmlformats-officedocument.wordprocessingml.document', // docx
-  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', // xlsx
-  'application/vnd.openxmlformats-officedocument.presentationml.presentation', // pptx
-  'application/pdf',
-  'application/epub+zip',
-]);
-
-/**
- * Check if a file type is already compressed
- * @param {string|null} mime - MIME type from file-type detection
- * @returns {boolean}
- */
-function isCompressedMime(mime) {
-  return mime ? COMPRESSED_MIMES.has(mime) : false;
-}
-
-/**
- * Compress data using gzip
- * @param {Buffer} buffer - Data to compress
- * @returns {Promise<Buffer>} Compressed data
- */
-function compress(buffer) {
-  return new Promise((resolve, reject) => {
-    zlib.gzip(buffer, { level: 9 }, (err, result) => {
-      if (err) reject(err);
-      else resolve(result);
-    });
-  });
-}
-
-/**
- * Decompress gzip data
- * @param {Buffer} buffer - Compressed data
- * @returns {Promise<Buffer>} Decompressed data
- */
-function decompress(buffer) {
-  return new Promise((resolve, reject) => {
-    zlib.gunzip(buffer, (err, result) => {
-      if (err) reject(err);
-      else resolve(result);
-    });
-  });
-}
-
-/**
- * Create a streaming gzip compression transform
- * @returns {zlib.Gzip} Gzip transform stream
- */
-function createCompressStream() {
-  return zlib.createGzip({ level: 9 });
-}
-
-/**
- * Create a streaming gunzip decompression transform
- * @returns {zlib.Gunzip} Gunzip transform stream
- */
-function createDecompressStream() {
-  return zlib.createGunzip();
-}
-
-module.exports = {
-  isCompressedMime,
-  compress,
-  decompress,
-  createCompressStream,
-  createDecompressStream,
-  COMPRESSED_MIMES,
-};
+const zlib = require('zlib');
+
+// ─── Brotli Compression (v5+) ──────────────────────────────────────────────
+
+/**
+ * Compress data using Brotli (best compression, used in v5+)
+ * @param {Buffer} buffer - Data to compress
+ * @returns {Promise<Buffer>} Compressed data
+ */
+function compressBrotli(buffer) {
+  return new Promise((resolve, reject) => {
+    zlib.brotliCompress(buffer, {
+      params: {
+        [zlib.constants.BROTLI_PARAM_QUALITY]: zlib.constants.BROTLI_MAX_QUALITY,
+      },
+    }, (err, result) => {
+      if (err) reject(err);
+      else resolve(result);
+    });
+  });
+}
+
+/**
+ * Decompress Brotli data
+ * @param {Buffer} buffer - Compressed data
+ * @returns {Promise<Buffer>} Decompressed data
+ */
+function decompressBrotli(buffer) {
+  return new Promise((resolve, reject) => {
+    zlib.brotliDecompress(buffer, (err, result) => {
+      if (err) reject(err);
+      else resolve(result);
+    });
+  });
+}
+
+/**
+ * Create a streaming Brotli compression transform
+ * @param {number} [quality] - Compression quality (0-11, default 11)
+ * @returns {zlib.BrotliCompress} Brotli transform stream
+ */
+function createBrotliCompressStream(quality) {
+  const q = quality !== undefined ? quality : zlib.constants.BROTLI_MAX_QUALITY;
+  return zlib.createBrotliCompress({
+    params: {
+      [zlib.constants.BROTLI_PARAM_QUALITY]: q,
+    },
+  });
+}
+
+/**
+ * Create a streaming Brotli decompression transform
+ * @returns {zlib.BrotliDecompress} Brotli transform stream
+ */
+function createBrotliDecompressStream() {
+  return zlib.createBrotliDecompress();
+}
+
+// ─── Gzip Compression (v3/v4 legacy) ───────────────────────────────────────
+
+/**
+ * MIME types that are already compressed - no benefit from additional compression
+ */
+const COMPRESSED_MIMES = new Set([
+  // Archives
+  'application/zip',
+  'application/x-7z-compressed',
+  'application/x-rar-compressed',
+  'application/gzip',
+  'application/x-gzip',
+  'application/x-bzip2',
+  'application/x-xz',
+  'application/x-tar',
+  'application/x-lzip',
+  'application/x-lzma',
+  'application/zstd',
+
+  // Images (lossy compressed)
+  'image/jpeg',
+  'image/png',
+  'image/gif',
+  'image/webp',
+  'image/avif',
+  'image/heic',
+  'image/heif',
+  'image/jxl',
+
+  // Audio
+  'audio/mpeg', // mp3
+  'audio/ogg',
+  'audio/flac',
+  'audio/aac',
+  'audio/mp4',
+  'audio/x-m4a',
+  'audio/opus',
+
+  // Video
+  'video/mp4',
+  'video/webm',
+  'video/x-matroska', // mkv
+  'video/quicktime', // mov
+  'video/x-msvideo', // avi
+  'video/mpeg',
+
+  // Documents (OOXML are zip-based)
+  'application/vnd.openxmlformats-officedocument.wordprocessingml.document', // docx
+  'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet', // xlsx
+  'application/vnd.openxmlformats-officedocument.presentationml.presentation', // pptx
+  'application/pdf',
+  'application/epub+zip',
+]);
+
+/**
+ * Check if a file type is already compressed
+ * @param {string|null} mime - MIME type from file-type detection
+ * @returns {boolean}
+ */
+function isCompressedMime(mime) {
+  return mime ? COMPRESSED_MIMES.has(mime) : false;
+}
+
+/**
+ * Compress data using gzip
+ * @param {Buffer} buffer - Data to compress
+ * @returns {Promise<Buffer>} Compressed data
+ */
+function compress(buffer) {
+  return new Promise((resolve, reject) => {
+    zlib.gzip(buffer, { level: 9 }, (err, result) => {
+      if (err) reject(err);
+      else resolve(result);
+    });
+  });
+}
+
+/**
+ * Decompress gzip data
+ * @param {Buffer} buffer - Compressed data
+ * @returns {Promise<Buffer>} Decompressed data
+ */
+function decompress(buffer) {
+  return new Promise((resolve, reject) => {
+    zlib.gunzip(buffer, (err, result) => {
+      if (err) reject(err);
+      else resolve(result);
+    });
+  });
+}
+
+/**
+ * Create a streaming gzip compression transform
+ * @returns {zlib.Gzip} Gzip transform stream
+ */
+function createCompressStream() {
+  return zlib.createGzip({ level: 9 });
+}
+
+/**
+ * Create a streaming gunzip decompression transform
+ * @returns {zlib.Gunzip} Gunzip transform stream
+ */
+function createDecompressStream() {
+  return zlib.createGunzip();
+}
+
+module.exports = {
+  isCompressedMime,
+  compress,
+  decompress,
+  createCompressStream,
+  createDecompressStream,
+  compressBrotli,
+  decompressBrotli,
+  createBrotliCompressStream,
+  createBrotliDecompressStream,
+  COMPRESSED_MIMES,
+};

package/src/lib/crypto.js

@@ -1,172 +1,172 @@
-const crypto = require('crypto');
-
-// AES-256-GCM Configuration
-const ALGORITHM = 'aes-256-gcm';
-const KEY_LENGTH = 32; // 256 bits
-const IV_LENGTH = 12; // 96 bits (recommended for GCM)
-const SALT_LENGTH = 16; // 128 bits
-const AUTH_TAG_LENGTH = 16; // 128 bits
-const PBKDF2_ITERATIONS = 100000;
-
-/**
- * Derive a key from password using PBKDF2
- * @param {string} password - User password
- * @param {Buffer} salt - Salt for key derivation
- * @returns {Buffer} Derived key
- */
-function deriveKey(password, salt) {
-  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha256');
-}
-
-/**
- * Encrypt plaintext using AES-256-GCM
- * @param {string} plaintext - Data to encrypt
- * @param {string} password - User password
- * @returns {object} { ciphertext, iv, salt, authTag } - all as base64 strings
- */
-function encrypt(plaintext, password) {
-  // Generate random salt and IV
-  const salt = crypto.randomBytes(SALT_LENGTH);
-  const iv = crypto.randomBytes(IV_LENGTH);
-
-  // Derive key from password
-  const key = deriveKey(password, salt);
-
-  // Create cipher and encrypt
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
-    authTagLength: AUTH_TAG_LENGTH,
-  });
-
-  let ciphertext = cipher.update(plaintext, 'utf8', 'base64');
-  ciphertext += cipher.final('base64');
-
-  // Get authentication tag
-  const authTag = cipher.getAuthTag();
-
-  return {
-    ciphertext,
-    iv: iv.toString('base64'),
-    salt: salt.toString('base64'),
-    authTag: authTag.toString('base64'),
-  };
-}
-
-/**
- * Decrypt ciphertext using AES-256-GCM
- * @param {string} ciphertext - Encrypted data (base64)
- * @param {string} password - User password
- * @param {string} ivBase64 - Initialization vector (base64)
- * @param {string} saltBase64 - Salt used for key derivation (base64)
- * @param {string} authTagBase64 - Authentication tag (base64)
- * @returns {string} Decrypted plaintext
- * @throws {Error} If decryption fails (wrong password or tampered data)
- */
-function decrypt(ciphertext, password, ivBase64, saltBase64, authTagBase64) {
-  // Convert from base64
-  const iv = Buffer.from(ivBase64, 'base64');
-  const salt = Buffer.from(saltBase64, 'base64');
-  const authTag = Buffer.from(authTagBase64, 'base64');
-
-  // Derive key from password
-  const key = deriveKey(password, salt);
-
-  // Create decipher
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
-    authTagLength: AUTH_TAG_LENGTH,
-  });
-
-  // Set auth tag for verification
-  decipher.setAuthTag(authTag);
-
-  try {
-    let plaintext = decipher.update(ciphertext, 'base64', 'utf8');
-    plaintext += decipher.final('utf8');
-    return plaintext;
-  } catch (error) {
-    throw new Error('Decryption failed: Invalid password or corrupted data');
-  }
-}
-
-/**
- * Pack encryption metadata into a single string for storage
- * @param {object} encryptionData - { iv, salt, authTag }
- * @returns {string} Packed string (iv:salt:authTag in base64)
- */
-function packEncryptionMeta(encryptionData) {
-  return `${encryptionData.iv}:${encryptionData.salt}:${encryptionData.authTag}`;
-}
-
-/**
- * Unpack encryption metadata from storage string
- * @param {string} packed - Packed string (iv:salt:authTag)
- * @returns {object} { iv, salt, authTag }
- */
-function unpackEncryptionMeta(packed) {
-  const [iv, salt, authTag] = packed.split(':');
-  if (!iv || !salt || !authTag) {
-    throw new Error('Invalid encryption metadata format');
-  }
-  return { iv, salt, authTag };
-}
-
-/**
- * Generate a random salt for key derivation (one per encode session)
- * @returns {Buffer} Random salt
- */
-function generateSalt() {
-  return crypto.randomBytes(SALT_LENGTH);
-}
-
-/**
- * Create a streaming encrypt cipher for per-part encryption.
- * Each call generates a unique IV. The salt should be shared across parts.
- * Call getAuthTag() AFTER the cipher stream has ended (after .final()).
- * @param {string} password - User password
- * @param {Buffer} salt - Salt buffer (shared across parts in a session)
- * @returns {object} { stream, iv, salt, getAuthTag }
- */
-function createEncryptStream(password, salt) {
-  const iv = crypto.randomBytes(IV_LENGTH);
-  const key = deriveKey(password, salt);
-  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
-    authTagLength: AUTH_TAG_LENGTH,
-  });
-  return {
-    stream: cipher,
-    iv: iv.toString('base64'),
-    salt: salt.toString('base64'),
-    getAuthTag: () => cipher.getAuthTag().toString('base64'),
-  };
-}
-
-/**
- * Create a streaming decrypt decipher for per-part decryption.
- * Auth tag is set immediately and verified on .final().
- * @param {string} password - User password
- * @param {string} ivBase64 - IV (base64)
- * @param {string} saltBase64 - Salt (base64)
- * @param {string} authTagBase64 - Auth tag (base64)
- * @returns {crypto.Decipher} Decipher transform stream
- */
-function createDecryptStream(password, ivBase64, saltBase64, authTagBase64) {
-  const iv = Buffer.from(ivBase64, 'base64');
-  const salt = Buffer.from(saltBase64, 'base64');
-  const authTag = Buffer.from(authTagBase64, 'base64');
-  const key = deriveKey(password, salt);
-  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
-    authTagLength: AUTH_TAG_LENGTH,
-  });
-  decipher.setAuthTag(authTag);
-  return decipher;
-}
-
-module.exports = {
-  encrypt,
-  decrypt,
-  deriveKey,
-  packEncryptionMeta,
-  unpackEncryptionMeta,
-  generateSalt,
-  createEncryptStream,
-  createDecryptStream,
-};
+const crypto = require('crypto');
+
+// AES-256-GCM Configuration
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits (recommended for GCM)
+const SALT_LENGTH = 16; // 128 bits
+const AUTH_TAG_LENGTH = 16; // 128 bits
+const PBKDF2_ITERATIONS = 100000;
+
+/**
+ * Derive a key from password using PBKDF2
+ * @param {string} password - User password
+ * @param {Buffer} salt - Salt for key derivation
+ * @returns {Buffer} Derived key
+ */
+function deriveKey(password, salt) {
+  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LENGTH, 'sha256');
+}
+
+/**
+ * Encrypt plaintext using AES-256-GCM
+ * @param {string} plaintext - Data to encrypt
+ * @param {string} password - User password
+ * @returns {object} { ciphertext, iv, salt, authTag } - all as base64 strings
+ */
+function encrypt(plaintext, password) {
+  // Generate random salt and IV
+  const salt = crypto.randomBytes(SALT_LENGTH);
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  // Derive key from password
+  const key = deriveKey(password, salt);
+
+  // Create cipher and encrypt
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  let ciphertext = cipher.update(plaintext, 'utf8', 'base64');
+  ciphertext += cipher.final('base64');
+
+  // Get authentication tag
+  const authTag = cipher.getAuthTag();
+
+  return {
+    ciphertext,
+    iv: iv.toString('base64'),
+    salt: salt.toString('base64'),
+    authTag: authTag.toString('base64'),
+  };
+}
+
+/**
+ * Decrypt ciphertext using AES-256-GCM
+ * @param {string} ciphertext - Encrypted data (base64)
+ * @param {string} password - User password
+ * @param {string} ivBase64 - Initialization vector (base64)
+ * @param {string} saltBase64 - Salt used for key derivation (base64)
+ * @param {string} authTagBase64 - Authentication tag (base64)
+ * @returns {string} Decrypted plaintext
+ * @throws {Error} If decryption fails (wrong password or tampered data)
+ */
+function decrypt(ciphertext, password, ivBase64, saltBase64, authTagBase64) {
+  // Convert from base64
+  const iv = Buffer.from(ivBase64, 'base64');
+  const salt = Buffer.from(saltBase64, 'base64');
+  const authTag = Buffer.from(authTagBase64, 'base64');
+
+  // Derive key from password
+  const key = deriveKey(password, salt);
+
+  // Create decipher
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+
+  // Set auth tag for verification
+  decipher.setAuthTag(authTag);
+
+  try {
+    let plaintext = decipher.update(ciphertext, 'base64', 'utf8');
+    plaintext += decipher.final('utf8');
+    return plaintext;
+  } catch (error) {
+    throw new Error('Decryption failed: Invalid password or corrupted data');
+  }
+}
+
+/**
+ * Pack encryption metadata into a single string for storage
+ * @param {object} encryptionData - { iv, salt, authTag }
+ * @returns {string} Packed string (iv:salt:authTag in base64)
+ */
+function packEncryptionMeta(encryptionData) {
+  return `${encryptionData.iv}:${encryptionData.salt}:${encryptionData.authTag}`;
+}
+
+/**
+ * Unpack encryption metadata from storage string
+ * @param {string} packed - Packed string (iv:salt:authTag)
+ * @returns {object} { iv, salt, authTag }
+ */
+function unpackEncryptionMeta(packed) {
+  const [iv, salt, authTag] = packed.split(':');
+  if (!iv || !salt || !authTag) {
+    throw new Error('Invalid encryption metadata format');
+  }
+  return { iv, salt, authTag };
+}
+
+/**
+ * Generate a random salt for key derivation (one per encode session)
+ * @returns {Buffer} Random salt
+ */
+function generateSalt() {
+  return crypto.randomBytes(SALT_LENGTH);
+}
+
+/**
+ * Create a streaming encrypt cipher for per-part encryption.
+ * Each call generates a unique IV. The salt should be shared across parts.
+ * Call getAuthTag() AFTER the cipher stream has ended (after .final()).
+ * @param {string} password - User password
+ * @param {Buffer} salt - Salt buffer (shared across parts in a session)
+ * @returns {object} { stream, iv, salt, getAuthTag }
+ */
+function createEncryptStream(password, salt) {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const key = deriveKey(password, salt);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  return {
+    stream: cipher,
+    iv: iv.toString('base64'),
+    salt: salt.toString('base64'),
+    getAuthTag: () => cipher.getAuthTag().toString('base64'),
+  };
+}
+
+/**
+ * Create a streaming decrypt decipher for per-part decryption.
+ * Auth tag is set immediately and verified on .final().
+ * @param {string} password - User password
+ * @param {string} ivBase64 - IV (base64)
+ * @param {string} saltBase64 - Salt (base64)
+ * @param {string} authTagBase64 - Auth tag (base64)
+ * @returns {crypto.Decipher} Decipher transform stream
+ */
+function createDecryptStream(password, ivBase64, saltBase64, authTagBase64) {
+  const iv = Buffer.from(ivBase64, 'base64');
+  const salt = Buffer.from(saltBase64, 'base64');
+  const authTag = Buffer.from(authTagBase64, 'base64');
+  const key = deriveKey(password, salt);
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(authTag);
+  return decipher;
+}
+
+module.exports = {
+  encrypt,
+  decrypt,
+  deriveKey,
+  packEncryptionMeta,
+  unpackEncryptionMeta,
+  generateSalt,
+  createEncryptStream,
+  createDecryptStream,
+};