timebasedcipher 3.0.1 → 3.0.3

package/README.md

@@ -1,187 +1,147 @@
 # timebasedcipher
 
-A lightweight, isomorphic (**Node + Browser**) library for **time-based rotating AES encryption with integrity protection**.
+A lightweight, isomorphic (**Node.js 18+ and modern browsers**) library
+for **time-based rotating AES-256-GCM encryption with integrity
+validation**.
 
-Built with [`crypto-js`](https://www.npmjs.com/package/crypto-js), this package provides:
+This implementation uses the **Web Crypto API** and provides:
 
-- **Time-based rotating AES-256 keys**
-- **AES-256-CBC encryption**
-  -️ **HMAC-SHA256 integrity & tamper detection**
-- **Application-level domain separation (`appName`)**
-- Works in **Node.js and browser environments**
+- Time-based rotating AES-256 keys derived using HKDF-SHA256
+- Authenticated encryption using AES-256-GCM
+- Encrypted signature validation
+- Works in both Node.js (v18+) and modern browser environments
+- No external crypto dependencies
 
 ---
 
 ## Installation
 
 ```bash
-npm install timebasedcipher crypto-js
+npm install timebasedcipher
 # or
-yarn add timebasedcipher crypto-js
+yarn add timebasedcipher
 # or
-pnpm add timebasedcipher crypto-js
+pnpm add timebasedcipher
 ```
 
+Node.js 18+ is required for native Web Crypto support.
+
 ---
 
 ## Quick Start
 
 ```ts
-import { generateKey, encrypt, decrypt } from "timebasedcipher";
+import { encrypt, decrypt } from "timebasedcipher";
 
-const sharedSecret = "mySuperSecret";
+const secret = "mySuperSecret";
 const intervalSeconds = 60; // key rotates every 60 seconds
 
-// Generate a rotating key
-const key = generateKey(sharedSecret, intervalSeconds);
+const data = { user: "TestUser", role: "admin", timestamp: Date.now() };
 
-// Encrypt data
-const data = { user: "Deb", role: "admin", timestamp: Date.now() };
-const cipher = encrypt(data, key);
+// Encrypt
+const cipher = await encrypt(data, secret, intervalSeconds);
 
-// Decrypt data
-const decrypted = decrypt(cipher, key);
+// Decrypt
+const decrypted = await decrypt(cipher, secret, intervalSeconds);
 
 console.log(decrypted);
 ```
 
-Works seamlessly in both **Node.js** and **browser** environments.
-
 ---
 
-## Function Reference
-
----
-
-### `generateKey(sharedSecretOrJwt: string, interval: number): string`
-
-Generates a **SHA-256–derived rotating key** that changes every `interval` seconds.
-
-- The input can be a **shared secret** or a **JWT string**
-- JWTs are treated as **opaque entropy**
-- **JWT validation (exp, signature)** is expected to be handled upstream
-
-#### Parameters
-
-| Name                | Type     | Description                   |
-| ------------------- | -------- | ----------------------------- |
-| `sharedSecretOrJwt` | `string` | A shared secret or JWT string |
-| `interval`          | `number` | Rotation interval in seconds  |
-
-#### Returns
-
-- `string` — 64-character hex string (32-byte AES-256 key)
-
-#### Key Derivation
-
-```text
-SHA256(`${secretInput}:${timeSlot}`)
-```
+## API Reference
 
-Where:
+### encrypt`<T>`{=html}(data: T, secret: string, intervalSeconds: number): Promise`<string>`{=html}
 
-```text
-timeSlot = floor(Date.now() / (interval * 1000) + 1000)
-```
+Encrypts JSON-serializable data using a time-rotating AES-256-GCM key.
 
 ---
 
-### `encrypt(data: any, encryptionKeyHex: string, appName?: string): string`
+| Name              | Type     | Description                           |
+| ----------------- | -------- | ------------------------------------- |
+| `data`            | `any`    | JSON-serializable value               |
+| `secret`          | `string` | Shared secret used for key derivation |
+| `intervalSeconds` | `number` | Key rotation interval in seconds      |
 
-Encrypts data using **AES-256-CBC** and appends an **HMAC-SHA256** for integrity.
+---
 
-#### Parameters
+**Returns**
 
-| Name                   | Type     | Description                        |
-| ---------------------- | -------- | ---------------------------------- |
-| `data`                 | `any`    | Any JSON-serializable value        |
-| `encryptionKeyHex`     | `string` | 64-char hex key from `generateKey` |
-| `appName` _(optional)_ | `string` | Application context                |
+`Promise<string>` --- Ciphertext string.
 
-#### Returns
+---
 
-A ciphertext string in the format:
+### decrypt`<T>`{=html}(payload: string, secret: string, intervalSeconds: number): Promise`<T>`{=html}
 
-```text
-cipherHex:ivHex:hmacHex
-```
+Decrypts and validates ciphertext produced by `encrypt`.
 
 ---
 
-### `decrypt(cipherText: string, encryptionKeyHex: string, appName?: string): any`
-
-Decrypts and verifies ciphertext produced by `encrypt`.
-
-#### Parameters
+| Name              | Type     | Description                               |
+| ----------------- | -------- | ----------------------------------------- |
+| `payload`         | `string` | Encrypted string (`sigCipher:iv:data:iv`) |
+| `secret`          | `string` | Same shared secret used during encryption |
+| `intervalSeconds` | `number` | Same rotation interval used during        |
 
-| Name                   | Type     | Description                                  |
-| ---------------------- | -------- | -------------------------------------------- |
-| `cipherText`           | `string` | Encrypted string (`cipherHex:ivHex:hmacHex`) |
-| `encryptionKeyHex`     | `string` | Same key used during encryption              |
-| `appName` _(optional)_ | `string` | Must match encryption appName                |
+---
 
-#### Returns
+**Returns**
 
-- Original decrypted JavaScript value (parsed from JSON)
+`Promise<T>` --- Decrypted JavaScript value.
 
-#### Throws
+**Throws**
 
 - `Error("Invalid cipher format")`
-- `Error("Invalid HMAC: ciphertext may be tampered")`
-- `Error("Unable to decrypt")`
+- `Error("Invalid signature")`
+- Decryption errors if authentication fails
 
 ---
 
-## Application Context (`appName`)
-
-`appName` provides **cryptographic domain separation**.
+## Key Derivation
 
-- Prevents ciphertexts from being reused across apps
-- Prevents MAC key reuse
+Keys are derived using:
 
-### Example
+- HKDF with SHA-256
+- Salt = current time slot
+- Info = "time-based-encryption"
 
-```ts
-const key = generateKey(secret, 60);
+Time slot calculation:
 
-const cipher = encrypt(data, key, "billing-service");
-const plain = decrypt(cipher, key, "billing-service");
-```
+    timeSlot = floor(Date.now() / (intervalSeconds * 1000))
 
-Using a different `appName` will **fail decryption**.
+A new encryption key is automatically derived for each time window.
 
 ---
 
-## Browser + Node Compatibility
+## Security Model
 
-| Environment     | Supported | Notes                      |
-| --------------- | --------- | -------------------------- |
-| Node.js         | ✅        | Uses `crypto-js`           |
-| Browser         | ✅        | Fully supported            |
-| React / Next.js | ✅        | Works client & server-side |
+- Uses AES-256-GCM (authenticated encryption)
+- Provides built-in integrity and tamper detection
+- Includes encrypted signature validation
+- No manual HMAC required (GCM provides authentication)
+- Requires loosely synchronized clocks between encrypting and
+  decrypting systems
 
 ---
 
-## Security Notes
+## Environment Support
 
-- Uses **Encrypt-then-MAC** (AES + HMAC) — secure against tampering
-- `appName` ensures **cross-application isolation**
-- JWTs are treated as entropy only — **authentication must happen elsewhere**
-- Do **not** embed secrets in frontend code
-- Requires roughly synchronized clocks
+| Name              | Supported |
+| ----------------- | --------- |
+| `Node.js 18+`     | Yes       |
+| `Modern Browsers` | Yes       |
+| `React / Next.js` | Yes       |
 
 ---
 
 ## Requirements
 
-- Node.js ≥ 14 or modern browser
-- `crypto-js` dependency
+- Node.js 18+ or modern browser with Web Crypto API
+- No external cryptography libraries required
 
 ---
 
 ## License
 
-MIT License © 2026
-[**Deb Kalyan Mohanty**](https://github.com/debkalyanmohanty)
-
----
+MIT License © 2026\
+[Deb Kalyan Mohanty](https://github.com/debkalyanmohanty)

package/dist/cipher.d.ts

@@ -0,0 +1,81 @@
+import { RuntimeEnv } from "./cryptoProvider";
+/**
+ * Options controlling encryption and decryption behavior.
+ */
+export interface CipherOptions {
+    /**
+     * Runtime environment override.
+     *
+     * @default "auto"
+     *
+     * @example
+     * encrypt(data, secret, 60, { env: "node" })
+     */
+    env?: RuntimeEnv;
+    /**
+     * Token expiration time in seconds.
+     * Defaults to intervalSeconds if not provided.
+     *
+     * @example
+     * encrypt(data, secret, 60, { ttlSeconds: 300 })
+     */
+    ttlSeconds?: number;
+    /**
+     * Allowed clock drift tolerance in seconds.
+     *
+     * @default 30
+     *
+     * @example
+     * decrypt(token, secret, 60, { clockToleranceSeconds: 60 })
+     */
+    clockToleranceSeconds?: number;
+    /**
+     * Custom signature used to validate token purpose/domain.
+     *
+     * @example
+     * encrypt(data, secret, 60, { signature: "auth-session" })
+     */
+    signature?: string;
+}
+/**
+ * Encrypts JSON data into a secure token.
+ *
+ * @template T
+ * @param data Data to encrypt
+ * @param secret Shared secret
+ * @param intervalSeconds Key rotation interval
+ * @param options Optional settings
+ *
+ * @returns Secure encrypted token
+ *
+ * @example
+ * const token = await encrypt(
+ *   { userId: 1 },
+ *   "super-secret",
+ *   60,
+ *   { signature: "auth-session", ttlSeconds: 300 }
+ * )
+ */
+export declare function encrypt<T>(data: T, secret: string, intervalSeconds: number, options?: CipherOptions): Promise<string>;
+/**
+ * Decrypts a token and validates signature, expiration, and replay.
+ *
+ * @template T
+ * @param token Encrypted token
+ * @param secret Shared secret
+ * @param intervalSeconds Rotation interval
+ * @param options Validation options
+ *
+ * @returns Decrypted data
+ *
+ * @throws Error if token invalid, expired, replayed, or signature mismatch
+ *
+ * @example
+ * const data = await decrypt(
+ *   token,
+ *   "super-secret",
+ *   60,
+ *   { signature: "auth-session" }
+ * )
+ */
+export declare function decrypt<T>(token: string, secret: string, intervalSeconds: number, options?: CipherOptions): Promise<T>;

package/dist/cipher.js

@@ -0,0 +1,174 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+const cryptoProvider_1 = require("./cryptoProvider");
+const encoder = new TextEncoder();
+const decoder = new TextDecoder();
+/**
+ * Converts ArrayBuffer → Base64URL string.
+ *
+ * @example
+ * const encoded = b64url(buffer)
+ */
+function b64url(buffer) {
+    return Buffer.from(buffer)
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+/**
+ * Converts Base64URL → ArrayBuffer.
+ *
+ * @example
+ * const buffer = fromB64url(encoded)
+ */
+function fromB64url(str) {
+    const pad = str.length % 4 ? "=".repeat(4 - (str.length % 4)) : "";
+    const base64 = str.replace(/-/g, "+").replace(/_/g, "/") + pad;
+    return Uint8Array.from(Buffer.from(base64, "base64")).buffer;
+}
+/**
+ * Cache for derived keys to improve performance.
+ */
+const keyCache = new Map();
+/**
+ * Derives AES-256-GCM key using HKDF.
+ *
+ * @param cryptoObj Web Crypto instance
+ * @param secret Shared secret
+ * @param timeSlot Rotation slot
+ *
+ * @example
+ * const key = await deriveKey(crypto, "secret", 12345)
+ */
+async function deriveKey(cryptoObj, secret, timeSlot) {
+    const cacheKey = `${secret}:${timeSlot}`;
+    if (keyCache.has(cacheKey))
+        return keyCache.get(cacheKey);
+    const baseKey = await cryptoObj.subtle.importKey("raw", encoder.encode(secret), { name: "HKDF" }, false, ["deriveKey"]);
+    const key = await cryptoObj.subtle.deriveKey({
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: encoder.encode(String(timeSlot)),
+        info: encoder.encode("time-based-encryption"),
+    }, baseKey, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
+    keyCache.set(cacheKey, key);
+    if (keyCache.size > 50)
+        keyCache.clear();
+    return key;
+}
+/**
+ * In-memory nonce store for replay protection.
+ */
+const nonceStore = new Set();
+/**
+ * Validates nonce uniqueness.
+ *
+ * @throws Error if nonce already used
+ */
+function checkReplay(nonce) {
+    if (nonceStore.has(nonce)) {
+        throw new Error("Replay attack detected");
+    }
+    nonceStore.add(nonce);
+    if (nonceStore.size > 1000)
+        nonceStore.clear();
+}
+/**
+ * Encrypts JSON data into a secure token.
+ *
+ * @template T
+ * @param data Data to encrypt
+ * @param secret Shared secret
+ * @param intervalSeconds Key rotation interval
+ * @param options Optional settings
+ *
+ * @returns Secure encrypted token
+ *
+ * @example
+ * const token = await encrypt(
+ *   { userId: 1 },
+ *   "super-secret",
+ *   60,
+ *   { signature: "auth-session", ttlSeconds: 300 }
+ * )
+ */
+async function encrypt(data, secret, intervalSeconds, options = {}) {
+    var _a, _b;
+    const cryptoObj = await (0, cryptoProvider_1.getCrypto)(options.env);
+    const now = Math.floor(Date.now() / 1000);
+    const ttl = (_a = options.ttlSeconds) !== null && _a !== void 0 ? _a : intervalSeconds;
+    const signature = (_b = options.signature) !== null && _b !== void 0 ? _b : "default-signature";
+    const payload = {
+        sig: signature,
+        iat: now,
+        exp: now + ttl,
+        nonce: cryptoObj.randomUUID(),
+        data,
+    };
+    const timeSlot = Math.floor(now / intervalSeconds);
+    const key = await deriveKey(cryptoObj, secret, timeSlot);
+    const iv = cryptoObj.getRandomValues(new Uint8Array(12));
+    const cipher = await cryptoObj.subtle.encrypt({ name: "AES-GCM", iv }, key, encoder.encode(JSON.stringify(payload)));
+    return `v1.${b64url(cipher)}.${b64url(iv.buffer)}`;
+}
+/**
+ * Decrypts a token and validates signature, expiration, and replay.
+ *
+ * @template T
+ * @param token Encrypted token
+ * @param secret Shared secret
+ * @param intervalSeconds Rotation interval
+ * @param options Validation options
+ *
+ * @returns Decrypted data
+ *
+ * @throws Error if token invalid, expired, replayed, or signature mismatch
+ *
+ * @example
+ * const data = await decrypt(
+ *   token,
+ *   "super-secret",
+ *   60,
+ *   { signature: "auth-session" }
+ * )
+ */
+async function decrypt(token, secret, intervalSeconds, options = {}) {
+    var _a, _b;
+    const cryptoObj = await (0, cryptoProvider_1.getCrypto)(options.env);
+    const expectedSignature = (_a = options.signature) !== null && _a !== void 0 ? _a : "default-signature";
+    const [version, cipherB64, ivB64] = token.split(".");
+    if (version !== "v1")
+        throw new Error("Unsupported token version");
+    const iv = fromB64url(ivB64);
+    const cipher = fromB64url(cipherB64);
+    const now = Math.floor(Date.now() / 1000);
+    const tolerance = (_b = options.clockToleranceSeconds) !== null && _b !== void 0 ? _b : 30;
+    const timeSlots = [
+        Math.floor(now / intervalSeconds),
+        Math.floor((now - tolerance) / intervalSeconds),
+        Math.floor((now + tolerance) / intervalSeconds),
+    ];
+    let payload = null;
+    for (const slot of timeSlots) {
+        try {
+            const key = await deriveKey(cryptoObj, secret, slot);
+            const plain = await cryptoObj.subtle.decrypt({ name: "AES-GCM", iv }, key, cipher);
+            payload = JSON.parse(decoder.decode(plain));
+            break;
+        }
+        catch { }
+    }
+    if (!payload)
+        throw new Error("Unable to decrypt token");
+    if (payload.sig !== expectedSignature) {
+        throw new Error("Invalid token signature");
+    }
+    if (payload.exp + tolerance < now) {
+        throw new Error("Token expired");
+    }
+    checkReplay(payload.nonce);
+    return payload.data;
+}

package/dist/cryptoProvider.d.ts

@@ -0,0 +1,8 @@
+export type RuntimeEnv = "auto" | "browser" | "node";
+/**
+ * Returns a Web Crypto compatible Crypto object depending on runtime.
+ *
+ * - Browser → window.crypto
+ * - Node 18+ → node:crypto webcrypto
+ */
+export declare function getCrypto(env?: RuntimeEnv): Promise<Crypto>;

package/dist/cryptoProvider.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getCrypto = getCrypto;
+/**
+ * Returns a Web Crypto compatible Crypto object depending on runtime.
+ *
+ * - Browser → window.crypto
+ * - Node 18+ → node:crypto webcrypto
+ */
+async function getCrypto(env = "auto") {
+    // Browser detection
+    if (env === "browser" || (env === "auto" && typeof window !== "undefined")) {
+        if (!globalThis.crypto) {
+            throw new Error("Web Crypto API not available in browser");
+        }
+        return globalThis.crypto;
+    }
+    // Node detection
+    if (env === "node" || env === "auto") {
+        try {
+            const nodeCrypto = await import("node:crypto");
+            return nodeCrypto.webcrypto;
+        }
+        catch {
+            throw new Error("Web Crypto API not available in Node.js (requires Node 18+)");
+        }
+    }
+    throw new Error("Unable to detect runtime crypto environment");
+}

package/dist/index.d.ts

@@ -1,38 +1,2 @@
-/**
- * Generate a time-based rotating key using SHA-256.
- *
- * The key is derived as:
- *   SHA256(`${secretInput}:${timeSlot}`)
- *
- * Notes:
- * - If `sharedSecretOrJwt` is a JWT, it is treated as opaque input
- * - JWT validation (signature / exp) is assumed to be handled elsewhere
- * - This function is purely a key-derivation utility
- */
-export declare const generateKey: (sharedSecretOrJwt: string, interval: number) => string;
-/**
- * Encrypt arbitrary data using:
- *   - AES-256-CBC (confidentiality)
- *   - HMAC-SHA256 (integrity & authenticity)
- *
- * Cipher format:
- *   cipherHex:ivHex:hmacHex
- *
- * `appName`:
- *   - Included ONLY in HMAC key derivation
- *   - Ensures ciphertexts are bound to an application context
- *   - Must match during decryption
- */
-export declare const encrypt: (data: any, encryptionKeyHex: string, appName?: string) => string;
-/**
- * Decrypt data encrypted by {@link encrypt}.
- *
- * Steps:
- *   1. Parse cipher format
- *   2. Recompute and verify HMAC (tamper detection)
- *   3. Decrypt AES-256-CBC
- *   4. Parse JSON payload
- *
- * `appName` MUST match the value used during encryption.
- */
-export declare const decrypt: (cipherText: string, encryptionKeyHex: string, appName?: string) => unknown;
+export * from "./cipher";
+export * from "./cryptoProvider";

package/dist/index.js

@@ -1,134 +1,18 @@
 "use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.decrypt = exports.encrypt = exports.generateKey = void 0;
-const crypto_js_1 = __importDefault(require("crypto-js"));
-/**
- * Decode the payload of a JWT without verifying its signature.
- * Used only to read the `exp` claim (seconds since epoch).
- *
- * ⚠️ This does NOT verify authenticity — only structure and expiry.
- */
-const decodeJwtPayload = (token) => {
-    const parts = token.split(".");
-    if (parts.length < 2) {
-        throw new Error("Invalid JWT: missing payload part");
-    }
-    const base64Url = parts[1];
-    const base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
-    const wordArray = crypto_js_1.default.enc.Base64.parse(base64);
-    const json = wordArray.toString(crypto_js_1.default.enc.Utf8);
-    try {
-        return JSON.parse(json);
-    }
-    catch {
-        throw new Error("Invalid JWT payload JSON");
-    }
-};
-/**
- * Derive a dedicated HMAC key from the encryption key.
- *
- * `appName` acts as cryptographic context (domain separation):
- *   - Different apps using the same encryption key will NOT share MAC keys
- *   - Prevents cross-application replay or substitution attacks
- *
- * Default appName = "timebasedcipher" for backward compatibility.
- */
-const deriveHmacKeyHex = (encryptionKeyHex, appName = "timebasedcipher") => {
-    return crypto_js_1.default.SHA256(`${appName}-hmac:${encryptionKeyHex}`).toString(crypto_js_1.default.enc.Hex);
-};
-/**
- * Generate a time-based rotating key using SHA-256.
- *
- * The key is derived as:
- *   SHA256(`${secretInput}:${timeSlot}`)
- *
- * Notes:
- * - If `sharedSecretOrJwt` is a JWT, it is treated as opaque input
- * - JWT validation (signature / exp) is assumed to be handled elsewhere
- * - This function is purely a key-derivation utility
- */
-const generateKey = (sharedSecretOrJwt, interval) => {
-    const timeSlot = Math.floor(Date.now() / (interval * 1000) + 1000);
-    const input = `${sharedSecretOrJwt}:${timeSlot}`;
-    return crypto_js_1.default.SHA256(input).toString(crypto_js_1.default.enc.Hex);
-};
-exports.generateKey = generateKey;
-/**
- * Encrypt arbitrary data using:
- *   - AES-256-CBC (confidentiality)
- *   - HMAC-SHA256 (integrity & authenticity)
- *
- * Cipher format:
- *   cipherHex:ivHex:hmacHex
- *
- * `appName`:
- *   - Included ONLY in HMAC key derivation
- *   - Ensures ciphertexts are bound to an application context
- *   - Must match during decryption
- */
-const encrypt = (data, encryptionKeyHex, appName = "timebasedcipher") => {
-    const json = JSON.stringify(data);
-    try {
-        const key = crypto_js_1.default.enc.Hex.parse(encryptionKeyHex);
-        const iv = crypto_js_1.default.lib.WordArray.random(16);
-        const encrypted = crypto_js_1.default.AES.encrypt(json, key, { iv });
-        const cipherHex = encrypted.ciphertext.toString(crypto_js_1.default.enc.Hex);
-        const ivHex = iv.toString(crypto_js_1.default.enc.Hex);
-        // Derive MAC key using encryption key + appName context
-        const hmacKeyHex = deriveHmacKeyHex(encryptionKeyHex, appName);
-        const hmacKey = crypto_js_1.default.enc.Hex.parse(hmacKeyHex);
-        const mac = crypto_js_1.default.HmacSHA256(`${cipherHex}:${ivHex}`, hmacKey).toString(crypto_js_1.default.enc.Hex);
-        return `${cipherHex}:${ivHex}:${mac}`;
-    }
-    catch (err) {
-        console.error("Error in encrypt:", err);
-        throw err;
-    }
-};
-exports.encrypt = encrypt;
-/**
- * Decrypt data encrypted by {@link encrypt}.
- *
- * Steps:
- *   1. Parse cipher format
- *   2. Recompute and verify HMAC (tamper detection)
- *   3. Decrypt AES-256-CBC
- *   4. Parse JSON payload
- *
- * `appName` MUST match the value used during encryption.
- */
-const decrypt = (cipherText, encryptionKeyHex, appName = "timebasedcipher") => {
-    const parts = cipherText.split(":");
-    if (parts.length !== 3) {
-        throw new Error("Invalid cipher format, expected cipherHex:ivHex:hmacHex");
-    }
-    const [encryptedHex, ivHex, hmacHex] = parts;
-    // Re-derive MAC key using same appName context
-    const hmacKeyHex = deriveHmacKeyHex(encryptionKeyHex, appName);
-    const hmacKey = crypto_js_1.default.enc.Hex.parse(hmacKeyHex);
-    const recomputedMac = crypto_js_1.default.HmacSHA256(`${encryptedHex}:${ivHex}`, hmacKey).toString(crypto_js_1.default.enc.Hex);
-    // Not constant-time, but acceptable for most non-hostile environments
-    if (recomputedMac !== hmacHex) {
-        throw new Error("Invalid HMAC: ciphertext may be tampered or key/appName is wrong");
-    }
-    const key = crypto_js_1.default.enc.Hex.parse(encryptionKeyHex);
-    const iv = crypto_js_1.default.enc.Hex.parse(ivHex);
-    const ciphertext = crypto_js_1.default.enc.Hex.parse(encryptedHex);
-    const cipherParams = crypto_js_1.default.lib.CipherParams.create({ ciphertext });
-    try {
-        const decrypted = crypto_js_1.default.AES.decrypt(cipherParams, key, { iv });
-        const utf8 = decrypted.toString(crypto_js_1.default.enc.Utf8);
-        if (!utf8) {
-            throw new Error("Decryption produced empty string");
-        }
-        return JSON.parse(utf8);
-    }
-    catch (err) {
-        console.error("Error decrypting:", err);
-        throw new Error("Unable to decrypt: invalid key, appName, or corrupted payload");
-    }
-};
-exports.decrypt = decrypt;
+__exportStar(require("./cipher"), exports);
+__exportStar(require("./cryptoProvider"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "timebasedcipher",
-  "version": "3.0.1",
+  "version": "3.0.3",
   "description": "Time-based key generation and AES encryption/decryption SDK",
   "main": "dist/index.js",
   "module": "dist/index.js",