chore: wip

Author: chrisbbreuer

.github/workflows/release.yml

@@ -3,7 +3,7 @@ name: CI
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
 
 jobs:
   release:
@@ -22,7 +22,7 @@ jobs:
         uses: actions/cache@v4
         with:
           path: node_modules
-          key: node-modules-${{ hashFiles('**/bun.lockb') }}
+          key: node-modules-${{ hashFiles('**/bun.lock') }}
           restore-keys: |
             node-modules-
 

packages/crypto/build.ts

@@ -0,0 +1,8 @@
+import { dts } from 'bun-plugin-dtsx'
+
+await Bun.build({
+  entrypoints: ['src/index.ts'],
+  outdir: './dist',
+  target: 'node',
+  plugins: [dts()],
+})

packages/crypto/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "ts-security-crypto",
+  "type": "module",
+  "version": "0.0.0",
+  "description": "Cryptographic utilities using Bun native features",
+  "author": "Chris Breuer <[email protected]>",
+  "license": "MIT",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": ["README.md", "dist"],
+  "scripts": {
+    "build": "bun build.ts",
+    "typecheck": "bun tsc --noEmit"
+  }
+}

packages/crypto/src/encrypt.ts

@@ -0,0 +1,137 @@
+/**
+ * AES Encryption/Decryption using Web Crypto API (Bun/Node/Browser compatible)
+ */
+
+export interface EncryptOptions {
+  algorithm?: 'AES-GCM' | 'AES-CBC'
+  keyLength?: 128 | 192 | 256
+  iv?: Uint8Array
+}
+
+export interface EncryptResult {
+  encrypted: string
+  iv: string
+  algorithm: string
+}
+
+/**
+ * Generate a cryptographic key from a passphrase using PBKDF2
+ */
+async function deriveKey(
+  passphrase: string,
+  salt: Uint8Array,
+  keyLength: number = 256,
+): Promise<CryptoKey> {
+  const encoder = new TextEncoder()
+  const passphraseKey = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(passphrase),
+    { name: 'PBKDF2' },
+    false,
+    ['deriveKey'],
+  )
+
+  return await crypto.subtle.deriveKey(
+    {
+      name: 'PBKDF2',
+      salt,
+      iterations: 100000,
+      hash: 'SHA-256',
+    },
+    passphraseKey,
+    { name: 'AES-GCM', length: keyLength },
+    false,
+    ['encrypt', 'decrypt'],
+  )
+}
+
+/**
+ * Encrypt a message using AES-GCM
+ */
+export async function encrypt(
+  message: string,
+  passphrase: string,
+  options?: EncryptOptions,
+): Promise<EncryptResult> {
+  const algorithm = options?.algorithm || 'AES-GCM'
+  const keyLength = options?.keyLength || 256
+  const iv = options?.iv || crypto.getRandomValues(new Uint8Array(12))
+
+  // Generate salt for key derivation
+  const salt = crypto.getRandomValues(new Uint8Array(16))
+
+  // Derive key from passphrase
+  const key = await deriveKey(passphrase, salt, keyLength)
+
+  // Encrypt the message
+  const encoder = new TextEncoder()
+  const encrypted = await crypto.subtle.encrypt(
+    {
+      name: algorithm,
+      iv,
+    },
+    key,
+    encoder.encode(message),
+  )
+
+  // Combine salt + IV + encrypted data
+  const combined = new Uint8Array(salt.length + iv.length + encrypted.byteLength)
+  combined.set(salt, 0)
+  combined.set(iv, salt.length)
+  combined.set(new Uint8Array(encrypted), salt.length + iv.length)
+
+  // Convert to base64
+  return {
+    encrypted: Buffer.from(combined).toString('base64'),
+    iv: Buffer.from(iv).toString('base64'),
+    algorithm,
+  }
+}
+
+/**
+ * Decrypt a message using AES-GCM
+ */
+export async function decrypt(
+  encryptedData: string,
+  passphrase: string,
+  algorithm: string = 'AES-GCM',
+): Promise<string> {
+  // Decode from base64
+  const combined = Buffer.from(encryptedData, 'base64')
+
+  // Extract salt, IV, and encrypted data
+  const salt = combined.slice(0, 16)
+  const iv = combined.slice(16, 28) // 12 bytes for GCM
+  const encrypted = combined.slice(28)
+
+  // Derive key from passphrase
+  const key = await deriveKey(passphrase, salt)
+
+  // Decrypt the message
+  const decrypted = await crypto.subtle.decrypt(
+    {
+      name: algorithm,
+      iv,
+    },
+    key,
+    encrypted,
+  )
+
+  // Convert back to string
+  const decoder = new TextDecoder()
+  return decoder.decode(decrypted)
+}
+
+/**
+ * Simple base64 encode (Bun native)
+ */
+export function base64Encode(input: string): string {
+  return Buffer.from(input, 'utf-8').toString('base64')
+}
+
+/**
+ * Simple base64 decode (Bun native)
+ */
+export function base64Decode(input: string): string {
+  return Buffer.from(input, 'base64').toString('utf-8')
+}

packages/crypto/src/hash.ts

@@ -0,0 +1,70 @@
+/**
+ * Hashing utilities using Bun native crypto
+ */
+
+export interface HashOptions {
+  algorithm?: 'md5' | 'sha1' | 'sha256' | 'sha512' | 'blake2b256'
+  encoding?: 'hex' | 'base64'
+}
+
+/**
+ * Generate a hash using Bun's native crypto
+ */
+export function hash(input: string | Buffer, options?: HashOptions): string {
+  const algorithm = options?.algorithm || 'sha256'
+  const encoding = options?.encoding || 'hex'
+
+  const hasher = new Bun.CryptoHasher(algorithm)
+  hasher.update(input)
+
+  return hasher.digest(encoding)
+}
+
+/**
+ * Generate MD5 hash
+ */
+export function md5(input: string | Buffer, encoding: 'hex' | 'base64' = 'hex'): string {
+  return hash(input, { algorithm: 'md5', encoding })
+}
+
+/**
+ * Generate SHA1 hash
+ */
+export function sha1(input: string | Buffer, encoding: 'hex' | 'base64' = 'hex'): string {
+  return hash(input, { algorithm: 'sha1', encoding })
+}
+
+/**
+ * Generate SHA256 hash
+ */
+export function sha256(input: string | Buffer, encoding: 'hex' | 'base64' = 'hex'): string {
+  return hash(input, { algorithm: 'sha256', encoding })
+}
+
+/**
+ * Generate SHA512 hash
+ */
+export function sha512(input: string | Buffer, encoding: 'hex' | 'base64' = 'hex'): string {
+  return hash(input, { algorithm: 'sha512', encoding })
+}
+
+/**
+ * Generate BLAKE2b-256 hash
+ */
+export function blake2b256(input: string | Buffer, encoding: 'hex' | 'base64' = 'hex'): string {
+  return hash(input, { algorithm: 'blake2b256', encoding })
+}
+
+/**
+ * Generate HMAC
+ */
+export function hmac(
+  input: string | Buffer,
+  key: string,
+  algorithm: 'sha256' | 'sha512' = 'sha256',
+  encoding: 'hex' | 'base64' = 'hex',
+): string {
+  const hasher = new Bun.CryptoHasher(algorithm, key)
+  hasher.update(input)
+  return hasher.digest(encoding)
+}

packages/crypto/src/index.ts

@@ -0,0 +1,4 @@
+export * from './encrypt'
+export * from './hash'
+export * from './password'
+export * from './key'

packages/crypto/src/key.ts

@@ -0,0 +1,51 @@
+/**
+ * Key generation utilities using native crypto
+ */
+
+/**
+ * Generate a random application key
+ */
+export function generateKey(length: number = 32): string {
+  const random = crypto.getRandomValues(new Uint8Array(length))
+  const base64 = Buffer.from(random).toString('base64')
+  return `base64:${base64}`
+}
+
+/**
+ * Generate a random hex string
+ */
+export function generateHex(length: number = 32): string {
+  const random = crypto.getRandomValues(new Uint8Array(length))
+  return Buffer.from(random).toString('hex')
+}
+
+/**
+ * Generate a random UUID v4
+ */
+export function generateUUID(): string {
+  return crypto.randomUUID()
+}
+
+/**
+ * Generate random bytes
+ */
+export function randomBytes(length: number): Uint8Array {
+  return crypto.getRandomValues(new Uint8Array(length))
+}
+
+/**
+ * Generate a secure random integer between min and max (inclusive)
+ */
+export function randomInt(min: number, max: number): number {
+  const range = max - min + 1
+  const bytesNeeded = Math.ceil(Math.log2(range) / 8)
+  const maxValid = Math.floor(256 ** bytesNeeded / range) * range - 1
+
+  let randomValue: number
+  do {
+    const randomBytes = crypto.getRandomValues(new Uint8Array(bytesNeeded))
+    randomValue = randomBytes.reduce((acc, byte, i) => acc + byte * (256 ** i), 0)
+  } while (randomValue > maxValid)
+
+  return min + (randomValue % range)
+}