Initial commit

2026-06-03 04:40:09 +00:00 · 2026-01-28 11:41:24 -05:00
commit a3ba192fbd
257 changed files with 89482 additions and 0 deletions
@@ -0,0 +1,115 @@
+/**
+ * Component: Encryption Service
+ * Documentation: documentation/backend/services/config.md
+ */
+
+import crypto from 'crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 16;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+
+export class EncryptionService {
+  private key: Buffer;
+
+  constructor() {
+    const encryptionKey = process.env.CONFIG_ENCRYPTION_KEY;
+
+    if (!encryptionKey) {
+      throw new Error('CONFIG_ENCRYPTION_KEY environment variable is not set');
+    }
+
+    // Ensure key is exactly 32 bytes
+    if (encryptionKey.length < KEY_LENGTH) {
+      // Pad with zeros if too short
+      this.key = Buffer.alloc(KEY_LENGTH);
+      Buffer.from(encryptionKey).copy(this.key);
+    } else if (encryptionKey.length > KEY_LENGTH) {
+      // Truncate if too long
+      this.key = Buffer.from(encryptionKey).subarray(0, KEY_LENGTH);
+    } else {
+      this.key = Buffer.from(encryptionKey);
+    }
+  }
+
+  /**
+   * Encrypt a plaintext string
+   * @param plaintext - The string to encrypt
+   * @returns Base64-encoded string in format: iv:authTag:encryptedData
+   */
+  encrypt(plaintext: string): string {
+    try {
+      // Generate random IV for this encryption
+      const iv = crypto.randomBytes(IV_LENGTH);
+
+      // Create cipher
+      const cipher = crypto.createCipheriv(ALGORITHM, this.key, iv);
+
+      // Encrypt data
+      let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+      encrypted += cipher.final('base64');
+
+      // Get auth tag
+      const authTag = cipher.getAuthTag();
+
+      // Combine IV, auth tag, and encrypted data
+      const result = `${iv.toString('base64')}:${authTag.toString('base64')}:${encrypted}`;
+
+      return result;
+    } catch (error) {
+      throw new Error(`Encryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+  }
+
+  /**
+   * Decrypt an encrypted string
+   * @param encryptedData - Base64-encoded string in format: iv:authTag:encryptedData
+   * @returns Decrypted plaintext string
+   */
+  decrypt(encryptedData: string): string {
+    try {
+      // Split the encrypted data
+      const parts = encryptedData.split(':');
+      if (parts.length !== 3) {
+        throw new Error('Invalid encrypted data format');
+      }
+
+      const [ivBase64, authTagBase64, encrypted] = parts;
+
+      // Decode components
+      const iv = Buffer.from(ivBase64, 'base64');
+      const authTag = Buffer.from(authTagBase64, 'base64');
+
+      // Create decipher
+      const decipher = crypto.createDecipheriv(ALGORITHM, this.key, iv);
+      decipher.setAuthTag(authTag);
+
+      // Decrypt data
+      let decrypted = decipher.update(encrypted, 'base64', 'utf8');
+      decrypted += decipher.final('utf8');
+
+      return decrypted;
+    } catch (error) {
+      throw new Error(`Decryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+  }
+
+  /**
+   * Generate a random encryption key (32 bytes)
+   * @returns Base64-encoded random key
+   */
+  static generateKey(): string {
+    return crypto.randomBytes(KEY_LENGTH).toString('base64');
+  }
+}
+
+// Singleton instance
+let encryptionService: EncryptionService | null = null;
+
+export function getEncryptionService(): EncryptionService {
+  if (!encryptionService) {
+    encryptionService = new EncryptionService();
+  }
+  return encryptionService;
+}