mirror of
https://github.com/kikootwo/ReadMeABook.git
synced 2026-06-03 04:40:09 +00:00
kikootwo
116 lines
3.2 KiB
TypeScript
116 lines
3.2 KiB
TypeScript
/**
|
|
* Component: Encryption Service
|
|
* Documentation: documentation/backend/services/config.md
|
|
*/
|
|
|
|
import crypto from 'crypto';
|
|
|
|
const ALGORITHM = 'aes-256-gcm';
|
|
const IV_LENGTH = 16;
|
|
const AUTH_TAG_LENGTH = 16;
|
|
const KEY_LENGTH = 32;
|
|
|
|
export class EncryptionService {
|
|
private key: Buffer;
|
|
|
|
constructor() {
|
|
const encryptionKey = process.env.CONFIG_ENCRYPTION_KEY;
|
|
|
|
if (!encryptionKey) {
|
|
throw new Error('CONFIG_ENCRYPTION_KEY environment variable is not set');
|
|
}
|
|
|
|
// Ensure key is exactly 32 bytes
|
|
if (encryptionKey.length < KEY_LENGTH) {
|
|
// Pad with zeros if too short
|
|
this.key = Buffer.alloc(KEY_LENGTH);
|
|
Buffer.from(encryptionKey).copy(this.key);
|
|
} else if (encryptionKey.length > KEY_LENGTH) {
|
|
// Truncate if too long
|
|
this.key = Buffer.from(encryptionKey).subarray(0, KEY_LENGTH);
|
|
} else {
|
|
this.key = Buffer.from(encryptionKey);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Encrypt a plaintext string
|
|
* @param plaintext - The string to encrypt
|
|
* @returns Base64-encoded string in format: iv:authTag:encryptedData
|
|
*/
|
|
encrypt(plaintext: string): string {
|
|
try {
|
|
// Generate random IV for this encryption
|
|
const iv = crypto.randomBytes(IV_LENGTH);
|
|
|
|
// Create cipher
|
|
const cipher = crypto.createCipheriv(ALGORITHM, this.key, iv);
|
|
|
|
// Encrypt data
|
|
let encrypted = cipher.update(plaintext, 'utf8', 'base64');
|
|
encrypted += cipher.final('base64');
|
|
|
|
// Get auth tag
|
|
const authTag = cipher.getAuthTag();
|
|
|
|
// Combine IV, auth tag, and encrypted data
|
|
const result = `${iv.toString('base64')}:${authTag.toString('base64')}:${encrypted}`;
|
|
|
|
return result;
|
|
} catch (error) {
|
|
throw new Error(`Encryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Decrypt an encrypted string
|
|
* @param encryptedData - Base64-encoded string in format: iv:authTag:encryptedData
|
|
* @returns Decrypted plaintext string
|
|
*/
|
|
decrypt(encryptedData: string): string {
|
|
try {
|
|
// Split the encrypted data
|
|
const parts = encryptedData.split(':');
|
|
if (parts.length !== 3) {
|
|
throw new Error('Invalid encrypted data format');
|
|
}
|
|
|
|
const [ivBase64, authTagBase64, encrypted] = parts;
|
|
|
|
// Decode components
|
|
const iv = Buffer.from(ivBase64, 'base64');
|
|
const authTag = Buffer.from(authTagBase64, 'base64');
|
|
|
|
// Create decipher
|
|
const decipher = crypto.createDecipheriv(ALGORITHM, this.key, iv);
|
|
decipher.setAuthTag(authTag);
|
|
|
|
// Decrypt data
|
|
let decrypted = decipher.update(encrypted, 'base64', 'utf8');
|
|
decrypted += decipher.final('utf8');
|
|
|
|
return decrypted;
|
|
} catch (error) {
|
|
throw new Error(`Decryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Generate a random encryption key (32 bytes)
|
|
* @returns Base64-encoded random key
|
|
*/
|
|
static generateKey(): string {
|
|
return crypto.randomBytes(KEY_LENGTH).toString('base64');
|
|
}
|
|
}
|
|
|
|
// Singleton instance
|
|
let encryptionService: EncryptionService | null = null;
|
|
|
|
export function getEncryptionService(): EncryptionService {
|
|
if (!encryptionService) {
|
|
encryptionService = new EncryptionService();
|
|
}
|
|
return encryptionService;
|
|
}
|