{"version":3,"sources":["../../../next-server/server/crypto-utils.ts"],"names":["CIPHER_ALGORITHM","CIPHER_KEY_LENGTH","CIPHER_IV_LENGTH","CIPHER_TAG_LENGTH","CIPHER_SALT_LENGTH","PBKDF2_ITERATIONS","encryptWithSecret","secret","data","iv","crypto","randomBytes","salt","key","pbkdf2Sync","cipher","createCipheriv","encrypted","Buffer","concat","update","final","tag","getAuthTag","toString","decryptWithSecret","encryptedData","buffer","from","slice","decipher","createDecipheriv","setAuthTag"],"mappings":"6HAAA,sD,mFAEA;AACA;AAEA,KAAMA,CAAAA,gBAAgB,CAAI,aAA1B,CACEC,iBAAiB,CAAG,EADtB,CAC0B;AACxBC,gBAAgB,CAAG,EAFrB,CAEyB;AACvBC,iBAAiB,CAAG,EAHtB,CAIEC,kBAAkB,CAAG,EAJvB,CAMA,KAAMC,CAAAA,iBAAiB,CAAG,MAA1B,CAAkC;AAE3B,QAASC,CAAAA,iBAAT,CAA2BC,MAA3B,CAA2CC,IAA3C,CAAiE,CACtE,KAAMC,CAAAA,EAAE,CAAGC,gBAAOC,WAAP,CAAmBT,gBAAnB,CAAX,CACA,KAAMU,CAAAA,IAAI,CAAGF,gBAAOC,WAAP,CAAmBP,kBAAnB,CAAb,CAEA;AACA,KAAMS,CAAAA,GAAG,CAAGH,gBAAOI,UAAP,CACVP,MADU,CAEVK,IAFU,CAGVP,iBAHU,CAIVJ,iBAJU,CAKT,QALS,CAAZ,CAQA,KAAMc,CAAAA,MAAM,CAAGL,gBAAOM,cAAP,CAAsBhB,gBAAtB,CAAwCa,GAAxC,CAA6CJ,EAA7C,CAAf,CACA,KAAMQ,CAAAA,SAAS,CAAGC,MAAM,CAACC,MAAP,CAAc,CAACJ,MAAM,CAACK,MAAP,CAAcZ,IAAd,CAAqB,MAArB,CAAD,CAA8BO,MAAM,CAACM,KAAP,EAA9B,CAAd,CAAlB,CAEA;AACA,KAAMC,CAAAA,GAAG,CAAGP,MAAM,CAACQ,UAAP,EAAZ,CAEA,MAAOL,CAAAA,MAAM,CAACC,MAAP,CAAc,CACnB;AACA;AACA;AACA;AACAP,IALmB,CAMnBH,EANmB,CAOnBa,GAPmB,CAQnBL,SARmB,CAAd,EASJO,QATI,CASM,KATN,CAAP,CAUD,CAEM,QAASC,CAAAA,iBAAT,CACLlB,MADK,CAELmB,aAFK,CAGG,CACR,KAAMC,CAAAA,MAAM,CAAGT,MAAM,CAACU,IAAP,CAAYF,aAAZ,CAA4B,KAA5B,CAAf,CAEA,KAAMd,CAAAA,IAAI,CAAGe,MAAM,CAACE,KAAP,CAAa,CAAb,CAAgBzB,kBAAhB,CAAb,CACA,KAAMK,CAAAA,EAAE,CAAGkB,MAAM,CAACE,KAAP,CACTzB,kBADS,CAETA,kBAAkB,CAAGF,gBAFZ,CAAX,CAIA,KAAMoB,CAAAA,GAAG,CAAGK,MAAM,CAACE,KAAP,CACVzB,kBAAkB,CAAGF,gBADX,CAEVE,kBAAkB,CAAGF,gBAArB,CAAwCC,iBAF9B,CAAZ,CAIA,KAAMc,CAAAA,SAAS,CAAGU,MAAM,CAACE,KAAP,CAChBzB,kBAAkB,CAAGF,gBAArB,CAAwCC,iBADxB,CAAlB,CAIA;AACA,KAAMU,CAAAA,GAAG,CAAGH,gBAAOI,UAAP,CACVP,MADU,CAEVK,IAFU,CAGVP,iBAHU,CAIVJ,iBAJU,CAKT,QALS,CAAZ,CAQA,KAAM6B,CAAAA,QAAQ,CAAGpB,gBAAOqB,gBAAP,CAAwB/B,gBAAxB,CAA0Ca,GAA1C,CAA+CJ,EAA/C,CAAjB,CACAqB,QAAQ,CAACE,UAAT,CAAoBV,GAApB,EAEA,MAAOQ,CAAAA,QAAQ,CAACV,MAAT,CAAgBH,SAAhB,EAA6Ba,QAAQ,CAACT,KAAT,CAAgB,MAAhB,CAApC,CACD","sourcesContent":["import crypto from 'crypto'\n\n// Background:\n// https://security.stackexchange.com/questions/184305/why-would-i-ever-use-aes-256-cbc-if-aes-256-gcm-is-more-secure\n\nconst CIPHER_ALGORITHM = `aes-256-gcm`,\n  CIPHER_KEY_LENGTH = 32, // https://stackoverflow.com/a/28307668/4397028\n  CIPHER_IV_LENGTH = 16, // https://stackoverflow.com/a/28307668/4397028\n  CIPHER_TAG_LENGTH = 16,\n  CIPHER_SALT_LENGTH = 64\n\nconst PBKDF2_ITERATIONS = 100_000 // https://support.1password.com/pbkdf2/\n\nexport function encryptWithSecret(secret: Buffer, data: string): string {\n  const iv = crypto.randomBytes(CIPHER_IV_LENGTH)\n  const salt = crypto.randomBytes(CIPHER_SALT_LENGTH)\n\n  // https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest\n  const key = crypto.pbkdf2Sync(\n    secret,\n    salt,\n    PBKDF2_ITERATIONS,\n    CIPHER_KEY_LENGTH,\n    `sha512`\n  )\n\n  const cipher = crypto.createCipheriv(CIPHER_ALGORITHM, key, iv)\n  const encrypted = Buffer.concat([cipher.update(data, `utf8`), cipher.final()])\n\n  // https://nodejs.org/api/crypto.html#crypto_cipher_getauthtag\n  const tag = cipher.getAuthTag()\n\n  return Buffer.concat([\n    // Data as required by:\n    // Salt for Key: https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest\n    // IV: https://nodejs.org/api/crypto.html#crypto_class_decipher\n    // Tag: https://nodejs.org/api/crypto.html#crypto_decipher_setauthtag_buffer\n    salt,\n    iv,\n    tag,\n    encrypted,\n  ]).toString(`hex`)\n}\n\nexport function decryptWithSecret(\n  secret: Buffer,\n  encryptedData: string\n): string {\n  const buffer = Buffer.from(encryptedData, `hex`)\n\n  const salt = buffer.slice(0, CIPHER_SALT_LENGTH)\n  const iv = buffer.slice(\n    CIPHER_SALT_LENGTH,\n    CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH\n  )\n  const tag = buffer.slice(\n    CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH,\n    CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH + CIPHER_TAG_LENGTH\n  )\n  const encrypted = buffer.slice(\n    CIPHER_SALT_LENGTH + CIPHER_IV_LENGTH + CIPHER_TAG_LENGTH\n  )\n\n  // https://nodejs.org/api/crypto.html#crypto_crypto_pbkdf2sync_password_salt_iterations_keylen_digest\n  const key = crypto.pbkdf2Sync(\n    secret,\n    salt,\n    PBKDF2_ITERATIONS,\n    CIPHER_KEY_LENGTH,\n    `sha512`\n  )\n\n  const decipher = crypto.createDecipheriv(CIPHER_ALGORITHM, key, iv)\n  decipher.setAuthTag(tag)\n\n  return decipher.update(encrypted) + decipher.final(`utf8`)\n}\n"]}