Documentation
¶
Overview ¶
Package encryption provides utilities for encrypting and decrypting sensitive data. It uses AES-256-GCM for symmetric encryption of data at rest.
Package encryption provides utilities for hashing sensitive data. It uses bcrypt for secure password-like hashing of tokens.
Package encryption provides a secure database wrapper that encrypts/decrypts sensitive fields.
Package encryption provides a secure token store wrapper that hashes tokens.
Index ¶
- Constants
- Variables
- func GenerateKey() ([]byte, error)
- func GenerateKeyBase64() (string, error)
- func IsEncrypted(value string) bool
- func IsHashed(value string) bool
- func IsHexString(s string) bool
- type Encryptor
- type FieldEncryptor
- type NullEncryptor
- type NullTokenHasher
- type SecureProjectStore
- func (s *SecureProjectStore) CreateProject(ctx context.Context, project proxy.Project) error
- func (s *SecureProjectStore) DeleteProject(ctx context.Context, projectID string) error
- func (s *SecureProjectStore) GetAPIKeyForProject(ctx context.Context, projectID string) (string, error)
- func (s *SecureProjectStore) GetProjectActive(ctx context.Context, projectID string) (bool, error)
- func (s *SecureProjectStore) GetProjectByID(ctx context.Context, projectID string) (proxy.Project, error)
- func (s *SecureProjectStore) ListProjects(ctx context.Context) ([]proxy.Project, error)
- func (s *SecureProjectStore) UpdateProject(ctx context.Context, project proxy.Project) error
- type SecureRateLimitStore
- func (s *SecureRateLimitStore) GetTokenByID(ctx context.Context, tokenID string) (token.TokenData, error)
- func (s *SecureRateLimitStore) IncrementTokenUsage(ctx context.Context, tokenID string) error
- func (s *SecureRateLimitStore) ResetTokenUsage(ctx context.Context, tokenID string) error
- func (s *SecureRateLimitStore) UpdateTokenLimit(ctx context.Context, tokenID string, maxRequests *int) error
- type SecureRevocationStore
- func (s *SecureRevocationStore) DeleteToken(ctx context.Context, tokenID string) error
- func (s *SecureRevocationStore) RevokeBatchTokens(ctx context.Context, tokenIDs []string) (int, error)
- func (s *SecureRevocationStore) RevokeExpiredTokens(ctx context.Context) (int, error)
- func (s *SecureRevocationStore) RevokeProjectTokens(ctx context.Context, projectID string) (int, error)
- func (s *SecureRevocationStore) RevokeToken(ctx context.Context, tokenID string) error
- type SecureTokenStore
- func (s *SecureTokenStore) CreateToken(ctx context.Context, td token.TokenData) error
- func (s *SecureTokenStore) GetTokenByID(ctx context.Context, id string) (token.TokenData, error)
- func (s *SecureTokenStore) GetTokenByToken(ctx context.Context, tokenString string) (token.TokenData, error)
- func (s *SecureTokenStore) GetTokensByProjectID(ctx context.Context, projectID string) ([]token.TokenData, error)
- func (s *SecureTokenStore) IncrementTokenUsage(ctx context.Context, tokenString string) error
- func (s *SecureTokenStore) ListTokens(ctx context.Context) ([]token.TokenData, error)
- func (s *SecureTokenStore) UpdateToken(ctx context.Context, td token.TokenData) error
- type TokenHasher
- type TokenHasherInterface
Constants ¶
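// Parameters of the AES-256-GCM format used for encrypted values.
// (Restored to one declaration per line: in the collapsed one-line form the
// first "//" comment swallows every declaration that follows it.)
const (
	// KeySize is the required size for AES-256 encryption keys (32 bytes).
	KeySize = 32
	// NonceSize is the size of the GCM nonce (12 bytes).
	NonceSize = 12
	// EncryptedPrefix is added to encrypted values to identify them.
	// IsEncrypted is documented as checking for this prefix.
	EncryptedPrefix = "enc:v1:"
)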
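// Parameters of the hashed-token format.
// (Restored to one declaration per line: in the collapsed one-line form the
// first "//" comment swallows every declaration that follows it.)
const (
	// HashPrefix is added to hashed values to identify them.
	HashPrefix = "hash:v1:"
	// DefaultBcryptCost is the default cost parameter for bcrypt.
	// A cost of 10 is a good balance between security and performance.
	// Each increment of the bcrypt cost doubles the work per hash, so this
	// value is worth revisiting as hardware changes; NewTokenHasherWithCost
	// accepts a custom cost.
	DefaultBcryptCost = 10
)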
Variables ¶
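// Sentinel errors for the encryption side of the package. Compare with
// errors.Is rather than by message text.
// (Restored to one declaration per line: in the collapsed one-line form the
// first "//" comment swallows every declaration that follows it.)
var (
	// ErrInvalidKeySize is returned when the encryption key has an invalid size.
	ErrInvalidKeySize = errors.New("encryption key must be exactly 32 bytes")
	// ErrDecryptionFailed is returned when decryption fails.
	ErrDecryptionFailed = errors.New("decryption failed")
	// ErrNoEncryptionKey is returned when no encryption key is configured.
	ErrNoEncryptionKey = errors.New("no encryption key configured")
	// ErrInvalidCiphertext is returned when the ciphertext is invalid.
	ErrInvalidCiphertext = errors.New("invalid ciphertext format")
)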
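// Sentinel errors for the hashing side of the package. Compare with
// errors.Is rather than by message text.
// (Restored to one declaration per line: in the collapsed one-line form the
// first "//" comment swallows every declaration that follows it.)
var (
	// ErrHashMismatch is returned when a hash comparison fails.
	ErrHashMismatch = errors.New("hash does not match")
	// ErrInvalidHash is returned when the hash format is invalid.
	ErrInvalidHash = errors.New("invalid hash format")
)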
Functions ¶
func GenerateKey ¶
GenerateKey generates a new random 32-byte encryption key.
func GenerateKeyBase64 ¶
GenerateKeyBase64 generates a new random encryption key and returns it as base64.
func IsEncrypted ¶
IsEncrypted checks if a value has the encryption prefix.
func IsHexString ¶
IsHexString checks if a string contains only hexadecimal characters. Exported for use by migration tools and other packages.
Types ¶
type Encryptor ¶
type Encryptor struct {
// contains filtered or unexported fields
}
Encryptor provides encryption and decryption operations. It is safe for concurrent use - cipher.AEAD implementations are thread-safe.
func NewEncryptor ¶
NewEncryptor creates a new Encryptor with the given 32-byte key. The key must be exactly 32 bytes for AES-256 encryption.
func NewEncryptorFromBase64Key ¶
NewEncryptorFromBase64Key creates a new Encryptor from a base64-encoded key.
type FieldEncryptor ¶
// FieldEncryptor is an interface for encrypting and decrypting field values.
// NewSecureProjectStore accepts a FieldEncryptor and uses it to encrypt API
// keys before storing them and to decrypt them after retrieval.
type FieldEncryptor interface {
	// Encrypt takes a plaintext field value and returns its encrypted form,
	// or an error.
	Encrypt(plaintext string) (string, error)
	// Decrypt takes an encrypted field value and returns the plaintext,
	// or an error.
	Decrypt(ciphertext string) (string, error)
}
FieldEncryptor is an interface for encrypting and decrypting field values.
type NullEncryptor ¶
type NullEncryptor struct{}
NullEncryptor is a no-op encryptor for when encryption is disabled.
func NewNullEncryptor ¶
func NewNullEncryptor() *NullEncryptor
NewNullEncryptor creates a new NullEncryptor.
type NullTokenHasher ¶
type NullTokenHasher struct{}
NullTokenHasher is a no-op hasher for when hashing is disabled.
func NewNullTokenHasher ¶
func NewNullTokenHasher() *NullTokenHasher
NewNullTokenHasher creates a new NullTokenHasher.
func (*NullTokenHasher) CreateLookupKey ¶
func (h *NullTokenHasher) CreateLookupKey(token string) string
CreateLookupKey returns the token as-is (it's already the lookup key).
func (*NullTokenHasher) HashToken ¶
func (h *NullTokenHasher) HashToken(token string) (string, error)
HashToken returns the token as-is (no hashing).
func (*NullTokenHasher) VerifyToken ¶
func (h *NullTokenHasher) VerifyToken(token, storedToken string) error
VerifyToken performs a constant-time comparison of the tokens.
type SecureProjectStore ¶
type SecureProjectStore struct {
// contains filtered or unexported fields
}
SecureProjectStore wraps a ProjectStore and encrypts/decrypts API keys.
func NewSecureProjectStore ¶
func NewSecureProjectStore(store proxy.ProjectStore, encryptor FieldEncryptor) *SecureProjectStore
NewSecureProjectStore creates a new SecureProjectStore. The encryptor is used to encrypt API keys before storing and decrypt after retrieval. If encryptor is nil, a NullEncryptor is used (no encryption), so API keys are passed to the underlying store in plaintext.
func (*SecureProjectStore) CreateProject ¶
CreateProject encrypts the API key and creates the project.
func (*SecureProjectStore) DeleteProject ¶
func (s *SecureProjectStore) DeleteProject(ctx context.Context, projectID string) error
DeleteProject deletes a project.
func (*SecureProjectStore) GetAPIKeyForProject ¶
func (s *SecureProjectStore) GetAPIKeyForProject(ctx context.Context, projectID string) (string, error)
GetAPIKeyForProject retrieves and decrypts the API key for a project.
func (*SecureProjectStore) GetProjectActive ¶
GetProjectActive returns whether a project is active.
func (*SecureProjectStore) GetProjectByID ¶
func (s *SecureProjectStore) GetProjectByID(ctx context.Context, projectID string) (proxy.Project, error)
GetProjectByID retrieves a project and decrypts its API key.
func (*SecureProjectStore) ListProjects ¶
ListProjects retrieves all projects and decrypts their API keys.
func (*SecureProjectStore) UpdateProject ¶
UpdateProject encrypts the API key and updates the project.
type SecureRateLimitStore ¶
type SecureRateLimitStore struct {
// contains filtered or unexported fields
}
SecureRateLimitStore wraps a RateLimitStore and hashes tokens before operations.
func NewSecureRateLimitStore ¶
func NewSecureRateLimitStore(store token.RateLimitStore, hasher TokenHasherInterface) *SecureRateLimitStore
NewSecureRateLimitStore creates a new SecureRateLimitStore.
func (*SecureRateLimitStore) GetTokenByID ¶
func (s *SecureRateLimitStore) GetTokenByID(ctx context.Context, tokenID string) (token.TokenData, error)
GetTokenByID retrieves a token by its ID.
func (*SecureRateLimitStore) IncrementTokenUsage ¶
func (s *SecureRateLimitStore) IncrementTokenUsage(ctx context.Context, tokenID string) error
IncrementTokenUsage increments the usage count for a token.
func (*SecureRateLimitStore) ResetTokenUsage ¶
func (s *SecureRateLimitStore) ResetTokenUsage(ctx context.Context, tokenID string) error
ResetTokenUsage resets the usage count for a token to zero.
func (*SecureRateLimitStore) UpdateTokenLimit ¶
func (s *SecureRateLimitStore) UpdateTokenLimit(ctx context.Context, tokenID string, maxRequests *int) error
UpdateTokenLimit updates the maximum allowed requests for a token.
type SecureRevocationStore ¶
type SecureRevocationStore struct {
// contains filtered or unexported fields
}
SecureRevocationStore wraps a RevocationStore and hashes tokens before operations.
func NewSecureRevocationStore ¶
func NewSecureRevocationStore(store token.RevocationStore, hasher TokenHasherInterface) *SecureRevocationStore
NewSecureRevocationStore creates a new SecureRevocationStore.
func (*SecureRevocationStore) DeleteToken ¶
func (s *SecureRevocationStore) DeleteToken(ctx context.Context, tokenID string) error
DeleteToken deletes a token by its ID.
func (*SecureRevocationStore) RevokeBatchTokens ¶
func (s *SecureRevocationStore) RevokeBatchTokens(ctx context.Context, tokenIDs []string) (int, error)
RevokeBatchTokens revokes multiple tokens at once.
func (*SecureRevocationStore) RevokeExpiredTokens ¶
func (s *SecureRevocationStore) RevokeExpiredTokens(ctx context.Context) (int, error)
RevokeExpiredTokens revokes all expired tokens.
func (*SecureRevocationStore) RevokeProjectTokens ¶
func (s *SecureRevocationStore) RevokeProjectTokens(ctx context.Context, projectID string) (int, error)
RevokeProjectTokens revokes all tokens for a project.
func (*SecureRevocationStore) RevokeToken ¶
func (s *SecureRevocationStore) RevokeToken(ctx context.Context, tokenID string) error
RevokeToken revokes a token by its ID.
type SecureTokenStore ¶
type SecureTokenStore struct {
// contains filtered or unexported fields
}
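SecureTokenStore wraps a TokenStore and hashes tokens before storage. This prevents the original token values from being exposed if the database is compromised. The protection applies only when a real hasher is configured: with a nil hasher, NewSecureTokenStore falls back to NullTokenHasher, which returns tokens as-is.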
func NewSecureTokenStore ¶
func NewSecureTokenStore(store token.TokenStore, hasher TokenHasherInterface) *SecureTokenStore
NewSecureTokenStore creates a new SecureTokenStore. If hasher is nil, a NullTokenHasher is used (no hashing), so token values are stored as-is.
func (*SecureTokenStore) CreateToken ¶
CreateToken creates a new token in the store. The token value is hashed before storage.
func (*SecureTokenStore) GetTokenByID ¶
GetTokenByID retrieves a token by its UUID.
func (*SecureTokenStore) GetTokenByToken ¶
func (s *SecureTokenStore) GetTokenByToken(ctx context.Context, tokenString string) (token.TokenData, error)
GetTokenByToken retrieves a token by its token string (for authentication). The token is hashed before lookup, and the returned TokenData will have the hashed token value (not the original).
func (*SecureTokenStore) GetTokensByProjectID ¶
func (s *SecureTokenStore) GetTokensByProjectID(ctx context.Context, projectID string) ([]token.TokenData, error)
GetTokensByProjectID retrieves all tokens for a project. Note: The returned tokens will have hashed token values.
func (*SecureTokenStore) IncrementTokenUsage ¶
func (s *SecureTokenStore) IncrementTokenUsage(ctx context.Context, tokenString string) error
IncrementTokenUsage increments the usage count for a token by token string. The token is hashed before the operation.
func (*SecureTokenStore) ListTokens ¶
ListTokens retrieves all tokens from the store. Note: The returned tokens will have hashed token values.
func (*SecureTokenStore) UpdateToken ¶
UpdateToken updates an existing token. The token value is hashed before the operation.
type TokenHasher ¶
type TokenHasher struct {
// contains filtered or unexported fields
}
TokenHasher provides secure hashing for authentication tokens. It uses SHA-256 for creating lookup keys and bcrypt for secure storage.
func NewTokenHasher ¶
func NewTokenHasher() *TokenHasher
NewTokenHasher creates a new TokenHasher with the default bcrypt cost.
func NewTokenHasherWithCost ¶
func NewTokenHasherWithCost(cost int) (*TokenHasher, error)
NewTokenHasherWithCost creates a new TokenHasher with a custom bcrypt cost.
func (*TokenHasher) CreateLookupKey ¶
func (h *TokenHasher) CreateLookupKey(token string) string
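CreateLookupKey creates a deterministic hash for token lookup. This is used as an index key in the database for finding tokens. Uses SHA-256, which is fast and collision-resistant. Because the lookup key is an unsalted, fast hash kept in the database, its resistance to offline guessing comes from the entropy of the token itself rather than from bcrypt, so tokens should be generated with enough randomness.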
func (*TokenHasher) HashToken ¶
func (h *TokenHasher) HashToken(token string) (string, error)
HashToken creates a bcrypt hash of a token for secure storage. Returns a hash prefixed with HashPrefix for identification. For tokens longer than 72 bytes, a SHA-256 pre-hash is used since bcrypt has a 72-byte input limit.
func (*TokenHasher) VerifyToken ¶
func (h *TokenHasher) VerifyToken(token, hashedToken string) error
VerifyToken compares a plaintext token against a stored hash. It returns nil if the token matches, or ErrHashMismatch if it doesn't.