fix(security): implement private fields and enhance input validation 🔒

NeaByteLab · NeaByteLab · commit f683b93fab47 · 2025-09-06T05:24:57.000+07:00
- Add DATA_EMPTY_STRING error message for better error handling
- Add empty string validation to prevent invalid token creation
- Bump version to 1.1.1 for security patch release
- Convert all sensitive properties to private fields (#secret, #payloadCache, #verifyCache, #expireInMs, #version)
- Fix cache poisoning vulnerability by making caches truly private
- Fix memory dump vulnerability by preventing external access to sensitive data
- Update changelog with comprehensive v1.1.1 documentation
- Update error count in tests to reflect new error message
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,35 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [1.1.1] - 2025-09-06
+
+### Security
+- Fixed memory dump vulnerability by implementing private fields
+- Fixed cache poisoning vulnerability by making caches private
+- Enhanced input validation to reject empty strings
+- Converted all sensitive properties to private fields (#secret, #payloadCache, #verifyCache, #expireInMs, #version)
+
+### Bug Fixes
+- Added validation for empty string inputs
+- Improved error handling and messages
+- Enhanced code encapsulation and security
+
+### Documentation
+- Added TypeScript badge to README
+- Fixed license badge URL with proper .svg extension
+- Enhanced usage examples with version parameter
+- Added examples for different data types (strings, numbers, arrays)
+- Added Mermaid architecture diagrams for JWT encoding process
+- Added security layers visualization
+- Improved README structure and readability
+
+### Internal
+- Better encapsulation of sensitive data
+- Improved security posture
+- Enhanced error message coverage
+
+---
+
 ## [1.1.0] - 2025-09-06
 
 ### Added
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@neabyte/secure-jwt",
   "description": "Secure JWT with AES-256-GCM encryption, built-in caching, tamper detection, and TypeScript support",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
diff --git a/src/index.ts b/src/index.ts
@@ -21,15 +21,15 @@ import {
  */
 export default class SecureJWT {
   /** Secret key for encryption */
-  private readonly secret: Buffer
+  readonly #secret: Buffer
   /** Expiration time in milliseconds */
-  private readonly expireInMs: number
+  readonly #expireInMs: number
   /** Token version */
-  private readonly version: string
+  readonly #version: string
   /** Cache for decrypted payload data */
-  private readonly payloadCache: Cache<unknown>
+  readonly #payloadCache: Cache<unknown>
   /** Cache for token verification results */
-  private readonly verifyCache: Cache<boolean>
+  readonly #verifyCache: Cache<boolean>
 
   /**
    * Creates a new SecureJWT instance
@@ -44,11 +44,11 @@ export default class SecureJWT {
     if (options.version !== undefined) {
       ErrorHandler.validateVersion(options.version)
     }
-    this.secret = this.generateSecret(options.secret)
-    this.expireInMs = parsetimeToMs(options.expireIn)
-    this.version = options.version ?? '1.0.0'
-    this.payloadCache = new Cache<unknown>(options.cached ?? 1000, this.expireInMs)
-    this.verifyCache = new Cache<boolean>(options.cached ?? 1000, this.expireInMs)
+    this.#secret = this.generateSecret(options.secret)
+    this.#expireInMs = parsetimeToMs(options.expireIn)
+    this.#version = options.version ?? '1.0.0'
+    this.#payloadCache = new Cache<unknown>(options.cached ?? 1000, this.#expireInMs)
+    this.#verifyCache = new Cache<boolean>(options.cached ?? 1000, this.#expireInMs)
   }
 
   /**
@@ -72,10 +72,10 @@ export default class SecureJWT {
   private encrypt(data: string): TokenEncrypted {
     ErrorHandler.validateEncryptionData(data)
     const iv = randomBytes(16)
-    const key = this.secret.subarray(0, 32)
+    const key = this.#secret.subarray(0, 32)
     ErrorHandler.validateKeyLength(key)
     const cipher = createCipheriv('aes-256-gcm', key, iv)
-    cipher.setAAD(Buffer.from(`secure-jwt-${this.version}`, 'utf8'))
+    cipher.setAAD(Buffer.from(`secure-jwt-${this.#version}`, 'utf8'))
     let encrypted = cipher.update(data, 'utf8', 'hex')
     encrypted += cipher.final('hex')
     const tag = cipher.getAuthTag()
@@ -95,12 +95,12 @@ export default class SecureJWT {
   private decrypt(tokenEncrypted: TokenEncrypted): string {
     try {
       ErrorHandler.validateTokenEncrypted(tokenEncrypted)
-      const key = this.secret.subarray(0, 32)
+      const key = this.#secret.subarray(0, 32)
       ErrorHandler.validateKeyLength(key)
       ErrorHandler.validateIVFormat(tokenEncrypted.iv)
       ErrorHandler.validateTagFormat(tokenEncrypted.tag)
       const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(tokenEncrypted.iv, 'hex'))
-      decipher.setAAD(Buffer.from(`secure-jwt-${this.version}`, 'utf8'))
+      decipher.setAAD(Buffer.from(`secure-jwt-${this.#version}`, 'utf8'))
       decipher.setAuthTag(Buffer.from(tokenEncrypted.tag, 'hex'))
       let decrypted = decipher.update(tokenEncrypted.encrypted, 'hex', 'utf8')
       decrypted += decipher.final('utf8')
@@ -124,14 +124,14 @@ export default class SecureJWT {
     try {
       ErrorHandler.validateData(data)
       const now = Math.floor(Date.now() / 1000)
-      const exp = now + Math.floor(this.expireInMs / 1000)
+      const exp = now + Math.floor(this.#expireInMs / 1000)
       const maxExp = now + 365 * 24 * 60 * 60
       ErrorHandler.validateExpiration(exp, maxExp)
       const payload: PayloadData = {
         data,
         exp,
         iat: now,
-        version: this.version
+        version: this.#version
       }
       const payloadString = JSON.stringify(payload)
       ErrorHandler.validatePayloadSize(payloadString)
@@ -142,7 +142,7 @@ export default class SecureJWT {
         tag: tokenEncrypted.tag,
         exp,
         iat: now,
-        version: this.version
+        version: this.#version
       }
       const tokenString = JSON.stringify(tokenData)
       return Buffer.from(tokenString).toString('base64')
@@ -167,8 +167,8 @@ export default class SecureJWT {
    */
   verify(token: string): boolean {
     try {
-      if (this.verifyCache.has(token)) {
-        const cachedResult = this.verifyCache.get(token)
+      if (this.#verifyCache.has(token)) {
+        const cachedResult = this.#verifyCache.get(token)
         if (cachedResult !== undefined) {
           return cachedResult
         }
@@ -185,10 +185,10 @@ export default class SecureJWT {
       )
       ErrorHandler.validateTokenDataIntegrity(tokenData)
       if (!isValidTokenData(tokenData)) {
-        this.verifyCache.set(token, false, 0)
+        this.#verifyCache.set(token, false, 0)
         return false
       }
-      ErrorHandler.validateVersionCompatibility(tokenData.version, this.version)
+      ErrorHandler.validateVersionCompatibility(tokenData.version, this.#version)
       ErrorHandler.checkTokenExpiration(tokenData.exp)
       const tokenEncrypted: TokenEncrypted = {
         encrypted: tokenData.encrypted,
@@ -201,16 +201,16 @@ export default class SecureJWT {
         getErrorMessage('INVALID_PAYLOAD_STRUCTURE')
       )
       if (!isValidPayloadData(payload)) {
-        this.verifyCache.set(token, false, 0)
+        this.#verifyCache.set(token, false, 0)
         return false
       }
       ErrorHandler.validateVersionCompatibility(payload.version, tokenData.version)
       ErrorHandler.checkTokenExpiration(payload.exp)
       ErrorHandler.validateTokenTimestamps(payload.exp, tokenData.exp, payload.iat, tokenData.iat)
-      this.verifyCache.set(token, true, Math.max(0, payload.exp * 1000 - Date.now()))
+      this.#verifyCache.set(token, true, Math.max(0, payload.exp * 1000 - Date.now()))
       return true
     } catch {
-      this.verifyCache.set(token, false, 0)
+      this.#verifyCache.set(token, false, 0)
       return false
     }
   }
@@ -238,7 +238,7 @@ export default class SecureJWT {
     if (!isValidTokenData(tokenData)) {
       throw new ValidationError(getErrorMessage('INVALID_TOKEN_DATA_STRUCTURE'))
     }
-    ErrorHandler.validateVersionCompatibility(tokenData.version, this.version)
+    ErrorHandler.validateVersionCompatibility(tokenData.version, this.#version)
     ErrorHandler.checkTokenExpiration(tokenData.exp)
     const tokenEncrypted: TokenEncrypted = {
       encrypted: tokenData.encrypted,
@@ -269,8 +269,8 @@ export default class SecureJWT {
    */
   decode(token: string): unknown {
     try {
-      if (this.payloadCache.has(token)) {
-        const cachedResult = this.payloadCache.get(token)
+      if (this.#payloadCache.has(token)) {
+        const cachedResult = this.#payloadCache.get(token)
         if (cachedResult !== undefined) {
           return cachedResult
         }
@@ -289,7 +289,7 @@ export default class SecureJWT {
       if (!isValidTokenData(tokenData)) {
         throw new ValidationError(getErrorMessage('INVALID_TOKEN_DATA_STRUCTURE'))
       }
-      ErrorHandler.validateVersionCompatibility(tokenData.version, this.version)
+      ErrorHandler.validateVersionCompatibility(tokenData.version, this.#version)
       ErrorHandler.checkTokenExpiration(tokenData.exp)
       const tokenEncrypted: TokenEncrypted = {
         encrypted: tokenData.encrypted,
@@ -307,7 +307,7 @@ export default class SecureJWT {
       ErrorHandler.validateVersionCompatibility(payload.version, tokenData.version)
       ErrorHandler.checkTokenExpiration(payload.exp)
       ErrorHandler.validateTokenTimestamps(payload.exp, tokenData.exp, payload.iat, tokenData.iat)
-      this.payloadCache.set(token, payload.data, Math.max(0, payload.exp * 1000 - Date.now()))
+      this.#payloadCache.set(token, payload.data, Math.max(0, payload.exp * 1000 - Date.now()))
       return payload.data
     } catch (error) {
       if (
diff --git a/src/utils/ErrorHandler.ts b/src/utils/ErrorHandler.ts
@@ -53,6 +53,9 @@ export class ErrorHandler {
     if (data === null || data === undefined) {
       throw new ValidationError(getErrorMessage('DATA_NULL_UNDEFINED'))
     }
+    if (typeof data === 'string' && data.length === 0) {
+      throw new ValidationError(getErrorMessage('DATA_EMPTY_STRING'))
+    }
   }
 
   /**
diff --git a/src/utils/ErrorMap.ts b/src/utils/ErrorMap.ts
@@ -19,6 +19,7 @@ export const errorCodes = {
 export const errorMessages = {
   // Data validation errors
   DATA_NULL_UNDEFINED: 'Data cannot be null or undefined',
+  DATA_EMPTY_STRING: 'Data cannot be an empty string',
   DATA_INVALID_TYPE: 'Invalid data type provided',
   DATA_NON_EMPTY_STRING: 'Data must be a non-empty string',
 
diff --git a/tests/ErrorMap.test.ts b/tests/ErrorMap.test.ts
@@ -75,7 +75,7 @@ describe('ErrorMap', () => {
     })
 
     it('should have consistent structure', () => {
-      expect(Object.keys(errorMessages)).toHaveLength(59)
+      expect(Object.keys(errorMessages)).toHaveLength(60)
     })
 
     it('should have all messages as strings', () => {

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@neabyte/secure-jwt",`
`3`	`3`	`"description": "Secure JWT with AES-256-GCM encryption, built-in caching, tamper detection, and TypeScript support",`
`4`		`- "version": "1.1.0",`
	`4`	`+ "version": "1.1.1",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"main": "./dist/index.js",`
`7`	`7`	`"types": "./dist/index.d.ts",`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,9 @@ export class ErrorHandler {`
`53`	`53`	`if (data === null \|\| data === undefined) {`
`54`	`54`	`throw new ValidationError(getErrorMessage('DATA_NULL_UNDEFINED'))`
`55`	`55`	`}`
	`56`	`+ if (typeof data === 'string' && data.length === 0) {`
	`57`	`+ throw new ValidationError(getErrorMessage('DATA_EMPTY_STRING'))`
	`58`	`+ }`
`56`	`59`	`}`
`57`	`60`
`58`	`61`	`/**`