Skip to content

Releases: mqxym/secure-local-storage

v0.6.2

02 Oct 05:26
@mqxym mqxym
v0.6.2
c207c91
Compare
Choose a tag to compare
v0.6.2 Latest
Latest

@mqxym/secure-local-storage Changelog

0.6.2: New API

This release includes a new public API and corresponding tests.

  • feat: introduce .isLocked() API method in #2
  • This method returns true when the store is in master password mode and the session is locked (i.e., the data encryption key is not in memory). Otherwise, it returns false. This provides a convenient way for consumers of the library to check the lock status before attempting operations that require an unlocked session.
Assets 2
Loading

v0.6.1

27 Sep 11:12
@mqxym mqxym
v0.6.1
4922768
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.
Compare
Choose a tag to compare
v0.6.1

@mqxym/secure-local-storage Changelog

0.6.1: JSDoc

This release includes JSDoc for the factory and public APIs, covering usage examples, exceptions thrown, and return values.

Loading

v0.6.0

27 Sep 10:29
@mqxym mqxym
v0.6.0
daa0d6e
Compare
Choose a tag to compare
v0.6.0

@mqxym/secure-local-storage Changelog

0.6.0: Hardened Import, Validation, and Error Handling

This release strengthens import/decrypt validation, improves error messages, and aligns password rules for greater consistency and security.

Import

  • Enforced strict shape validation for bundles (header/data consistency, salt/rounds semantics, mPw type).
  • Clearer error messages for missing master vs. export password requirements.

DeviceKeyProvider

  • deletePersistent now deletes only the targeted keyId.
  • Full DB deletion remains only as a fallback, reducing risk of cross-tenant key loss.

Storage

  • Extended quota detection to cover more browser variants (NS_ERROR_DOM_QUOTA_REACHED, code 1014, and generic quota messages).

PlainObject

  • getData() now requires decrypted payloads to be true plain objects, rejecting arrays, null-prototype objects, or class instances.

Passwords

  • Master password flows reject whitespace-only inputs.
  • Consistent validation with export password rules.

Base64

  • bytesToBase64 explicitly handles empty inputs.
  • base64ToBytes rejects whitespace-only inputs and normalizes embedded whitespace.

Tests

  • Added import validation tests for invalid base64, salt/rounds mismatches, and bad mPw types.
  • Extended quota handling tests for new detection variants (NS_ERROR_DOM_QUOTA_REACHED, message-based).
  • Added tampered ciphertext tests to verify getData() rejects non-plain object payloads.
  • Covered DeviceKeyProvider surgical delete path to ensure only targeted keys are removed.
  • Added KeyDerivation importKey failure tests to validate CryptoError wrapping.
  • Extended base64 utility tests for empty inputs, whitespace-only, and embedded whitespace.
  • Added rotateMasterPassword in device mode path tests to confirm correct transition into master mode.

Migration Notes

  • Plain object enforcement: getData() will now reject arrays, class instances, or null-prototype objects. Ensure your data serialization results in plain objects.
  • Password input validation: Whitespace-only passwords will now be rejected. Update UI validation to align with these stricter rules.
  • DeviceKeyProvider behavior change: Persistent key deletion now affects only the specified keyId. If your workflow depended on full DB resets, update your logic accordingly.

0.5.0: Security Hardening, Configurability, and Improved Error Handling

SecureDataView

  • Added deep read-only enforcement to prevent nested object mutation.
  • Introduced locked state enforcement after .clear() to ensure wiped data cannot be accessed.

Error Handling

  • Separated validation errors from crypto errors in decryption and unwrap flows.
  • Added clearer messages for base64 parsing and JSON validation.
  • Improved handling of storage quota errors across browsers (QuotaExceededError, NS_ERROR_DOM_QUOTA_REACHED, message-based detection).

Config Validation

  • Hardened configuration checks in initialize():

    • Validates coherence of salt/rounds.
    • Ensures base64 fields decode correctly.
    • Validates decrypted payload shape (must be plain object).

DeviceKeyProvider

  • Added support for configurable IndexedDB settings (dbName, storeName, keyId).
  • Consistent IndexedDB feature detection across methods.
  • Isolated in-memory keys per config for multi-tenant scenarios.

Key Derivation

  • Added validation for iteration count (iterations must be positive integer within safe bounds).

Base64

  • Added support for base64url variants (- and _), whitespace trimming, and auto-padding.
  • Improved error messages for invalid base64.

API / Usability

  • unlock() clarified to be a no-op in device mode.
  • Added recommended update pattern: decrypt → copy → update → setData → clear.

Tests

  • Extended coverage for:

    • Deep immutability of SecureDataView.
    • Validation vs crypto errors in EncryptionManager.
    • DeviceKeyProvider with custom idbConfig.
    • Quota error variants.
    • Master password and export/import edge cases.
    • Base64 url-safe input and invalid inputs.

Migration Notes

  • Recommended update pattern: Adopt the new getData() → deepCopy → update → setData → clear workflow for safer state handling.
Loading

v0.4.0

23 Sep 16:52
@mqxym mqxym
v0.4.0-2
ed1eca7
Compare
Choose a tag to compare
v0.4.0

First Public Release

Loading