@gomani/secure
v0.8.0
Published
Security defaults: encryption-at-rest, an offline auth/session model, and integrity-protected sync.
Downloads
161
Maintainers
Readme
@gomani/secure
Security defaults, not add-ons (P12): encryption-at-rest for the local store, an offline-capable auth/session model, authorization against cached data, integrity-protected sync, and data-minimisation. Built entirely on Web Crypto, so it is isomorphic (browser + Node 20+ / edge) with zero dependencies.
Encryption-at-rest
The key is derived from user auth (PBKDF2), never stored beside the data. createCryptoCodec plugs
into @gomani/data's createStore({ codec }): the in-memory cache stays plaintext (instant, reactive
reads), but everything written to IndexedDB is AES-GCM ciphertext.
import { deriveKey, createCryptoCodec } from '@gomani/secure';
const key = deriveKey(passphrase, salt); // Promise<CryptoKey>, awaited lazily
const store = createStore({ collections: ['notes'], codec: createCryptoCodec(key) });
// A dump of IndexedDB is ciphertext — unreadable without the auth-derived key.Offline auth/session
issueSession mints an HMAC-signed token with a hard lifetime and a bounded offline-access window;
verifySession enforces both — offline, it's valid only within offlineWindowMs of the last online
verification, so a lost device can't be used offline indefinitely. refreshOnline resets the window
without extending the hard expiry. Authorization (authorize / isOwner) runs against cached data.
Integrity-protected sync
createSignedTransport HMAC-signs every sync request body (hardening the sync protocol);
verifySignedRequest verifies it server-side over the exact bytes. signPayload / verifyPayload
cover arbitrary payloads.
Data-minimisation
pick (allow-list), redact (deny-list), minimize — collect and store less.
Posture. Compliance rests with the developer and their provider; Gomani provides the primitives and secure defaults, not a certification.
