src/lib/utils/encryption.ts

import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

const ALGORITHM = 'aes-256-gcm';
const IV_LENGTH = 12;

function getKey(): Buffer {
  const hex = process.env.EMAIL_CREDENTIAL_KEY;
  if (!hex || hex.length !== 64) {
    throw new Error('EMAIL_CREDENTIAL_KEY must be a 64-character hex string');
  }
  return Buffer.from(hex, 'hex');
}

/**
 * Encrypts plaintext using AES-256-GCM.
 * Returns a JSON string containing hex-encoded iv, tag, and data.
 */
export function encrypt(plaintext: string): string {
  const key = getKey();
  const iv = randomBytes(IV_LENGTH);
  const cipher = createCipheriv(ALGORITHM, key, iv);

  let encrypted = cipher.update(plaintext, 'utf8', 'hex');
  encrypted += cipher.final('hex');
  const tag = cipher.getAuthTag();

  return JSON.stringify({
    iv: iv.toString('hex'),
    tag: tag.toString('hex'),
    data: encrypted,
  });
}

/**
 * Decrypts a stored encrypted value (JSON string with iv, tag, data).
 * Returns the original plaintext.
 */
export function decrypt(stored: string): string {
  const key = getKey();
  const { iv, tag, data } = JSON.parse(stored) as {
    iv: string;
    tag: string;
    data: string;
  };

  const decipher = createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'hex'));
  decipher.setAuthTag(Buffer.from(tag, 'hex'));

  let decrypted = decipher.update(data, 'hex', 'utf8');
  decrypted += decipher.final('utf8');

  return decrypted;
}
Initial commit: Port Nimara CRM (Layers 0-4) Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-26 11:52:51 +01:00			`import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';`

			`const ALGORITHM = 'aes-256-gcm';`
			`const IV_LENGTH = 12;`

			`function getKey(): Buffer {`
			`const hex = process.env.EMAIL_CREDENTIAL_KEY;`
			`if (!hex \|\| hex.length !== 64) {`
			`throw new Error('EMAIL_CREDENTIAL_KEY must be a 64-character hex string');`
			`}`
			`return Buffer.from(hex, 'hex');`
			`}`

			`/**`
			`* Encrypts plaintext using AES-256-GCM.`
			`* Returns a JSON string containing hex-encoded iv, tag, and data.`
			`*/`
			`export function encrypt(plaintext: string): string {`
			`const key = getKey();`
			`const iv = randomBytes(IV_LENGTH);`
			`const cipher = createCipheriv(ALGORITHM, key, iv);`

			`let encrypted = cipher.update(plaintext, 'utf8', 'hex');`
			`encrypted += cipher.final('hex');`
			`const tag = cipher.getAuthTag();`

			`return JSON.stringify({`
			`iv: iv.toString('hex'),`
			`tag: tag.toString('hex'),`
			`data: encrypted,`
			`});`
			`}`

			`/**`
			`* Decrypts a stored encrypted value (JSON string with iv, tag, data).`
			`* Returns the original plaintext.`
			`*/`
			`export function decrypt(stored: string): string {`
			`const key = getKey();`
			`const { iv, tag, data } = JSON.parse(stored) as {`
			`iv: string;`
			`tag: string;`
			`data: string;`
			`};`

			`const decipher = createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'hex'));`
			`decipher.setAuthTag(Buffer.from(tag, 'hex'));`

			`let decrypted = decipher.update(data, 'hex', 'utf8');`
			`decrypted += decipher.final('utf8');`

			`return decrypted;`
			`}`