lever-ui-logger/dist/types/transports/secure-token-handler.d.ts

Zero-dependency logging library with optional EventBus integration. Built-in PII redaction, multiple transports, and comprehensive logging capabilities.

/**
 * Production-grade secure token handler for authentication tokens
 *
 * Provides comprehensive token security including:
 * - Memory protection against serialization attacks
 * - Token obfuscation using industry-standard techniques
 * - Comprehensive error message sanitization
 * - PII and token detection for debug outputs
 */
/**
 * Token provider function type
 */
export type TokenProvider = () => string | Promise<string>;
/**
 * Configuration for secure token handling
 */
export interface SecureTokenConfig {
    /** Enable additional security measures (default: true) */
    enableSecureMode?: boolean;
    /** Token expiration time in milliseconds (default: 1 hour) */
    tokenTtl?: number;
    /** Enable token validation (default: true) */
    validateToken?: boolean;
    /** Custom token validator function */
    tokenValidator?: (_token: string) => boolean;
}
/** Secure token handler that prevents accidental token exposure */
export declare class SecureTokenHandler {
    private readonly config;
    private readonly errorSanitizer;
    private tokenEntry;
    private tokenProvider;
    private disposed;
    private obfuscationKey;
    constructor(config?: SecureTokenConfig);
    /**
     * Set a static authentication token
     *
     * @param token - The authentication token to store securely
     * @throws Error if token is invalid or handler is disposed
     */
    setToken(token: string | null): void;
    /**
     * Set a token provider function for dynamic token retrieval
     *
     * @param provider - Function that returns an authentication token
     * @throws Error if provider is invalid or handler is disposed
     */
    setTokenProvider(provider: TokenProvider | null): void;
    /**
     * Retrieve the current authentication token
     *
     * @returns The current token or null if none available
     * @throws Error if token retrieval fails or handler is disposed
     */
    getToken(): Promise<string | null>;
    /**
     * Check if a token is currently available and valid
     */
    hasToken(): boolean;
    /**
     * Clear all token data and dispose resources
     *
     * This method should be called when the handler is no longer needed
     * to ensure tokens are properly cleared from memory.
     */
    dispose(): void;
    /**
     * Create a secure JSON replacer function that sanitizes sensitive data
     */
    createSecureReplacer(): (_key: string, _value: unknown) => unknown;
    /**
     * Sanitize HTTP headers to remove or mask authentication tokens
     *
     * @param headers - Headers object to sanitize
     * @returns New headers object with sensitive values masked
     */
    sanitizeHeaders(headers: Record<string, string>): Record<string, string>;
    /**
     * Mask a token showing first and last few characters
     *
     * @param token - Token to mask
     * @returns Masked token
     */
    maskToken(token: string): string;
    /**
     * Force sanitization of a value using masking strategy
     */
    private forceSanitizeValue;
    /**
     * Default token validator
     */
    private defaultTokenValidator;
    /**
     * Check if handler is disposed
     */
    private checkDisposed;
    /**
     * Check if a token entry is valid and not expired
     */
    private isTokenValid;
    /**
     * Multi-round obfuscation to protect tokens in memory using session key.
     * Uses a combination of XOR, character substitution, and encoding rounds
     * of transformation to protect tokens in memory against casual inspection
     * and memory dumps. Not meant for cryptographic security but provides
     * defense-in-depth against token extraction.
     */
    private obfuscateToken;
    /**
     * Reverse the multi-round obfuscation process
     */
    private deobfuscateToken;
    /**
     * XOR cipher implementation
     */
    private xorCipher;
    /**
     * Character substitution using a custom mapping
     */
    private substituteChars;
    /**
     * Reverse character substitution
     */
    private reverseSubstituteChars;
    /**
     * Encode the obfuscated string using base64 or similar
     */
    private encodeObfuscated;
    /**
     * Decode the obfuscated string
     */
    private decodeObfuscated;
    /**
     * Sanitize error messages to prevent token leakage
     */
    sanitizeErrorMessage(errorMessage: string): string;
    /**
     * Create character substitution map
     */
    private createSubstitutionMap;
    /**
     * Create reverse substitution map
     */
    private createReverseSubstitutionMap;
    /**
     * Simple encoding fallback for environments without btoa
     */
    private simpleEncode;
    /**
     * Simple decoding fallback for environments without atob
     */
    private simpleDecode;
    /**
     * Generate a random string for token clearing
     */
    private generateRandomString;
    /**
     * Get or generate the session-specific obfuscation key
     */
    private getObfuscationKey;
    /**
     * Make object non-serializable to prevent token leakage
     */
    private makeNonSerializable;
    /**
     * Remove non-serializable protection (for disposal)
     */
    private removeNonSerializable;
}
/**
 * Default secure token handler instance for immediate use
 */
export declare const defaultSecureTokenHandler: SecureTokenHandler;
//# sourceMappingURL=secure-token-handler.d.ts.map