refactor: split encryption logic and cookie

Author: peppescg

src/lib/auth/auth.ts

@@ -14,37 +14,24 @@ import {
   TOKEN_SEVEN_DAYS_SECONDS,
   TRUSTED_ORIGINS,
 } from "./constants";
+import { saveTokenCookie } from "./cookie";
 import type {
   OidcDiscovery,
   OidcDiscoveryResponse,
   OidcTokenData,
   TokenResponse,
 } from "./types";
-import { decrypt, encrypt, saveAccountToken } from "./utils";
+import { decrypt, saveAccountToken } from "./utils";
+
+// Re-export saveTokenCookie for backwards compatibility
+export { saveTokenCookie } from "./cookie";
 
 /**
  * Cached token endpoint to avoid repeated discovery calls.
  */
 let cachedTokenEndpoint: string | null = null;
 let cachedEndSessionEndpoint: string | null = null;
 
-/**
- * Saves encrypted token data in HTTP-only cookie.
- * Exported for use by saveAccountToken in utils.
- */
-export async function saveTokenCookie(tokenData: OidcTokenData): Promise<void> {
-  const encrypted = await encrypt(tokenData, BETTER_AUTH_SECRET);
-  const cookieStore = await cookies();
-
-  cookieStore.set(OIDC_TOKEN_COOKIE_NAME, encrypted, {
-    httpOnly: true,
-    secure: IS_PRODUCTION,
-    sameSite: "lax",
-    maxAge: TOKEN_SEVEN_DAYS_SECONDS,
-    path: "/",
-  });
-}
-
 /**
  * Discovers and caches the token and end_session endpoints from OIDC provider.
  * Exported for use in server actions and token refresh logic.
@@ -179,7 +166,7 @@ export async function refreshAccessToken({
 }
 
 export const auth: Auth<BetterAuthOptions> = betterAuth({
-  debug: true,
+  debug: !IS_PRODUCTION,
   secret: BETTER_AUTH_SECRET,
   baseURL: BASE_URL,
   account: {

src/lib/auth/cookie.ts

@@ -0,0 +1,31 @@
+/**
+ * Cookie utilities for OIDC token storage.
+ * Separated to avoid circular dependencies with auth modules.
+ */
+
+import { cookies } from "next/headers";
+import {
+  BETTER_AUTH_SECRET,
+  IS_PRODUCTION,
+  OIDC_TOKEN_COOKIE_NAME,
+  TOKEN_SEVEN_DAYS_SECONDS,
+} from "./constants";
+import { encrypt } from "./crypto";
+import type { OidcTokenData } from "./types";
+
+/**
+ * Saves encrypted token data in HTTP-only cookie.
+ * Used by saveAccountToken in utils and refreshAccessToken in auth.
+ */
+export async function saveTokenCookie(tokenData: OidcTokenData): Promise<void> {
+  const encrypted = await encrypt(tokenData, BETTER_AUTH_SECRET);
+  const cookieStore = await cookies();
+
+  cookieStore.set(OIDC_TOKEN_COOKIE_NAME, encrypted, {
+    httpOnly: true,
+    secure: IS_PRODUCTION,
+    sameSite: "lax",
+    maxAge: TOKEN_SEVEN_DAYS_SECONDS,
+    path: "/",
+  });
+}

src/lib/auth/crypto.ts

@@ -0,0 +1,88 @@
+/**
+ * Cryptographic utilities for token encryption and decryption.
+ * Separated to avoid circular dependencies with auth modules.
+ */
+
+import { createHash } from "node:crypto";
+import * as jose from "jose";
+import type { OidcTokenData } from "./types";
+
+/**
+ * Derives encryption key from secret.
+ * Uses SHA-256 to derive exactly 32 bytes (256 bits) from the provided secret,
+ * ensuring compatibility with AES-256-GCM regardless of secret length.
+ */
+function getSecret(secret: string): Uint8Array {
+  // Hash the secret to get exactly 32 bytes for AES-256-GCM
+  return new Uint8Array(createHash("sha256").update(secret).digest());
+}
+
+/**
+ * Encrypts token data using JWE (JSON Web Encryption).
+ * Uses AES-256-GCM with direct key agreement (alg: 'dir').
+ * Exported for testing purposes.
+ */
+export async function encrypt(
+  data: OidcTokenData,
+  secret: string,
+): Promise<string> {
+  const key = getSecret(secret);
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+  return await new jose.CompactEncrypt(plaintext)
+    .setProtectedHeader({ alg: "dir", enc: "A256GCM" })
+    .encrypt(key);
+}
+
+/**
+ * Decrypts JWE token and returns parsed token data.
+ * Validates data structure after decryption.
+ * Exported for testing purposes.
+ */
+export async function decrypt(
+  jwe: string,
+  secret: string,
+): Promise<OidcTokenData> {
+  try {
+    const key = getSecret(secret);
+    const { plaintext } = await jose.compactDecrypt(jwe, key);
+    const data = JSON.parse(new TextDecoder().decode(plaintext));
+
+    if (!isOidcTokenData(data)) {
+      throw new Error("Invalid token data structure");
+    }
+
+    return data;
+  } catch (error) {
+    if (error instanceof jose.errors.JWEDecryptionFailed) {
+      throw new Error("Token decryption failed - possible tampering");
+    }
+    if (error instanceof jose.errors.JWEInvalid) {
+      throw new Error("Invalid JWE format");
+    }
+    // Wrap unexpected errors to avoid exposing internal details
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new Error(`Token decryption error: ${message}`);
+  }
+}
+
+/**
+ * Type guard to validate OidcTokenData structure at runtime.
+ * Used after decrypting token data from cookie to ensure data integrity.
+ * Note: idToken is not validated here as it's optional and not critical for token validation.
+ */
+export function isOidcTokenData(data: unknown): data is OidcTokenData {
+  if (typeof data !== "object" || data === null) {
+    return false;
+  }
+
+  const obj = data as Record<string, unknown>;
+
+  return (
+    typeof obj.accessToken === "string" &&
+    typeof obj.accessTokenExpiresAt === "number" &&
+    typeof obj.userId === "string" &&
+    (obj.refreshToken === undefined || typeof obj.refreshToken === "string") &&
+    (obj.refreshTokenExpiresAt === undefined ||
+      typeof obj.refreshTokenExpiresAt === "number")
+  );
+}

src/lib/auth/types.ts

@@ -18,7 +18,7 @@ export interface OidcTokenData
     | "updatedAt"
     | "id"
   > {
-  accessTokenExpiresAt?: number;
+  accessTokenExpiresAt: number;
   refreshTokenExpiresAt?: number;
   providerId?: string;
   accountId?: string;

src/lib/auth/utils.ts

@@ -1,98 +1,20 @@
 /**
- * Utility functions for authentication, token validation, and encryption.
+ * Utility functions for authentication and token management.
  */
 
-import { createHash } from "node:crypto";
 import type { Account } from "better-auth";
-import * as jose from "jose";
 import { cookies } from "next/headers";
-import { saveTokenCookie } from "./auth";
 import {
   BETTER_AUTH_SECRET,
   OIDC_TOKEN_COOKIE_NAME,
   TOKEN_ONE_HOUR_MS,
 } from "./constants";
+import { saveTokenCookie } from "./cookie";
+import { decrypt } from "./crypto";
 import type { OidcTokenData } from "./types";
 
-/**
- * Derives encryption key from secret.
- * Uses SHA-256 to derive exactly 32 bytes (256 bits) from the provided secret,
- * ensuring compatibility with AES-256-GCM regardless of secret length.
- */
-function getSecret(secret: string): Uint8Array {
-  // Hash the secret to get exactly 32 bytes for AES-256-GCM
-  return new Uint8Array(createHash("sha256").update(secret).digest());
-}
-
-/**
- * Encrypts token data using JWE (JSON Web Encryption).
- * Uses AES-256-GCM with direct key agreement (alg: 'dir').
- * Exported for testing purposes.
- */
-export async function encrypt(
-  data: OidcTokenData,
-  secret: string,
-): Promise<string> {
-  const key = getSecret(secret);
-  const plaintext = new TextEncoder().encode(JSON.stringify(data));
-  return await new jose.CompactEncrypt(plaintext)
-    .setProtectedHeader({ alg: "dir", enc: "A256GCM" })
-    .encrypt(key);
-}
-
-/**
- * Decrypts JWE token and returns parsed token data.
- * Validates data structure after decryption.
- * Exported for testing purposes.
- */
-export async function decrypt(
-  jwe: string,
-  secret: string,
-): Promise<OidcTokenData> {
-  try {
-    const key = getSecret(secret);
-    const { plaintext } = await jose.compactDecrypt(jwe, key);
-    const data = JSON.parse(new TextDecoder().decode(plaintext));
-
-    if (!isOidcTokenData(data)) {
-      throw new Error("Invalid token data structure");
-    }
-
-    return data;
-  } catch (error) {
-    if (error instanceof jose.errors.JWEDecryptionFailed) {
-      throw new Error("Token decryption failed - possible tampering");
-    }
-    if (error instanceof jose.errors.JWEInvalid) {
-      throw new Error("Invalid JWE format");
-    }
-    // Wrap unexpected errors to avoid exposing internal details
-    const message = error instanceof Error ? error.message : "Unknown error";
-    throw new Error(`Token decryption error: ${message}`);
-  }
-}
-
-/**
- * Type guard to validate OidcTokenData structure at runtime.
- * Used after decrypting token data from cookie to ensure data integrity.
- * Note: idToken is not validated here as it's optional and not critical for token validation.
- */
-export function isOidcTokenData(data: unknown): data is OidcTokenData {
-  if (typeof data !== "object" || data === null) {
-    return false;
-  }
-
-  const obj = data as Record<string, unknown>;
-
-  return (
-    typeof obj.accessToken === "string" &&
-    typeof obj.accessTokenExpiresAt === "number" &&
-    typeof obj.userId === "string" &&
-    (obj.refreshToken === undefined || typeof obj.refreshToken === "string") &&
-    (obj.refreshTokenExpiresAt === undefined ||
-      typeof obj.refreshTokenExpiresAt === "number")
-  );
-}
+// Re-export crypto functions for backwards compatibility
+export { decrypt, encrypt, isOidcTokenData } from "./crypto";
 
 /**
  * Retrieves the OIDC ID token from HTTP-only cookie.
@@ -153,17 +75,6 @@ export async function saveAccountToken(account: Account) {
       userId: account.userId,
     };
 
-    console.log("[account] Token data to save:", JSON.stringify(account));
-
-    console.log("[Save Token] Token data to save:", {
-      hasAccessToken: !!tokenData.accessToken,
-      hasRefreshToken: !!tokenData.refreshToken,
-      accessTokenExpiresAt: new Date(accessTokenExpiresAt).toISOString(),
-      refreshTokenExpiresAt: tokenData.refreshTokenExpiresAt
-        ? new Date(tokenData.refreshTokenExpiresAt).toISOString()
-        : "none",
-    });
-
     await saveTokenCookie(tokenData);
 
     console.log("[Save Token] Token cookie saved successfully");