/** * Dependency-free cryptographic helpers for the server module. * * Everything here is built on the Web Crypto API (`globalThis.crypto`), which is * a standard global on every runtime the server module targets — Node ≥ 24, Bun, * Deno, and edge/workerd. No Node-specific `node:crypto` import is used, so the * helpers stay runtime-agnostic and tree-shakeable. * * @module bquery/server */ /** * Encode bytes as URL-safe base64 without padding. */ export declare const base64UrlEncode: (bytes: Uint8Array) => string; /** * Decode a URL-safe base64 string (with or without padding) into bytes. * * Returns `null` for malformed input instead of throwing, so callers verifying * untrusted tokens can treat decode failures as "invalid". */ export declare const base64UrlDecode: (value: string) => Uint8Array | null; /** * Generate a URL-safe random token with the requested entropy in bytes. * * @param byteLength - Number of random bytes (defaults to 18 → 24 base64url chars). */ export declare const randomToken: (byteLength?: number) => string; /** * Generate a collision-resistant identifier, preferring `crypto.randomUUID()` * when available and falling back to a random token otherwise. */ export declare const randomId: () => string; /** * Constant-time string comparison. * * Always inspects every character of `a` so the time taken does not leak how * many leading characters matched. Differing lengths still return `false`, but * only after a full constant-time scan against `a`. */ export declare const timingSafeEqual: (a: string, b: string) => boolean; /** * Sign a value with HMAC-SHA-256, producing `${value}.${signature}`. * * The plaintext value is preserved (this is a signature, not encryption); the * appended signature lets {@link unsignValue} detect tampering. */ export declare const signValue: (value: string, secret: string) => Promise; /** * Verify a `${value}.${signature}` token against one or more secrets. * * Supports secret rotation: the value is accepted when it verifies against any * provided secret, so you can prepend a new secret while old cookies still * validate. Returns the original value when valid, or `null` otherwise. */ export declare const unsignValue: (signed: string, secrets: readonly string[]) => Promise; //# sourceMappingURL=crypto.d.ts.map