feat: allow to pass encryption options

RomainLanz · RomainLanz · commit 08829b14a492 · 2026-01-17T15:16:49.000+01:00
diff --git a/src/drivers/aes_256_cbc.ts b/src/drivers/aes_256_cbc.ts
@@ -15,6 +15,7 @@ import type {
   CypherText,
   EncryptionConfig,
   EncryptionDriverContract,
+  EncryptOptions,
 } from '../types/main.ts'
 import { base64UrlDecode, base64UrlEncode } from '../base64.ts'
 
@@ -57,7 +58,24 @@ export class AES256CBC extends BaseDriver implements EncryptionDriverContract {
    * You can optionally define a purpose for which the value was encrypted and
    * mentioning a different purpose/no purpose during decrypt will fail.
    */
-  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText {
+  encrypt(payload: any, options?: EncryptOptions): CypherText
+  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
+  encrypt(
+    payload: any,
+    expiresInOrOptions?: string | number | EncryptOptions,
+    purpose?: string
+  ): CypherText {
+    let expiresIn: string | number | undefined
+    let actualPurpose: string | undefined
+
+    if (typeof expiresInOrOptions === 'object' && expiresInOrOptions !== null) {
+      expiresIn = expiresInOrOptions.expiresIn
+      actualPurpose = expiresInOrOptions.purpose
+    } else {
+      expiresIn = expiresInOrOptions
+      actualPurpose = purpose
+    }
+
     /**
      * Using a random string as the iv for generating unpredictable values
      */
@@ -73,7 +91,7 @@ export class AES256CBC extends BaseDriver implements EncryptionDriverContract {
     /**
      * Encoding value to a string so that we can set it on the cipher
      */
-    const plainText = new MessageBuilder().build(payload, expiresIn, purpose)
+    const plainText = new MessageBuilder().build(payload, expiresIn, actualPurpose)
 
     /**
      * Set final to the cipher instance and encrypt it
diff --git a/src/drivers/aes_256_gcm.ts b/src/drivers/aes_256_gcm.ts
@@ -15,6 +15,7 @@ import type {
   CypherText,
   EncryptionConfig,
   EncryptionDriverContract,
+  EncryptOptions,
 } from '../types/main.ts'
 
 export interface AES256GCMDriverConfig {
@@ -56,7 +57,24 @@ export class AES256GCM extends BaseDriver implements EncryptionDriverContract {
    * You can optionally define a purpose for which the value was encrypted and
    * mentioning a different purpose/no purpose during decrypt will fail.
    */
-  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText {
+  encrypt(payload: any, options?: EncryptOptions): CypherText
+  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
+  encrypt(
+    payload: any,
+    expiresInOrOptions?: string | number | EncryptOptions,
+    purpose?: string
+  ): CypherText {
+    let expiresIn: string | number | undefined
+    let actualPurpose: string | undefined
+
+    if (typeof expiresInOrOptions === 'object' && expiresInOrOptions !== null) {
+      expiresIn = expiresInOrOptions.expiresIn
+      actualPurpose = expiresInOrOptions.purpose
+    } else {
+      expiresIn = expiresInOrOptions
+      actualPurpose = purpose
+    }
+
     /**
      * Using a random string as the iv for generating unpredictable values
      */
@@ -67,8 +85,10 @@ export class AES256GCM extends BaseDriver implements EncryptionDriverContract {
      */
     const cipher = createCipheriv('aes-256-gcm', this.cryptoKey, iv)
 
-    if (purpose) {
-      cipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
+    if (actualPurpose) {
+      cipher.setAAD(Buffer.from(actualPurpose), {
+        plaintextLength: Buffer.byteLength(actualPurpose),
+      })
     }
 
     /**
diff --git a/src/drivers/base_driver.ts b/src/drivers/base_driver.ts
@@ -7,8 +7,8 @@
 
 import { createHash } from 'node:crypto'
 import * as errors from '../exceptions.ts'
-import type { BaseConfig, CypherText } from '../types/main.ts'
-import { type Secret } from '@poppinss/utils'
+import type { Secret } from '@poppinss/utils'
+import type { BaseConfig, CypherText, EncryptOptions } from '../types/main.ts'
 
 export abstract class BaseDriver {
   /**
@@ -62,6 +62,7 @@ export abstract class BaseDriver {
    * You can optionally define a purpose for which the value was encrypted and
    * mentioning a different purpose/no purpose during decrypt will fail.
    */
+  abstract encrypt(payload: any, options?: EncryptOptions): CypherText
   abstract encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
 
   /**
diff --git a/src/drivers/chacha20_poly1305.ts b/src/drivers/chacha20_poly1305.ts
@@ -14,6 +14,7 @@ import type {
   CypherText,
   EncryptionConfig,
   EncryptionDriverContract,
+  EncryptOptions,
 } from '../types/main.ts'
 import { base64UrlDecode, base64UrlEncode } from '../base64.ts'
 
@@ -56,7 +57,24 @@ export class ChaCha20Poly1305 extends BaseDriver implements EncryptionDriverCont
    * You can optionally define a purpose for which the value was encrypted and
    * mentioning a different purpose/no purpose during decrypt will fail.
    */
-  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText {
+  encrypt(payload: any, options?: EncryptOptions): CypherText
+  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
+  encrypt(
+    payload: any,
+    expiresInOrOptions?: string | number | EncryptOptions,
+    purpose?: string
+  ): CypherText {
+    let expiresIn: string | number | undefined
+    let actualPurpose: string | undefined
+
+    if (typeof expiresInOrOptions === 'object' && expiresInOrOptions !== null) {
+      expiresIn = expiresInOrOptions.expiresIn
+      actualPurpose = expiresInOrOptions.purpose
+    } else {
+      expiresIn = expiresInOrOptions
+      actualPurpose = purpose
+    }
+
     /**
      * Using a random string as the iv for generating unpredictable values
      */
@@ -69,8 +87,10 @@ export class ChaCha20Poly1305 extends BaseDriver implements EncryptionDriverCont
       authTagLength: 16,
     })
 
-    if (purpose) {
-      cipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
+    if (actualPurpose) {
+      cipher.setAAD(Buffer.from(actualPurpose), {
+        plaintextLength: Buffer.byteLength(actualPurpose),
+      })
     }
 
     /**
diff --git a/src/encryption.ts b/src/encryption.ts
@@ -6,7 +6,12 @@
  */
 
 import { MessageVerifier } from './message_verifier.ts'
-import type { CypherText, EncryptionConfig, EncryptionDriverContract } from './types/main.ts'
+import type {
+  CypherText,
+  EncryptionConfig,
+  EncryptionDriverContract,
+  EncryptOptions,
+} from './types/main.ts'
 
 /**
  * Encryption class that wraps a driver and manages multiple keys.
@@ -24,8 +29,25 @@ export class Encryption {
   /**
    * Encrypt a value using the first key
    */
-  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText {
-    return this.#drivers[0].encrypt(payload, expiresIn, purpose)
+  encrypt(payload: any, options?: EncryptOptions): CypherText
+  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
+  encrypt(
+    payload: any,
+    expiresInOrOptions?: string | number | EncryptOptions,
+    purpose?: string
+  ): CypherText {
+    let expiresIn: string | number | undefined
+    let actualPurpose: string | undefined
+
+    if (typeof expiresInOrOptions === 'object' && expiresInOrOptions !== null) {
+      expiresIn = expiresInOrOptions.expiresIn
+      actualPurpose = expiresInOrOptions.purpose
+    } else {
+      expiresIn = expiresInOrOptions
+      actualPurpose = purpose
+    }
+
+    return this.#drivers[0].encrypt(payload, expiresIn, actualPurpose)
   }
 
   /**
diff --git a/src/encryption_manager.ts b/src/encryption_manager.ts
@@ -9,7 +9,7 @@ import { RuntimeException } from '@poppinss/utils/exception'
 import debug from './debug.ts'
 import { Encryption } from './encryption.ts'
 import type { MessageVerifier } from './message_verifier.ts'
-import type { CypherText, EncryptionConfig } from './types/main.ts'
+import type { CypherText, EncryptionConfig, EncryptOptions } from './types/main.ts'
 
 export class EncryptionManager<KnownEncrypters extends Record<string, EncryptionConfig>> {
   /**
@@ -75,8 +75,25 @@ export class EncryptionManager<KnownEncrypters extends Record<string, Encryption
     return this.use().getMessageVerifier()
   }
 
-  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText {
-    return this.use().encrypt(payload, expiresIn, purpose)
+  encrypt(payload: any, options?: EncryptOptions): CypherText
+  encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
+  encrypt(
+    payload: any,
+    expiresInOrOptions?: string | number | EncryptOptions,
+    purpose?: string
+  ): CypherText {
+    let expiresIn: string | number | undefined
+    let actualPurpose: string | undefined
+
+    if (typeof expiresInOrOptions === 'object' && expiresInOrOptions !== null) {
+      expiresIn = expiresInOrOptions.expiresIn
+      actualPurpose = expiresInOrOptions.purpose
+    } else {
+      expiresIn = expiresInOrOptions
+      actualPurpose = purpose
+    }
+
+    return this.use().encrypt(payload, expiresIn, actualPurpose)
   }
 
   decrypt<T extends any>(value: string, purpose?: string): T | null {
diff --git a/src/types/main.ts b/src/types/main.ts
@@ -9,6 +9,14 @@ import { type Secret } from '@poppinss/utils'
 
 export type CypherText = `${string}.${string}.${string}.${string}`
 
+/**
+ * Options for the encrypt method
+ */
+export interface EncryptOptions {
+  expiresIn?: string | number
+  purpose?: string
+}
+
 /**
  * The contract Encryption drivers should adhere to
  */
@@ -27,6 +35,7 @@ export interface EncryptionDriverContract {
    * You can optionally define a purpose for which the value was encrypted and
    * mentioning a different purpose/no purpose during decrypt will fail.
    */
+  encrypt(payload: any, options?: EncryptOptions): CypherText
   encrypt(payload: any, expiresIn?: string | number, purpose?: string): CypherText
 
   /**
diff --git a/tests/drivers/aes_256_cbc.spec.ts b/tests/drivers/aes_256_cbc.spec.ts
@@ -130,7 +130,7 @@ test.group('AES-256-CBC', () => {
 
   test('return null when purpose is missing during decrypt', ({ assert }) => {
     const driver = new AES256CBC({ id: 'lanz', key: SECRET })
-    const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'login')
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'login' })
 
     assert.isNull(driver.decrypt(encrypted))
   })
@@ -144,12 +144,26 @@ test.group('AES-256-CBC', () => {
 
   test('return null when purpose are not same', ({ assert }) => {
     const driver = new AES256CBC({ id: 'lanz', key: SECRET })
-    const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'register')
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'register' })
 
     assert.isNull(driver.decrypt(encrypted, 'login'))
   })
 
   test('decrypt when purpose are same', ({ assert }) => {
+    const driver = new AES256CBC({ id: 'lanz', key: SECRET })
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'register' })
+
+    assert.deepEqual(driver.decrypt(encrypted, 'register'), { username: 'lanz' })
+  })
+
+  test('encrypt with options object containing both expiresIn and purpose', ({ assert }) => {
+    const driver = new AES256CBC({ id: 'lanz', key: SECRET })
+    const encrypted = driver.encrypt({ username: 'lanz' }, { expiresIn: '1h', purpose: 'register' })
+
+    assert.deepEqual(driver.decrypt(encrypted, 'register'), { username: 'lanz' })
+  })
+
+  test('backward compatibility: encrypt with positional arguments', ({ assert }) => {
     const driver = new AES256CBC({ id: 'lanz', key: SECRET })
     const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'register')
 
diff --git a/tests/drivers/aes_256_gcm.spec.ts b/tests/drivers/aes_256_gcm.spec.ts
@@ -137,7 +137,7 @@ test.group('AES-256-GCM', () => {
 
   test('return null when purpose is missing during decrypt', ({ assert }) => {
     const driver = new AES256GCM({ id: 'lanz', key: SECRET })
-    const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'login')
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'login' })
 
     assert.isNull(driver.decrypt(encrypted))
   })
@@ -151,12 +151,26 @@ test.group('AES-256-GCM', () => {
 
   test('return null when purpose are not same', ({ assert }) => {
     const driver = new AES256GCM({ id: 'lanz', key: SECRET })
-    const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'register')
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'register' })
 
     assert.isNull(driver.decrypt(encrypted, 'login'))
   })
 
   test('decrypt when purpose are same', ({ assert }) => {
+    const driver = new AES256GCM({ id: 'lanz', key: SECRET })
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'register' })
+
+    assert.deepEqual(driver.decrypt(encrypted, 'register'), { username: 'lanz' })
+  })
+
+  test('encrypt with options object containing both expiresIn and purpose', ({ assert }) => {
+    const driver = new AES256GCM({ id: 'lanz', key: SECRET })
+    const encrypted = driver.encrypt({ username: 'lanz' }, { expiresIn: '1h', purpose: 'register' })
+
+    assert.deepEqual(driver.decrypt(encrypted, 'register'), { username: 'lanz' })
+  })
+
+  test('backward compatibility: encrypt with positional arguments', ({ assert }) => {
     const driver = new AES256GCM({ id: 'lanz', key: SECRET })
     const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'register')
 
diff --git a/tests/drivers/chacha20_poly1305.spec.ts b/tests/drivers/chacha20_poly1305.spec.ts
@@ -130,7 +130,7 @@ test.group('ChaCha20-Poly1305', () => {
 
   test('return null when purpose is missing during decrypt', ({ assert }) => {
     const driver = new ChaCha20Poly1305({ id: 'lanz', key: SECRET })
-    const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'login')
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'login' })
 
     assert.isNull(driver.decrypt(encrypted))
   })
@@ -144,12 +144,26 @@ test.group('ChaCha20-Poly1305', () => {
 
   test('return null when purpose are not same', ({ assert }) => {
     const driver = new ChaCha20Poly1305({ id: 'lanz', key: SECRET })
-    const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'register')
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'register' })
 
     assert.isNull(driver.decrypt(encrypted, 'login'))
   })
 
   test('decrypt when purpose are same', ({ assert }) => {
+    const driver = new ChaCha20Poly1305({ id: 'lanz', key: SECRET })
+    const encrypted = driver.encrypt({ username: 'lanz' }, { purpose: 'register' })
+
+    assert.deepEqual(driver.decrypt(encrypted, 'register'), { username: 'lanz' })
+  })
+
+  test('encrypt with options object containing both expiresIn and purpose', ({ assert }) => {
+    const driver = new ChaCha20Poly1305({ id: 'lanz', key: SECRET })
+    const encrypted = driver.encrypt({ username: 'lanz' }, { expiresIn: '1h', purpose: 'register' })
+
+    assert.deepEqual(driver.decrypt(encrypted, 'register'), { username: 'lanz' })
+  })
+
+  test('backward compatibility: encrypt with positional arguments', ({ assert }) => {
     const driver = new ChaCha20Poly1305({ id: 'lanz', key: SECRET })
     const encrypted = driver.encrypt({ username: 'lanz' }, undefined, 'register')
 
diff --git a/tests/encryption.spec.ts b/tests/encryption.spec.ts
@@ -134,4 +134,25 @@ test.group('Encryption', () => {
     })
     assert.isNull(encryption.getMessageVerifier().unsign(signed))
   })
+
+  test('encrypt with options object containing purpose', ({ assert }) => {
+    const encryption = new Encryption({
+      driver: (key) => new ChaCha20Poly1305({ id: 'test', key }),
+      keys: [SECRET],
+    })
+
+    const encrypted = encryption.encrypt({ username: 'virk' }, { purpose: 'test' })
+    assert.deepEqual(encryption.decrypt(encrypted, 'test'), { username: 'virk' })
+    assert.isNull(encryption.decrypt(encrypted, 'wrong'))
+  })
+
+  test('encrypt with options object containing expiresIn and purpose', ({ assert }) => {
+    const encryption = new Encryption({
+      driver: (key) => new ChaCha20Poly1305({ id: 'test', key }),
+      keys: [SECRET],
+    })
+
+    const encrypted = encryption.encrypt({ username: 'virk' }, { expiresIn: '1h', purpose: 'test' })
+    assert.deepEqual(encryption.decrypt(encrypted, 'test'), { username: 'virk' })
+  })
 })
diff --git a/tests/encryption_manager.spec.ts b/tests/encryption_manager.spec.ts
