fr-rust 0.1.0

A comprehensive framework/utility library for Actix-web, Postgres, Redis, and authentication.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

use aes_gcm::{
    aead::{Aead, KeyInit},
    Aes256Gcm, Nonce,
};
use argon2::{
    password_hash::{
        rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString,
    },
    Argon2,
};
use base64::{engine::general_purpose, Engine as _};
use rand::Rng;
use sha2::{Digest, Sha256};
use thiserror::Error;
use tokio::task;

// --- ERROR HANDLING ---

#[derive(Error, Debug)]
pub enum CryptoError {
    #[error("Invalid encryption key length")]
    InvalidKeyLength,

    #[error("Encryption failed")]
    EncryptionFailed,

    #[error("Decryption failed")]
    DecryptionFailed,

    #[error("Invalid encrypted data: too short")]
    InvalidDataLength,

    #[error("Base64 decode error: {0}")]
    Base64(#[from] base64::DecodeError),

    #[error("Invalid UTF-8 sequence: {0}")]
    Utf8(#[from] std::string::FromUtf8Error),

    #[error("Argon2 hashing error: {0}")]
    Argon2(#[from] argon2::password_hash::Error),

    #[error("Async task join error: {0}")]
    Join(#[from] tokio::task::JoinError),
}

pub type Result<T> = std::result::Result<T, CryptoError>;

// --- DATA STRUCTURES ---

pub struct EncryptedData {
    pub encrypted_text: String,
}

pub struct DecryptedData {
    pub text: String,
}

pub struct HashedData {
    pub hash: String,
}

// --- OOP SERVICE ---

#[derive(Clone)]
pub struct CryptoService {
    cipher: Aes256Gcm,
}

impl CryptoService {
    /// Constructor: Initializes the AES cipher once.
    /// Fixes the performance issue of expanding the key schedule on every request.
    pub fn new(encryption_key: &[u8; 32]) -> Result<Self> {
        let cipher = Aes256Gcm::new_from_slice(encryption_key)
            .map_err(|_| CryptoError::InvalidKeyLength)?;

        Ok(Self { cipher })
    }

    /// Encrypts plaintext into a base64-encoded string (Nonce + Ciphertext)
    /// Purely CPU-bound and fast: Kept synchronous to avoid async executor overhead.
    pub fn encrypt_text(&self, text: &str) -> Result<EncryptedData> {
        let mut nonce_bytes = [0u8; 12];
        rand::rng().fill_bytes(&mut nonce_bytes);
        let nonce = Nonce::from_slice(&nonce_bytes);

        // Encrypt the data
        let ciphertext = self
            .cipher
            .encrypt(nonce, text.as_bytes())
            .map_err(|_| CryptoError::EncryptionFailed)?;

        // Pre-allocate exact capacity to prevent reallocation vectors
        let mut combined = Vec::with_capacity(12 + ciphertext.len());
        combined.extend_from_slice(&nonce_bytes);
        combined.extend_from_slice(&ciphertext);

        Ok(EncryptedData {
            encrypted_text: general_purpose::STANDARD.encode(combined),
        })
    }

    /// Decrypts a base64-encoded string back to plaintext
    /// Purely CPU-bound and fast: Kept synchronous.
    pub fn decrypt_text(&self, encrypted_text: &str) -> Result<DecryptedData> {
        let decoded = general_purpose::STANDARD.decode(encrypted_text)?;

        if decoded.len() < 12 {
            return Err(CryptoError::InvalidDataLength);
        }

        let (nonce_bytes, ciphertext) = decoded.split_at(12);
        let nonce = Nonce::from_slice(nonce_bytes);

        // Decrypt the data
        let plaintext = self
            .cipher
            .decrypt(nonce, ciphertext)
            .map_err(|_| CryptoError::DecryptionFailed)?;

        Ok(DecryptedData {
            text: String::from_utf8(plaintext)?,
        })
    }

    /// Hashes a string using SHA-256 and returns a hex-encoded string.
    /// Fast, non-blocking: Kept synchronous.
    pub fn sha256_hash(&self, data: &str) -> Result<HashedData> {
        let mut hasher = Sha256::new();
        hasher.update(data.as_bytes());
        let result = hasher.finalize();

        // Format raw bytes directly into a 64-character lowercase hex string
        let hash = format!("{:x}", result);

        Ok(HashedData { hash })
    }

    /// Hashes a string using Argon2.
    /// Heavy CPU/Memory usage: Must remain async and run on a blocking thread pool.
    pub async fn hash_data(&self, data: &str) -> Result<HashedData> {
        let data = data.to_string();

        let hash = task::spawn_blocking(move || -> Result<String> {
            let salt = SaltString::generate(&mut OsRng);
            let argon2 = Argon2::default();

            let hashed = argon2
                .hash_password(data.as_bytes(), &salt)?; // `?` cleanly converts to CryptoError::Argon2
            
            Ok(hashed.to_string())
        })
        .await??;

        Ok(HashedData { hash })
    }

    /// Verifies a string against an Argon2 hash.
    /// Heavy CPU usage: Must remain async and run on a blocking thread pool.
    pub async fn verify_hash(&self, data: &str, hash: &str) -> Result<bool> {
        let data = data.to_string();
        let hash = hash.to_string();

        let is_valid = task::spawn_blocking(move || {
            match PasswordHash::new(&hash) {
                Ok(parsed) => Argon2::default()
                    .verify_password(data.as_bytes(), &parsed)
                    .is_ok(),
                Err(_) => false,
            }
        })
        .await?;

        Ok(is_valid)
    }
}