HyperFrontend
← Back to @hyperfrontend/cryptography
@hyperfrontend/cryptography/browser

browser

Browser-targeted bindings of the cryptography primitives, wired to the Web Crypto API on globalThis.crypto.

Overview

This entry point composes the runtime-agnostic core (createEncrypt, createValueCreator, hashing, key derivation, time-based passwords) with browser implementations of subtle, getRandomValues, and UTF-8 encoding. The exported function signatures are identical to /node, so application code that imports from @hyperfrontend/cryptography/browser can be ported between runtimes without changes.

Usage

import { encrypt, decrypt, createVault, createHash } from '@hyperfrontend/cryptography/browser'

const ciphertext = await encrypt('top-secret', 'user-password')
const plaintext = await decrypt(ciphertext, 'user-password')

const vault = createVault(true) // singleUse
await vault.write('token', 'sk-live-...')
const password = vault.getPassword()
const token = await vault.read('token', password) // vault closes after read

const digest = await createHash('payload') // 64-char hex SHA-256

Notes

  • subtle resolves to globalThis.crypto.subtle; a secure context (HTTPS or localhost) is required.
  • getRandomValues is backed by crypto.getRandomValues and throws when called with a zero byte length.
  • Algorithm choices (AES-GCM, PBKDF2 with 100,000 iterations, SHA-256 default) live in the shared core and cannot be overridden per call.

API Reference

ƒ Functions

§function

createHash(data: string, algorithm: HashAlgorithm): Promise<string>

Creates a cryptographic hash of the provided data using Web Crypto API (browser implementation).

Parameters

NameTypeDescription
§data
string
The string data to hash
§algorithm
HashAlgorithm
The hash algorithm to use (defaults to SHA-256)
(default: 'SHA-256')

Returns

Promise<string>
A promise that resolves to the hexadecimal hash string

Example

Creating a hash

const hash = await createHash('secret-message')
// => '64-character hexadecimal string'
§function

getRandomValues(byteLength: number): Uint8Array

Generates cryptographically secure random values using Web Crypto API (browser implementation).

Parameters

NameTypeDescription
§byteLength
number
The number of random bytes to generate

Returns

Uint8Array
A Uint8Array containing the random bytes

Example

Generating random bytes

const randomBytes = getRandomValues(16)
// => Uint8Array(16) with cryptographically secure random values
§function

isSHA256Hash(hash: unknown): boolean

Validates whether the provided value is a valid SHA-256 hash string. Checks for exactly 64 hexadecimal characters (case-insensitive).

Parameters

NameTypeDescription
§hash
unknown
The value to validate as a SHA-256 hash

Returns

boolean
True if the value is a valid SHA-256 hash string, false otherwise

Example

Validating SHA-256 hashes

isSHA256Hash('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
// => true

isSHA256Hash('invalid')
// => false

Interfaces

§interface

EncryptionConfig

Configuration for encryption algorithm settings.

Properties

§name:"AES-GCM" | "AES-CBC" | "AES-CTR"
Encryption algorithm name (AES-GCM, AES-CBC, or AES-CTR).
§interface

TimeBasedPasswordGenerators

Generators for time-based one-time passwords (TOTP).

Properties

§readonly current:() => Promise<string>
Generates the password for the current time window.
§readonly next:() => Promise<string>
Generates the password for the next time window.
§readonly previous:() => Promise<string>
Generates the password for the previous time window.
§interface

Vault

Secure vault for storing encrypted key-value pairs.

Properties

§readonly close:() => void
Closes the vault and clears sensitive data from memory
§readonly getPassword:() => string
Retrieves the current vault password, or null if not set
§readonly read:(label: string, password: string) => Promise<string>
Reads and decrypts a value by label, requiring the password
§readonly write:(label: string, value: string) => Promise<void>
Writes an encrypted value with the given label

Types

§type

HashAlgorithm

Supported cryptographic hash algorithms.
type HashAlgorithm = "SHA-256" | "SHA-384" | "SHA-512"

Variables

§type

createVault

§type

decrypt

§type

encrypt

§type

encryptionConfig

Frozen encryption configuration to prevent runtime tampering. Using AES-GCM as the default algorithm for authenticated encryption.
§type

generateKey

§type

getTimeBasedPassword

Generates a UTC time-based one-time password (TOTP) with configurable time window and offset (browser implementation). Uses Web Crypto API for hash generation.
§type

getTimeBasedPasswords

Generates time-based one-time passwords (TOTP) for current, previous, and next time windows (browser implementation). Useful for handling time synchronization issues by providing passwords across adjacent time windows.
§type

subtle