feat(api): Add simple HMAC encryption of clear content using SHA256

Author: nick-stebbings

Justfile

@@ -62,6 +62,10 @@ watch:
 build:
     cargo build
 
+# Build for production (optimized)
+gen-key:
+    cargo run --example gen-key -p web_server
+
 # Build for production (optimized)
 build-release:
     cargo build --release

crates/lib/lib-core/Cargo.toml

@@ -12,6 +12,10 @@ anyhow = { workspace = true }
 serde_with = { workspace = true }
 lib-util = { path = "../lib-util"}
 uuid = {version = "1", features = ["v4","fast-rng",]}
+rand = "0.9"
+hmac = "0.12"
+sha2 = "0.10"
+base64-url = "3"
 
 [dev-dependencies]
 serial_test = "3"

crates/lib/lib-core/src/crypt/error.rs

@@ -0,0 +1,20 @@
+use serde::Serialize;
+
+pub type Result<T> = core::result::Result<T, Error>;
+
+#[derive(Debug, Serialize)]
+pub enum Error {
+    KeyFailHmac,
+}
+
+// region:    --- Error Boilerplate
+
+impl core::fmt::Display for Error {
+    fn fmt(&self, fmt: &mut core::fmt::Formatter) -> core::result::Result<(), core::fmt::Error> {
+        write!(fmt, "{self:?}")
+    }
+}
+
+impl std::error::Error for Error {}
+
+// endregion: --- Error Boilerplate

crates/lib/lib-core/src/crypt/mod.rs

@@ -0,0 +1,61 @@
+// region:    --- Modules
+
+pub mod error;
+pub mod password;
+pub use error::{Error, Result};
+
+use hmac::{Hmac, Mac};
+use sha2::Sha256;
+
+// endregion: --- Modules
+
+pub struct EncryptContent {
+    pub content: String, // Clear content.
+    pub salt: String,    // Clear salt.
+}
+
+// We normalise into b64 url as it is portable and a reliable character set.
+pub fn encrypt_into_b64u(key: &[u8], enc_content: &EncryptContent) -> Result<String> {
+    let mut hmac = Hmac::<Sha256>::new_from_slice(key).map_err(|_| Error::KeyFailHmac)?;
+
+    let EncryptContent { content, salt } = enc_content;
+
+    hmac.update(content.as_bytes());
+    hmac.update(salt.as_bytes());
+
+    let result = hmac.finalize();
+
+    let result_bytes = result.into_bytes();
+
+    Ok(base64_url::encode(&result_bytes))
+}
+
+// region:    --- Tests
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use anyhow::Result;
+    use rand::RngCore;
+
+    #[test]
+    fn test_encrypt_into_b64u_ok() -> Result<()> {
+        let mut fx_key = [0u8; 64]; // 512 bits = 64 bytes
+        rand::rng().fill_bytes(&mut fx_key);
+
+        let fx_enc_content = EncryptContent {
+            content: "Hey there".to_string(),
+            salt: "don't be salty".to_string(),
+        };
+        let result = encrypt_into_b64u(&fx_key, &fx_enc_content)?;
+
+        let result2 = encrypt_into_b64u(&fx_key, &fx_enc_content)?;
+
+        // Basic indempotency test
+        assert_eq!(result, result2);
+
+        Ok(())
+    }
+}
+
+// endregion: --- Tests

crates/lib/lib-core/src/crypt/password.rs

@@ -0,0 +1 @@
+

crates/lib/lib-core/src/lib.rs

@@ -1,4 +1,5 @@
 pub mod config;
+pub mod crypt;
 pub mod ctx;
 pub mod model;
 

crates/lib/services/web_server/Cargo.toml

@@ -18,10 +18,12 @@ lib-web = { path = "../../lib-web"}
 tokio = { workspace = true }
 axum = { workspace = true }
 
+rand = "0.9"
 derive_more = { workspace = true }
 tracing-subscriber = { workspace = true }
 tracing = { workspace = true }
 httpc-test = "0.1.10"
+base64-url = "3"
 
 [lints]
 workspace = true

crates/lib/services/web_server/examples/gen-key.rs

@@ -0,0 +1,15 @@
+pub type Result<T> = core::result::Result<T, Error>;
+pub type Error = Box<dyn std::error::Error>; // Ok for tools.
+
+use rand::RngCore;
+
+fn main() -> Result<()> {
+    let mut key = [0u8; 64]; // 512 bits = 64 bytes
+    rand::rng().fill_bytes(&mut key);
+    println!("\nGenerated key from rand::thread_rng():\n{key:?}");
+
+    let b64u = base64_url::encode(&key);
+    println!("\nKey b64u encoded:\n{}", &b64u);
+
+    Ok(())
+}