Seckit
Secure cryptographic utilities for Dart: JWT authentication, field encryption with HMAC authentication, bcrypt password hashing, and deterministic hashing for searchable fields.
Features
- π JWT Handler - HS256 tokens with expiration validation
- π Field Encryptor - AES-256-CBC + HMAC authentication (searchable)
- π‘οΈ Password Hasher - bcrypt for authentication
- π Deterministic Hasher - HMAC-SHA256 for database lookups
- π§ Email Utils - Masking and validation
Security Highlights
β
Constant-time comparisons (timing attack prevention)
β
HMAC authentication (tampering detection)
β
Input validation (DoS prevention)
β
No information leakage in errors
β
Audited & production-ready
Quick Start
1. JWT Authentication
import 'package:seckit/seckit.dart';
final jwt = JwtHandler(
secretKey: 'your-secret-key-32-characters-long!',
devAuthToken: 'dev-token',
isProd: true,
userIdKey: 'user_id',
);
// Generate token
final token = jwt.generateToken(claims: {'user_id': 123, 'role': 'admin'});
// Validate
final result = jwt.validateToken(token);
if (result.isValue) print('Valid!');
2. Password Hashing (bcrypt - for authentication)
const hasher = PasswordHasher();
// Registration
final hash = hasher.hash('user-password').asValue!.value;
// Save to DB
// Login
final valid = hasher.verify('user-password', hash).asValue!.value;
3. Field Encryption (AES + HMAC - searchable & reversible)
final encryptor = FieldEncryptor(
dbSecretKey: 'base64-encoded-32-byte-key',
salt: 'unique-salt-16ch',
);
// Encrypt
final encrypted = encryptor.encrypt('user@example.com').asValue!.value;
// Decrypt
final decrypted = encryptor.decrypt(encrypted).asValue!.value;
4. Deterministic Hashing (HMAC - for DB lookups)
final hasher = DeterministicHasher(
secretKey: 'secret-key-32-characters-long!',
salt: 'email-salt-16ch',
);
// Hash for privacy + searchability
final emailHash = hasher.hash('user@example.com').asValue!.value;
// Store emailHash in DB index - same input = same hash
5. Email Masking
final masked = EmailUtils.mask('john.doe@example.com');
// Returns: "jo***@example.com"
When to Use What?
| Use Case | Tool | Why |
|---|---|---|
| User login/passwords | PasswordHasher |
Non-deterministic (secure) |
| Search by email/phone | DeterministicHasher |
Same input = same hash |
| Encrypt SSN/credit card | FieldEncryptor |
Reversible + searchable |
| API authentication | JwtHandler |
Stateless tokens |
Security Requirements
β οΈ Required in production:
- Key Lengths:
secretKeyβ₯32 chars,saltβ₯16 chars - Environment Variables: Never hardcode secrets
final config = Config(
secretKey: Platform.environment['JWT_SECRET']!,
dbSecretKey: Platform.environment['DB_SECRET']!,
devAuthToken: Platform.environment['DEV_TOKEN'] ?? '',
isProd: Platform.environment['ENV'] == 'production',
);
- Rate Limiting: Implement at app level (5 password attempts/min, 100 JWT validations/min)
Documentation
- CHANGELOG.md - Version history
- example/main.dart - Full working examples
- π οΈ scripts/README.md - Development scripts
dart run example/main.dart
License
MIT License - see LICENSE for details.
Libraries
- config
- deterministic_hasher
- email_utils
- field_encryptor
- jwt_handler
- password_hasher
- seckit
- Secure cryptographic utilities for Dart