Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Orbis25/FoundationKit/llms.txt
Use this file to discover all available pages before exploring further.
IEncryptorService is the central encryption abstraction in FoundationKit. It exposes two complementary encryption strategies: TweetNaCl/Curve25519 asymmetric encryption (via CryptoBoxAfternm) for protecting small payloads such as per-request AES configurations, and AES-CBC symmetric encryption for efficiently encrypting larger request and response bodies. Register it via AddFoundationKitEncryptor and inject it wherever encryption or decryption is required.
Interface members
HeaderAes
EncryptorOption.HeaderAes at construction time. Both EncryptorHelper.AesOk and FoundationKitAesEncryptorMiddleware read this property to locate the correct header.
The header name (e.g.
"x-aes-config") that clients must set on every request when using AES-encrypted endpoints. null if the option was not configured.EncryptCore<T>
Serializes an object to JSON and encrypts it using the TweetNaClCryptoBoxAfternm algorithm (Curve25519 + XSalsa20-Poly1305). The output is a single base64 string that contains the 24-byte random nonce prepended to the ciphertext.
The object to encrypt. Returns an empty string immediately if
null.Base64-encoded Curve25519 public key. When omitted, falls back to
EncryptorOption.PublicKey.Base64-encoded Curve25519 private key. When omitted, falls back to
EncryptorOption.PrivateKey.string — a base64-encoded payload structured as [24-byte nonce | ciphertext].
Throws ArgumentNullException if both the call-site key and the corresponding option key are null or empty.
DecryptCore<T>
Decrypts a base64 ciphertext previously produced byEncryptCore and deserializes the result to T. The first 24 bytes of the decoded payload are treated as the nonce; the remainder is the TweetNaCl ciphertext.
The base64-encoded ciphertext returned by
EncryptCore. Returns default(T) immediately if null or empty.Base64-encoded Curve25519 public key override. Falls back to
EncryptorOption.PublicKey when omitted.Base64-encoded Curve25519 private key override. Falls back to
EncryptorOption.PrivateKey when omitted.T? — the deserialized object, or null / default if the input is empty.
Throws ArgumentNullException if both the call-site key and the option key are null or empty.
AESEncrypt<T>
Serializes an object to JSON and encrypts it with AES-CBC using the key and IV from the suppliedAesConfig. The result is a base64-encoded ciphertext suitable for transmission in an HTTP body.
The object to encrypt. Returns an empty string immediately if
null.AES key and initialization vector. Both
Key and Iv must be non-null base64 strings; otherwise an ArgumentNullException is thrown.string — base64-encoded AES ciphertext, or an empty string if an internal error occurs (the exception is written to Console).
AESDecrypt<T> (typed)
Decrypts a base64 AES ciphertext and deserializes the resulting JSON toT.
Base64-encoded AES ciphertext, as produced by
AESEncrypt.The same
AesConfig (key + IV) used when encrypting. Key and IV must not be null or empty.T? — the deserialized object, or default if the decrypted JSON is empty or an error occurs.
AESDecrypt (string)
Decrypts a base64 AES ciphertext and returns the raw plain-text string without further deserialization. Useful when the caller needs to process the JSON manually or forward the decrypted body.Base64-encoded AES ciphertext.
AES key and IV configuration.
string? — the decrypted plain-text string, or null if the result is empty or an error occurs.
Supporting types
AesConfig
Carries the AES key and initialization vector for a single encrypt/decrypt operation. Clients typically generate a freshAesConfig per request, encrypt it with EncryptCore, and transmit it in the HeaderAes request header.
Base64-encoded AES key bytes. Passed through
Convert.FromBase64String before use; must be a valid AES key length (16, 24, or 32 bytes when decoded).Base64-encoded AES initialization vector (16 bytes when decoded for AES-CBC).
RequestAesBase
The standard HTTP request/response body wrapper for AES-encrypted endpoints. Both the middleware andAesOk use this class: the middleware expects an incoming body of this shape and replaces it with the decrypted content; AesOk wraps the encrypted response in this class before returning 200 OK.
The base64-encoded AES ciphertext that represents the actual request or response payload.
EncryptorHelper.AesOk
AControllerBase extension method that handles the full encrypt-on-send flow in a single call. It reads the HeaderAes header from the current request, uses DecryptCore to recover the AesConfig, encrypts the response object with AESEncrypt, and returns a 200 OK with a RequestAesBase body.
The MVC controller making the response. Used to resolve
IEncryptorService from the DI container and to read the request headers.The response object to encrypt. Throws
ArgumentNullException if null.| Result | Condition |
|---|---|
200 OK with RequestAesBase { Data = "<cipherText>" } | Header present, decryption succeeded, and AES encryption produced a non-empty result. |
401 Unauthorized | HeaderAes header is missing or DecryptCore returns null. |
400 Bad Request | AES encryption returned an empty string. |
AesOk calls controller.HttpContext.RequestServices.GetRequiredService<IEncryptorService>() internally, so IEncryptorService must be registered (via AddFoundationKitEncryptor) before using this helper.FoundationKitAesEncryptorMiddleware
An ASP.NET Core middleware that transparently decrypts incoming request bodies before the request reaches your controllers or minimal-API handlers. Register it withapp.UseMiddleware<FoundationKitAesEncryptorMiddleware>().
Request flow
- Read the
HeaderAesheader. If absent →401 Unauthorized. - Decrypt the header value with
DecryptCore<AesConfig>. If decryption fails →401 Unauthorized. - Read the request body and deserialize it as
RequestAesBase. IfDatais null or empty →400 Bad Request. - Decrypt
DatawithAESDecrypt(string)using the recoveredAesConfig. If decryption returnsnull→400 Bad Request. - Replace
HttpContext.Request.Bodywith a newMemoryStreamcontaining the decrypted JSON bytes (UTF-8). - Pass control to the next middleware/handler with
await _next(context).