fix: use rust blowfish instead of node

The JavaScript blowfish-node library had a critical bug where it would
sometimes return 2047 bytes instead of 2048 during decryption, causing
byte alignment issues that corrupted FLAC audio at specific intervals
(~every 32/82 seconds).

Changes:
- Add Rust dependencies: blowfish, md5, byteorder
- Implement new module in Rust with proper Blowfish CBC
- Add decryption Tauri command
- Update frontend to call Rust decryption instead of JavaScript
- Remove buggy JavaScript blowfish implementation
- Update decryption algorithm (6144-byte windows)

src-tauri/src/deezer_crypto.rs

@@ -0,0 +1,112 @@
+use blowfish::cipher::{BlockDecrypt, KeyInit};
+use blowfish::Blowfish;
+use byteorder::BigEndian;
+
+/// Generate Blowfish key for Deezer track decryption
+pub fn generate_blowfish_key(track_id: &str) -> Vec<u8> {
+    const SECRET: &[u8] = b"g4el58wc0zvf9na1";
+
+    // MD5 hash of track ID
+    let id_md5 = format!("{:x}", md5::compute(track_id.as_bytes()));
+
+    // Generate 16-byte key by XORing MD5 parts with secret
+    let mut bf_key = Vec::with_capacity(16);
+    for i in 0..16 {
+        let md5_byte1 = id_md5.as_bytes()[i];
+        let md5_byte2 = id_md5.as_bytes()[i + 16];
+        let secret_byte = SECRET[i];
+        bf_key.push(md5_byte1 ^ md5_byte2 ^ secret_byte);
+    }
+
+    bf_key
+}
+
+/// Decrypt a single 2048-byte chunk using Blowfish CBC
+pub fn decrypt_chunk(chunk: &[u8], blowfish_key: &[u8]) -> Vec<u8> {
+    let cipher = Blowfish::<BigEndian>::new_from_slice(blowfish_key)
+        .expect("Invalid key length");
+
+    let mut result = chunk.to_vec();
+    let iv = [0u8, 1, 2, 3, 4, 5, 6, 7];
+
+    // Decrypt in CBC mode
+    let mut prev_block = iv;
+
+    for chunk_idx in (0..result.len()).step_by(8) {
+        if chunk_idx + 8 <= result.len() {
+            let mut block = [0u8; 8];
+            block.copy_from_slice(&result[chunk_idx..chunk_idx + 8]);
+
+            let encrypted_block = block;
+            cipher.decrypt_block((&mut block).into());
+
+            // XOR with previous ciphertext (CBC mode)
+            for i in 0..8 {
+                block[i] ^= prev_block[i];
+            }
+
+            result[chunk_idx..chunk_idx + 8].copy_from_slice(&block);
+            prev_block = encrypted_block;
+        }
+    }
+
+    result
+}
+
+/// Decrypt track data using Deezer's encryption scheme
+/// Every 3 chunks (6144 bytes), only the first 2048 bytes are encrypted
+pub fn decrypt_track(data: &[u8], track_id: &str) -> Vec<u8> {
+    const CHUNK_SIZE: usize = 2048;
+    const WINDOW_SIZE: usize = CHUNK_SIZE * 3; // 6144
+
+    let blowfish_key = generate_blowfish_key(track_id);
+    let mut result = Vec::with_capacity(data.len());
+
+    let mut offset = 0;
+
+    while offset < data.len() {
+        let remaining = data.len() - offset;
+
+        if remaining >= WINDOW_SIZE {
+            // Full window: decrypt first 2048 bytes, keep next 4096 as-is
+            let encrypted_chunk = &data[offset..offset + CHUNK_SIZE];
+            let plain_part = &data[offset + CHUNK_SIZE..offset + WINDOW_SIZE];
+
+            let decrypted = decrypt_chunk(encrypted_chunk, &blowfish_key);
+            result.extend_from_slice(&decrypted);
+            result.extend_from_slice(plain_part);
+
+            offset += WINDOW_SIZE;
+        } else if remaining >= CHUNK_SIZE {
+            // Partial window: decrypt first 2048 bytes, keep rest as-is
+            let encrypted_chunk = &data[offset..offset + CHUNK_SIZE];
+            let plain_part = &data[offset + CHUNK_SIZE..];
+
+            let decrypted = decrypt_chunk(encrypted_chunk, &blowfish_key);
+            result.extend_from_slice(&decrypted);
+            result.extend_from_slice(plain_part);
+
+            offset = data.len();
+        } else {
+            // Less than 2048 bytes: keep as-is
+            result.extend_from_slice(&data[offset..]);
+            offset = data.len();
+        }
+    }
+
+    result
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_key_generation() {
+        let key = generate_blowfish_key("99756342");
+        assert_eq!(key.len(), 16);
+        // Key should be: 3333676c346d7c62372b7c3e6d32626c (in hex)
+        assert_eq!(format!("{:02x}", key[0]), "33");
+        assert_eq!(format!("{:02x}", key[1]), "33");
+    }
+}

src-tauri/src/lib.rs

@@ -2,6 +2,7 @@ use tauri_plugin_sql::{Migration, MigrationKind};
 
 mod tagger;
 mod metadata;
+mod deezer_crypto;
 
 // Learn more about Tauri commands at https://tauri.app/develop/calling-rust/
 #[tauri::command]
@@ -26,6 +27,12 @@ fn read_audio_metadata(path: String) -> Result<metadata::AudioMetadata, String>
     metadata::read_audio_metadata(&path)
 }
 
+/// Decrypt Deezer track data
+#[tauri::command]
+fn decrypt_deezer_track(data: Vec<u8>, track_id: String) -> Result<Vec<u8>, String> {
+    Ok(deezer_crypto::decrypt_track(&data, &track_id))
+}
+
 #[cfg_attr(mobile, tauri::mobile_entry_point)]
 pub fn run() {
     let library_migrations = vec![Migration {
@@ -143,7 +150,12 @@ pub fn run() {
         .plugin(tauri_plugin_store::Builder::new().build())
         .plugin(tauri_plugin_dialog::init())
         .plugin(tauri_plugin_fs::init())
-        .invoke_handler(tauri::generate_handler![greet, tag_audio_file, read_audio_metadata])
+        .invoke_handler(tauri::generate_handler![
+            greet,
+            tag_audio_file,
+            read_audio_metadata,
+            decrypt_deezer_track
+        ])
         .run(tauri::generate_context!())
         .expect("error while running tauri application");
 }