npm - @apolitical/server - Versions diffs - 4.1.0-pla-305-0 → 4.1.0-pla-305.0 - Mend

@apolitical/server 4.1.0-pla-305-0 → 4.1.0-pla-305.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +7 -3
package/src/config.js +3 -1
package/src/container.js +0 -2
package/src/secrets.js +10 -0
package/src/services/secrets.service.js +28 -14
package/src/helpers/impersonation.helper.js +0 -22

package/package.json CHANGED Viewed

@@ -1,10 +1,14 @@
 {
   "name": "@apolitical/server",
-  "version": "4.1.0-pla-305-0",
+  "version": "4.1.0-pla-305.0",
   "description": "Node.js module to encapsulate Apolitical's express server setup",
   "author": "Apolitical Group Limited <engineering@apolitical.co>",
   "license": "MIT",
   "main": "src/index.js",
+  "exports": {
+    ".": "./src/index.js",
+    "./secrets": "./src/secrets.js"
+  },
   "files": [
     "src"
   ],
@@ -24,8 +28,8 @@
   ],
   "dependencies": {
     "@apolitical/logger": "2.1.0",
-    "@google-cloud/secret-manager": "5.6.0",
     "@cloudnative/health-connect": "2.1.0",
+    "@google-cloud/secret-manager": "^6.1.1",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/auto-instrumentations-node": "0.57.1",
     "@opentelemetry/exporter-trace-otlp-grpc": "0.200.0",
@@ -40,7 +44,7 @@
     "cookie-parser": "1.4.6",
     "cors": "2.8.5",
     "dotenv": "16.0.3",
-    "express": "4.18.2",
+    "express": "4.22.0",
     "express-jwt": "8.3.0",
     "http-status-codes": "2.2.0",
     "http-terminator": "3.2.0",

package/src/config.js CHANGED Viewed

@@ -1,6 +1,6 @@
 'use strict';
-const { NODE_ENV, LOG_LEVEL } = process.env;
+const { NODE_ENV, LOG_LEVEL, GOOGLE_CLOUD_PROJECT, GOOGLE_IMPERSONATE_SERVICE_ACCOUNT } = process.env;
 const NAME = 'apolitical-server';
 const UUID = '00000000-0000-0000-0000-000000000000';
@@ -10,6 +10,8 @@ const ADMIN_ROLE = 'administrator';
 module.exports = {
   NODE_ENV,
   LOG_LEVEL,
+  GOOGLE_CLOUD_PROJECT,
+  GOOGLE_IMPERSONATE_SERVICE_ACCOUNT,
   LOGGER_OPTIONS: {
     logLevel: LOG_LEVEL,
     labels: {

package/src/container.js CHANGED Viewed

@@ -37,7 +37,6 @@ const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
 const jwtPassportHelper = require('./helpers/jwt/passport.helper');
 const loggerHelper = require('./helpers/logger.helper');
 const requestHelper = require('./helpers/request.helper');
-const impersonationHelper = require('./helpers/impersonation.helper');
 // Loaders
 const documentationLoader = require('./loaders/documentation.loader');
 const expressLoader = require('./loaders/express.loader');
@@ -98,7 +97,6 @@ container.register({
   jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
   loggerHelper: asFunction(loggerHelper).singleton(),
   requestHelper: asFunction(requestHelper).singleton(),
-  impersonationHelper: asFunction(impersonationHelper).singleton(),
   // Loaders
   documentationLoader: asFunction(documentationLoader).singleton(),
   expressLoader: asFunction(expressLoader).singleton(),

package/src/secrets.js ADDED Viewed

@@ -0,0 +1,10 @@
+'use strict';
+const secretManager = require('@google-cloud/secret-manager');
+const secretsServiceFactory = require('./services/secrets.service');
+module.exports = secretsServiceFactory({
+  secretManager,
+  config: process.env,
+  logger: console,
+});

package/src/services/secrets.service.js CHANGED Viewed

@@ -1,26 +1,39 @@
 'use strict';
-module.exports = ({ secretManager, impersonationHelper, logger }) => {
+module.exports = ({ secretManager, config, logger }) => {
   const DEV_DEFAULTS = {
-    projectId: 'hazel-tea-194609',
     impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
   };
   const cache = {};
   let client = null;
+  // Resolved once at first client creation; stored in closure so subsequent
+  // calls to isImpersonationEnabled() reflect the dev default without
+  // re-reading process.env.
+  let resolvedImpersonationTarget = config.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT?.trim() || null;
+  function isImpersonationEnabled() {
+    return resolvedImpersonationTarget !== null;
+  }
+  function impersonationLogContext() {
+    return resolvedImpersonationTarget ? { targetServiceAccount: resolvedImpersonationTarget } : {};
+  }
   function getClient() {
     if (!client) {
-      // Auto-configure impersonation for non-production environments
-      if (process.env['NODE_ENV'] !== 'production' && !impersonationHelper.isImpersonationEnabled()) {
-        process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = DEV_DEFAULTS.impersonateAccount;
+      if (config.NODE_ENV !== 'production' && !isImpersonationEnabled()) {
+        resolvedImpersonationTarget = DEV_DEFAULTS.impersonateAccount;
+        // Set on process.env so the Google Cloud SDK picks it up via ADC
+        process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = resolvedImpersonationTarget;
         logger.info('[secrets] set default impersonation for development', {
-          targetServiceAccount: DEV_DEFAULTS.impersonateAccount,
+          targetServiceAccount: resolvedImpersonationTarget,
         });
       }
-      if (impersonationHelper.isImpersonationEnabled()) {
-        logger.info('[secrets] using impersonation', impersonationHelper.impersonationLogContext());
+      if (isImpersonationEnabled()) {
+        logger.info('[secrets] using impersonation', impersonationLogContext());
       }
       client = new secretManager.SecretManagerServiceClient();
@@ -30,10 +43,7 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
   async function loadSecrets(opts) {
     const { secrets } = opts;
-    const projectId =
-      opts.projectId ??
-      process.env['GOOGLE_CLOUD_PROJECT'] ??
-      (process.env['NODE_ENV'] !== 'production' ? DEV_DEFAULTS.projectId : undefined);
+    const projectId = opts.projectId ?? config.GOOGLE_CLOUD_PROJECT;
     if (!projectId) {
       throw new Error('Missing projectId for Secret Manager');
@@ -57,12 +67,17 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
         }
         cache[spec.envVar] = payload;
-        process.env[spec.envVar] = payload;
+        if (spec.exportToEnv) {
+          process.env[spec.envVar] = payload;
+        }
         logger.info('[secrets] loaded', {
           name: spec.name,
           envVar: spec.envVar,
           version,
+          cached: true,
+          exportedToEnv: !!spec.exportToEnv,
         });
       } catch (err) {
         throw new Error(`Failed to load secret "${spec.name}": ${err.message}`);
@@ -81,6 +96,5 @@ module.exports = ({ secretManager, impersonationHelper, logger }) => {
   return {
     loadSecrets,
     getSecret,
-    impersonation: impersonationHelper,
   };
 };

package/src/helpers/impersonation.helper.js DELETED Viewed

@@ -1,22 +0,0 @@
-'use strict';
-module.exports = () => {
-  // Returns the target service account to impersonate if configured via env
-  function getImpersonationTarget() {
-    const target = process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'];
-    return target && target.trim().length > 0 ? target.trim() : null;
-  }
-  // Whether impersonation is enabled for the current process
-  function isImpersonationEnabled() {
-    return getImpersonationTarget() !== null;
-  }
-  // Produce a safe log payload for audit visibility
-  function impersonationLogContext() {
-    const target = getImpersonationTarget();
-    return target ? { targetServiceAccount: target } : {};
-  }
-  return { getImpersonationTarget, isImpersonationEnabled, impersonationLogContext };
-};