@apolitical/server 4.1.0 → 4.2.0-bht.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@apolitical/server",
-  "version": "4.1.0",
+  "version": "4.2.0-bht.0",
   "description": "Node.js module to encapsulate Apolitical's express server setup",
   "author": "Apolitical Group Limited <engineering@apolitical.co>",
   "license": "MIT",
@@ -23,9 +23,9 @@
     "Node Modules"
   ],
   "dependencies": {
-    "@apolitical/logger": "2.1.0",
-    "@google-cloud/secret-manager": "5.6.0",
+    "@apolitical/logger": "3.0.0-bht.0",
     "@cloudnative/health-connect": "2.1.0",
+    "@google-cloud/secret-manager": "6.1.1",
     "@opentelemetry/api": "1.9.0",
     "@opentelemetry/auto-instrumentations-node": "0.57.1",
     "@opentelemetry/exporter-trace-otlp-grpc": "0.200.0",
@@ -40,7 +40,7 @@
     "cookie-parser": "1.4.6",
     "cors": "2.8.5",
     "dotenv": "16.0.3",
-    "express": "4.18.2",
+    "express": "4.22.0",
     "express-jwt": "8.3.0",
     "http-status-codes": "2.2.0",
     "http-terminator": "3.2.0",

package/src/config.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const { NODE_ENV, LOG_LEVEL } = process.env;
+const { NODE_ENV, LOG_LEVEL, GOOGLE_CLOUD_PROJECT, GOOGLE_IMPERSONATE_SERVICE_ACCOUNT } = process.env;
 
 const NAME = 'apolitical-server';
 const UUID = '00000000-0000-0000-0000-000000000000';
@@ -10,6 +10,8 @@ const ADMIN_ROLE = 'administrator';
 module.exports = {
   NODE_ENV,
   LOG_LEVEL,
+  GOOGLE_CLOUD_PROJECT,
+  GOOGLE_IMPERSONATE_SERVICE_ACCOUNT,
   LOGGER_OPTIONS: {
     logLevel: LOG_LEVEL,
     labels: {

package/src/container.js

@@ -22,6 +22,7 @@ const prerender = require('prerender-node');
 const qs = require('qs');
 const swaggerUi = require('swagger-ui-express');
 const xss = require('xss');
+const secretManager = require('@google-cloud/secret-manager');
 // Internal Modules
 const apoliticalLogger = require('@apolitical/logger');
 // Configuration
@@ -36,7 +37,6 @@ const jwtEncodeHelper = require('./helpers/jwt/encode.helper');
 const jwtPassportHelper = require('./helpers/jwt/passport.helper');
 const loggerHelper = require('./helpers/logger.helper');
 const requestHelper = require('./helpers/request.helper');
-const impersonationHelper = require('./helpers/impersonation.helper');
 // Loaders
 const documentationLoader = require('./loaders/documentation.loader');
 const expressLoader = require('./loaders/express.loader');
@@ -82,6 +82,7 @@ container.register({
   qs: asValue(qs),
   swaggerUi: asValue(swaggerUi),
   xss: asValue(xss),
+  secretManager: asValue(secretManager),
   // Internal Modules
   apoliticalLogger: asValue(apoliticalLogger),
   // Configuration
@@ -96,7 +97,6 @@ container.register({
   jwtPassportHelper: asFunction(jwtPassportHelper).singleton(),
   loggerHelper: asFunction(loggerHelper).singleton(),
   requestHelper: asFunction(requestHelper).singleton(),
-  impersonationHelper: asFunction(impersonationHelper).singleton(),
   // Loaders
   documentationLoader: asFunction(documentationLoader).singleton(),
   expressLoader: asFunction(expressLoader).singleton(),

package/src/services/secrets.service.js

@@ -1,57 +1,32 @@
 'use strict';
 
-const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
+module.exports = ({ secretManager, config, logger }) => {
+  let client = null;
 
-const DEV_DEFAULTS = {
-  projectId: 'hazel-tea-194609',
-  impersonateAccount: 'development-platform@hazel-tea-194609.iam.gserviceaccount.com',
-};
+  const resolvedImpersonationTarget = config.GOOGLE_IMPERSONATE_SERVICE_ACCOUNT?.trim() || null;
 
-/**
- * GCP Secret Manager service for loading secrets at runtime.
- * Uses Application Default Credentials (ADC) with service account impersonation
- * for local development.
- */
-module.exports = ({ impersonationHelper, logger }) => {
-  const cache = {};
-  let client = null;
+  function isImpersonationEnabled() {
+    return resolvedImpersonationTarget !== null;
+  }
+
+  function impersonationLogContext() {
+    return resolvedImpersonationTarget ? { targetServiceAccount: resolvedImpersonationTarget } : {};
+  }
 
-  /**
-   * Get or create the Secret Manager client.
-   * In non-production, auto-configures impersonation if not already set.
-   * @returns {SecretManagerServiceClient}
-   */
   function getClient() {
     if (!client) {
-      if (process.env['NODE_ENV'] !== 'production' && !impersonationHelper.isImpersonationEnabled()) {
-        process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'] = DEV_DEFAULTS.impersonateAccount;
-        logger.info('[secrets] set default impersonation for development', {
-          targetServiceAccount: DEV_DEFAULTS.impersonateAccount,
-        });
-      }
-
-      if (impersonationHelper.isImpersonationEnabled()) {
-        logger.info('[secrets] using impersonation', impersonationHelper.impersonationLogContext());
+      if (isImpersonationEnabled()) {
+        logger.info('[secrets] using impersonation', impersonationLogContext());
       }
 
-      client = new SecretManagerServiceClient();
+      client = new secretManager.SecretManagerServiceClient();
     }
     return client;
   }
 
-  /**
-   * Load secrets from Google Secret Manager and set them as environment variables.
-   * @param {Object} opts
-   * @param {string} [opts.projectId] - GCP project ID (defaults to DEV_DEFAULTS in non-production)
-   * @param {Array<{name: string, envVar: string, version?: string}>} opts.secrets - Secrets to load
-   * @throws {Error} If projectId is missing or secret cannot be loaded
-   */
   async function loadSecrets(opts) {
     const { secrets } = opts;
-    const projectId =
-      opts.projectId ??
-      process.env['GOOGLE_CLOUD_PROJECT'] ??
-      (process.env['NODE_ENV'] !== 'production' ? DEV_DEFAULTS.projectId : undefined);
+    const projectId = opts.projectId ?? config.GOOGLE_CLOUD_PROJECT;
 
     if (!projectId) {
       throw new Error('Missing projectId for Secret Manager');
@@ -74,7 +49,6 @@ module.exports = ({ impersonationHelper, logger }) => {
           throw new Error(`Empty payload for secret ${spec.name}`);
         }
 
-        cache[spec.envVar] = payload;
         process.env[spec.envVar] = payload;
 
         logger.info('[secrets] loaded', {
@@ -88,14 +62,8 @@ module.exports = ({ impersonationHelper, logger }) => {
     }
   }
 
-  /**
-   * Get a secret value from cache or environment.
-   * @param {string} envVar - The environment variable name
-   * @returns {string} The secret value
-   * @throws {Error} If secret is not loaded
-   */
   function getSecret(envVar) {
-    const val = cache[envVar] ?? process.env[envVar];
+    const val = process.env[envVar];
     if (!val) {
       throw new Error(`Secret "${envVar}" not loaded`);
     }
@@ -105,6 +73,5 @@ module.exports = ({ impersonationHelper, logger }) => {
   return {
     loadSecrets,
     getSecret,
-    impersonation: impersonationHelper,
   };
 };

package/src/helpers/impersonation.helper.js

@@ -1,42 +0,0 @@
-'use strict';
-
-/**
- * Helpers for Application Default Credentials (ADC) impersonation detection.
- *
- * These utilities do not acquire credentials; they only surface intent
- * based on environment variables so applications can log and enforce policy.
- */
-
-/**
- * Returns the target service account to impersonate if configured via env.
- * GOOGLE_IMPERSONATE_SERVICE_ACCOUNT is respected by Google client libraries
- * when acquiring credentials via ADC.
- * @returns {string|null}
- */
-function getImpersonationTarget() {
-  const target = process.env['GOOGLE_IMPERSONATE_SERVICE_ACCOUNT'];
-  return target && target.trim().length > 0 ? target.trim() : null;
-}
-
-/**
- * Whether impersonation is enabled for the current process.
- * @returns {boolean}
- */
-function isImpersonationEnabled() {
-  return getImpersonationTarget() !== null;
-}
-
-/**
- * Produce a safe log payload for audit visibility.
- * @returns {{ targetServiceAccount: string } | {}}
- */
-function impersonationLogContext() {
-  const target = getImpersonationTarget();
-  return target ? { targetServiceAccount: target } : {};
-}
-
-module.exports = () => ({
-  getImpersonationTarget,
-  isImpersonationEnabled,
-  impersonationLogContext,
-});