@apolitical/server 4.2.0 → 4.3.0-pla-471.0

package/package.json

@@ -1,10 +1,14 @@
 {
   "name": "@apolitical/server",
-  "version": "4.2.0",
+  "version": "4.3.0-pla-471.0",
   "description": "Node.js module to encapsulate Apolitical's express server setup",
   "author": "Apolitical Group Limited <engineering@apolitical.co>",
   "license": "MIT",
   "main": "src/index.js",
+  "exports": {
+    ".": "./src/index.js",
+    "./secrets": "./src/services/secret-manager.service.js"
+  },
   "files": [
     "src"
   ],
@@ -23,7 +27,7 @@
     "Node Modules"
   ],
   "dependencies": {
-    "@apolitical/logger": "2.1.2",
+    "@apolitical/logger": "3.0.0",
     "@cloudnative/health-connect": "2.1.0",
     "@google-cloud/secret-manager": "6.1.1",
     "@opentelemetry/api": "1.9.0",

package/src/services/secret-manager.service.js

@@ -0,0 +1,74 @@
+'use strict';
+
+const { SecretManagerServiceClient } = require('@google-cloud/secret-manager');
+
+/**
+ * Thin wrapper around Google Cloud Secret Manager.
+ *
+ * Every method is static because the class is consumed before the Awilix DI
+ * container is available (e.g. inside app.js at startup).
+ * The underlying client is lazily created and reused across all calls.
+ */
+class SecretManagerService {
+  /**
+   * Derive the secret name prefix from the PLATFORM_BASE_URL subdomain.
+   * - https://apolitical.co                      -> "live"
+   * - https://[beta|rc].apolitical.co            -> "[beta|rc]"
+   * - https://[beta|rc]-[e1|a1].apolitical.co    -> "[beta|rc]"
+   * - https://localhost                           -> "tilt" (Local Tilt)
+   * - http://localhost                            -> "pnpm" (Local standalone)
+   */
+  static getSecretPrefix(useLocal) {
+    const baseURL = String(process.env.PLATFORM_BASE_URL ?? '');
+    try {
+      const hostname = new URL(baseURL).hostname;
+      if (hostname === 'apolitical.co') return 'live';
+      if (hostname === 'localhost' && useLocal)
+        return baseURL.startsWith('https') ? 'tilt' : 'pnpm';
+      const parts = hostname.split('.');
+      if (parts.length > 2 && hostname.endsWith('.apolitical.co'))
+        return parts[0].replace(/-[a-z]\d+$/, '');
+    } catch {
+      /* fall through */
+    }
+    return useLocal ? 'pnpm' : 'beta';
+  }
+
+  static async _getClient() {
+    if (!this._clientPromise) {
+      this._clientPromise = (async () => {
+        // eslint-disable-next-line no-console
+        console.log('[SecretManager] Initialising client.');
+        return new SecretManagerServiceClient();
+      })();
+    }
+    return this._clientPromise;
+  }
+
+  /**
+   * Access a secret's payload from Google Secret Manager.
+   *
+   * The full secret name is built as `{prefix}_{secretBaseName}`, where the
+   * prefix is derived from PLATFORM_BASE_URL (e.g. "beta", "live").
+   */
+  static async accessSecret(secretBaseName, options) {
+    const client = await this._getClient();
+    const projectId = process.env.GCP_PROJECT_ID ?? (await client.auth.getProjectId());
+
+    const prefix = this.getSecretPrefix(options?.useLocal);
+    const secretName = `${prefix}_${secretBaseName}`;
+    const version = options?.version ?? 'latest';
+
+    const name = `projects/${projectId}/secrets/${secretName}/versions/${version}`;
+    const [response] = await client.accessSecretVersion({ name });
+
+    const payload = response.payload?.data;
+    if (!payload) {
+      throw new Error(`Empty payload for secret "${secretName}"`);
+    }
+
+    return typeof payload === 'string' ? payload : payload.toString('utf8');
+  }
+}
+
+module.exports = { SecretManagerService };