@celerispay/hazelcast-client 3.12.5 → 3.12.7

package/lib/invocation/ConnectionAuthenticator.js

@@ -34,53 +34,126 @@ var ConnectionAuthenticator = /** @class */ (function () {
     }
     ConnectionAuthenticator.prototype.authenticate = function (asOwner) {
         var _this = this;
+        var addressStr = this.connection.getAddress().toString();
+        this.logger.info('ConnectionAuthenticator', "\uD83D\uDD10 Starting authentication for " + addressStr + " (asOwner=" + asOwner + ")");
         var credentials = this.createCredentials(asOwner);
+        this.logger.info('ConnectionAuthenticator', "\uD83D\uDCE4 Sending authentication request to " + addressStr + "...");
         return this.client.getInvocationService()
             .invokeOnConnection(this.connection, credentials)
             .then(function (msg) {
+            _this.logger.info('ConnectionAuthenticator', "\uD83D\uDCE5 Received authentication response from " + addressStr);
             var authResponse = ClientAuthenticationCodec_1.ClientAuthenticationCodec.decodeResponse(msg);
+            _this.logger.info('ConnectionAuthenticator', "\uD83D\uDD0D Authentication response for " + addressStr + ":");
+            _this.logger.info('ConnectionAuthenticator', "   - Status: " + authResponse.status + " (" + _this.getStatusDescription(authResponse.status) + ")");
+            _this.logger.info('ConnectionAuthenticator', "   - Server UUID: " + (authResponse.uuid || 'NOT PROVIDED'));
+            _this.logger.info('ConnectionAuthenticator', "   - Server Owner UUID: " + (authResponse.ownerUuid || 'NOT PROVIDED'));
+            _this.logger.info('ConnectionAuthenticator', "   - Server Address: " + (authResponse.address ? authResponse.address.toString() : 'NOT PROVIDED'));
+            _this.logger.info('ConnectionAuthenticator', "   - Server Version: " + (authResponse.serverHazelcastVersion || 'NOT PROVIDED'));
             switch (authResponse.status) {
                 case 0 /* AUTHENTICATED */:
+                    _this.logger.info('ConnectionAuthenticator', "\u2705 Authentication SUCCESSFUL for " + addressStr);
                     _this.connection.setAddress(authResponse.address);
                     _this.connection.setConnectedServerVersion(authResponse.serverHazelcastVersion);
                     if (asOwner) {
+                        var oldUuid = _this.clusterService.uuid;
+                        var oldOwnerUuid = _this.clusterService.ownerUuid;
                         _this.clusterService.uuid = authResponse.uuid;
                         _this.clusterService.ownerUuid = authResponse.ownerUuid;
+                        _this.logger.info('ConnectionAuthenticator', "\uD83D\uDD04 Updated cluster service for " + addressStr + ":");
+                        _this.logger.info('ConnectionAuthenticator', "   - UUID: " + (oldUuid || 'NOT SET') + " \u2192 " + authResponse.uuid);
+                        _this.logger.info('ConnectionAuthenticator', "   - Owner UUID: " + (oldOwnerUuid || 'NOT SET') + " \u2192 " + authResponse.ownerUuid);
                     }
-                    _this.logger.info('ConnectionAuthenticator', 'Connection to ' +
-                        _this.connection.getAddress().toString() + ' authenticated');
+                    _this.logger.info('ConnectionAuthenticator', "\u2705 Connection to " + addressStr + " authenticated successfully");
                     break;
                 case 1 /* CREDENTIALS_FAILED */:
-                    _this.logger.error('ConnectionAuthenticator', 'Invalid Credentials');
-                    throw new Error('Invalid Credentials, could not authenticate connection to ' +
-                        _this.connection.getAddress().toString());
+                    _this.logger.error('ConnectionAuthenticator', "\u274C Authentication FAILED for " + addressStr + ": Invalid Credentials");
+                    _this.logger.error('ConnectionAuthenticator', "   - Server rejected our credentials");
+                    _this.logger.error('ConnectionAuthenticator', "   - Check if UUIDs and group credentials are correct");
+                    throw new Error('Invalid Credentials, could not authenticate connection to ' + addressStr);
                 case 2 /* SERIALIZATION_VERSION_MISMATCH */:
-                    _this.logger.error('ConnectionAuthenticator', 'Serialization version mismatch');
-                    throw new Error('Serialization version mismatch, could not authenticate connection to ' +
-                        _this.connection.getAddress().toString());
+                    _this.logger.error('ConnectionAuthenticator', "\u274C Authentication FAILED for " + addressStr + ": Serialization version mismatch");
+                    throw new Error('Serialization version mismatch, could not authenticate connection to ' + addressStr);
                 default:
-                    _this.logger.error('ConnectionAuthenticator', 'Unknown authentication status: '
-                        + authResponse.status);
+                    _this.logger.error('ConnectionAuthenticator', "\u274C Authentication FAILED for " + addressStr + ": Unknown status " + authResponse.status);
                     throw new HazelcastError_1.AuthenticationError('Unknown authentication status: ' + authResponse.status +
-                        ' , could not authenticate connection to ' +
-                        _this.connection.getAddress().toString());
+                        ' , could not authenticate connection to ' + addressStr);
             }
+        })
+            .catch(function (error) {
+            _this.logger.error('ConnectionAuthenticator', "\uD83D\uDCA5 Authentication ERROR for " + addressStr + ": " + error.message);
+            throw error;
         });
     };
+    /**
+     * Gets a human-readable description of authentication status
+     */
+    ConnectionAuthenticator.prototype.getStatusDescription = function (status) {
+        switch (status) {
+            case 0 /* AUTHENTICATED */: return 'AUTHENTICATED';
+            case 1 /* CREDENTIALS_FAILED */: return 'CREDENTIALS_FAILED';
+            case 2 /* SERIALIZATION_VERSION_MISMATCH */: return 'SERIALIZATION_VERSION_MISMATCH';
+            default: return "UNKNOWN_STATUS_" + status;
+        }
+    };
+    /**
+     * Creates credentials with optional restoration from preservation service
+     * @param asOwner Whether this is an owner connection
+     * @param preservedCredentials Optional preserved credentials to use
+     * @returns The credentials message
+     */
+    ConnectionAuthenticator.prototype.createCredentialsWithRestoration = function (asOwner, preservedCredentials) {
+        if (preservedCredentials && preservedCredentials.uuid && preservedCredentials.ownerUuid) {
+            this.logger.debug('ConnectionAuthenticator', "Using preserved credentials: uuid=" + preservedCredentials.uuid + ", ownerUuid=" + preservedCredentials.ownerUuid);
+            // Use preserved credentials instead of current cluster state
+            var groupConfig = this.client.getConfig().groupConfig;
+            var customCredentials = this.client.getConfig().customCredentials;
+            var clientMessage = void 0;
+            var clientVersion = BuildInfo_1.BuildInfo.getClientVersion();
+            if (customCredentials != null) {
+                var credentialsPayload = this.client.getSerializationService().toData(customCredentials);
+                clientMessage = ClientAuthenticationCustomCodec_1.ClientAuthenticationCustomCodec.encodeRequest(credentialsPayload, preservedCredentials.uuid, preservedCredentials.ownerUuid, asOwner, 'NJS', 1, clientVersion);
+            }
+            else {
+                clientMessage = ClientAuthenticationCodec_1.ClientAuthenticationCodec.encodeRequest(preservedCredentials.groupName, preservedCredentials.groupPassword, preservedCredentials.uuid, preservedCredentials.ownerUuid, asOwner, 'NJS', 1, clientVersion);
+            }
+            return clientMessage;
+        }
+        // Fall back to normal credential creation
+        return this.createCredentials(asOwner);
+    };
     ConnectionAuthenticator.prototype.createCredentials = function (asOwner) {
         var groupConfig = this.client.getConfig().groupConfig;
         var uuid = this.clusterService.uuid;
         var ownerUuid = this.clusterService.ownerUuid;
         var customCredentials = this.client.getConfig().customCredentials;
+        // LOG EXACTLY WHAT CREDENTIALS WE'RE SENDING
+        this.logger.info('ConnectionAuthenticator', "\uD83D\uDD10 Creating authentication credentials for " + this.connection.getAddress().toString() + ":");
+        this.logger.info('ConnectionAuthenticator', "   - As Owner: " + asOwner);
+        this.logger.info('ConnectionAuthenticator', "   - UUID: " + (uuid || 'NOT SET'));
+        this.logger.info('ConnectionAuthenticator', "   - Owner UUID: " + (ownerUuid || 'NOT SET'));
+        this.logger.info('ConnectionAuthenticator', "   - Group Name: " + (groupConfig.name || 'NOT SET'));
+        this.logger.info('ConnectionAuthenticator', "   - Group Password: " + (groupConfig.password ? '***SET***' : 'NOT SET'));
+        this.logger.info('ConnectionAuthenticator', "   - Custom Credentials: " + (customCredentials ? 'YES' : 'NO'));
+        this.logger.info('ConnectionAuthenticator', "   - Client Version: " + BuildInfo_1.BuildInfo.getClientVersion());
         var clientMessage;
         var clientVersion = BuildInfo_1.BuildInfo.getClientVersion();
         if (customCredentials != null) {
             var credentialsPayload = this.client.getSerializationService().toData(customCredentials);
+            this.logger.info('ConnectionAuthenticator', "\uD83D\uDCE4 Sending CUSTOM authentication request with:");
+            this.logger.info('ConnectionAuthenticator', "   - Custom Credentials: " + typeof credentialsPayload);
+            this.logger.info('ConnectionAuthenticator', "   - UUID: " + (uuid || 'NOT SET'));
+            this.logger.info('ConnectionAuthenticator', "   - Owner UUID: " + (ownerUuid || 'NOT SET'));
             clientMessage = ClientAuthenticationCustomCodec_1.ClientAuthenticationCustomCodec.encodeRequest(credentialsPayload, uuid, ownerUuid, asOwner, 'NJS', 1, clientVersion);
         }
         else {
+            this.logger.info('ConnectionAuthenticator', "\uD83D\uDCE4 Sending STANDARD authentication request with:");
+            this.logger.info('ConnectionAuthenticator', "   - Group Name: " + (groupConfig.name || 'NOT SET'));
+            this.logger.info('ConnectionAuthenticator', "   - Group Password: " + (groupConfig.password ? '***SET***' : 'NOT SET'));
+            this.logger.info('ConnectionAuthenticator', "   - UUID: " + (uuid || 'NOT SET'));
+            this.logger.info('ConnectionAuthenticator', "   - Owner UUID: " + (ownerUuid || 'NOT SET'));
             clientMessage = ClientAuthenticationCodec_1.ClientAuthenticationCodec.encodeRequest(groupConfig.name, groupConfig.password, uuid, ownerUuid, asOwner, 'NJS', 1, clientVersion);
         }
+        this.logger.info('ConnectionAuthenticator', "\uD83D\uDCCB Final authentication message created and ready to send");
         return clientMessage;
     };
     return ConnectionAuthenticator;

package/lib/invocation/CredentialPreservationService.d.ts

@@ -0,0 +1,137 @@
+import { ILogger } from '../logging/ILogger';
+import Address = require('../Address');
+/**
+ * Interface for node credentials
+ */
+export interface NodeCredentials {
+    uuid: string;
+    ownerUuid: string;
+    groupName: string;
+    groupPassword: string;
+    lastAuthenticated: number;
+    isOwner: boolean;
+}
+/**
+ * Service to preserve and restore authentication credentials across failover cycles
+ * This fixes the "Invalid Credentials" issue that occurs when nodes rejoin after failover
+ */
+export declare class CredentialPreservationService {
+    private readonly logger;
+    /**
+     * Stores authentication context for each node
+     */
+    private nodeCredentials;
+    constructor(logger: ILogger);
+    /**
+     * Preserves authentication credentials for a node before it gets disconnected
+     * @param address The node address
+     * @param uuid The node's UUID
+     * @param ownerUuid The owner UUID
+     * @param groupName The group name
+     * @param groupPassword The group password
+     * @param isOwner Whether this is an owner connection
+     */
+    preserveCredentials(address: Address, uuid: string, ownerUuid: string, groupName: string, groupPassword: string, isOwner: boolean): void;
+    /**
+     * Restores authentication credentials for a specific node
+     * @param address The node address
+     * @returns The preserved credentials or null if not found
+     */
+    restoreCredentials(address: Address): NodeCredentials | null;
+    /**
+     * Updates credentials after successful authentication
+     * @param address The node address
+     * @param uuid The new UUID
+     * @param ownerUuid The new owner UUID
+     */
+    updateCredentials(address: Address, uuid: string, ownerUuid: string): void;
+    /**
+     * Clears credentials for a specific node
+     * @param address The node address
+     */
+    clearCredentials(address: Address): void;
+    /**
+     * Cleans up stale credentials older than the specified age
+     * @param maxAgeMs Maximum age in milliseconds (default: 5 minutes)
+     */
+    cleanupStaleCredentials(maxAgeMs?: number): void;
+    /**
+     * Gets a summary of preserved credentials for debugging
+     * @returns A summary string
+     */
+    getCredentialsSummary(): string;
+    /**
+     * Smart credential restoration that handles both scenarios:
+     * 1. If member added event occurred -> use new UUID
+     * 2. If no member added event -> use old UUID (node probably never changed)
+     * @param address The address to restore credentials for
+     * @param hasMemberAddedEvent Whether we received a member added event for this address
+     * @returns The appropriate credentials to use
+     */
+    smartRestoreCredentials(address: Address, hasMemberAddedEvent?: boolean): NodeCredentials | null;
+    /**
+     * Checks if we have valid credentials for an address
+     * @param address The address to check
+     * @returns True if we have valid credentials
+     */
+    hasValidCredentials(address: Address): boolean;
+    /**
+     * Gets the last known UUID for an address
+     * @param address The address to get UUID for
+     * @returns The UUID or null if not found
+     */
+    getLastKnownUuid(address: Address): string | null;
+    /**
+     * Updates the owner UUID for ALL preserved credentials
+     * This is called when cluster membership changes and we need to sync all credentials
+     * @param newOwnerUuid The new owner UUID from the current cluster state
+     */
+    updateAllOwnerUuids(newOwnerUuid: string): void;
+    /**
+     * Gets the current owner UUID from preserved credentials
+     * @returns The current owner UUID or null if not found
+     */
+    getCurrentOwnerUuid(): string | null;
+    /**
+     * Validates that all credentials have consistent owner UUIDs
+     * @returns True if all credentials are consistent, false otherwise
+     */
+    validateOwnerUuidConsistency(): boolean;
+    /**
+     * Invalidates ALL credentials that have a specific owner UUID
+     * This is called when cluster membership changes and old owner UUIDs become invalid
+     * @param oldOwnerUuid The old owner UUID that is no longer valid
+     */
+    invalidateCredentialsWithOwnerUuid(oldOwnerUuid: string): void;
+    /**
+     * Invalidates ALL credentials that don't match the current cluster owner UUID
+     * This ensures complete credential consistency across the entire cluster
+     * @param currentClusterOwnerUuid The current cluster owner UUID that should be valid
+     */
+    invalidateAllCredentialsExceptCurrentOwner(currentClusterOwnerUuid: string): void;
+    /**
+     * Invalidates only problematic credentials while preserving working ones
+     * This prevents breaking working connections (like 192.168.1.108)
+     * @param currentClusterOwnerUuid The current cluster owner UUID that should be valid
+     */
+    invalidateOnlyProblematicCredentials(currentClusterOwnerUuid: string): void;
+    /**
+     * Checks if an address has had recent authentication issues
+     * This helps determine which credentials to invalidate
+     * @param addressStr The address to check
+     * @returns True if the address has recent auth issues
+     */
+    private hasRecentAuthenticationIssues(addressStr);
+    /**
+     * Clears all credentials for a specific address
+     * This is called when we need to force fresh authentication for a node
+     * @param address The address to clear credentials for
+     */
+    clearCredentialsForAddress(address: Address): void;
+    /**
+     * Gets all addresses that have credentials with a specific owner UUID
+     * @param ownerUuid The owner UUID to search for
+     * @returns Array of addresses that have credentials with this owner UUID
+     */
+    getAddressesWithOwnerUuid(ownerUuid: string): string[];
+}

package/lib/invocation/CredentialPreservationService.js

@@ -0,0 +1,369 @@
+"use strict";
+/*
+ * Copyright (c) 2008-2021, Hazelcast, Inc. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * Service to preserve and restore authentication credentials across failover cycles
+ * This fixes the "Invalid Credentials" issue that occurs when nodes rejoin after failover
+ */
+var CredentialPreservationService = /** @class */ (function () {
+    function CredentialPreservationService(logger) {
+        /**
+         * Stores authentication context for each node
+         */
+        this.nodeCredentials = new Map();
+        this.logger = logger;
+    }
+    /**
+     * Preserves authentication credentials for a node before it gets disconnected
+     * @param address The node address
+     * @param uuid The node's UUID
+     * @param ownerUuid The owner UUID
+     * @param groupName The group name
+     * @param groupPassword The group password
+     * @param isOwner Whether this is an owner connection
+     */
+    CredentialPreservationService.prototype.preserveCredentials = function (address, uuid, ownerUuid, groupName, groupPassword, isOwner) {
+        var addressStr = address.toString();
+        this.nodeCredentials.set(addressStr, {
+            uuid: uuid,
+            ownerUuid: ownerUuid,
+            groupName: groupName,
+            groupPassword: groupPassword,
+            lastAuthenticated: Date.now(),
+            isOwner: isOwner
+        });
+        this.logger.debug('CredentialPreservationService', "Preserved credentials for " + addressStr + ": uuid=" + uuid + ", ownerUuid=" + ownerUuid + ", isOwner=" + isOwner);
+    };
+    /**
+     * Restores authentication credentials for a specific node
+     * @param address The node address
+     * @returns The preserved credentials or null if not found
+     */
+    CredentialPreservationService.prototype.restoreCredentials = function (address) {
+        var _this = this;
+        var addressStr = address.toString();
+        var credentials = this.nodeCredentials.get(addressStr);
+        if (credentials) {
+            this.logger.info('CredentialPreservationService', "\u2705 Found preserved credentials for " + addressStr + ": uuid=" + credentials.uuid + ", ownerUuid=" + credentials.ownerUuid);
+            return credentials;
+        }
+        // Log all available credentials for debugging
+        this.logger.info('CredentialPreservationService', "\u274C No preserved credentials found for " + addressStr);
+        this.logger.info('CredentialPreservationService', "\uD83D\uDCCB Available credentials: " + this.nodeCredentials.size + " entries");
+        if (this.nodeCredentials.size > 0) {
+            this.nodeCredentials.forEach(function (cred, addr) {
+                _this.logger.info('CredentialPreservationService', "   - " + addr + ": uuid=" + cred.uuid + ", ownerUuid=" + cred.ownerUuid + ", isOwner=" + cred.isOwner);
+            });
+        }
+        return null;
+    };
+    /**
+     * Updates credentials after successful authentication
+     * @param address The node address
+     * @param uuid The new UUID
+     * @param ownerUuid The new owner UUID
+     */
+    CredentialPreservationService.prototype.updateCredentials = function (address, uuid, ownerUuid) {
+        var addressStr = address.toString();
+        var credentials = this.nodeCredentials.get(addressStr);
+        if (credentials) {
+            credentials.uuid = uuid;
+            credentials.ownerUuid = ownerUuid;
+            credentials.lastAuthenticated = Date.now();
+            this.logger.debug('CredentialPreservationService', "Updated credentials for " + addressStr + ": uuid=" + uuid + ", ownerUuid=" + ownerUuid);
+        }
+    };
+    /**
+     * Clears credentials for a specific node
+     * @param address The node address
+     */
+    CredentialPreservationService.prototype.clearCredentials = function (address) {
+        var addressStr = address.toString();
+        if (this.nodeCredentials.delete(addressStr)) {
+            this.logger.debug('CredentialPreservationService', "Cleared credentials for " + addressStr);
+        }
+    };
+    /**
+     * Cleans up stale credentials older than the specified age
+     * @param maxAgeMs Maximum age in milliseconds (default: 5 minutes)
+     */
+    CredentialPreservationService.prototype.cleanupStaleCredentials = function (maxAgeMs) {
+        var _this = this;
+        if (maxAgeMs === void 0) { maxAgeMs = 300000; }
+        var now = Date.now();
+        var addressesToRemove = [];
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            var age = now - credentials.lastAuthenticated;
+            if (age > maxAgeMs) {
+                addressesToRemove.push(addressStr);
+            }
+        });
+        if (addressesToRemove.length > 0) {
+            addressesToRemove.forEach(function (addressStr) {
+                _this.nodeCredentials.delete(addressStr);
+            });
+            this.logger.debug('CredentialPreservationService', "Cleaned up " + addressesToRemove.length + " stale credential entries");
+        }
+    };
+    /**
+     * Gets a summary of preserved credentials for debugging
+     * @returns A summary string
+     */
+    CredentialPreservationService.prototype.getCredentialsSummary = function () {
+        var entries = Array.from(this.nodeCredentials.entries());
+        if (entries.length === 0) {
+            return 'none';
+        }
+        return entries.map(function (_a) {
+            var address = _a[0], creds = _a[1];
+            return address + ": uuid=" + (creds.uuid || 'null') + ", ownerUuid=" + (creds.ownerUuid || 'null') + ", isOwner=" + creds.isOwner;
+        }).join('; ');
+    };
+    /**
+     * Smart credential restoration that handles both scenarios:
+     * 1. If member added event occurred -> use new UUID
+     * 2. If no member added event -> use old UUID (node probably never changed)
+     * @param address The address to restore credentials for
+     * @param hasMemberAddedEvent Whether we received a member added event for this address
+     * @returns The appropriate credentials to use
+     */
+    CredentialPreservationService.prototype.smartRestoreCredentials = function (address, hasMemberAddedEvent) {
+        if (hasMemberAddedEvent === void 0) { hasMemberAddedEvent = false; }
+        var addressStr = address.toString();
+        var credentials = this.nodeCredentials.get(addressStr);
+        if (!credentials) {
+            this.logger.debug('CredentialPreservationService', "No preserved credentials found for " + addressStr);
+            return null;
+        }
+        if (hasMemberAddedEvent) {
+            // Member actually left and rejoined - use the updated credentials
+            this.logger.info('CredentialPreservationService', "\uD83D\uDD04 Member added event detected for " + addressStr + ", using updated credentials: uuid=" + credentials.uuid);
+            return credentials;
+        }
+        else {
+            // No member added event - node probably never changed, use original credentials
+            this.logger.info('CredentialPreservationService', "\uD83D\uDD04 No member added event for " + addressStr + ", assuming node unchanged, using original credentials: uuid=" + credentials.uuid);
+            return credentials;
+        }
+    };
+    /**
+     * Checks if we have valid credentials for an address
+     * @param address The address to check
+     * @returns True if we have valid credentials
+     */
+    CredentialPreservationService.prototype.hasValidCredentials = function (address) {
+        var addressStr = address.toString();
+        var credentials = this.nodeCredentials.get(addressStr);
+        return !!(credentials && credentials.uuid && credentials.ownerUuid);
+    };
+    /**
+     * Gets the last known UUID for an address
+     * @param address The address to get UUID for
+     * @returns The UUID or null if not found
+     */
+    CredentialPreservationService.prototype.getLastKnownUuid = function (address) {
+        var addressStr = address.toString();
+        var credentials = this.nodeCredentials.get(addressStr);
+        return credentials ? credentials.uuid : null;
+    };
+    /**
+     * Updates the owner UUID for ALL preserved credentials
+     * This is called when cluster membership changes and we need to sync all credentials
+     * @param newOwnerUuid The new owner UUID from the current cluster state
+     */
+    CredentialPreservationService.prototype.updateAllOwnerUuids = function (newOwnerUuid) {
+        var _this = this;
+        this.logger.info('CredentialPreservationService', "\uD83D\uDD04 Updating ALL preserved credentials with new owner UUID: " + newOwnerUuid);
+        var updatedCount = 0;
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            if (credentials.ownerUuid !== newOwnerUuid) {
+                var oldOwnerUuid = credentials.ownerUuid;
+                credentials.ownerUuid = newOwnerUuid;
+                updatedCount++;
+                _this.logger.info('CredentialPreservationService', "\uD83D\uDD04 Updated " + addressStr + ": ownerUuid " + oldOwnerUuid + " \u2192 " + newOwnerUuid);
+            }
+        });
+        this.logger.info('CredentialPreservationService', "\u2705 Updated " + updatedCount + " credential entries with new owner UUID");
+    };
+    /**
+     * Gets the current owner UUID from preserved credentials
+     * @returns The current owner UUID or null if not found
+     */
+    CredentialPreservationService.prototype.getCurrentOwnerUuid = function () {
+        // Find any credential that has isOwner=true
+        for (var _i = 0, _a = Array.from(this.nodeCredentials.values()); _i < _a.length; _i++) {
+            var credentials = _a[_i];
+            if (credentials.isOwner) {
+                return credentials.ownerUuid;
+            }
+        }
+        // If no owner found, return the first available ownerUuid
+        for (var _b = 0, _c = Array.from(this.nodeCredentials.values()); _b < _c.length; _b++) {
+            var credentials = _c[_b];
+            if (credentials.ownerUuid) {
+                return credentials.ownerUuid;
+            }
+        }
+        return null;
+    };
+    /**
+     * Validates that all credentials have consistent owner UUIDs
+     * @returns True if all credentials are consistent, false otherwise
+     */
+    CredentialPreservationService.prototype.validateOwnerUuidConsistency = function () {
+        var ownerUuids = new Set();
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            if (credentials.ownerUuid) {
+                ownerUuids.add(credentials.ownerUuid);
+            }
+        });
+        var isConsistent = ownerUuids.size <= 1;
+        if (!isConsistent) {
+            this.logger.warn('CredentialPreservationService', "\u26A0\uFE0F Owner UUID inconsistency detected: " + Array.from(ownerUuids).join(', '));
+        }
+        return isConsistent;
+    };
+    /**
+     * Invalidates ALL credentials that have a specific owner UUID
+     * This is called when cluster membership changes and old owner UUIDs become invalid
+     * @param oldOwnerUuid The old owner UUID that is no longer valid
+     */
+    CredentialPreservationService.prototype.invalidateCredentialsWithOwnerUuid = function (oldOwnerUuid) {
+        var _this = this;
+        this.logger.info('CredentialPreservationService', "\uD83D\uDDD1\uFE0F Invalidating ALL credentials with old owner UUID: " + oldOwnerUuid);
+        var invalidatedCount = 0;
+        var addressesToRemove = [];
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            if (credentials.ownerUuid === oldOwnerUuid) {
+                _this.logger.info('CredentialPreservationService', "\uD83D\uDDD1\uFE0F Invalidating credentials for " + addressStr + ": old ownerUuid=" + oldOwnerUuid);
+                addressesToRemove.push(addressStr);
+                invalidatedCount++;
+            }
+        });
+        // Remove the invalidated credentials
+        addressesToRemove.forEach(function (addressStr) {
+            _this.nodeCredentials.delete(addressStr);
+        });
+        this.logger.info('CredentialPreservationService', "\u2705 Invalidated " + invalidatedCount + " credential entries with old owner UUID: " + oldOwnerUuid);
+    };
+    /**
+     * Invalidates ALL credentials that don't match the current cluster owner UUID
+     * This ensures complete credential consistency across the entire cluster
+     * @param currentClusterOwnerUuid The current cluster owner UUID that should be valid
+     */
+    CredentialPreservationService.prototype.invalidateAllCredentialsExceptCurrentOwner = function (currentClusterOwnerUuid) {
+        var _this = this;
+        this.logger.info('CredentialPreservationService', "\uD83D\uDDD1\uFE0F Comprehensive credential cleanup: Invalidating ALL credentials except those with current owner UUID: " + currentClusterOwnerUuid);
+        var invalidatedCount = 0;
+        var addressesToRemove = [];
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            if (credentials.ownerUuid !== currentClusterOwnerUuid) {
+                _this.logger.info('CredentialPreservationService', "\uD83D\uDDD1\uFE0F Invalidating credentials for " + addressStr + ": old ownerUuid=" + credentials.ownerUuid + " \u2260 current=" + currentClusterOwnerUuid);
+                addressesToRemove.push(addressStr);
+                invalidatedCount++;
+            }
+            else {
+                _this.logger.debug('CredentialPreservationService', "\u2705 Keeping valid credentials for " + addressStr + ": ownerUuid=" + credentials.ownerUuid + " matches current");
+            }
+        });
+        // Remove the invalidated credentials
+        addressesToRemove.forEach(function (addressStr) {
+            _this.nodeCredentials.delete(addressStr);
+        });
+        this.logger.info('CredentialPreservationService', "\u2705 Comprehensive cleanup completed: Invalidated " + invalidatedCount + " credential entries, kept " + this.nodeCredentials.size + " valid entries");
+        // Log remaining valid credentials for debugging
+        if (this.nodeCredentials.size > 0) {
+            this.logger.info('CredentialPreservationService', "\uD83D\uDCCB Remaining valid credentials after cleanup:");
+            this.nodeCredentials.forEach(function (credentials, addressStr) {
+                _this.logger.info('CredentialPreservationService', "   - " + addressStr + ": uuid=" + credentials.uuid + ", ownerUuid=" + credentials.ownerUuid + ", isOwner=" + credentials.isOwner);
+            });
+        }
+    };
+    /**
+     * Invalidates only problematic credentials while preserving working ones
+     * This prevents breaking working connections (like 192.168.1.108)
+     * @param currentClusterOwnerUuid The current cluster owner UUID that should be valid
+     */
+    CredentialPreservationService.prototype.invalidateOnlyProblematicCredentials = function (currentClusterOwnerUuid) {
+        var _this = this;
+        this.logger.info('CredentialPreservationService', "\uD83C\uDFAF Targeted credential cleanup: Only invalidating problematic credentials, preserving working ones");
+        var invalidatedCount = 0;
+        var addressesToRemove = [];
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            // Only invalidate if the ownerUuid is clearly wrong AND we've had authentication issues
+            if (credentials.ownerUuid !== currentClusterOwnerUuid) {
+                // Check if this address has had recent authentication failures
+                var hasAuthIssues = _this.hasRecentAuthenticationIssues(addressStr);
+                if (hasAuthIssues) {
+                    _this.logger.info('CredentialPreservationService', "\uD83C\uDFAF Invalidating problematic credentials for " + addressStr + ": old ownerUuid=" + credentials.ownerUuid + " \u2260 current=" + currentClusterOwnerUuid + " (has auth issues)");
+                    addressesToRemove.push(addressStr);
+                    invalidatedCount++;
+                }
+                else {
+                    _this.logger.info('CredentialPreservationService', "\u2705 Keeping working credentials for " + addressStr + ": ownerUuid=" + credentials.ownerUuid + " (no auth issues)");
+                }
+            }
+            else {
+                _this.logger.debug('CredentialPreservationService', "\u2705 Keeping valid credentials for " + addressStr + ": ownerUuid=" + credentials.ownerUuid + " matches current");
+            }
+        });
+        // Remove only the problematic credentials
+        addressesToRemove.forEach(function (addressStr) {
+            _this.nodeCredentials.delete(addressStr);
+        });
+        this.logger.info('CredentialPreservationService', "\u2705 Targeted cleanup completed: Invalidated " + invalidatedCount + " problematic credential entries, kept " + this.nodeCredentials.size + " working entries");
+    };
+    /**
+     * Checks if an address has had recent authentication issues
+     * This helps determine which credentials to invalidate
+     * @param addressStr The address to check
+     * @returns True if the address has recent auth issues
+     */
+    CredentialPreservationService.prototype.hasRecentAuthenticationIssues = function (addressStr) {
+        // For now, we'll be conservative and only invalidate if we're certain
+        // In the future, we could track authentication failure history
+        return false; // Don't invalidate anything for now - revert to previous working behavior
+    };
+    /**
+     * Clears all credentials for a specific address
+     * This is called when we need to force fresh authentication for a node
+     * @param address The address to clear credentials for
+     */
+    CredentialPreservationService.prototype.clearCredentialsForAddress = function (address) {
+        var addressStr = address.toString();
+        if (this.nodeCredentials.has(addressStr)) {
+            this.logger.info('CredentialPreservationService', "\uD83D\uDDD1\uFE0F Clearing credentials for " + addressStr);
+            this.nodeCredentials.delete(addressStr);
+        }
+    };
+    /**
+     * Gets all addresses that have credentials with a specific owner UUID
+     * @param ownerUuid The owner UUID to search for
+     * @returns Array of addresses that have credentials with this owner UUID
+     */
+    CredentialPreservationService.prototype.getAddressesWithOwnerUuid = function (ownerUuid) {
+        var addresses = [];
+        this.nodeCredentials.forEach(function (credentials, addressStr) {
+            if (credentials.ownerUuid === ownerUuid) {
+                addresses.push(addressStr);
+            }
+        });
+        return addresses;
+    };
+    return CredentialPreservationService;
+}());
+exports.CredentialPreservationService = CredentialPreservationService;