@cubist-labs/cubesigner-sdk 0.1.26 → 0.1.77

package/src/session/{management_session_manager.ts → cognito_manager.ts}

@@ -4,7 +4,7 @@ import { HasEnv, SessionManager } from "./session_manager";
 import { SessionStorage } from "./session_storage";
 
 /** JSON representation of our "management session" file format */
-export interface ManagementSessionObject {
+export interface CognitoSessionObject {
   /** The email address of the user */
   email: string;
   /** The ID token */
@@ -17,13 +17,13 @@ export interface ManagementSessionObject {
   expiration: string;
 }
 
-export interface ManagementSessionInfo extends ManagementSessionObject, HasEnv {}
+export interface CognitoSessionInfo extends CognitoSessionObject, HasEnv {}
 
-/** Type of storage required for management sessions */
-export type ManagementSessionStorage = SessionStorage<ManagementSessionInfo>;
+/** Type of storage required for cognito (management) sessions */
+export type CognitoSessionStorage = SessionStorage<CognitoSessionInfo>;
 
-/** The session manager for management sessions */
-export class ManagementSessionManager extends SessionManager<ManagementSessionInfo> {
+/** The session manager for cognito (management) sessions */
+export class CognitoSessionManager extends SessionManager<CognitoSessionInfo> {
   #client: Client;
 
   /**
@@ -98,7 +98,7 @@ export class ManagementSessionManager extends SessionManager<ManagementSessionIn
     const expiration = new Date(new Date().getTime() + expiresInMs).toISOString();
     const idToken = resp.AuthenticationResult.IdToken;
 
-    await this.storage.save(<ManagementSessionInfo>{
+    await this.storage.save(<CognitoSessionInfo>{
       ...session,
       id_token: idToken,
       access_token: resp.AuthenticationResult.AccessToken,
@@ -108,15 +108,13 @@ export class ManagementSessionManager extends SessionManager<ManagementSessionIn
   }
 
   /**
-   * Loads an existing management session from storage.
-   * @param {ManagementSessionStorage} storage The storage back end to use
+   * Loads an existing cognito (management) session from storage.
+   * @param {CognitoSessionStorage} storage The storage back end to use
    * @return {Promise<SingerSession>} New token
    */
-  static async loadFromStorage(
-    storage: ManagementSessionStorage,
-  ): Promise<ManagementSessionManager> {
+  static async loadFromStorage(storage: CognitoSessionStorage): Promise<CognitoSessionManager> {
     const sessionInfo = await storage.retrieve();
-    return new ManagementSessionManager(
+    return new CognitoSessionManager(
       sessionInfo.env["Dev-CubeSignerStack"],
       sessionInfo.id_token,
       storage,
@@ -127,9 +125,9 @@ export class ManagementSessionManager extends SessionManager<ManagementSessionIn
    * Constructor.
    * @param {EnvInterface} env The environment of the session
    * @param {string} token The current token of the session
-   * @param {ManagementSessionStorage} storage The storage back end to use
+   * @param {CognitoSessionStorage} storage The storage back end to use
    */
-  private constructor(env: EnvInterface, token: string, storage: ManagementSessionStorage) {
+  private constructor(env: EnvInterface, token: string, storage: CognitoSessionStorage) {
     super(env, storage);
     this.#client = this.createClient(token);
   }

package/src/session/session_manager.ts

@@ -45,6 +45,27 @@ export abstract class SessionManager<U> {
     return false;
   }
 
+  /**
+   * Automatically refreshes the session in the background.
+   * The default implementation refreshes (if needed) every minute.
+   * Base implementations can, instead use the token expirations timestamps
+   * to refresh less often. This is a simple wrapper around `setInterval`.
+   * @return {number} The interval ID of the refresh timer.
+   */
+  autoRefresh(): RefreshId {
+    return setInterval(async () => {
+      await this.refreshIfNeeded();
+    }, 60 * 1000);
+  }
+
+  /**
+   * Clears the auto refresh timer.
+   * @param {number} timer The timer ID to clear.
+   */
+  clearAutoRefresh(timer: RefreshId): void {
+    clearInterval(timer);
+  }
+
   /**
    * Constructor.
    * @param {EnvInterface} env The environment of the session
@@ -77,7 +98,7 @@ export abstract class SessionManager<U> {
    * @return {boolean} True if the timestamp has expired
    */
   protected hasExpired(exp: number, buffer?: number): boolean {
-    return exp < new Date().getTime() / 1000 + (buffer || DEFAULT_EXPIRATION_BUFFER_SECS);
+    return exp < new Date().getTime() + (buffer || DEFAULT_EXPIRATION_BUFFER_SECS) * 1000;
   }
 
   /**
@@ -112,3 +133,6 @@ export interface HasEnv {
     ["Dev-CubeSignerStack"]: EnvInterface;
   };
 }
+
+/** Type of the refresh timer ID. */
+export type RefreshId = ReturnType<typeof setInterval>;

package/src/session/session_storage.ts

@@ -44,7 +44,7 @@ export class MemorySessionStorage<U> implements SessionStorage<U> {
 
 /** Stores session information in a JSON file */
 export class JsonFileSessionStorage<U> implements SessionStorage<U> {
-  #filePath: string;
+  readonly #filePath: string;
 
   /**
    * Store session information.

package/src/session/signer_session_manager.ts

@@ -1,10 +1,11 @@
-import { CubeSigner } from "..";
+import { CubeSigner, EnvInterface } from "..";
 import { assertOk } from "../util";
 import { components, paths, Client } from "../client";
 import { HasEnv, OrgSessionManager } from "./session_manager";
-import { SessionStorage } from "./session_storage";
+import { MemorySessionStorage, SessionStorage } from "./session_storage";
 
 export type ClientSessionInfo = components["schemas"]["ClientSessionInfo"];
+export type NewSessionResponse = components["schemas"]["NewSessionResponse"];
 
 export type CreateSignerSessionRequest =
   paths["/v0/org/{org_id}/roles/{role_id}/tokens"]["post"]["requestBody"]["content"]["application/json"];
@@ -16,9 +17,9 @@ export interface SignerSessionObject {
   /** The organization ID */
   org_id: string;
   /** The role ID */
-  role_id: string;
+  role_id?: string;
   /** The purpose of the session token */
-  purpose: string;
+  purpose?: string;
   /** The token to include in Authorization header */
   token: string;
   /** Session info */
@@ -37,18 +38,20 @@ export interface SignerSessionLifetime {
   auth: number;
   /** Refresh token lifetime (in seconds). Defaults to one day (86400). */
   refresh?: number;
+  /** Grace lifetime (in seconds). Defaults to 30 seconds (30). */
+  grace?: number;
 }
 
 const defaultSignerSessionLifetime: SignerSessionLifetime = {
   session: 604800,
   auth: 300,
   refresh: 86400,
+  grace: 30,
 };
 
 /** Manager for signer sessions. */
 export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
   readonly cs?: CubeSigner;
-  readonly roleId: string;
   #client: Client;
 
   /**
@@ -77,11 +80,10 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
     const session = await this.storage.retrieve();
     const resp = await (
       await this.cs.management()
-    ).del("/v0/org/{org_id}/roles/{role_id}/tokens/{session_id}", {
+    ).del("/v0/org/{org_id}/session/{session_id}", {
       params: {
         path: {
           org_id: session.org_id,
-          role_id: session.role_id,
           session_id: session.session_info.session_id,
         },
       },
@@ -97,7 +99,7 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
    */
   async isStale(): Promise<boolean> {
     const session = await this.storage.retrieve();
-    return this.hasExpired(session.session_info.auth_token_exp);
+    return this.hasExpired(session.session_info.auth_token_exp * 1000);
   }
 
   /**
@@ -127,7 +129,7 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
   /**
    * Create a new signer session.
    * @param {CubeSigner} cs The CubeSigner instance
-   * @param {SessionStorage<SignerSessionObject>} storage The session storage to use
+   * @param {SignerSessionStorage} storage The session storage to use
    * @param {string} orgId Org ID
    * @param {string} roleId Role ID
    * @param {string} purpose The purpose of the session
@@ -151,6 +153,7 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
         auth_lifetime: ttl?.auth || defaultSignerSessionLifetime.auth,
         refresh_lifetime: ttl?.refresh || defaultSignerSessionLifetime.refresh,
         session_lifetime: ttl?.session || defaultSignerSessionLifetime.session,
+        grace_lifetime: ttl?.grace || defaultSignerSessionLifetime.grace,
       },
       parseAs: "json",
     });
@@ -159,7 +162,7 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
     if (!session_info) {
       throw new Error("Signer session info missing");
     }
-    await storage.save({
+    const sessionData = {
       org_id: orgId,
       role_id: roleId,
       purpose,
@@ -169,43 +172,70 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
       env: {
         ["Dev-CubeSignerStack"]: cs.env,
       },
-    });
-    return new SignerSessionManager(cs, orgId, roleId, data.token, storage);
+    };
+    await storage.save(sessionData);
+    return new SignerSessionManager(sessionData, storage, cs);
+  }
+
+  /**
+   * @param {EnvInterface} env The CubeSigner environment
+   * @param {string} orgId The organization ID
+   * @param {NewSessionResponse} session The session information.
+   * @param {SignerSessionStorage} storage The storage to use for saving the session.
+   * @return {Promise<SignerSessionManager>} New signer session manager.
+   */
+  static async createFromSessionInfo(
+    env: EnvInterface,
+    orgId: string,
+    session: NewSessionResponse,
+    storage?: SignerSessionStorage,
+  ): Promise<SignerSessionManager> {
+    const sessionData = {
+      env: {
+        ["Dev-CubeSignerStack"]: env,
+      },
+      org_id: orgId,
+      token: session.token,
+      purpose: "sign via oidc",
+      session_info: session.session_info,
+    };
+    storage ??= new MemorySessionStorage();
+    await storage.save(sessionData);
+    return await SignerSessionManager.loadFromStorage(storage);
   }
 
   /**
    * Uses an existing session to create a new signer session manager.
-   * @param {CubeSigner} cs The CubeSigner instance
-   * @param {SessionStorage<SignerSessionObject>} storage The session storage to use
+   * @param {SignerSessionStorage} storage The session storage to use
+   * @param {CubeSigner} cs Optional CubeSigner instance.
+   *    Currently used for token revocation; will be completely removed
+   *    since token revocation should not require management session.
    * @return {Promise<SingerSession>} New signer session manager
    */
   static async loadFromStorage(
-    cs: CubeSigner,
     storage: SignerSessionStorage,
+    cs?: CubeSigner,
   ): Promise<SignerSessionManager> {
     const session = await storage.retrieve();
-    return new SignerSessionManager(cs, session.org_id, session.role_id, session.token, storage);
+    return new SignerSessionManager(session, storage, cs);
   }
 
   /**
    * Constructor.
-   * @param {CubeSigner} cs CubeSigner
-   * @param {string} orgId The id of the org associated with this session
-   * @param {string} roleId The id of the role that this session assumes
-   * @param {string} token The authorization token to use
+   * @param {SignerSessionData} sessionData Session data
    * @param {SignerSessionStorage} storage The session storage to use
+   * @param {CubeSigner} cs Optional CubeSigner instance.
+   *    Currently used for token revocation; will be completely removed
+   *    since token revocation should not require management session.
    * @internal
    */
   private constructor(
-    cs: CubeSigner,
-    orgId: string,
-    roleId: string,
-    token: string,
+    sessionData: SignerSessionData,
     storage: SignerSessionStorage,
+    cs?: CubeSigner,
   ) {
-    super(cs.env, orgId, storage);
+    super(sessionData.env["Dev-CubeSignerStack"], sessionData.org_id, storage);
     this.cs = cs;
-    this.roleId = roleId;
-    this.#client = this.createClient(token);
+    this.#client = this.createClient(sessionData.token);
   }
 }