@cubist-labs/cubesigner-sdk 0.2.21 → 0.2.24

package/src/schema.ts

@@ -886,7 +886,7 @@ export interface components {
      * https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria
      */
     AuthenticatorSelectionCriteria: {
-      authenticator_attachment?: components["schemas"]["AuthenticatorAttachment"] | null;
+      authenticatorAttachment?: components["schemas"]["AuthenticatorAttachment"] | null;
       /**
        * @description This member is retained for backwards compatibility with WebAuthn Level
        * 1 and, for historical reasons, its naming retains the deprecated
@@ -895,9 +895,9 @@ export interface components {
        *
        * https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-requireresidentkey
        */
-      require_resident_key?: boolean;
-      resident_key?: components["schemas"]["ResidentKeyRequirement"] | null;
-      user_verification?: components["schemas"]["UserVerificationRequirement"];
+      requireResidentKey?: boolean;
+      residentKey?: components["schemas"]["ResidentKeyRequirement"] | null;
+      userVerification?: components["schemas"]["UserVerificationRequirement"];
     };
     /**
      * @description Authenticators may implement various transports for communicating with
@@ -1580,25 +1580,6 @@ export interface components {
        */
       skip_email: boolean;
     };
-    /**
-     * @description Key material contained inside a [`JsonKeyPackage`], which can be either
-     * a raw secret or a mnemonic, password, and derivation path.
-     */
-    JsonKeyMaterial: {
-      /** @enum {string} */
-      material_type: "raw_secret";
-      /** @description The value of the raw secret */
-      secret: string;
-    } | {
-      /** @description The derivation path */
-      derivation_path: string;
-      /** @enum {string} */
-      material_type: "english_mnemonic";
-      /** @description The mnemonic */
-      mnemonic: string;
-      /** @description The password (which may be empty) */
-      password: string;
-    };
     /**
      * @description A [`KeyPackage`] serialized into a format that gives a tidier JSON
      * representation suitable for encryption in the user-export flow.
@@ -1669,9 +1650,21 @@ export interface components {
      * );
      * ```
      */
-    JsonKeyPackage: {
-      material_type: "JsonKeyPackage";
-    } & Omit<components["schemas"]["JsonKeyMaterial"], "material_type"> & {
+    JsonKeyPackage: ({
+      /** @enum {string} */
+      material_type: "raw_secret";
+      /** @description The value of the raw secret */
+      secret: string;
+    } | {
+      /** @description The derivation path */
+      derivation_path: string;
+      /** @enum {string} */
+      material_type: "english_mnemonic";
+      /** @description The mnemonic */
+      mnemonic: string;
+      /** @description The password (which may be empty) */
+      password: string;
+    }) & {
       /** @description The type of key this package represents */
       key_type: string;
     };
@@ -1811,6 +1804,12 @@ export interface components {
     Network: "mainnet" | "prater" | "goerli" | "holesky";
     /** @description Information about a new session, returned from multiple endpoints (e.g., login, refresh, etc.). */
     NewSessionResponse: {
+      /**
+       * Format: int64
+       * @description Session expiration (in seconds since UNIX epoch), beyond which it cannot be refreshed.
+       * @example 1701879640
+       */
+      expiration?: number;
       session_info: components["schemas"]["ClientSessionInfo"];
       /**
        * @description New token to be used for authentication. Requests to signing endpoints
@@ -1901,6 +1900,13 @@ export interface components {
        * ]
        */
       policy?: Record<string, never>[];
+      /**
+       * Format: int32
+       * @description The organization's currently configured TOTP failure limit, i.e., the number
+       * of times a user can provide an incorrect TOTP code before being rate limited.
+       * This value can be between 1 and 5 (inclusive).
+       */
+      totp_failure_limit: number;
       /**
        * Format: int64
        * @description The organization's currently configured user-export delay, i.e., the minimum
@@ -2659,6 +2665,12 @@ export interface components {
        * ]
        */
       policy?: Record<string, never>[] | null;
+      /**
+       * Format: int32
+       * @description If set, update this org's TOTP failure limit. After this many failures,
+       * the user is rate limited until the next 30-second TOTP window.
+       */
+      totp_failure_limit?: number | null;
       /**
        * Format: int64
        * @description If set, update this org's user-export delay, i.e., the amount of time
@@ -2704,6 +2716,11 @@ export interface components {
        * ]
        */
       policy?: Record<string, never>[] | null;
+      /**
+       * Format: int32
+       * @description The new value of the TOTP failure limit
+       */
+      totp_failure_limit?: number | null;
       /**
        * Format: int64
        * @description The new value of user-export delay
@@ -3183,6 +3200,12 @@ export interface components {
     NewSessionResponse: {
       content: {
         "application/json": {
+          /**
+           * Format: int64
+           * @description Session expiration (in seconds since UNIX epoch), beyond which it cannot be refreshed.
+           * @example 1701879640
+           */
+          expiration?: number;
           session_info: components["schemas"]["ClientSessionInfo"];
           /**
            * @description New token to be used for authentication. Requests to signing endpoints
@@ -3234,6 +3257,13 @@ export interface components {
            * ]
            */
           policy?: Record<string, never>[];
+          /**
+           * Format: int32
+           * @description The organization's currently configured TOTP failure limit, i.e., the number
+           * of times a user can provide an incorrect TOTP code before being rate limited.
+           * This value can be between 1 and 5 (inclusive).
+           */
+          totp_failure_limit: number;
           /**
            * Format: int64
            * @description The organization's currently configured user-export delay, i.e., the minimum
@@ -3517,6 +3547,11 @@ export interface components {
            * ]
            */
           policy?: Record<string, never>[] | null;
+          /**
+           * Format: int32
+           * @description The new value of the TOTP failure limit
+           */
+          totp_failure_limit?: number | null;
           /**
            * Format: int64
            * @description The new value of user-export delay

package/src/session/cognito_manager.ts

@@ -70,7 +70,7 @@ export class CognitoSessionManager extends OrgSessionManager<CognitoSessionInfo>
    */
   async isStale(): Promise<boolean> {
     const session = await this.storage.retrieve();
-    return SessionManager.hasExpired(new Date(session.expiration));
+    return SessionManager.isStale(new Date(session.expiration));
   }
 
   /**

package/src/session/session_manager.ts

@@ -2,6 +2,7 @@ import { Events } from "../events";
 import { EnvInterface } from "../env";
 import { Client, createHttpClient } from "../api";
 import { SessionStorage } from "./session_storage";
+import { delay } from "../util";
 
 const DEFAULT_EXPIRATION_BUFFER_SECS = 30;
 
@@ -10,6 +11,7 @@ export abstract class SessionManager<U> {
   readonly env: EnvInterface;
   readonly storage: SessionStorage<U>;
   readonly events = new Events();
+  #refreshing: boolean = false;
 
   /**
    * @return {string} The current auth token.
@@ -40,9 +42,24 @@ export abstract class SessionManager<U> {
    */
   async refreshIfNeeded(): Promise<boolean> {
     if (await this.isStale()) {
-      await this.refresh();
-      return true;
+      if (this.#refreshing) {
+        // wait until done refreshing
+        while (this.#refreshing) {
+          await delay(100);
+        }
+        return false;
+      } else {
+        // refresh
+        this.#refreshing = true;
+        try {
+          await this.refresh();
+          return true;
+        } finally {
+          this.#refreshing = false;
+        }
+      }
     }
+
     return false;
   }
 
@@ -88,19 +105,29 @@ export abstract class SessionManager<U> {
   }
 
   /**
-   * Check if a timestamp has expired.
+   * Check if a timestamp is within {@link bufferSeconds} seconds from expiration.
    * @param {Date} exp The timestamp to check
-   * @param {number} bufferSeconds Time buffer in seconds (defaults to 30s)
+   * @param {number} bufferSeconds Time buffer in seconds (defaults to 0s)
    * @return {boolean} True if the timestamp has expired
    */
   protected static hasExpired(exp: Date, bufferSeconds?: number): boolean {
-    bufferSeconds ??= DEFAULT_EXPIRATION_BUFFER_SECS;
+    bufferSeconds ??= 0;
     const expMsSinceEpoch = exp.getTime();
     const nowMsSinceEpoch = new Date().getTime();
     const bufferMs = bufferSeconds * 1000;
     return expMsSinceEpoch < nowMsSinceEpoch + bufferMs;
   }
 
+  /**
+   * Check if a timestamp is stale, i.e., it's within {@link bufferSeconds} seconds from expiration.
+   * @param {Date} exp The timestamp to check
+   * @param {number} bufferSeconds Time buffer in seconds (defaults to 30s)
+   * @return {boolean} True if the timestamp is stale
+   */
+  protected static isStale(exp: Date, bufferSeconds?: number): boolean {
+    return this.hasExpired(exp, bufferSeconds ?? DEFAULT_EXPIRATION_BUFFER_SECS);
+  }
+
   /**
    * Throws an error that says that some feature is unsupported.
    * @param {string} name The name of the feature that is not supported

package/src/session/signer_session_manager.ts

@@ -21,6 +21,8 @@ export interface SignerSessionObject {
   token: string;
   /** Session info */
   session_info: ClientSessionInfo;
+  /** Session expiration (in seconds since UNIX epoch) beyond which it cannot be refreshed */
+  session_exp: number | undefined; // may be missing in legacy session files
 }
 
 /**
@@ -51,7 +53,7 @@ export interface SignerSessionLifetime {
 /** Manager for signer sessions. */
 export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
   readonly #eventEmitter: EventEmitter;
-  #client: { client: Client; exp: Date };
+  #client: { client: Client; token_exp: Date; session_exp?: Date };
 
   /**
    * @return {string} The current auth token.
@@ -70,8 +72,12 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
   async client(): Promise<Client> {
     await this.refreshIfNeeded();
 
-    // trigger "session expired" if for whatever reason the token is still stale
-    if (SessionManager.hasExpired(this.#client.exp, /* buffer */ 0)) {
+    // trigger "session expired" if the session as a whole has expired
+    // or if (for whatever reason) the token is still stale
+    if (
+      SessionManager.hasExpired(this.#client.token_exp) ||
+      (this.#client.session_exp && SessionManager.hasExpired(this.#client.session_exp))
+    ) {
       await this.#eventEmitter.emitSessionExpired();
     }
 
@@ -92,7 +98,7 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
    * @internal
    */
   async isStale(): Promise<boolean> {
-    return SessionManager.hasExpired(this.#client.exp);
+    return SessionManager.isStale(this.#client.token_exp);
   }
 
   /**
@@ -120,7 +126,10 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
     await this.storage.save(newSession);
     this.#client = {
       client: this.createClient(newSession.token),
-      exp: secondsSinceEpochToDate(newSession.session_info.auth_token_exp),
+      token_exp: secondsSinceEpochToDate(newSession.session_info.auth_token_exp),
+      session_exp: newSession.session_exp
+        ? secondsSinceEpochToDate(newSession.session_exp)
+        : undefined,
     };
   }
 
@@ -145,6 +154,7 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
       token: session.token,
       purpose: "sign via oidc",
       session_info: session.session_info,
+      session_exp: session.expiration!,
     };
     storage ??= new MemorySessionStorage();
     await storage.save(sessionData);
@@ -187,7 +197,10 @@ export class SignerSessionManager extends OrgSessionManager<SignerSessionData> {
     this.#eventEmitter = new EventEmitter([this.events]);
     this.#client = {
       client: this.createClient(sessionData.token),
-      exp: secondsSinceEpochToDate(sessionData.session_info.auth_token_exp),
+      token_exp: secondsSinceEpochToDate(sessionData.session_info.auth_token_exp),
+      session_exp: sessionData.session_exp
+        ? secondsSinceEpochToDate(sessionData.session_exp)
+        : undefined,
     };
   }
 }

package/src/util.ts

@@ -71,3 +71,13 @@ export function encodeToBase64Url(buffer: Iterable<number>): string {
   // NOTE: there is no "base64url" encoding in the "buffer" module for the browser (unlike in node.js)
   return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=*$/g, "");
 }
+
+/**
+ * Sleeps for `ms` milliseconds.
+ *
+ * @param {number} ms Milliseconds to sleep
+ * @return {Promise<void>} A promise that is resolved after `ms` milliseconds.
+ */
+export function delay(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}