@culturefy/shared 1.0.76 → 1.0.77

package/build/src/utils/secrets.js

@@ -1,5 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerSecretsRedis = registerSecretsRedis;
 exports.getAzureVaultSecretByKey = getAzureVaultSecretByKey;
 exports.getInterservicesCommunicationKey = getInterservicesCommunicationKey;
 const tslib_1 = require("tslib");
@@ -7,36 +8,108 @@ const identity_1 = require("@azure/identity");
 const keyvault_secrets_1 = require("@azure/keyvault-secrets");
 const enums_1 = require("../enums");
 const mapper_1 = require("./mapper");
+// L1: in-memory cache — permanent for the lifetime of the Function host instance
+const secretCache = new Map();
+// Deduplicate concurrent in-flight fetches for the same key
+const secretInflight = new Map();
+// Singleton SecretClient per vault URL
+const secretClients = new Map();
+// L2: Redis cache — injected by cache.ts after Redis connects (avoids circular import)
+const SECRET_REDIS_TTL = 60; // seconds
+const SECRET_REDIS_NS = "kv-secret";
+let _redis = null;
+// These secrets are needed to bootstrap the Redis connection itself —
+// they must never be looked up via Redis to prevent infinite recursion.
+const BOOTSTRAP_KEYS = new Set([
+    enums_1.AzureSecretKeysEnum.REDIS_HOST,
+    enums_1.AzureSecretKeysEnum.REDIS_KEY,
+    enums_1.AzureSecretKeysEnum.REDIS_PORT,
+]);
+/**
+ * Called by cache.ts after the Redis client successfully connects.
+ * Enables L2 Redis caching for Key Vault secrets without a circular import.
+ */
+function registerSecretsRedis(client) {
+    _redis = client;
+}
+function getSecretClient(vaultName) {
+    const vaultUrl = `https://${vaultName}.vault.azure.net`;
+    if (!secretClients.has(vaultUrl)) {
+        secretClients.set(vaultUrl, new keyvault_secrets_1.SecretClient(vaultUrl, new identity_1.DefaultAzureCredential()));
+    }
+    return secretClients.get(vaultUrl);
+}
 /**
  * Fetches a secret value from Azure Key Vault by key.
- * @param key - The key name from the AzureSecretKeysEnum enum.
- * @returns The secret value.
- * @throws Error if the key is invalid or if the secret fetch fails.
-*/
+ *
+ * Lookup order (fastest to slowest):
+ *   L1 in-memory → L2 Redis (60s TTL) → Azure Key Vault
+ *
+ * Bootstrap secrets (REDIS_HOST/KEY/PORT) skip Redis to avoid circular calls.
+ */
 function getAzureVaultSecretByKey(context, vaultName, key) {
     return tslib_1.__awaiter(this, void 0, void 0, function* () {
         var _a;
-        // Build the list of valid enum values once
         const validKeys = (0, mapper_1.enumMapper)(enums_1.AzureSecretKeysEnum);
-        // Validate
         if (!validKeys.includes(key)) {
             const msg = `Invalid secret key requested: ${key}`;
             context.error(msg);
             throw new Error(msg);
         }
-        // Construct the vault URL
-        const vaultUrl = `https://${vaultName}.vault.azure.net`;
-        // Initialize the client
-        const credential = new identity_1.DefaultAzureCredential();
-        const client = new keyvault_secrets_1.SecretClient(vaultUrl, credential);
-        try {
-            const secret = yield client.getSecret(key);
-            return (_a = secret.value) !== null && _a !== void 0 ? _a : "";
-        }
-        catch (err) {
-            context.error(`Error fetching secret "${key}" from vault "${vaultName}"`, err);
-            throw new Error(`Failed to fetch secret "${key}": ${err.message}`);
+        const cacheKey = `${vaultName}:${key}`;
+        // L1 — in-memory
+        const l1 = secretCache.get(cacheKey);
+        if (l1 !== undefined)
+            return l1;
+        // L2 — Redis (skipped for bootstrap keys)
+        const useRedis = _redis !== null && !BOOTSTRAP_KEYS.has(key);
+        if (useRedis) {
+            try {
+                const l2 = yield _redis.get(`${SECRET_REDIS_NS}:${cacheKey}`);
+                if (l2 !== null) {
+                    secretCache.set(cacheKey, l2);
+                    return l2;
+                }
+            }
+            catch (err) {
+                (_a = context.warn) === null || _a === void 0 ? void 0 : _a.call(context, `Redis L2 secret cache read failed for "${key}", falling through to Key Vault`, err);
+            }
         }
+        // Deduplicate concurrent fetches for the same key
+        const inflight = secretInflight.get(cacheKey);
+        if (inflight)
+            return inflight;
+        const fetchPromise = (() => tslib_1.__awaiter(this, void 0, void 0, function* () {
+            var _a, _b;
+            const client = getSecretClient(vaultName);
+            try {
+                const secret = yield client.getSecret(key);
+                const value = (_a = secret.value) !== null && _a !== void 0 ? _a : "";
+                // Populate L1
+                secretCache.set(cacheKey, value);
+                // Populate L2 — re-check _redis at write time in case Redis connected
+                // during the Key Vault round-trip (cold-start race)
+                const redisForWrite = !BOOTSTRAP_KEYS.has(key) ? _redis : null;
+                if (redisForWrite) {
+                    try {
+                        yield redisForWrite.set(`${SECRET_REDIS_NS}:${cacheKey}`, value, "EX", SECRET_REDIS_TTL);
+                    }
+                    catch (err) {
+                        (_b = context.warn) === null || _b === void 0 ? void 0 : _b.call(context, `Redis L2 secret cache write failed for "${key}"`, err);
+                    }
+                }
+                return value;
+            }
+            catch (err) {
+                context.error(`Error fetching secret "${key}" from vault "${vaultName}"`, err);
+                throw new Error(`Failed to fetch secret "${key}": ${err.message}`);
+            }
+            finally {
+                secretInflight.delete(cacheKey);
+            }
+        }))();
+        secretInflight.set(cacheKey, fetchPromise);
+        return fetchPromise;
     });
 }
 function getInterservicesCommunicationKey(context) {

package/build/src/utils/secrets.js.map

@@ -1 +1 @@
-{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../src/utils/secrets.ts"],"names":[],"mappings":";;AAYA,4DA6BC;AAED,4EAwBC;;AAnED,8CAAyD;AACzD,8DAAuD;AAEvD,oCAA+C;AAC/C,qCAAsC;AAEtC;;;;;EAKE;AACF,SAAsB,wBAAwB,CAC5C,OAA0B,EAC1B,SAAiB,EACjB,GAAwB;;;QAExB,2CAA2C;QAC3C,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,2BAAmB,CAAC,CAAC;QAElD,WAAW;QACX,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,iCAAiC,GAAG,EAAE,CAAC;YACnD,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;QAED,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,WAAW,SAAS,kBAAkB,CAAC;QAExD,wBAAwB;QACxB,MAAM,UAAU,GAAG,IAAI,iCAAsB,EAAE,CAAC;QAChD,MAAM,MAAM,GAAO,IAAI,+BAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC3C,OAAO,MAAA,MAAM,CAAC,KAAK,mCAAI,EAAE,CAAC;QAC5B,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,0BAA0B,GAAG,iBAAiB,SAAS,GAAG,EAAE,GAAG,CAAC,CAAC;YAC/E,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;CAAA;AAED,SAAsB,gCAAgC,CACpD,OAA0B;;;QAE1B,MAAM,QAAQ,GAAG,MAAA,OAAO,CAAC,GAAG,CAAC,+BAA+B,0CAAE,IAAI,EAAE,CAAC;QACrE,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,wBAAwB,CACxC,OAAO,EACP,SAAS,EACT,2BAAmB,CAAC,+BAA+B,CACpD,CAAC;QAEF,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CAAA"}
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../src/utils/secrets.ts"],"names":[],"mappings":";;AAgCA,oDAEC;AAkBD,4DAoEC;AAED,4EAwBC;;AAjJD,8CAAyD;AACzD,8DAAuD;AAEvD,oCAA+C;AAC/C,qCAAsC;AAEtC,iFAAiF;AACjF,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;AAC9C,4DAA4D;AAC5D,MAAM,cAAc,GAAG,IAAI,GAAG,EAA2B,CAAC;AAE1D,uCAAuC;AACvC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEtD,uFAAuF;AACvF,MAAM,gBAAgB,GAAG,EAAE,CAAC,CAAC,UAAU;AACvC,MAAM,eAAe,GAAI,WAAW,CAAC;AACrC,IAAI,MAAM,GAAiB,IAAI,CAAC;AAEhC,sEAAsE;AACtE,wEAAwE;AACxE,MAAM,cAAc,GAAG,IAAI,GAAG,CAAsB;IAClD,2BAAmB,CAAC,UAAU;IAC9B,2BAAmB,CAAC,SAAS;IAC7B,2BAAmB,CAAC,UAAU;CAC/B,CAAC,CAAC;AAEH;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,MAAa;IAChD,MAAM,GAAG,MAAM,CAAC;AAClB,CAAC;AAED,SAAS,eAAe,CAAC,SAAiB;IACxC,MAAM,QAAQ,GAAG,WAAW,SAAS,kBAAkB,CAAC;IACxD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,+BAAY,CAAC,QAAQ,EAAE,IAAI,iCAAsB,EAAE,CAAC,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;AACtC,CAAC;AAED;;;;;;;GAOG;AACH,SAAsB,wBAAwB,CAC5C,OAA0B,EAC1B,SAAiB,EACjB,GAAwB;;;QAExB,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,2BAAmB,CAAC,CAAC;QAElD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,iCAAiC,GAAG,EAAE,CAAC;YACnD,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;QAED,MAAM,QAAQ,GAAG,GAAG,SAAS,IAAI,GAAG,EAAE,CAAC;QAEvC,iBAAiB;QACjB,MAAM,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,EAAE,KAAK,SAAS;YAAE,OAAO,EAAE,CAAC;QAEhC,0CAA0C;QAC1C,MAAM,QAAQ,GAAG,MAAM,KAAK,IAAI,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7D,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAM,EAAE,GAAG,MAAM,MAAO,CAAC,GAAG,CAAC,GAAG,eAAe,IAAI,QAAQ,EAAE,CAAC,CAAC;gBAC/D,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;oBAChB,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;oBAC9B,OAAO,EAAE,CAAC;gBACZ,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAA,OAAO,CAAC,IAAI,wDAAG,0CAA0C,GAAG,iCAAiC,EAAE,GAAG,CAAC,CAAC;YACtG,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC9C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE9B,MAAM,YAAY,GAAG,CAAC,GAAS,EAAE;;YAC/B,MAAM,MAAM,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC3C,MAAM,KAAK,GAAG,MAAA,MAAM,CAAC,KAAK,mCAAI,EAAE,CAAC;gBAEjC,cAAc;gBACd,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;gBAEjC,sEAAsE;gBACtE,oDAAoD;gBACpD,MAAM,aAAa,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC/D,IAAI,aAAa,EAAE,CAAC;oBAClB,IAAI,CAAC;wBACH,MAAM,aAAa,CAAC,GAAG,CAAC,GAAG,eAAe,IAAI,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,gBAAgB,CAAC,CAAC;oBAC3F,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,MAAA,OAAO,CAAC,IAAI,wDAAG,2CAA2C,GAAG,GAAG,EAAE,GAAG,CAAC,CAAC;oBACzE,CAAC;gBACH,CAAC;gBAED,OAAO,KAAK,CAAC;YACf,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,0BAA0B,GAAG,iBAAiB,SAAS,GAAG,EAAE,GAAG,CAAC,CAAC;gBAC/E,MAAM,IAAI,KAAK,CAAC,2BAA2B,GAAG,MAAM,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACrE,CAAC;oBAAS,CAAC;gBACT,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAClC,CAAC;QACH,CAAC,CAAA,CAAC,EAAE,CAAC;QAEL,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAC3C,OAAO,YAAY,CAAC;IACtB,CAAC;CAAA;AAED,SAAsB,gCAAgC,CACpD,OAA0B;;;QAE1B,MAAM,QAAQ,GAAG,MAAA,OAAO,CAAC,GAAG,CAAC,+BAA+B,0CAAE,IAAI,EAAE,CAAC;QACrE,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACjF,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,wBAAwB,CACxC,OAAO,EACP,SAAS,EACT,2BAAmB,CAAC,+BAA+B,CACpD,CAAC;QAEF,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;CAAA"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@culturefy/shared",
   "description": "Shared utilities for culturefy serverless services",
-  "version": "1.0.76",
+  "version": "1.0.77",
   "main": "build/cjs/index.js",
   "module": "build/esm/index.js",
   "types": "build/src/index.d.ts",