npm - @go-to-k/cdkd - Versions diffs - 0.162.1 → 0.162.3 - Mend

@go-to-k/cdkd 0.162.1 → 0.162.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -51328,6 +51328,56 @@ function matchPreflight(req, config) {
 	};
 }
 /**
+* Apply CORS headers to an **actual** (non-preflight) response. CORS
+* spec requires that 2xx / 4xx / 5xx responses all carry
+* `Access-Control-Allow-Origin` (only preflight responses also need
+* `Allow-Methods` / `Allow-Headers` / `Max-Age`) — without it the
+* browser blocks the response body from JS regardless of status code.
+*
+* Looks up the route's `apiLogicalId` in `corsConfigByApiId`. When a
+* matching config + the request Origin satisfies `AllowOrigins`, sets:
+*
+*   - `Access-Control-Allow-Origin: <origin or *>`  (always)
+*   - `Vary: Origin`                                (when origin echoed)
+*   - `Access-Control-Allow-Credentials: true`      (when configured)
+*   - `Access-Control-Expose-Headers: <list>`       (when configured)
+*
+* `Allow-Methods` / `Allow-Headers` / `Max-Age` are preflight-only and
+* deliberately NOT set on actual responses.
+*
+* Caller must invoke this BEFORE writing the response body (otherwise
+* `res.headersSent` flips and `setHeader` becomes a no-op). Idempotent:
+* a second call with the same args overwrites the same headers.
+*
+* No-op when:
+*   - `route.apiLogicalId` is undefined (no surface-config-bearing
+*     resource — e.g. routes discovered before issue #644's apiLogicalId
+*     plumbing existed; harmless on routes without CORS to apply)
+*   - The route's API has no entry in `corsConfigByApiId`
+*   - The request has no `Origin` header (non-CORS request — same
+*     posture as the matchPreflight gate)
+*   - The Origin is not in the AllowOrigins list (browser will block
+*     anyway; we don't smuggle through unauthorized origins by accident)
+*/
+function applyCorsResponseHeaders(res, apiLogicalId, corsConfigByApiId, requestOrigin) {
+	if (!apiLogicalId) return;
+	const cors = corsConfigByApiId.get(apiLogicalId);
+	if (!cors) return;
+	if (!requestOrigin) return;
+	const originMatch = matchOrigin(requestOrigin, cors.AllowOrigins);
+	if (!originMatch) return;
+	const allowOrigin = originMatch === "*" && cors.AllowCredentials !== true ? "*" : requestOrigin;
+	res.setHeader("Access-Control-Allow-Origin", allowOrigin);
+	if (allowOrigin !== "*") {
+		const existing = res.getHeader("Vary");
+		if (typeof existing === "string" && existing.length > 0) {
+			if (!existing.split(",").map((t) => t.trim()).some((t) => t.toLowerCase() === "origin")) res.setHeader("Vary", `${existing}, Origin`);
+		} else res.setHeader("Vary", "Origin");
+	}
+	if (cors.AllowCredentials === true) res.setHeader("Access-Control-Allow-Credentials", "true");
+	if (cors.ExposeHeaders.length > 0) res.setHeader("Access-Control-Expose-Headers", cors.ExposeHeaders.join(","));
+}
+/**
 * Whether the request's Origin matches the AllowOrigins list. Returns
 * `'*'` when a wildcard matched, the literal entry on a literal match,
 * `null` otherwise. The literal case is used by the caller to decide
@@ -53237,11 +53287,16 @@ async function handleRequest(req, res, state, opts) {
 		writeError(res, 404, "{\"message\":\"Not Found\"}");
 		return;
 	}
+	const requestOrigin = pickFirstHeaderValue(collectHeaders(req), "origin") ?? void 0;
+	const applyCors = () => {
+		applyCorsResponseHeaders(res, match.route.apiLogicalId, state.corsConfigByApiId, requestOrigin);
+	};
 	if (match.route.mockCors) {
 		writeMockCorsPreflight(res, match.route.mockCors);
 		return;
 	}
 	if (match.route.unsupported) {
+		applyCors();
 		writeNotImplemented(res, match.route.unsupported.reason);
 		return;
 	}
@@ -53268,10 +53323,12 @@ async function handleRequest(req, res, state, opts) {
 			outcome = await runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, baseEvent["requestContext"]);
 		} catch (err) {
 			logger.error(`Authorizer ${authorizer.logicalId} threw for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
+			applyCors();
 			writeAuthRejection(res, match.route.apiVersion, "policy-deny", authorizer.kind);
 			return;
 		}
 		if (!outcome.result.allow) {
+			applyCors();
 			writeAuthRejection(res, match.route.apiVersion, outcome.denyKind ?? "policy-deny", authorizer.kind);
 			return;
 		}
@@ -53280,16 +53337,21 @@ async function handleRequest(req, res, state, opts) {
 		if (overlay) baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
 	}
 	if (match.route.serviceIntegration) {
+		applyCors();
 		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult);
 		return;
 	}
 	if (match.route.restV1Integration) {
 		try {
-			writeIntegrationOutcome(res, await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts));
+			const outcome = await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts);
+			applyCors();
+			writeIntegrationOutcome(res, outcome);
 		} catch (err) {
 			logger.error(`REST v1 ${match.route.restV1Integration.kind} dispatch failed for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
-			else res.end();
+			if (!res.headersSent) {
+				applyCors();
+				writeError(res, 502);
+			} else res.end();
 		}
 		return;
 	}
@@ -53298,6 +53360,7 @@ async function handleRequest(req, res, state, opts) {
 		handle = await state.pool.acquire(match.route.lambdaLogicalId);
 	} catch (err) {
 		logger.error(`Failed to acquire container for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
+		applyCors();
 		writeError(res, 502);
 		return;
 	}
@@ -53306,6 +53369,7 @@ async function handleRequest(req, res, state, opts) {
 		try {
 			streamResult = await invokeRieStreaming(handle.containerHost, handle.hostPort, baseEvent, opts.rieTimeoutMs);
 			try {
+				applyCors();
 				writeStreamingResponse(res, streamResult, () => state.pool.release(handle));
 			} catch (writeErr) {
 				streamResult.body.on("error", () => {});
@@ -53315,8 +53379,10 @@ async function handleRequest(req, res, state, opts) {
 			return;
 		} catch (err) {
 			logger.error(`RIE streaming invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
-			else res.end();
+			if (!res.headersSent) {
+				applyCors();
+				writeError(res, 502);
+			} else res.end();
 			state.pool.release(handle);
 			return;
 		}
@@ -53326,11 +53392,14 @@ async function handleRequest(req, res, state, opts) {
 		res.statusCode = translated.statusCode;
 		for (const [name, value] of Object.entries(translated.headers)) res.setHeader(name, value);
 		if (translated.cookies.length > 0) res.setHeader("set-cookie", translated.cookies);
+		applyCors();
 		res.end(translated.body);
 	} catch (err) {
 		logger.error(`RIE invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
-		if (!res.headersSent) writeError(res, 502);
-		else res.end();
+		if (!res.headersSent) {
+			applyCors();
+			writeError(res, 502);
+		} else res.end();
 	} finally {
 		state.pool.release(handle);
 	}
@@ -54668,6 +54737,7 @@ async function localStartApiCommand(target, options) {
 			for (const [k, v] of direct) corsConfigByApiId.set(k, v);
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
+		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
 		const specs = /* @__PURE__ */ new Map();
 		for (let i = 0; i < lambdaIds.length; i++) {
@@ -54684,7 +54754,8 @@ async function localStartApiCommand(target, options) {
 				layerTmpDirs,
 				stateByStack,
 				skipPull: options.pull === false,
-				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn }
+				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn },
+				...profileCredentials && { profileCredentials }
 			});
 			specs.set(logicalId, spec);
 		}
@@ -55118,7 +55189,7 @@ function warnIamRoutes(routesWithAuth) {
 * missing, runtime not supported).
 */
 async function buildContainerSpec(args) {
-	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn } = args;
+	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials } = args;
 	const lambda = resolveLambdaByLogicalId(logicalId, stacks);
 	let codeDir;
 	let optDir;
@@ -55164,7 +55235,15 @@ async function buildContainerSpec(args) {
 		dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
 		dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
-	} else forwardAwsEnv$1(dockerEnv);
+	} else {
+		forwardAwsEnv$1(dockerEnv);
+		if (profileCredentials) {
+			dockerEnv["AWS_ACCESS_KEY_ID"] = profileCredentials.accessKeyId;
+			dockerEnv["AWS_SECRET_ACCESS_KEY"] = profileCredentials.secretAccessKey;
+			if (profileCredentials.sessionToken) dockerEnv["AWS_SESSION_TOKEN"] = profileCredentials.sessionToken;
+			else delete dockerEnv["AWS_SESSION_TOKEN"];
+		}
+	}
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
 	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
 		target: "/tmp",
@@ -55527,6 +55606,54 @@ function forwardAwsEnv$1(env) {
 	}
 }
 /**
+* Issue #654: resolve `--profile <p>` to a concrete credential set
+* for forwarding to Lambda containers.
+*
+* The dev's AWS credentials may live in any of:
+*   - `~/.aws/sso/cache/*.json` (AWS IAM Identity Center / legacy SSO)
+*   - `~/.aws/credentials` (regular long-lived access keys)
+*   - `~/.aws/config` profiles with `role_arn` + `source_profile` (chained AssumeRole)
+*   - `credential_process` external resolvers
+*
+* `forwardAwsEnv` only reads `process.env.AWS_*`, which is empty for
+* every shape except "user manually exported the env vars". The
+* Lambda container therefore boots without creds and the handler's
+* AWS SDK call fails with `Could not load credentials from any providers`.
+*
+* This helper constructs a transient `STSClient({ profile })` to drive
+* the SDK's default credential provider chain — same code path cdkd's
+* own CFn / CC API clients use when `--profile` is set, so SSO / IAM
+* Identity Center / role-assumption profiles all resolve the same way
+* they already do for cdkd's outbound calls. We then extract the
+* resolved `AwsCredentialIdentity` via `sts.config.credentials()` and
+* return the underlying `{ accessKeyId, secretAccessKey, sessionToken? }`
+* for env-var injection.
+*
+* Called ONCE at server boot; the resolved creds are reused for every
+* Lambda container's env overlay (when `--assume-role` is not set for
+* that Lambda — assume-role wins per the existing precedence). SSO
+* temp creds typically last 1h+, so a single resolve is fine for the
+* common dev session; long-running `--watch` sessions that outlive
+* the creds need a cdkd restart (deferred refresh out of scope for
+* v1, see issue #654).
+*/
+async function resolveProfileCredentials(profile) {
+	const { STSClient } = await import("@aws-sdk/client-sts");
+	const sts = new STSClient({ profile });
+	try {
+		const credsProvider = sts.config.credentials;
+		const creds = typeof credsProvider === "function" ? await credsProvider() : credsProvider;
+		if (!creds || !creds.accessKeyId || !creds.secretAccessKey) throw new Error(`--profile '${profile}': credential provider chain resolved without usable credentials. Check \`aws sso login --profile ` + profile + "` for SSO profiles, or `~/.aws/credentials` / `~/.aws/config` for regular profiles.");
+		return {
+			accessKeyId: creds.accessKeyId,
+			secretAccessKey: creds.secretAccessKey,
+			...creds.sessionToken && { sessionToken: creds.sessionToken }
+		};
+	} finally {
+		sts.destroy();
+	}
+}
+/**
 * Issue an STS AssumeRole and return temporary credentials. Mirrors
 * `cdkd local invoke`'s helper byte-for-byte; lifted here so the
 * start-api command stays self-contained.
@@ -60201,7 +60328,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.3");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());