@guardian/pan-domain-node 0.5.1 → 1.1.0

package/CHANGELOG.md

@@ -1,5 +1,123 @@
 # @guardian/pan-domain-node
 
+## 1.1.0
+
+### Minor Changes
+
+- b762261: Download public key from S3 with AWS credential
+
+## 1.0.0
+
+### Major Changes
+
+- f91598a: # Changes
+  Adds a 24-hour grace period after cookie expiry, during which requests will still be considered authenticated.
+
+  This is modelled by changing `AuthenticatedStatus` into a discriminated union with the following properties (among others):
+
+  ### `success`
+
+  Whether to treat request as authenticated or not. **This will remain true after cookie expiry for the length of the grace period.**
+
+  [Almost all consumers](https://docs.google.com/spreadsheets/d/19XABaP9ua935TYJARkL8tstnizL69gIJ9av8C3UQBYw/edit?gid=0#gid=0) of this library check **only** the `AUTHORISED` status right now. These should all be able to switch to checking just this single boolean, implicitly getting grace period functionality in the process.
+
+  ### `shouldRefreshCredentials`
+
+  Whether to try and get fresh credentials.
+
+  This allows page endpoints to redirect to auth, and API endpoints to tell the frontend to show a warning message to the user.
+
+  ### `mustRefreshByEpochTimeMillis`
+
+  The time at which the grace period ends and the request will be treated as unauthenticated. This allows library consumers to warn the user in the app UI when they are near the end of the grace period, as Composer does: https://github.com/guardian/flexible-content/pull/5210
+
+  ```
+  Panda cookie:               issued     expires                       `mustRefreshByEpochTimeMillis`
+                              |          |                             |
+                              |--1 hour--|                             |
+  Grace period:                          [------------- 24 hours ------]
+
+  `success`:         --false-][-true-----------------------------------][-false-------->
+  `shouldRefreshCredentials`  [-false---][-true------------------------]
+  ```
+
+  # Why have we made this change?
+
+  The Panda authentication cookie expires after 1 hour, and top-level navigation requests (page loads) trigger automatic re-authentication after this point.
+
+  Unfortunately API requests cannot trigger re-authentication on their own, and background refresh mechanisms (e.g. iframe-based method used by [Pandular](https://github.com/guardian/pandular)) are increasingly blocked by browsers due to third-party cookie restrictions.
+
+  We would like to enforce a 24-hour grace period
+
+  # How to update consuming code
+
+  At a minimum, switch from
+
+  ```typescript
+  const authResult = await panda.verify(cookieHeader);
+  if (
+    authResult.status === AuthenticationStatus.AUTHORISED &&
+    authResult.user
+  ) {
+    return authResult.user.email;
+  }
+  ```
+
+  to
+
+  ```typescript
+  const authResult = await panda.verify(cookieHeader);
+  if (authResult.success) {
+    return authResult.user.email;
+  }
+  ```
+
+  This will implicitly give you grace period functionality, because `success` will remain true during the grace period.
+
+  However, we **strongly** recommend all consumers to take account of `shouldRefreshCredentials`. What you do with the result should depend on whether your endpoint can trigger re-auth.
+
+  ## Endpoints that can refresh credentials
+
+  Endpoints that **can** refresh credentials, e.g. page endpoints that can redirect to an auth flow, should send the user to re-auth if `shouldRefreshCredentials` is `true`:
+
+  ```typescript
+  const authResult = await panda.verify(headers.cookie);
+  if (authResult.success) {
+    if (authResult.shouldRefreshCredentials) {
+      // Send for auth
+    } else {
+      // Can perform action with user
+      return authResult.user;
+    }
+  }
+  ```
+
+  ## Endpoints that cannot refresh credentials
+
+  Endpoints that **cannot** refresh credentials, e.g. API endpoints, should log appropriately and return something to the client that can be used to warn the user that they need to refresh their session.
+
+  ```typescript
+  const authResult = await panda.verify(headers.cookie);
+  if (authResult.success) {
+    const user = authResult.user;
+    // Handle request
+    // When returning response:
+    if (authResult.shouldRefreshCredentials) {
+      const mustRefreshByEpochTimeMillis =
+        authResult.mustRefreshByEpochTimeMillis;
+      const remainingTime = mustRefreshByEpochTimeMillis - Date.now();
+      console.warn(
+        `Stale Panda auth, will expire in ${remainingTime} milliseconds`
+      );
+      // Can still return 200, but depending on the type of API,
+      // we may want to return some extra information so the client
+      // can warn the user they need to refresh their session.
+    } else {
+      // It's a fresh session. Nothing to worry about!
+    }
+  }
+  ```
+
 ## 0.5.1
 
 ### Patch Changes

package/CODEOWNERS

@@ -1 +1 @@
-* @guardian/digital-cms
+* @guardian/workflow-and-collaboration

package/README.md

@@ -14,23 +14,53 @@ functionality for signing and verifying login cookies in Scala.
 
 The `pan-domain-node` library provides an implementation of *verification only* for node apps.
 
-## To verify login in NodeJS
+## Grace period
+We continue to consider the request authenticated for a period of time after the cookie expiry.
 
-[![npm version](https://badge.fury.io/js/%40guardian%2Fpan-domain-node.svg)](https://badge.fury.io/js/%40guardian%2Fpan-domain-node)
+This is to allow API requests which cannot directly send the user for re-auth to indicate to the user that they must take some action to refresh their credentials (usually, refreshing the page).
+
+When the cookie is expired but we're still within this grace period, `shouldRefreshCredentials` will be `true`, which means:
+- Endpoints that can refresh credentials (e.g. page endpoints that can redirect) should do so
+- Endpoints that cannot refresh credentials (e.g. API endpoints) should tell the user to take some action to refresh credentials
 
+```
+Panda cookie:               issued     expires                       `mustRefreshByEpochTimeMillis`
+                            |          |                             |
+                            |--1 hour--|                             |
+Grace period:                          [------------- 24 hours ------]
+
+`success`:         --false-][-true-----------------------------------][-false-------->
+`shouldRefreshCredentials`  [-false---][-true------------------------]
+```
+
+## Example usage
+### Installation
+[![npm version](https://badge.fury.io/js/%40guardian%2Fpan-domain-node.svg)](https://badge.fury.io/js/%40guardian%2Fpan-domain-node)
 ```
 npm install --save-dev @guardian/pan-domain-node
 ```
 
+### Setup
+The library load the public key file from a S3 object.  Consuming applications can specify the S3 object via the arugments 'region', 'bucket' and 'keyFile' to the constructor of `PanDomainAuthentication` class as shown in the Initialisation below.
+
+Therefore, the application must run with an AWS credential that has read access to the S3 object in that bucket.
+
+You may refer to [Pan Domain authentication documentation](https://github.com/guardian/pan-domain-authentication) for details on how this authentication works. 
+
+### Initialisation
 ```typescript
 import { PanDomainAuthentication, AuthenticationStatus, User, guardianValidation } from '@guardian/pan-domain-node';
+import { fromIni } from "@aws-sdk/credential-providers";
+
+const credentialsProvider = fromIni();  // get credentials locally using the default profile
 
 const panda = new PanDomainAuthentication(
   "gutoolsAuth-assym", // cookie name
   "eu-west-1", // AWS region
   "pan-domain-auth-settings", // Settings bucket
   "local.dev-gutools.co.uk.settings.public", // Settings file
-  guardianValidation
+  guardianValidation,
+  credentialsProvider, // it can be omitted if the app runs in AWS cloud.  In this case, "fromNodeProviderChain" is used by default.
 );
 
 // alternatively customise the validation function and pass at construction
@@ -38,18 +68,39 @@ function customValidation(user: User): boolean {
   const isInCorrectDomain = user.email.indexOf('test.com') !== -1;
   return isInCorrectDomain && user.multifactor;
 }
+```
 
-// when handling a request
-function(request) {
-  // Pass the raw unparsed cookies
-  return panda.verify(request.headers['Cookie']).then(( { status, user }) => {
-    switch(status) {
-      case AuthenticationStatus.Authorised:
-        // Good user, handle the request!
-
-      default:
-        // Bad user. Return 4XX
+### Verification: page endpoints
+This is for endpoints that **can** refresh credentials, e.g. a page endpoint that can redirect to an auth flow:
+```typescript
+const authenticationResult = await panda.verify(headers.cookie);
+if (authenticationResult.success) {
+    if (authenticationResult.shouldRefreshCredentials) {
+        // Send for auth
+    } else {
+        // Can perform action with user
+        return authenticationResult.user;
     }
-  });
 }
 ```
+
+### Verification: API endpoints
+This is for endpoints that **cannot** refresh credentials, e.g. API endpoints:
+```typescript
+const authenticationResult = await panda.verify(headers.cookie);
+if (authenticationResult.success) {
+  const user = authenticationResult.user;
+  // Handle request
+  // When returning response:
+  if (authenticationResult.shouldRefreshCredentials) {
+    const mustRefreshByEpochTimeMillis = authenticationResult.mustRefreshByEpochTimeMillis;
+    const remainingTime = mustRefreshByEpochTimeMillis - Date.now();
+    console.warn(`Stale Panda auth, will expire in ${remainingTime} milliseconds`);
+    // Can still return 200, but depending on the type of API,
+    // we may want to return some extra information so the client
+    // can warn the user they need to refresh their session.
+   } else {
+    // It's a fresh session. Nothing to worry about!
+  }
+}
+```

package/dist/src/api.d.ts

@@ -1,10 +1,35 @@
 export { PanDomainAuthentication } from './panda';
-export declare enum AuthenticationStatus {
-    INVALID_COOKIE = "Invalid Cookie",
-    EXPIRED = "Expired",
-    NOT_AUTHORISED = "Not Authorised",
-    AUTHORISED = "Authorised"
+export declare const gracePeriodInMillis: number;
+interface Result {
+    success: boolean;
 }
+interface Success extends Result {
+    success: true;
+    shouldRefreshCredentials: boolean;
+    user: User;
+}
+interface Failure extends Result {
+    success: false;
+    reason: string;
+}
+export interface FreshSuccess extends Success {
+    shouldRefreshCredentials: false;
+}
+export interface StaleSuccess extends Success {
+    shouldRefreshCredentials: true;
+    mustRefreshByEpochTimeMillis: number;
+}
+export interface UserValidationFailure extends Failure {
+    reason: 'invalid-user';
+    user: User;
+}
+export interface CookieFailure extends Failure {
+    reason: 'no-cookie' | 'invalid-cookie' | 'expired-cookie';
+}
+export interface UnknownFailure extends Failure {
+    reason: 'unknown';
+}
+export type AuthenticationResult = FreshSuccess | StaleSuccess | CookieFailure | UserValidationFailure | UnknownFailure;
 export interface User {
     firstName: string;
     lastName: string;
@@ -15,9 +40,5 @@ export interface User {
     expires: number;
     multifactor: boolean;
 }
-export interface AuthenticationResult {
-    status: AuthenticationStatus;
-    user?: User;
-}
-export declare type ValidateUserFn = (user: User) => boolean;
+export type ValidateUserFn = (user: User) => boolean;
 export declare function guardianValidation(user: User): boolean;

package/dist/src/api.js

@@ -1,17 +1,22 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.guardianValidation = exports.AuthenticationStatus = void 0;
+exports.gracePeriodInMillis = exports.PanDomainAuthentication = void 0;
+exports.guardianValidation = guardianValidation;
 var panda_1 = require("./panda");
 Object.defineProperty(exports, "PanDomainAuthentication", { enumerable: true, get: function () { return panda_1.PanDomainAuthentication; } });
-var AuthenticationStatus;
-(function (AuthenticationStatus) {
-    AuthenticationStatus["INVALID_COOKIE"] = "Invalid Cookie";
-    AuthenticationStatus["EXPIRED"] = "Expired";
-    AuthenticationStatus["NOT_AUTHORISED"] = "Not Authorised";
-    AuthenticationStatus["AUTHORISED"] = "Authorised";
-})(AuthenticationStatus = exports.AuthenticationStatus || (exports.AuthenticationStatus = {}));
+// We continue to consider the request authenticated for
+// a period of time after the cookie expiry. This is to allow
+// API requests which cannot directly send the user for re-auth to
+// indicate to the user that they must take some action to refresh their
+// credentials (usually, refreshing the page).
+// Panda cookie:               issued     expires
+//                             |          |
+//                             |--1 hour--|
+// Grace period:                          [------------- 24 hours ------]
+// `success`:         --false-][-true-----------------------------------][-false-------->
+// `shouldRefreshCredentials`  [-false---][-true------------------------]
+exports.gracePeriodInMillis = 24 * 60 * 60 * 1000;
 function guardianValidation(user) {
     const isGuardianUser = user.email.indexOf('guardian.co.uk') !== -1;
     return isGuardianUser && user.multifactor;
 }
-exports.guardianValidation = guardianValidation;

package/dist/src/fetch-public-key.d.ts

@@ -1,5 +1,6 @@
+import { S3 } from "@aws-sdk/client-s3";
 export interface PublicKeyHolder {
     key: string;
     lastUpdated: Date;
 }
-export declare function fetchPublicKey(region: string, bucket: String, keyFile: String): Promise<PublicKeyHolder>;
+export declare function fetchPublicKey(s3: S3, bucket: string, keyFile: string): Promise<PublicKeyHolder>;

package/dist/src/fetch-public-key.js

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -11,30 +15,54 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 }) : function(o, v) {
     o["default"] = v;
 });
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fetchPublicKey = void 0;
+exports.fetchPublicKey = fetchPublicKey;
 const iniparser = __importStar(require("iniparser"));
 const utils_1 = require("./utils");
-function fetchPublicKey(region, bucket, keyFile) {
-    const path = `https://s3.${region}.amazonaws.com/${bucket}/${keyFile}`;
-    return utils_1.httpGet(path).then(response => {
-        const config = iniparser.parseString(response);
-        if (config.publicKey) {
-            return {
-                key: utils_1.base64ToPEM(config.publicKey, "PUBLIC"),
-                lastUpdated: new Date()
-            };
+function fetchPublicKey(s3, bucket, keyFile) {
+    const publicKeyLocation = {
+        Bucket: bucket,
+        Key: keyFile,
+    };
+    return s3.getObject(publicKeyLocation)
+        .then(({ Body }) => Body === null || Body === void 0 ? void 0 : Body.transformToString())
+        .then((pandaConfigIni) => {
+        if (!pandaConfigIni) {
+            throw Error(`could not read panda config ${JSON.stringify(publicKeyLocation)}`);
         }
         else {
-            throw new Error("Missing publicKey setting from config");
+            const config = iniparser.parseString(pandaConfigIni);
+            if (config.publicKey) {
+                return {
+                    key: (0, utils_1.base64ToPEM)(config.publicKey, "PUBLIC"),
+                    lastUpdated: new Date()
+                };
+            }
+            else {
+                console.log(`Failed to retrieve panda public key from ${JSON.stringify(config)}`);
+                throw new Error("Missing publicKey setting from config");
+            }
         }
+    })
+        .catch((error) => {
+        console.error(`Error fetching public key from S3: ${error}`);
+        throw error;
     });
 }
-exports.fetchPublicKey = fetchPublicKey;

package/dist/src/panda.d.ts

@@ -1,6 +1,7 @@
-/// <reference types="node" />
 import { User, AuthenticationResult, ValidateUserFn } from './api';
 import { PublicKeyHolder } from './fetch-public-key';
+import { S3 } from "@aws-sdk/client-s3";
+import { AwsCredentialIdentityProvider } from "@aws-sdk/types";
 export declare function createCookie(user: User, privateKey: string): string;
 export declare function verifyUser(pandaCookie: string | undefined, publicKey: string, currentTime: Date, validateUser: ValidateUserFn): AuthenticationResult;
 export declare class PanDomainAuthentication {
@@ -10,9 +11,10 @@ export declare class PanDomainAuthentication {
     keyFile: string;
     validateUser: ValidateUserFn;
     publicKey: Promise<PublicKeyHolder>;
-    keyCacheTime: number;
+    keyCacheTimeInMillis: number;
     keyUpdateTimer?: NodeJS.Timeout;
-    constructor(cookieName: string, region: string, bucket: string, keyFile: string, validateUser: ValidateUserFn);
+    s3Client: S3;
+    constructor(cookieName: string, region: string, bucket: string, keyFile: string, validateUser: ValidateUserFn, credentialsProvider?: AwsCredentialIdentityProvider);
     stop(): void;
     getPublicKey(): Promise<string>;
     verify(requestCookies: string): Promise<AuthenticationResult>;

package/dist/src/panda.js

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -11,19 +15,33 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 }) : function(o, v) {
     o["default"] = v;
 });
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.PanDomainAuthentication = exports.verifyUser = exports.createCookie = void 0;
+exports.PanDomainAuthentication = void 0;
+exports.createCookie = createCookie;
+exports.verifyUser = verifyUser;
 const cookie = __importStar(require("cookie"));
 const utils_1 = require("./utils");
 const api_1 = require("./api");
 const fetch_public_key_1 = require("./fetch-public-key");
+const client_s3_1 = require("@aws-sdk/client-s3");
+const credential_providers_1 = require("@aws-sdk/credential-providers");
 function createCookie(user, privateKey) {
     let queryParams = [];
     queryParams.push("firstName=" + user.firstName);
@@ -36,46 +54,87 @@ function createCookie(user, privateKey) {
     queryParams.push("multifactor=" + String(user.multifactor));
     const combined = queryParams.join("&");
     const queryParamsString = Buffer.from(combined).toString('base64');
-    const signature = utils_1.sign(combined, privateKey);
+    const signature = (0, utils_1.sign)(combined, privateKey);
     return queryParamsString + "." + signature;
 }
-exports.createCookie = createCookie;
 function verifyUser(pandaCookie, publicKey, currentTime, validateUser) {
     if (!pandaCookie) {
-        return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
+        return {
+            success: false,
+            reason: 'no-cookie'
+        };
+    }
+    const parsedCookie = (0, utils_1.parseCookie)(pandaCookie);
+    if (!parsedCookie) {
+        return {
+            success: false,
+            reason: 'invalid-cookie'
+        };
     }
-    const { data, signature } = utils_1.parseCookie(pandaCookie);
-    if (!utils_1.verifySignature(data, signature, publicKey)) {
-        return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
+    const { data, signature } = parsedCookie;
+    if (!(0, utils_1.verifySignature)(data, signature, publicKey)) {
+        return {
+            success: false,
+            reason: 'invalid-cookie'
+        };
     }
-    const currentTimestampInMilliseconds = currentTime.getTime();
+    const currentTimestampInMillis = currentTime.getTime();
     try {
-        const user = utils_1.parseUser(data);
-        const isExpired = user.expires < currentTimestampInMilliseconds;
+        const user = (0, utils_1.parseUser)(data);
+        const isExpired = user.expires < currentTimestampInMillis;
         if (isExpired) {
-            return { status: api_1.AuthenticationStatus.EXPIRED, user };
+            const gracePeriodEndsAtEpochTimeMillis = user.expires + api_1.gracePeriodInMillis;
+            if (gracePeriodEndsAtEpochTimeMillis < currentTimestampInMillis) {
+                return {
+                    success: false,
+                    reason: 'expired-cookie'
+                };
+            }
+            else {
+                return {
+                    success: true,
+                    shouldRefreshCredentials: true,
+                    mustRefreshByEpochTimeMillis: gracePeriodEndsAtEpochTimeMillis,
+                    user
+                };
+            }
         }
         if (!validateUser(user)) {
-            return { status: api_1.AuthenticationStatus.NOT_AUTHORISED, user };
+            return {
+                success: false,
+                reason: 'invalid-user',
+                user
+            };
         }
-        return { status: api_1.AuthenticationStatus.AUTHORISED, user };
+        return {
+            success: true,
+            shouldRefreshCredentials: false,
+            user
+        };
     }
     catch (error) {
         console.error(error);
-        return { status: api_1.AuthenticationStatus.INVALID_COOKIE };
+        return {
+            success: false,
+            reason: 'unknown'
+        };
     }
 }
-exports.verifyUser = verifyUser;
 class PanDomainAuthentication {
-    constructor(cookieName, region, bucket, keyFile, validateUser) {
-        this.keyCacheTime = 60 * 1000; // 1 minute
+    constructor(cookieName, region, bucket, keyFile, validateUser, credentialsProvider = (0, credential_providers_1.fromNodeProviderChain)()) {
+        this.keyCacheTimeInMillis = 60 * 1000; // 1 minute
         this.cookieName = cookieName;
         this.region = region;
         this.bucket = bucket;
         this.keyFile = keyFile;
         this.validateUser = validateUser;
-        this.publicKey = fetch_public_key_1.fetchPublicKey(region, bucket, keyFile);
-        this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTime);
+        const standardAwsConfig = {
+            region: region,
+            credentials: credentialsProvider,
+        };
+        this.s3Client = new client_s3_1.S3(standardAwsConfig);
+        this.publicKey = (0, fetch_public_key_1.fetchPublicKey)(this.s3Client, bucket, keyFile);
+        this.keyUpdateTimer = setInterval(() => this.getPublicKey(), this.keyCacheTimeInMillis);
     }
     stop() {
         if (this.keyUpdateTimer) {
@@ -87,8 +146,8 @@ class PanDomainAuthentication {
         return this.publicKey.then(({ key, lastUpdated }) => {
             const now = new Date();
             const diff = now.getTime() - lastUpdated.getTime();
-            if (diff > this.keyCacheTime) {
-                this.publicKey = fetch_public_key_1.fetchPublicKey(this.region, this.bucket, this.keyFile);
+            if (diff > this.keyCacheTimeInMillis) {
+                this.publicKey = (0, fetch_public_key_1.fetchPublicKey)(this.s3Client, this.bucket, this.keyFile);
                 return this.publicKey.then(({ key }) => key);
             }
             else {

package/dist/src/utils.d.ts

@@ -1,12 +1,14 @@
 import { User } from './api';
 export declare function decodeBase64(data: string): string;
-/**
- * Parse a pan-domain user cookie in to data and signature
- */
-export declare function parseCookie(cookie: string): {
+export type ParsedCookie = {
     data: string;
     signature: string;
 };
+/**
+ * Parse a pan-domain user cookie in to data and signature
+ * Validates that the cookie is properly formatted (two base64 strings separated by '.')
+ */
+export declare function parseCookie(cookie: string): ParsedCookie | undefined;
 /**
  * Verify signed data using nodeJs crypto library
  */