@hot-updater/aws 0.27.1 → 0.29.0

package/dist/{index.js → index.mjs}

@@ -1,11 +1,12 @@
-import { CloudFrontClient, CreateInvalidationCommand } from "@aws-sdk/client-cloudfront";
+import { CloudFrontClient, CreateInvalidationCommand, GetInvalidationCommand } from "@aws-sdk/client-cloudfront";
 import { DeleteObjectCommand, DeleteObjectsCommand, GetObjectCommand, ListObjectsV2Command, NoSuchKey, S3Client } from "@aws-sdk/client-s3";
 import { Upload } from "@aws-sdk/lib-storage";
 import { createBlobDatabasePlugin, createStorageKeyBuilder, createStoragePlugin, getContentType, parseStorageUri } from "@hot-updater/plugin-core";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 import fs from "fs/promises";
 import path from "path";
-
+import { SSM } from "@aws-sdk/client-ssm";
+import { getSignedUrl as getSignedUrl$1 } from "@aws-sdk/cloudfront-signer";
 //#region ../../node_modules/.pnpm/mime@4.0.4/node_modules/mime/dist/types/other.js
 const types$1 = {
 	"application/prs.cww": ["cww"],
@@ -819,8 +820,6 @@ const types$1 = {
 	"x-conference/x-cooltalk": ["ice"]
 };
 Object.freeze(types$1);
-var other_default = types$1;
-
 //#endregion
 //#region ../../node_modules/.pnpm/mime@4.0.4/node_modules/mime/dist/types/standard.js
 const types = {
@@ -1266,11 +1265,9 @@ const types = {
 	"video/webm": ["webm"]
 };
 Object.freeze(types);
-var standard_default = types;
-
 //#endregion
 //#region ../../node_modules/.pnpm/mime@4.0.4/node_modules/mime/dist/src/Mime.js
-var __classPrivateFieldGet = void 0 && (void 0).__classPrivateFieldGet || function(receiver, state, kind, f) {
+var __classPrivateFieldGet = function(receiver, state, kind, f) {
 	if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
 	if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
 	return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
@@ -1304,11 +1301,11 @@ var Mime = class {
 		}
 		return this;
 	}
-	getType(path$1) {
-		if (typeof path$1 !== "string") return null;
-		const last = path$1.replace(/^.*[/\\]/, "").toLowerCase();
+	getType(path) {
+		if (typeof path !== "string") return null;
+		const last = path.replace(/^.*[/\\]/, "").toLowerCase();
 		const ext = last.replace(/^.*\./, "").toLowerCase();
-		const hasPath = last.length < path$1.length;
+		const hasPath = last.length < path.length;
 		if (!(ext.length < last.length - 1) && hasPath) return null;
 		return __classPrivateFieldGet(this, _Mime_extensionToType, "f").get(ext) ?? null;
 	}
@@ -1337,12 +1334,44 @@ var Mime = class {
 	}
 };
 _Mime_extensionToType = /* @__PURE__ */ new WeakMap(), _Mime_typeToExtension = /* @__PURE__ */ new WeakMap(), _Mime_typeToExtensions = /* @__PURE__ */ new WeakMap();
-var Mime_default = Mime;
-
 //#endregion
 //#region ../../node_modules/.pnpm/mime@4.0.4/node_modules/mime/dist/src/index.js
-var src_default = new Mime_default(standard_default, other_default)._freeze();
-
+var src_default = new Mime(types, types$1)._freeze();
+//#endregion
+//#region src/runtimeAwsConfig.ts
+const truthyValues = new Set([
+	"1",
+	"true",
+	"yes",
+	"on"
+]);
+const isTruthy = (value) => {
+	if (!value) return false;
+	return truthyValues.has(value.toLowerCase());
+};
+const getAwsEndpointUrl = () => {
+	return process.env.AWS_ENDPOINT_URL?.trim() || void 0;
+};
+const shouldForcePathStyle = (forcePathStyle, endpoint) => {
+	if (forcePathStyle !== void 0) return forcePathStyle;
+	if (isTruthy(process.env.AWS_S3_FORCE_PATH_STYLE)) return true;
+	return endpoint !== void 0;
+};
+const applyS3RuntimeAwsConfig = (config) => {
+	const endpoint = config.endpoint ?? getAwsEndpointUrl();
+	return {
+		...config,
+		endpoint,
+		forcePathStyle: shouldForcePathStyle(config.forcePathStyle, endpoint)
+	};
+};
+const applySsmRuntimeAwsConfig = (config) => {
+	const endpoint = config.endpoint ?? getAwsEndpointUrl();
+	return {
+		...config,
+		endpoint
+	};
+};
 //#endregion
 //#region src/utils/streamToString.ts
 const streamToString = (stream) => {
@@ -1353,9 +1382,11 @@ const streamToString = (stream) => {
 		stream.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
 	});
 };
-
 //#endregion
 //#region src/s3Database.ts
+const DEFAULT_INVALIDATION_POLL_INTERVAL_MS = 2e3;
+const DEFAULT_INVALIDATION_TIMEOUT_MS = 300 * 1e3;
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
 /**
 * Loads JSON data from S3.
 * Returns null if NoSuchKey error occurs.
@@ -1413,25 +1444,49 @@ async function deleteObjectInS3(client, bucketName, key) {
 /**
 * Invalidates CloudFront cache for the given paths.
 */
-async function invalidateCloudFront(client, distributionId, paths) {
+async function invalidateCloudFront(client, distributionId, paths, options) {
 	if (paths.length === 0) return;
 	const timestamp = Date.now();
-	await client.send(new CreateInvalidationCommand({
-		DistributionId: distributionId,
-		InvalidationBatch: {
-			CallerReference: `invalidation-${timestamp}`,
-			Paths: {
-				Quantity: paths.length,
-				Items: paths
+	try {
+		const response = await client.send(new CreateInvalidationCommand({
+			DistributionId: distributionId,
+			InvalidationBatch: {
+				CallerReference: `invalidation-${timestamp}`,
+				Paths: {
+					Quantity: paths.length,
+					Items: paths
+				}
 			}
+		}));
+		if (!options?.shouldWaitForInvalidation) return;
+		const invalidationId = response.Invalidation?.Id;
+		if (!invalidationId) throw new Error("CloudFront invalidation response is missing Invalidation.Id");
+		if (response.Invalidation?.Status === "Completed") return;
+		const timeoutMs = DEFAULT_INVALIDATION_TIMEOUT_MS;
+		const pollIntervalMs = DEFAULT_INVALIDATION_POLL_INTERVAL_MS;
+		const deadline = Date.now() + timeoutMs;
+		while (Date.now() < deadline) {
+			await sleep(pollIntervalMs);
+			if ((await client.send(new GetInvalidationCommand({
+				DistributionId: distributionId,
+				Id: invalidationId
+			}))).Invalidation?.Status === "Completed") return;
 		}
-	}));
+		throw new Error(`Timed out waiting for CloudFront invalidation ${invalidationId} to complete after ${timeoutMs}ms`);
+	} catch (error) {
+		if (options?.shouldWaitForInvalidation) throw error;
+		const message = error instanceof Error ? error.message : "Unknown invalidation error";
+		console.warn(`[hot-updater/aws] CloudFront invalidation failed for distribution ${distributionId}; continuing without cache invalidation.`, {
+			error: message,
+			paths
+		});
+	}
 }
 const s3Database = createBlobDatabasePlugin({
 	name: "s3Database",
 	factory: (config) => {
-		const { bucketName, cloudfrontDistributionId, apiBasePath = "/api/check-update",...s3Config } = config;
-		const client = new S3Client(s3Config);
+		const { bucketName, cloudfrontDistributionId, apiBasePath = "/api/check-update", shouldWaitForInvalidation = false, ...s3Config } = config;
+		const client = new S3Client(applyS3RuntimeAwsConfig(s3Config));
 		const cloudfrontClient = cloudfrontDistributionId ? new CloudFrontClient({
 			credentials: s3Config.credentials,
 			region: s3Config.region
@@ -1443,21 +1498,20 @@ const s3Database = createBlobDatabasePlugin({
 			uploadObject: (key, data) => uploadJsonToS3(client, bucketName, key, data),
 			deleteObject: (key) => deleteObjectInS3(client, bucketName, key),
 			invalidatePaths: (pathsToInvalidate) => {
-				if (cloudfrontClient && cloudfrontDistributionId && pathsToInvalidate.length > 0) return invalidateCloudFront(cloudfrontClient, cloudfrontDistributionId, pathsToInvalidate);
+				if (cloudfrontClient && cloudfrontDistributionId && pathsToInvalidate.length > 0) return invalidateCloudFront(cloudfrontClient, cloudfrontDistributionId, pathsToInvalidate, { shouldWaitForInvalidation });
 				return Promise.resolve();
 			}
 		};
 	}
 });
-
 //#endregion
 //#region src/s3Storage.ts
 const s3Storage = createStoragePlugin({
 	name: "s3Storage",
 	supportedProtocol: "s3",
 	factory: (config) => {
-		const { bucketName,...s3Config } = config;
-		const client = new S3Client(s3Config);
+		const { bucketName, ...s3Config } = config;
+		const client = new S3Client(applyS3RuntimeAwsConfig(s3Config));
 		const getStorageKey = createStorageKeyBuilder(config.basePath);
 		return {
 			async delete(storageUri) {
@@ -1518,6 +1572,74 @@ const s3Storage = createStoragePlugin({
 		};
 	}
 });
-
 //#endregion
-export { s3Database, s3Storage };
+//#region src/withCloudFrontSignedUrl.ts
+const ONE_YEAR_IN_SECONDS = 3600 * 24 * 365;
+const privateKeyCache = /* @__PURE__ */ new Map();
+const getPrivateKeyFromSsm = async (region, parameterName) => {
+	if (!region) throw new Error(`Invalid AWS region format: ${region}. Expected format like 'us-east-1' or 'ap-southeast-1'`);
+	const parameter = (await new SSM(applySsmRuntimeAwsConfig({ region })).getParameter({
+		Name: parameterName,
+		WithDecryption: true
+	})).Parameter;
+	if (!parameter) throw new Error(`Failed to retrieve private key from SSM parameter: ${parameterName}`);
+	const parameterValue = parameter.Value;
+	if (!parameterValue) throw new Error(`Failed to retrieve private key from SSM parameter: ${parameterName}`);
+	let keyPair;
+	try {
+		keyPair = JSON.parse(parameterValue);
+	} catch (error) {
+		throw new Error(`Invalid JSON format in SSM parameter: ${parameterName}. ${error instanceof Error ? error.message : String(error)}`);
+	}
+	const privateKey = keyPair.privateKey;
+	if (!privateKey || typeof privateKey !== "string") throw new Error(`Invalid private key format in SSM parameter: ${parameterName}`);
+	return privateKey;
+};
+const resolvePrivateKey = (config) => {
+	if ("getPrivateKey" in config && typeof config.getPrivateKey === "function") return config.getPrivateKey();
+	const cacheKey = `${config.ssmRegion}:${config.ssmParameterName}`;
+	const cachedPrivateKey = privateKeyCache.get(cacheKey);
+	if (cachedPrivateKey) return cachedPrivateKey;
+	const privateKeyPromise = getPrivateKeyFromSsm(config.ssmRegion, config.ssmParameterName).catch((error) => {
+		privateKeyCache.delete(cacheKey);
+		throw error;
+	});
+	privateKeyCache.set(cacheKey, privateKeyPromise);
+	return privateKeyPromise;
+};
+const resolvePublicBaseUrl = async (config, context) => {
+	const publicBaseUrl = typeof config.publicBaseUrl === "function" ? await config.publicBaseUrl(context) : config.publicBaseUrl;
+	if (!publicBaseUrl) throw new Error("CloudFront publicBaseUrl resolver returned an empty URL");
+	return publicBaseUrl;
+};
+const withCloudFrontSignedUrl = (storageFactory, config) => {
+	return () => {
+		const baseStorage = storageFactory();
+		return {
+			...baseStorage,
+			name: `${baseStorage.name}WithCloudFrontSignedUrl`,
+			async getDownloadUrl(storageUri, context) {
+				const storageUrl = new URL(storageUri);
+				if (storageUrl.protocol !== "s3:") return baseStorage.getDownloadUrl(storageUri, context);
+				const [privateKey, publicBaseUrl] = await Promise.all([resolvePrivateKey(config), resolvePublicBaseUrl(config, context)]);
+				const url = new URL(publicBaseUrl);
+				url.pathname = storageUrl.pathname;
+				url.search = "";
+				return { fileUrl: getSignedUrl$1({
+					url: url.toString(),
+					keyPairId: config.keyPairId,
+					privateKey,
+					dateLessThan: new Date(Date.now() + (config.expiresSeconds ?? ONE_YEAR_IN_SECONDS) * 1e3).toISOString()
+				}) };
+			}
+		};
+	};
+};
+//#endregion
+//#region src/s3LambdaEdgeStorage.ts
+const awsLambdaEdgeStorage = (config, hooks) => {
+	return withCloudFrontSignedUrl(s3Storage(config, hooks), config);
+};
+const s3LambdaEdgeStorage = awsLambdaEdgeStorage;
+//#endregion
+export { awsLambdaEdgeStorage, s3Database, s3LambdaEdgeStorage, s3Storage, withCloudFrontSignedUrl };