@kedaruma/revlm-client 1.0.10 → 1.0.13

package/dist/index.d.mts

@@ -173,6 +173,12 @@ type RevlmOptions = {
     provisionalAuthSecretMaster?: string;
     provisionalAuthDomain?: string;
     autoSetToken?: boolean;
+    autoRefreshOn401?: boolean;
+    sigv4SecretKey?: string;
+    sigv4AccessKey?: string;
+    sigv4Region?: string;
+    sigv4Service?: string;
+    sigv4Enabled?: boolean;
 };
 type RevlmResponse<T = any> = {
     ok: boolean;
@@ -191,6 +197,8 @@ declare class Revlm {
     private provisionalAuthSecretMaster;
     private provisionalAuthDomain;
     private autoSetToken;
+    private autoRefreshOn401;
+    private sigv4Signer;
     constructor(baseUrl: string, opts?: RevlmOptions);
     setToken(token: string): void;
     getToken(): string | undefined;
@@ -201,6 +209,9 @@ declare class Revlm {
     private makeHeaders;
     private parseResponse;
     private request;
+    private shouldSkipAuthRetry;
+    private signIfNeeded;
+    private requestWithRetry;
     login(authId: string, password: string): Promise<LoginResponse>;
     provisionalLogin(authId: string): Promise<ProvisionalLoginResponse>;
     registerUser(user: UserInput, password: string): Promise<RevlmResponse<any>>;

package/dist/index.d.ts

@@ -173,6 +173,12 @@ type RevlmOptions = {
     provisionalAuthSecretMaster?: string;
     provisionalAuthDomain?: string;
     autoSetToken?: boolean;
+    autoRefreshOn401?: boolean;
+    sigv4SecretKey?: string;
+    sigv4AccessKey?: string;
+    sigv4Region?: string;
+    sigv4Service?: string;
+    sigv4Enabled?: boolean;
 };
 type RevlmResponse<T = any> = {
     ok: boolean;
@@ -191,6 +197,8 @@ declare class Revlm {
     private provisionalAuthSecretMaster;
     private provisionalAuthDomain;
     private autoSetToken;
+    private autoRefreshOn401;
+    private sigv4Signer;
     constructor(baseUrl: string, opts?: RevlmOptions);
     setToken(token: string): void;
     getToken(): string | undefined;
@@ -201,6 +209,9 @@ declare class Revlm {
     private makeHeaders;
     private parseResponse;
     private request;
+    private shouldSkipAuthRetry;
+    private signIfNeeded;
+    private requestWithRetry;
     login(authId: string, password: string): Promise<LoginResponse>;
     provisionalLogin(authId: string): Promise<ProvisionalLoginResponse>;
     registerUser(user: UserInput, password: string): Promise<RevlmResponse<any>>;

package/dist/index.js

@@ -46,6 +46,8 @@ module.exports = __toCommonJS(index_exports);
 // src/Revlm.ts
 var import_bson = require("bson");
 var import_revlm_shared = require("@kedaruma/revlm-shared");
+var import_signature_v4 = require("@aws-sdk/signature-v4");
+var import_sha256_js = require("@aws-crypto/sha256-js");
 
 // src/MdbCollection.ts
 var MdbCollection = class {
@@ -155,6 +157,8 @@ var Revlm = class {
   provisionalAuthSecretMaster;
   provisionalAuthDomain;
   autoSetToken;
+  autoRefreshOn401;
+  sigv4Signer;
   constructor(baseUrl, opts = {}) {
     if (!baseUrl) throw new Error("baseUrl is required");
     this.baseUrl = baseUrl.replace(/\/$/, "");
@@ -164,6 +168,25 @@ var Revlm = class {
     this.provisionalAuthSecretMaster = opts.provisionalAuthSecretMaster || "";
     this.provisionalAuthDomain = opts.provisionalAuthDomain || "";
     this.autoSetToken = opts.autoSetToken ?? true;
+    this.autoRefreshOn401 = opts.autoRefreshOn401 || false;
+    const sigv4SecretKey = opts.sigv4SecretKey || process.env.REVLM_SIGV4_SECRET_KEY;
+    const sigv4AccessKey = opts.sigv4AccessKey || process.env.REVLM_SIGV4_ACCESS_KEY || "revlm-access";
+    const sigv4Region = opts.sigv4Region || process.env.REVLM_SIGV4_REGION || "revlm";
+    const sigv4Service = opts.sigv4Service || process.env.REVLM_SIGV4_SERVICE || "revlm";
+    const sigv4Enabled = opts.sigv4Enabled ?? true;
+    if (sigv4Enabled) {
+      if (!sigv4SecretKey) {
+        throw new Error("SigV4 is enabled but REVLM_SIGV4_SECRET_KEY or opts.sigv4SecretKey is not provided");
+      }
+      this.sigv4Signer = new import_signature_v4.SignatureV4({
+        credentials: { accessKeyId: sigv4AccessKey, secretAccessKey: sigv4SecretKey },
+        region: sigv4Region,
+        service: sigv4Service,
+        sha256: import_sha256_js.Sha256
+      });
+    } else {
+      this.sigv4Signer = null;
+    }
     if (!this.fetchImpl) {
       throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
     }
@@ -185,7 +208,7 @@ var Revlm = class {
   // On success, if autoSetToken is true and res.token is set, update the client token.
   async refreshToken() {
     if (!this._token) return { ok: false, error: "No token set" };
-    const res = await this.request("/refresh-token", "POST");
+    const res = await this.requestWithRetry("/refresh-token", "POST", void 0, { allowAuthRetry: false, retrying: false });
     if (this.autoSetToken && res && res.ok && res.token) {
       this.setToken(res.token);
     }
@@ -212,7 +235,7 @@ var Revlm = class {
       headers["Content-Type"] = "application/ejson";
     }
     if (this._token) {
-      headers["Authorization"] = `Bearer ${this._token}`;
+      headers["X-Revlm-JWT"] = `Bearer ${this._token}`;
     }
     return headers;
   }
@@ -230,6 +253,41 @@ var Revlm = class {
     }
   }
   async request(path, method = "POST", body) {
+    return this.requestWithRetry(path, method, body, { allowAuthRetry: this.autoRefreshOn401, retrying: false });
+  }
+  shouldSkipAuthRetry(path) {
+    const pathname = path.startsWith("http") ? new URL(path).pathname : path;
+    return pathname.includes("/login") || pathname.includes("/provisional-login") || pathname.includes("/refresh-token") || pathname.includes("/verify-token");
+  }
+  async signIfNeeded(url, method, headers, body) {
+    if (!this.sigv4Signer) {
+      return { signedUrl: url, signedHeaders: headers };
+    }
+    const u = new URL(url);
+    const signingHeaders = {
+      host: u.host,
+      ...headers
+    };
+    const reqToSign = {
+      method,
+      protocol: u.protocol,
+      path: u.pathname + (u.search || ""),
+      hostname: u.hostname,
+      headers: signingHeaders,
+      body: body ?? ""
+    };
+    if (u.port) {
+      reqToSign.port = Number(u.port);
+    }
+    const signed = await this.sigv4Signer.sign(reqToSign);
+    const signedHeaders = {};
+    Object.entries(signed.headers || {}).forEach(([k, v]) => {
+      signedHeaders[k] = Array.isArray(v) ? v.join(",") : String(v);
+    });
+    return { signedUrl: url, signedHeaders };
+  }
+  async requestWithRetry(path, method = "POST", body, opts = { allowAuthRetry: false, retrying: false }) {
+    const { allowAuthRetry, retrying } = opts;
     const url = path.startsWith("http") ? path : `${this.baseUrl}${path.startsWith("/") ? "" : "/"}${path}`;
     const hasBody = body !== void 0;
     const headers = this.makeHeaders(hasBody);
@@ -237,10 +295,11 @@ var Revlm = class {
     if (hasBody) {
       serializedBody = import_bson.EJSON.stringify(body);
     }
+    const { signedUrl, signedHeaders } = await this.signIfNeeded(url, method, headers, serializedBody);
     try {
-      const res = await this.fetchImpl(url, {
+      const res = await this.fetchImpl(signedUrl, {
         method,
-        headers,
+        headers: signedHeaders,
         body: serializedBody
       });
       const parsed = await this.parseResponse(res);
@@ -249,6 +308,12 @@ var Revlm = class {
       if (out && out.ok === false && !out.error) {
         out.error = parsed?.reason || parsed?.message || "Unknown error";
       }
+      if (allowAuthRetry && !retrying && res.status === 401 && !this.shouldSkipAuthRetry(path)) {
+        const refreshRes = await this.refreshToken();
+        if (refreshRes && refreshRes.ok && refreshRes.token) {
+          return this.requestWithRetry(path, method, body, { allowAuthRetry: false, retrying: true });
+        }
+      }
       return out;
     } catch (err) {
       return { ok: false, error: err?.message || String(err) };

package/dist/index.mjs

@@ -1,6 +1,8 @@
 // src/Revlm.ts
 import { EJSON } from "bson";
 import { AuthClient } from "@kedaruma/revlm-shared";
+import { SignatureV4 } from "@aws-sdk/signature-v4";
+import { Sha256 } from "@aws-crypto/sha256-js";
 
 // src/MdbCollection.ts
 var MdbCollection = class {
@@ -110,6 +112,8 @@ var Revlm = class {
   provisionalAuthSecretMaster;
   provisionalAuthDomain;
   autoSetToken;
+  autoRefreshOn401;
+  sigv4Signer;
   constructor(baseUrl, opts = {}) {
     if (!baseUrl) throw new Error("baseUrl is required");
     this.baseUrl = baseUrl.replace(/\/$/, "");
@@ -119,6 +123,25 @@ var Revlm = class {
     this.provisionalAuthSecretMaster = opts.provisionalAuthSecretMaster || "";
     this.provisionalAuthDomain = opts.provisionalAuthDomain || "";
     this.autoSetToken = opts.autoSetToken ?? true;
+    this.autoRefreshOn401 = opts.autoRefreshOn401 || false;
+    const sigv4SecretKey = opts.sigv4SecretKey || process.env.REVLM_SIGV4_SECRET_KEY;
+    const sigv4AccessKey = opts.sigv4AccessKey || process.env.REVLM_SIGV4_ACCESS_KEY || "revlm-access";
+    const sigv4Region = opts.sigv4Region || process.env.REVLM_SIGV4_REGION || "revlm";
+    const sigv4Service = opts.sigv4Service || process.env.REVLM_SIGV4_SERVICE || "revlm";
+    const sigv4Enabled = opts.sigv4Enabled ?? true;
+    if (sigv4Enabled) {
+      if (!sigv4SecretKey) {
+        throw new Error("SigV4 is enabled but REVLM_SIGV4_SECRET_KEY or opts.sigv4SecretKey is not provided");
+      }
+      this.sigv4Signer = new SignatureV4({
+        credentials: { accessKeyId: sigv4AccessKey, secretAccessKey: sigv4SecretKey },
+        region: sigv4Region,
+        service: sigv4Service,
+        sha256: Sha256
+      });
+    } else {
+      this.sigv4Signer = null;
+    }
     if (!this.fetchImpl) {
       throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
     }
@@ -140,7 +163,7 @@ var Revlm = class {
   // On success, if autoSetToken is true and res.token is set, update the client token.
   async refreshToken() {
     if (!this._token) return { ok: false, error: "No token set" };
-    const res = await this.request("/refresh-token", "POST");
+    const res = await this.requestWithRetry("/refresh-token", "POST", void 0, { allowAuthRetry: false, retrying: false });
     if (this.autoSetToken && res && res.ok && res.token) {
       this.setToken(res.token);
     }
@@ -167,7 +190,7 @@ var Revlm = class {
       headers["Content-Type"] = "application/ejson";
     }
     if (this._token) {
-      headers["Authorization"] = `Bearer ${this._token}`;
+      headers["X-Revlm-JWT"] = `Bearer ${this._token}`;
     }
     return headers;
   }
@@ -185,6 +208,41 @@ var Revlm = class {
     }
   }
   async request(path, method = "POST", body) {
+    return this.requestWithRetry(path, method, body, { allowAuthRetry: this.autoRefreshOn401, retrying: false });
+  }
+  shouldSkipAuthRetry(path) {
+    const pathname = path.startsWith("http") ? new URL(path).pathname : path;
+    return pathname.includes("/login") || pathname.includes("/provisional-login") || pathname.includes("/refresh-token") || pathname.includes("/verify-token");
+  }
+  async signIfNeeded(url, method, headers, body) {
+    if (!this.sigv4Signer) {
+      return { signedUrl: url, signedHeaders: headers };
+    }
+    const u = new URL(url);
+    const signingHeaders = {
+      host: u.host,
+      ...headers
+    };
+    const reqToSign = {
+      method,
+      protocol: u.protocol,
+      path: u.pathname + (u.search || ""),
+      hostname: u.hostname,
+      headers: signingHeaders,
+      body: body ?? ""
+    };
+    if (u.port) {
+      reqToSign.port = Number(u.port);
+    }
+    const signed = await this.sigv4Signer.sign(reqToSign);
+    const signedHeaders = {};
+    Object.entries(signed.headers || {}).forEach(([k, v]) => {
+      signedHeaders[k] = Array.isArray(v) ? v.join(",") : String(v);
+    });
+    return { signedUrl: url, signedHeaders };
+  }
+  async requestWithRetry(path, method = "POST", body, opts = { allowAuthRetry: false, retrying: false }) {
+    const { allowAuthRetry, retrying } = opts;
     const url = path.startsWith("http") ? path : `${this.baseUrl}${path.startsWith("/") ? "" : "/"}${path}`;
     const hasBody = body !== void 0;
     const headers = this.makeHeaders(hasBody);
@@ -192,10 +250,11 @@ var Revlm = class {
     if (hasBody) {
       serializedBody = EJSON.stringify(body);
     }
+    const { signedUrl, signedHeaders } = await this.signIfNeeded(url, method, headers, serializedBody);
     try {
-      const res = await this.fetchImpl(url, {
+      const res = await this.fetchImpl(signedUrl, {
         method,
-        headers,
+        headers: signedHeaders,
         body: serializedBody
       });
       const parsed = await this.parseResponse(res);
@@ -204,6 +263,12 @@ var Revlm = class {
       if (out && out.ok === false && !out.error) {
         out.error = parsed?.reason || parsed?.message || "Unknown error";
       }
+      if (allowAuthRetry && !retrying && res.status === 401 && !this.shouldSkipAuthRetry(path)) {
+        const refreshRes = await this.refreshToken();
+        if (refreshRes && refreshRes.ok && refreshRes.token) {
+          return this.requestWithRetry(path, method, body, { allowAuthRetry: false, retrying: true });
+        }
+      }
       return out;
     } catch (err) {
       return { ok: false, error: err?.message || String(err) };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kedaruma/revlm-client",
-  "version": "1.0.10",
+  "version": "1.0.13",
   "private": false,
   "description": "TypeScript client SDK for talking to the Revlm server replacement for MongoDB Realm.",
   "keywords": [
@@ -36,9 +36,11 @@
     "access": "public"
   },
   "dependencies": {
+    "@aws-sdk/signature-v4": "^3.374.0",
+    "@aws-crypto/sha256-js": "^5.2.0",
     "bson": "^6.10.4",
     "dotenv": "^17.2.3",
-    "@kedaruma/revlm-shared": "1.0.3"
+    "@kedaruma/revlm-shared": "1.0.4"
   },
   "devDependencies": {
     "tsup": "^8.5.1"