@levrbet/shared 0.1.76 → 0.1.77
package/dist/server/auth/kms.js
@@ -9,8 +9,32 @@ const client_kms_1 = require("@aws-sdk/client-kms");
9
9
const crypto_1 = require("crypto");
10
10
const dotenv_1 = require("../config/dotenv");
11
11
const cache_keys_utils_1 = require("../oracle/redis-cache-manager/cache.keys.utils");
12
-
13
-
12
+
const client_sts_1 = require("@aws-sdk/client-sts");
13
+
// Initialize KMS client with proper region
14
+
async function createKMSClientWithRole() {
15
+
const stsClient = new client_sts_1.STSClient({ region: "ap-south-1" });
16
+
const assumedRole = await stsClient.send(new client_sts_1.AssumeRoleCommand({
17
+
RoleArn: "arn:aws:iam::905418397427:role/levr-v1-ecs-task-execution-dev",
18
+
RoleSessionName: "kms-session",
19
+
}));
20
+
if (!assumedRole.Credentials) {
21
+
throw new Error("Failed to assume role for KMS access");
22
+
}
23
+
if (!assumedRole.Credentials.AccessKeyId ||
24
+
!assumedRole.Credentials.SecretAccessKey ||
25
+
!assumedRole.Credentials.SessionToken) {
26
+
throw new Error("Incomplete credentials received from assumed role");
27
+
}
28
+
const client = new client_kms_1.KMSClient({
29
+
region: "ap-south-1",
30
+
credentials: {
31
+
accessKeyId: assumedRole.Credentials.AccessKeyId,
32
+
secretAccessKey: assumedRole.Credentials.SecretAccessKey,
33
+
sessionToken: assumedRole.Credentials.SessionToken,
34
+
},
35
+
});
36
+
return client;
37
+
}
14
38
/**
15
39
* Generates a new API key using AWS KMS
16
40
* @returns {Promise<Object>} Object containing:
@@ -21,10 +45,11 @@ const client = new client_kms_1.KMSClient({ region: "ap-south" });
21
45
const generateApiKey = async (userId) => {
22
46
const keyId = (0, crypto_1.randomBytes)(8).toString("hex"); // Unique key identifier
23
47
const payload = `${userId}:${keyId}`;
48
+
const client = await createKMSClientWithRole();
24
49
const { Mac } = await client.send(new client_kms_1.GenerateMacCommand({
25
50
KeyId: dotenv_1.kmsEnvConfig.HMAC_KEY_ALIAS,
26
51
Message: Buffer.from(payload),
27
-
MacAlgorithm: "
52
+
MacAlgorithm: "HMAC_SHA_384",
28
53
}));
29
54
if (!Mac) {
30
55
throw new Error("Failed to generate HMAC");
@@ -49,11 +74,12 @@ const validateApiKey = async (apiKey, redis) => {
49
74
if (isRevoked == "1") {
50
75
return { isValid: false, reason: "Key revoked" };
51
76
}
77
+
const client = await createKMSClientWithRole();
52
78
const { MacValid } = await client.send(new client_kms_1.VerifyMacCommand({
53
79
KeyId: dotenv_1.kmsEnvConfig.HMAC_KEY_ALIAS,
54
80
Message: Buffer.from(payload),
55
81
Mac: Buffer.from(signature, "base64"),
56
-
MacAlgorithm: "
82
+
MacAlgorithm: "HMAC_SHA_384",
57
83
}));
58
84
if (!MacValid) {
59
85
return { isValid: false, reason: "Invalid signature" };
@@ -70,6 +96,7 @@ const revokeKey = async (keyId, apiKey) => {
70
96
if (providedKeyId !== keyId) {
71
97
throw new Error("Key ID mismatch during revocation");
72
98
}
99
+
const client = await createKMSClientWithRole();
73
100
// 2. Verify KMS signature before revocation
74
101
const { SignatureValid } = await client.send(new client_kms_1.VerifyCommand({
75
102
KeyId: dotenv_1.kmsEnvConfig.HMAC_KEY_ALIAS,
@@ -95,8 +122,9 @@ const generateHmacSignature = async (payload) => {
95
122
const command = new client_kms_1.GenerateMacCommand({
96
123
KeyId: dotenv_1.kmsEnvConfig.HMAC_KEY_ALIAS,
97
124
Message: Buffer.from(payload),
98
-
MacAlgorithm: "
125
+
MacAlgorithm: "HMAC_SHA_384",
99
126
});
127
+
const client = await createKMSClientWithRole();
100
128
const response = await client.send(command);
101
129
if (!response.Mac) {
102
130
throw new Error("Failed to generate HMAC signature");
@@ -115,6 +143,7 @@ const verifyHmacSignature = async (payload, signature) => {
115
143
Mac: Buffer.from(signature, "base64"),
116
144
MacAlgorithm: "HMAC_SHA_384",
117
145
});
146
+
const client = await createKMSClientWithRole();
118
147
const response = await client.send(command);
119
148
return response.MacValid || false;
120
149
}
@@ -1 +1 @@
1
-
{"version":3,"file":"kms.js","sourceRoot":"","sources":["../../../src/server/auth/kms.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,
1
+
{"version":3,"file":"kms.js","sourceRoot":"","sources":["../../../src/server/auth/kms.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACH,oDAAqG;AACrG,mCAAoC;AAEpC,6CAA+C;AAC/C,qFAAiF;AACjF,oDAAmE;AAGnE,2CAA2C;AAC3C,KAAK,UAAU,uBAAuB;IACpC,MAAM,SAAS,GAAG,IAAI,sBAAS,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC;IAE1D,MAAM,WAAW,GAAG,MAAM,SAAS,CAAC,IAAI,CACtC,IAAI,8BAAiB,CAAC;QACpB,OAAO,EAAE,+DAA+D;QACxE,eAAe,EAAE,aAAa;KAC/B,CAAC,CACD,CAAC;IAEF,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAEH,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,WAAW;QACpC,CAAC,WAAW,CAAC,WAAW,CAAC,eAAe;QACxC,CAAC,WAAW,CAAC,WAAW,CAAC,YAAY,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,sBAAS,CAAC;QAC3B,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE;YACX,WAAW,EAAE,WAAW,CAAC,WAAW,CAAC,WAAW;YAChD,eAAe,EAAE,WAAW,CAAC,WAAW,CAAC,eAAe;YACxD,YAAY,EAAE,WAAW,CAAC,WAAW,CAAC,YAAY;SACnD;KACF,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AACD;;;;;;GAMG;AACI,MAAM,cAAc,GAAG,KAAK,EAC/B,MAAc,EAIf,EAAE;IACD,MAAM,KAAK,GAAG,IAAA,oBAAW,EAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA,CAAC,wBAAwB;IACrE,MAAM,OAAO,GAAG,GAAG,MAAM,IAAI,KAAK,EAAE,CAAA;IAEpC,MAAM,MAAM,GAAG,MAAM,uBAAuB,EAAE,CAAC;IAE/C,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAC7B,IAAI,+BAAkB,CAAC;QACnB,KAAK,EAAE,qBAAY,CAAC,cAAc;QAClC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;QAC7B,YAAY,EAAE,cAAc;KAC/B,CAAC,CACL,CAAA;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAA;IAC9C,CAAC;IAED,OAAO;QACH,MAAM,EAAE,GAAG,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,iCAAiC;QAC9F,KAAK;KACR,CAAA;AACL,CAAC,CAAA;AA3BY,QAAA,cAAc,kBA2B1B;AAED;;;;;GAKG;AACI,MAAM,cAAc,GAAG,KAAK,EAC/B,MAAc,EACd,KAAY,EAKb,EAAE;IACD,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9C,MAAM,CAAC,EAAE,KAAK,CAAC,GAAG,OAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAErC,sCAAsC;IACtC,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,IAAA,mCAAgB,EAAC,KAAe,CAAC,CAAC,CAAA,CAAC,mCAAmC;IAExG,IAAI,SAAS,IAAI,GAAG,EAAE,CAAC;Q
ACnB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IAEpD,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,uBAAuB,EAAE,CAAC;IAE/C,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAClC,IAAI,6BAAgB,CAAC;QACjB,KAAK,EAAE,qBAAY,CAAC,cAAc;QAClC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAiB,CAAC;QACvC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,SAAmB,EAAE,QAAQ,CAAC;QAC/C,YAAY,EAAE,cAAc;KAC/B,CAAC,CACL,CAAA;IAED,IAAI,CAAC,QAAQ,EAAE,CAAC;QACZ,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IAC1D,CAAC;IAED,OAAO;QACH,OAAO,EAAE,QAAQ;QACjB,KAAK;KACR,CAAA;AACL,CAAC,CAAA;AAtCY,QAAA,cAAc,kBAsC1B;AAEM,MAAM,SAAS,GAAG,KAAK,EAAE,KAAa,EAAE,MAAc,EAAiB,EAAE;IAC5E,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9C,MAAM,CAAC,EAAE,aAAa,CAAC,GAAG,OAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC7C,IAAI,aAAa,KAAK,KAAK,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;IACxD,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,uBAAuB,EAAE,CAAC;IAC/C,4CAA4C;IAC5C,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CACxC,IAAI,0BAAa,CAAC;QACd,KAAK,EAAE,qBAAY,CAAC,cAAc;QAClC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAQ,CAAC;QAC9B,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,SAAU,EAAE,QAAQ,CAAC;QAC5C,gBAAgB,EAAE,eAAe;KACpC,CAAC,CACL,CAAA;IAED,IAAI,CAAC,cAAc,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAA;IAC1D,CAAC;AACL,CAAC,CAAA;AApBY,QAAA,SAAS,aAoBrB;AAED;;;GAGG;AACH,oCAAoC;AAC7B,MAAM,iBAAiB,GAAG,KAAK,EAAE,KAAa,EAAE,KAAY,EAAiB,EAAE;IAClF,MAAM,KAAK,CAAC,GAAG,CAAC,WAAW,KAAK,EAAE,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC,CAAA;AAFY,QAAA,iBAAiB,qBAE7B;AAEM,MAAM,qBAAqB,GAAG,KAAK,EAAE,OAAe,EAAmB,EAAE;IAC5E,MAAM,OAAO,GAAG,IAAI,+BAAkB,CAAC;QACnC,KAAK,EAAE,qBAAY,CAAC,cAAc;QAClC,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;QAC7B,YAAY,EAAE,cAAc;KAC/B,CAAC,CAAA;IAEF,MAAM,MAAM,GAAG,MAAM,uBAAuB,EAAE,CAAA;IAE9C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAC3C,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAA;IACxD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AACvD,CAAC,CAAA;AAdY,QAAA,qBAAqB,yBAcjC;AAED;;GAEG;AAC
I,MAAM,mBAAmB,GAAG,KAAK,EAAE,OAAe,EAAE,SAAiB,EAAoB,EAAE;IAC9F,IAAI,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,6BAAgB,CAAC;YACjC,KAAK,EAAE,qBAAY,CAAC,cAAc,EAAE,mEAAmE;YACvG,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;YAC7B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC;YACrC,YAAY,EAAE,cAAc;SAC/B,CAAC,CAAA;QAEF,MAAM,MAAM,GAAG,MAAM,uBAAuB,EAAE,CAAA;QAE9C,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAC3C,OAAO,QAAQ,CAAC,QAAQ,IAAI,KAAK,CAAA;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAA;QACjD,OAAO,KAAK,CAAA;IAChB,CAAC;AACL,CAAC,CAAA;AAjBY,QAAA,mBAAmB,uBAiB/B"}
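Review bot: `createKMSClientWithRole` bakes the account-specific role ARN `arn:aws:iam::905418397427:role/levr-v1-ecs-task-execution-dev` and the region `"ap-south-1"` into the published dist of a shared package, while the key alias on the same call sites is already read from `dotenv_1.kmsEnvConfig.HMAC_KEY_ALIAS`; the role ARN and region should come from that config too (e.g. `RoleArn: dotenv_1.kmsEnvConfig.KMS_ROLE_ARN`, key name illustrative) so consumers are not tied to one account's dev role and the account id is not shipped in a public artifact. Every caller (`generateApiKey`, `validateApiKey`, `revokeKey`, `generateHmacSignature`, `verifyHmacSignature`, whose bodies continue outside their hunks) now runs a fresh STS `AssumeRole` and constructs a new `KMSClient` per operation, so each API-key validation pays an extra STS round trip and is exposed to STS throttling; building one client with a refreshing credential provider (`fromTemporaryCredentials` from `@aws-sdk/credential-providers` wraps exactly this role assumption and caches the session until it expires) keeps the role boundary without the per-call cost. The `MacAlgorithm` values in `generateApiKey`, `validateApiKey` and `generateHmacSignature` are changed to `"HMAC_SHA_384"`; the removed values are truncated in this rendering, but if they differed, keys and signatures issued before 0.1.77 will fail `VerifyMac`, and the release should state whether existing keys must be re-issued or a dual-verify window is provided. The comment `// Initialize KMS client with proper region` no longer describes the function; a JSDoc saying it assumes the configured role on every call, returns a `KMSClient` bound to that role's session credentials, and throws when STS returns no or incomplete credentials would document the new contract.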
package/package.json
@@ -1,6 +1,6 @@
1
1
{
2
2
"name": "@levrbet/shared",
3
-
"version": "0.1.
3
+
"version": "0.1.77",
4
4
"main": "dist/index.js",
5
5
"types": "dist/index.d.ts",
6
6
"exports": {
@@ -56,6 +56,7 @@
56
56
},
57
57
"dependencies": {
58
58
"@aws-sdk/client-kms": "^3.899.0",
59
+
"@aws-sdk/client-sts": "^3.913.0",
59
60
"@opentelemetry/api": "^1.9.0",
60
61
"@opentelemetry/auto-instrumentations-node": "0.64.6",
61
62
"@opentelemetry/exporter-metrics-otlp-http": "^0.205.0",