@lighthouse/common 4.37.0-canary-4 → 4.37.0-canary-5

package/dist/helpers/fetch-image/index.js

@@ -50,7 +50,7 @@ function fetchImage(url, options = {}) {
   };
   const applicationId = options.applicationId;
 
-  if (url.contains('.cloudfront.net')) {
+  if (url && url.includes('.cloudfront.net')) {
     fetchOptions.credentials = 'include'; // Ensure cookies are sent with the request
 
     const signedCookies = (0, _getCloudfrontCookies.generateCloudFrontCookies)({

package/dist/helpers/get-cloudfront-cookies/index.js

@@ -1,19 +1,18 @@
 "use strict";
 
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+
 Object.defineProperty(exports, "__esModule", {
   value: true
 });
 exports.generateCloudFrontCookies = generateCloudFrontCookies;
 
-const {
-  getSignedCookies
-} = require('@aws-sdk/cloudfront-signer');
+var _awsSdk = _interopRequireDefault(require("aws-sdk"));
+
+var _getSecretValue = require("../get-secret-value");
 
-const {
-  getSecretValue
-} = require('../get-secret-value');
+const getSignedCookies = _awsSdk.default.CloudFront.Signer.getSignedCookies;
 
-const logger = require('../../logger');
 /**
  * Generate CloudFront signed cookies for authenticated users
  * @param {Object} options - Configuration options
@@ -27,15 +26,13 @@ const logger = require('../../logger');
  *   "CloudFront-Policy"?: string
  * } | null>} Signed cookies object or null if disabled/failed
  */
-
-
 async function generateCloudFrontCookies({
   userId,
   applicationId
 }) {
   // Early return if CloudFront is not configured
   if (!process.env.CLOUDFRONT_DOMAIN || !process.env.CLOUDFRONT_KEY_PAIR_ID) {
-    logger.debug('CloudFront cookie generation skipped - not configured');
+    console.debug('CloudFront cookie generation skipped - not configured');
     return null;
   }
 
@@ -44,7 +41,7 @@ async function generateCloudFrontCookies({
     const privateKey = await getPrivateKey();
 
     if (!privateKey) {
-      logger.warn('CloudFront private key not available');
+      console.warn('CloudFront private key not available');
       return null;
     } // Set expiration time (14 days from now)
 
@@ -63,7 +60,7 @@ async function generateCloudFrontCookies({
       dateLessThan: expiration.getTime() // Use epoch timestamp in milliseconds
 
     });
-    logger.info('CloudFront cookies generated successfully', {
+    console.info('CloudFront cookies generated successfully', {
       userId,
       applicationId,
       resourcePath,
@@ -71,7 +68,7 @@ async function generateCloudFrontCookies({
     });
     return signedCookies;
   } catch (error) {
-    logger.error('Failed to generate CloudFront cookies', {
+    console.error('Failed to generate CloudFront cookies', {
       userId,
       applicationId,
       error: {
@@ -95,18 +92,18 @@ async function getPrivateKey() {
   }
 
   if (!process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID) {
-    logger.warn('CLOUDFRONT_PRIVATE_KEY_SECRET_ID not configured');
+    console.warn('CLOUDFRONT_PRIVATE_KEY_SECRET_ID not configured');
     return null;
   }
 
   try {
-    const privateKey = await getSecretValue(process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID, 'CLOUDFRONT_PRIVATE_KEY');
+    const privateKey = await (0, _getSecretValue.getSecretValue)(process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID, 'CLOUDFRONT_PRIVATE_KEY');
     privateKeyCache = privateKey;
     cacheExpiry = now + CACHE_TTL;
-    logger.debug('CloudFront private key retrieved and cached');
+    console.debug('CloudFront private key retrieved and cached');
     return privateKey;
   } catch (error) {
-    logger.error('Failed to retrieve CloudFront private key', {
+    console.error('Failed to retrieve CloudFront private key', {
       secretId: process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID,
       error: {
         message: error.message,

package/dist/helpers/get-secret-value/index.js

@@ -7,7 +7,7 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.default = getSecretValue;
 
-var _clientSecretsManager = _interopRequireDefault(require("@aws-sdk/client-secrets-manager"));
+var _awsSdk = _interopRequireDefault(require("aws-sdk"));
 
 var _lodash = require("lodash");
 
@@ -17,7 +17,7 @@ function getSecretValue(secretId, secretKey) {
   } // TODO: update these credentials to specific values for service
 
 
-  const secretsClient = new _clientSecretsManager.default({
+  const secretsClient = new _awsSdk.default.SecretsManager({
     accessKeyId: process.env.AWS_KEY,
     region: process.env.AWS_SECRET_MANAGER_REGION,
     secretAccessKey: process.env.AWS_SECRET

package/lib/helpers/fetch-image/index.js

@@ -40,7 +40,7 @@ export function fetchImage(url) {
 
   var applicationId = options.applicationId;
 
-  if (url.contains('.cloudfront.net')) {
+  if (url && url.includes('.cloudfront.net')) {
     fetchOptions.credentials = 'include'; // Ensure cookies are sent with the request
 
     var signedCookies = generateCloudFrontCookies({

package/lib/helpers/fetch-image/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/helpers/fetch-image/index.js"],"names":["atob","btoa","fetchPonyfill","Promise","LIGHTHOUSE_LOGO_URL","imageNotFound","generateCloudFrontCookies","fetch","self","contentTypes","defaultOptions","cache","fetchImage","url","options","encodedUrl","encodeURI","fetchOptions","applicationId","contains","credentials","signedCookies","userId","headers","Cookie","Object","entries","map","key","value","join","isHeader","then","response","contentHeader","get","contentType","reject","Error","ok","imageType","arrayBuffer","buffer","base64Flag","imageStr","arrayBufferToBase64","base64","isValid","validateBase64Image","catch","error","console","binary","bytes","slice","call","Uint8Array","forEach","b","String","fromCharCode","base64String","isJpeg","startsWith","validateJpegImage","isPng","validatePngImage","base64string","src","imageData","from","replace","c","charCodeAt","imageCorrupted","length","sequence","i"],"mappings":";;;;;;;;AAAA,SAASA,IAAT,EAAeC,IAAf,QAA2B,kBAA3B;AACA,OAAOC,aAAP,MAA0B,gBAA1B;AACA,OAAOC,OAAP,MAAoB,UAApB;AACA,SAASC,mBAAT,QAAoC,iBAApC;AACA,SAASC,aAAT,QAA8B,cAA9B;AACA,SAASC,yBAAT,QAA0C,2BAA1C,C,CACA;AACA;AACA;;AACA,IAAMC,KAAK,GACR,QAAOC,IAAP,yCAAOA,IAAP,OAAgB,QAAhB,IAA4BA,IAAI,CAACD,KAAlC,IAA4CL,aAAa,CAAC;AAAEC,EAAAA,OAAO,EAAPA;AAAF,CAAD,CAAb,CAA2BI,KADzE;AAGA,IAAME,YAAY,GAAG;AACnB,eAAa,KADM;AAEnB,gBAAc;AAFK,CAArB;AAKA,IAAMC,cAAc,GAAG;AACrB;AACA;AACA;AACA;AACA;AACA;AACA;AACAC,EAAAA,KAAK,EAAE;AARc,CAAvB;AAWA,OAAO,SAASC,UAAT,CAAoBC,GAApB,EAAuC;AAAA,MAAdC,OAAc,uEAAJ,EAAI;AAC5C,MAAMC,UAAU,GAAGC,SAAS,CAACH,GAAD,CAA5B;;AACA,MAAMI,YAAY,mCACbP,cADa,GAEbI,OAFa,CAAlB;;AAKA,MAAMI,aAAa,GAAGJ,OAAO,CAACI,aAA9B;;AAEA,MAAIL,GAAG,CAACM,QAAJ,CAAa,iBAAb,CAAJ,EAAqC;AACnCF,IAAAA,YAAY,CAACG,WAAb,GAA2B,SAA3B,CADmC,CACE;;AAErC,QAAMC,aAAa,GAAGf,yBAAyB,CAAC;AAC9CgB,MAAAA,MAAM,EAAE,WADsC;AAE9CJ,MAAAA,aAAa,EAAbA;AAF8C,KAAD,CAA/C;AAKAD,IAAAA,YAAY,CAACM,OAAb,CAAqBC,MAArB,GAA8BC,MAAM,CAACC,OAAP,CAAeL,aAAf,EAC3BM,GAD2B,CACvB;AAAA;AAAA,UAAEC,GAAF;AAAA,UAAOC,KAAP;;AAAA,uBAAqBD,GAArB,cAA4BC,KAA5B;AAAA,KADuB,EAE3BC,IAF2B,CAEtB,IAFsB,CAA9B;AAGD;;AApB2C,0BAsBfhB,OAtBe,CAsBpCiB,QAtBoC;AAAA,MAsBpCA,QAtBoC,kCAsBzB,KAtByB;AAwB5C,SAAOxB,KAAK,CAACQ,UAAD,EAAaE,YAAb,CAAL,CACJe,IADI,CACC,UAAAC,QAAQ,EAAI;AAChB,QAAMC,aAAa,GAAGD,QAAQ,CAACV,OAAT,CAAiBY,GAAjB,CAAqB,gBAArB,CAAtB;AACA,QAAMC,WAAW,GAAGH,QAAQ,CAACV,OAAT,CAAiBY,GAAjB,CAAqB,cAArB,CAApB,CAFgB,CAIhB;AACA;;AACA,QAAID,aAAa,KAAK,GAAtB,EAA2B;AACzB,aAAO/B,OAAO,CAACkC,MAAR,CACL,IAAIC,KAAJ,uDAAyDvB,UAAzD,EADK,CAAP;AAGD;;AAED,QAAI,CAACkB,QAAQ,CAACM,EAAd,EAAkB;AAChB,aAAOpC,OAAO,CAACkC,MAAR,CAAe,IAAIC,KAAJ,kCAAoCvB,UAApC,EAAf,CAAP;AACD;;AAED,QAAMyB,SAAS,GAAG/B,YAAY,CAAC2B,WAAD,CAA9B;AAEA,WAAOH,QAAQ,CAACQ,WAAT,GAAuBT,IAAvB,CAA4B,UAAAU,MAAM;AAAA,aAAK;AAC5CA,QAAAA,MAAM,EAANA,MAD4C;AAE5CF,QAAAA,SAAS,EAATA;AAF4C,OAAL;AAAA,KAAlC,CAAP;AAID,GAvBI,EAwBJR,IAxBI,CAwBC,iBAA2B;AAAA,QAAxBU,MAAwB,SAAxBA,MAAwB;AAAA,QAAhBF,SAAgB,SAAhBA,SAAgB;AAC/B,QAAMG,UAAU,wBAAiBH,SAAjB,aAAhB;AACA,QAAMI,QAAQ,GAAGC,mBAAmB,CAACH,MAAD,CAApC;AAEA,QAAMI,MAAM,aAAMH,UAAN,SAAmBC,QAAnB,CAAZ;AACA,QAAMG,OAAO,GAAGC,mBAAmB,CAACF,MAAD,CAAnC;;AAEA,QAAI,CAACC,OAAL,EAAc;AACZ,aAAO5C,OAAO,CAACkC,MAAR,CAAe,IAAIC,KAAJ,CAAU,mBAAV,CAAf,CAAP;AACD;;AAED,WAAOQ,MAAP;AACD,GApCI,EAqCJG,KArCI,CAqCE,UAAAC,KAAK,EAAI;AACd,QAAInB,QAAJ,EAAc;AACZ;AACAoB,MAAAA,OAAO,CAACD,KAAR,CAAc,uBAAd,EAAuCA,KAAvC;AACA,aAAOtC,UAAU,CAACR,mBAAD,EAAsBM,cAAtB,CAAjB;AACD;;AAEDyC,IAAAA,OAAO,CAACD,KAAR,CAAcA,KAAd;AACA,WAAO7C,aAAP;AACD,GA9CI,CAAP;AA+CD;;AAED,SAASwC,mBAAT,CAA6BH,MAA7B,EAAqC;AACnC,MAAIU,MAAM,GAAG,EAAb;AACA,MAAMC,KAAK,GAAG,GAAGC,KAAH,CAASC,IAAT,CAAc,IAAIC,UAAJ,CAAed,MAAf,CAAd,CAAd;AAEAW,EAAAA,KAAK,CAACI,OAAN,CAAc,UAAAC,CAAC;AAAA,WAAKN,MAAM,IAAIO,MAAM,CAACC,YAAP,CAAoBF,CAApB,CAAf;AAAA,GAAf;AAEA,SAAOzD,IAAI,CAACmD,MAAD,CAAX;AACD;;AAED,OAAO,SAASJ,mBAAT,CAA6Ba,YAA7B,EAA2C;AAChD,MAAMC,MAAM,GAAGD,YAAY,CAACE,UAAb,CAAwB,yBAAxB,CAAf;AAEA,MAAID,MAAJ,EAAY,OAAOE,iBAAiB,CAACH,YAAD,CAAxB;AAEZ,MAAMI,KAAK,GAAGJ,YAAY,CAACE,UAAb,CAAwB,wBAAxB,CAAd;AAEA,MAAIE,KAAJ,EAAW,OAAOC,gBAAgB,CAACL,YAAD,CAAvB;AAEX,SAAO,KAAP;AACD,C,CAED;AACA;;AACA,OAAO,SAASG,iBAAT,CAA2BG,YAA3B,EAAyC;AAC9C,MAAMC,GAAG,GAAGD,YAAZ;AACA,MAAME,SAAS,GAAGb,UAAU,CAACc,IAAX,CAChBtE,IAAI,CAACoE,GAAG,CAACG,OAAJ,CAAY,yBAAZ,EAAuC,EAAvC,CAAD,CADY,EAEhB,UAAAC,CAAC;AAAA,WAAIA,CAAC,CAACC,UAAF,CAAa,CAAb,CAAJ;AAAA,GAFe,CAAlB;AAIA,MAAMC,cAAc,GAClBL,SAAS,CAACA,SAAS,CAACM,MAAV,GAAmB,CAApB,CAAT,KAAoC,GAApC,IACAN,SAAS,CAACA,SAAS,CAACM,MAAV,GAAmB,CAApB,CAAT,KAAoC,GAFtC;AAIA,SAAOD,cAAP;AACD,C,CAED;AACA;;AACA,OAAO,SAASR,gBAAT,CAA0BC,YAA1B,EAAwC;AAC7C,MAAMC,GAAG,GAAGD,YAAZ;AACA,MAAME,SAAS,GAAGb,UAAU,CAACc,IAAX,CAChBtE,IAAI,CAACoE,GAAG,CAACG,OAAJ,CAAY,wBAAZ,EAAsC,EAAtC,CAAD,CADY,EAEhB,UAAAC,CAAC;AAAA,WAAIA,CAAC,CAACC,UAAF,CAAa,CAAb,CAAJ;AAAA,GAFe,CAAlB;AAIA,MAAMG,QAAQ,GAAG,CAAC,CAAD,EAAI,CAAJ,EAAO,CAAP,EAAU,CAAV,EAAa,EAAb,EAAiB,EAAjB,EAAqB,EAArB,EAAyB,EAAzB,EAA6B,GAA7B,EAAkC,EAAlC,EAAsC,EAAtC,EAA0C,GAA1C,CAAjB,CAN6C,CAMmB;AAEhE;;AACA,OAAK,IAAIC,CAAC,GAAG,EAAb,EAAiBA,CAAC,GAAG,CAArB,EAAwBA,CAAC,EAAzB,EAA6B;AAC3B,QAAIR,SAAS,CAACA,SAAS,CAACM,MAAV,GAAmBE,CAApB,CAAT,KAAoCD,QAAQ,CAAC,KAAKC,CAAN,CAAhD,EAA0D;AACxD,aAAO,KAAP;AACD;AACF;;AAED,SAAO,IAAP;AACD","sourcesContent":["import { atob, btoa } from '@lighthouse/abab'\nimport fetchPonyfill from 'fetch-ponyfill'\nimport Promise from 'bluebird'\nimport { LIGHTHOUSE_LOGO_URL } from '../../constants'\nimport { imageNotFound } from '../../images'\nimport { generateCloudFrontCookies } from '../get-cloudfront-cookies'\n// NOTE use the native fetch if it's available in the browser, because the\n// ponyfill (which actually uses the github polyfill) does not support all the\n// same options as native fetch\nconst fetch =\n  (typeof self === 'object' && self.fetch) || fetchPonyfill({ Promise }).fetch\n\nconst contentTypes = {\n  'image/png': 'png',\n  'image/jpeg': 'jpeg',\n}\n\nconst defaultOptions = {\n  // NOTE The cache: no-cache option is important to avoid an issue with CORS\n  // and caching on Chrome. Here's a good explanation of the issue:\n  // https://stackoverflow.com/a/37455118\n  // In our case, when loading the web version of a form, the signature image is\n  // cached without the correct CORS headers. If the pdf is then generated,\n  // there's a mismatch between the cached image headers and the CORS headers\n  // sent from the fetch request, causing an error\n  cache: 'no-cache',\n}\n\nexport function fetchImage(url, options = {}) {\n  const encodedUrl = encodeURI(url)\n  const fetchOptions = {\n    ...defaultOptions,\n    ...options,\n  }\n\n  const applicationId = options.applicationId\n\n  if (url.contains('.cloudfront.net')) {\n    fetchOptions.credentials = 'include' // Ensure cookies are sent with the request\n\n    const signedCookies = generateCloudFrontCookies({\n      userId: 'anonymous',\n      applicationId,\n    })\n\n    fetchOptions.headers.Cookie = Object.entries(signedCookies)\n      .map(([key, value]) => `${key}=${value}`)\n      .join('; ')\n  }\n\n  const { isHeader = false } = options\n\n  return fetch(encodedUrl, fetchOptions)\n    .then(response => {\n      const contentHeader = response.headers.get('content-length')\n      const contentType = response.headers.get('content-type')\n\n      // NOTE: the response will be ok but we won't be able to render any\n      // image meaning pdfmake will error. Raise error here and return early.\n      if (contentHeader === '0') {\n        return Promise.reject(\n          new Error(`Failed to fetch image as no content length: ${encodedUrl}`)\n        )\n      }\n\n      if (!response.ok) {\n        return Promise.reject(new Error(`Failed to fetch image: ${encodedUrl}`))\n      }\n\n      const imageType = contentTypes[contentType]\n\n      return response.arrayBuffer().then(buffer => ({\n        buffer,\n        imageType,\n      }))\n    })\n    .then(({ buffer, imageType }) => {\n      const base64Flag = `data:image/${imageType};base64,`\n      const imageStr = arrayBufferToBase64(buffer)\n\n      const base64 = `${base64Flag}${imageStr}`\n      const isValid = validateBase64Image(base64)\n\n      if (!isValid) {\n        return Promise.reject(new Error('InvalidImageError'))\n      }\n\n      return base64\n    })\n    .catch(error => {\n      if (isHeader) {\n        // NOTE: Replace failed headers with LH logo\n        console.error('FetchImageHeaderError', error)\n        return fetchImage(LIGHTHOUSE_LOGO_URL, defaultOptions)\n      }\n\n      console.error(error)\n      return imageNotFound\n    })\n}\n\nfunction arrayBufferToBase64(buffer) {\n  let binary = ''\n  const bytes = [].slice.call(new Uint8Array(buffer))\n\n  bytes.forEach(b => (binary += String.fromCharCode(b)))\n\n  return btoa(binary)\n}\n\nexport function validateBase64Image(base64String) {\n  const isJpeg = base64String.startsWith('data:image/jpeg;base64,')\n\n  if (isJpeg) return validateJpegImage(base64String)\n\n  const isPng = base64String.startsWith('data:image/png;base64,')\n\n  if (isPng) return validatePngImage(base64String)\n\n  return false\n}\n\n// See SO for more info: https://stackoverflow.com/a/41635312\n// Fiddle: https://jsfiddle.net/Lnyxuchw/\nexport function validateJpegImage(base64string) {\n  const src = base64string\n  const imageData = Uint8Array.from(\n    atob(src.replace('data:image/jpeg;base64,', '')),\n    c => c.charCodeAt(0)\n  )\n  const imageCorrupted =\n    imageData[imageData.length - 1] === 217 &&\n    imageData[imageData.length - 2] === 255\n\n  return imageCorrupted\n}\n\n// See SO for more info: https://stackoverflow.com/a/41635312\n// Fiddle: https://jsfiddle.net/Lnyxuchw/\nexport function validatePngImage(base64string) {\n  const src = base64string\n  const imageData = Uint8Array.from(\n    atob(src.replace('data:image/png;base64,', '')),\n    c => c.charCodeAt(0)\n  )\n  const sequence = [0, 0, 0, 0, 73, 69, 78, 68, 174, 66, 96, 130] // in hex:\n\n  //check last 12 elements of array so they contains needed values\n  for (let i = 12; i > 0; i--) {\n    if (imageData[imageData.length - i] !== sequence[12 - i]) {\n      return false\n    }\n  }\n\n  return true\n}\n"],"file":"index.js"}
+{"version":3,"sources":["../../../src/helpers/fetch-image/index.js"],"names":["atob","btoa","fetchPonyfill","Promise","LIGHTHOUSE_LOGO_URL","imageNotFound","generateCloudFrontCookies","fetch","self","contentTypes","defaultOptions","cache","fetchImage","url","options","encodedUrl","encodeURI","fetchOptions","applicationId","includes","credentials","signedCookies","userId","headers","Cookie","Object","entries","map","key","value","join","isHeader","then","response","contentHeader","get","contentType","reject","Error","ok","imageType","arrayBuffer","buffer","base64Flag","imageStr","arrayBufferToBase64","base64","isValid","validateBase64Image","catch","error","console","binary","bytes","slice","call","Uint8Array","forEach","b","String","fromCharCode","base64String","isJpeg","startsWith","validateJpegImage","isPng","validatePngImage","base64string","src","imageData","from","replace","c","charCodeAt","imageCorrupted","length","sequence","i"],"mappings":";;;;;;;;AAAA,SAASA,IAAT,EAAeC,IAAf,QAA2B,kBAA3B;AACA,OAAOC,aAAP,MAA0B,gBAA1B;AACA,OAAOC,OAAP,MAAoB,UAApB;AACA,SAASC,mBAAT,QAAoC,iBAApC;AACA,SAASC,aAAT,QAA8B,cAA9B;AACA,SAASC,yBAAT,QAA0C,2BAA1C,C,CACA;AACA;AACA;;AACA,IAAMC,KAAK,GACR,QAAOC,IAAP,yCAAOA,IAAP,OAAgB,QAAhB,IAA4BA,IAAI,CAACD,KAAlC,IAA4CL,aAAa,CAAC;AAAEC,EAAAA,OAAO,EAAPA;AAAF,CAAD,CAAb,CAA2BI,KADzE;AAGA,IAAME,YAAY,GAAG;AACnB,eAAa,KADM;AAEnB,gBAAc;AAFK,CAArB;AAKA,IAAMC,cAAc,GAAG;AACrB;AACA;AACA;AACA;AACA;AACA;AACA;AACAC,EAAAA,KAAK,EAAE;AARc,CAAvB;AAWA,OAAO,SAASC,UAAT,CAAoBC,GAApB,EAAuC;AAAA,MAAdC,OAAc,uEAAJ,EAAI;AAC5C,MAAMC,UAAU,GAAGC,SAAS,CAACH,GAAD,CAA5B;;AACA,MAAMI,YAAY,mCACbP,cADa,GAEbI,OAFa,CAAlB;;AAKA,MAAMI,aAAa,GAAGJ,OAAO,CAACI,aAA9B;;AAEA,MAAIL,GAAG,IAAIA,GAAG,CAACM,QAAJ,CAAa,iBAAb,CAAX,EAA4C;AAC1CF,IAAAA,YAAY,CAACG,WAAb,GAA2B,SAA3B,CAD0C,CACL;;AAErC,QAAMC,aAAa,GAAGf,yBAAyB,CAAC;AAC9CgB,MAAAA,MAAM,EAAE,WADsC;AAE9CJ,MAAAA,aAAa,EAAbA;AAF8C,KAAD,CAA/C;AAKAD,IAAAA,YAAY,CAACM,OAAb,CAAqBC,MAArB,GAA8BC,MAAM,CAACC,OAAP,CAAeL,aAAf,EAC3BM,GAD2B,CACvB;AAAA;AAAA,UAAEC,GAAF;AAAA,UAAOC,KAAP;;AAAA,uBAAqBD,GAArB,cAA4BC,KAA5B;AAAA,KADuB,EAE3BC,IAF2B,CAEtB,IAFsB,CAA9B;AAGD;;AApB2C,0BAsBfhB,OAtBe,CAsBpCiB,QAtBoC;AAAA,MAsBpCA,QAtBoC,kCAsBzB,KAtByB;AAwB5C,SAAOxB,KAAK,CAACQ,UAAD,EAAaE,YAAb,CAAL,CACJe,IADI,CACC,UAAAC,QAAQ,EAAI;AAChB,QAAMC,aAAa,GAAGD,QAAQ,CAACV,OAAT,CAAiBY,GAAjB,CAAqB,gBAArB,CAAtB;AACA,QAAMC,WAAW,GAAGH,QAAQ,CAACV,OAAT,CAAiBY,GAAjB,CAAqB,cAArB,CAApB,CAFgB,CAIhB;AACA;;AACA,QAAID,aAAa,KAAK,GAAtB,EAA2B;AACzB,aAAO/B,OAAO,CAACkC,MAAR,CACL,IAAIC,KAAJ,uDAAyDvB,UAAzD,EADK,CAAP;AAGD;;AAED,QAAI,CAACkB,QAAQ,CAACM,EAAd,EAAkB;AAChB,aAAOpC,OAAO,CAACkC,MAAR,CAAe,IAAIC,KAAJ,kCAAoCvB,UAApC,EAAf,CAAP;AACD;;AAED,QAAMyB,SAAS,GAAG/B,YAAY,CAAC2B,WAAD,CAA9B;AAEA,WAAOH,QAAQ,CAACQ,WAAT,GAAuBT,IAAvB,CAA4B,UAAAU,MAAM;AAAA,aAAK;AAC5CA,QAAAA,MAAM,EAANA,MAD4C;AAE5CF,QAAAA,SAAS,EAATA;AAF4C,OAAL;AAAA,KAAlC,CAAP;AAID,GAvBI,EAwBJR,IAxBI,CAwBC,iBAA2B;AAAA,QAAxBU,MAAwB,SAAxBA,MAAwB;AAAA,QAAhBF,SAAgB,SAAhBA,SAAgB;AAC/B,QAAMG,UAAU,wBAAiBH,SAAjB,aAAhB;AACA,QAAMI,QAAQ,GAAGC,mBAAmB,CAACH,MAAD,CAApC;AAEA,QAAMI,MAAM,aAAMH,UAAN,SAAmBC,QAAnB,CAAZ;AACA,QAAMG,OAAO,GAAGC,mBAAmB,CAACF,MAAD,CAAnC;;AAEA,QAAI,CAACC,OAAL,EAAc;AACZ,aAAO5C,OAAO,CAACkC,MAAR,CAAe,IAAIC,KAAJ,CAAU,mBAAV,CAAf,CAAP;AACD;;AAED,WAAOQ,MAAP;AACD,GApCI,EAqCJG,KArCI,CAqCE,UAAAC,KAAK,EAAI;AACd,QAAInB,QAAJ,EAAc;AACZ;AACAoB,MAAAA,OAAO,CAACD,KAAR,CAAc,uBAAd,EAAuCA,KAAvC;AACA,aAAOtC,UAAU,CAACR,mBAAD,EAAsBM,cAAtB,CAAjB;AACD;;AAEDyC,IAAAA,OAAO,CAACD,KAAR,CAAcA,KAAd;AACA,WAAO7C,aAAP;AACD,GA9CI,CAAP;AA+CD;;AAED,SAASwC,mBAAT,CAA6BH,MAA7B,EAAqC;AACnC,MAAIU,MAAM,GAAG,EAAb;AACA,MAAMC,KAAK,GAAG,GAAGC,KAAH,CAASC,IAAT,CAAc,IAAIC,UAAJ,CAAed,MAAf,CAAd,CAAd;AAEAW,EAAAA,KAAK,CAACI,OAAN,CAAc,UAAAC,CAAC;AAAA,WAAKN,MAAM,IAAIO,MAAM,CAACC,YAAP,CAAoBF,CAApB,CAAf;AAAA,GAAf;AAEA,SAAOzD,IAAI,CAACmD,MAAD,CAAX;AACD;;AAED,OAAO,SAASJ,mBAAT,CAA6Ba,YAA7B,EAA2C;AAChD,MAAMC,MAAM,GAAGD,YAAY,CAACE,UAAb,CAAwB,yBAAxB,CAAf;AAEA,MAAID,MAAJ,EAAY,OAAOE,iBAAiB,CAACH,YAAD,CAAxB;AAEZ,MAAMI,KAAK,GAAGJ,YAAY,CAACE,UAAb,CAAwB,wBAAxB,CAAd;AAEA,MAAIE,KAAJ,EAAW,OAAOC,gBAAgB,CAACL,YAAD,CAAvB;AAEX,SAAO,KAAP;AACD,C,CAED;AACA;;AACA,OAAO,SAASG,iBAAT,CAA2BG,YAA3B,EAAyC;AAC9C,MAAMC,GAAG,GAAGD,YAAZ;AACA,MAAME,SAAS,GAAGb,UAAU,CAACc,IAAX,CAChBtE,IAAI,CAACoE,GAAG,CAACG,OAAJ,CAAY,yBAAZ,EAAuC,EAAvC,CAAD,CADY,EAEhB,UAAAC,CAAC;AAAA,WAAIA,CAAC,CAACC,UAAF,CAAa,CAAb,CAAJ;AAAA,GAFe,CAAlB;AAIA,MAAMC,cAAc,GAClBL,SAAS,CAACA,SAAS,CAACM,MAAV,GAAmB,CAApB,CAAT,KAAoC,GAApC,IACAN,SAAS,CAACA,SAAS,CAACM,MAAV,GAAmB,CAApB,CAAT,KAAoC,GAFtC;AAIA,SAAOD,cAAP;AACD,C,CAED;AACA;;AACA,OAAO,SAASR,gBAAT,CAA0BC,YAA1B,EAAwC;AAC7C,MAAMC,GAAG,GAAGD,YAAZ;AACA,MAAME,SAAS,GAAGb,UAAU,CAACc,IAAX,CAChBtE,IAAI,CAACoE,GAAG,CAACG,OAAJ,CAAY,wBAAZ,EAAsC,EAAtC,CAAD,CADY,EAEhB,UAAAC,CAAC;AAAA,WAAIA,CAAC,CAACC,UAAF,CAAa,CAAb,CAAJ;AAAA,GAFe,CAAlB;AAIA,MAAMG,QAAQ,GAAG,CAAC,CAAD,EAAI,CAAJ,EAAO,CAAP,EAAU,CAAV,EAAa,EAAb,EAAiB,EAAjB,EAAqB,EAArB,EAAyB,EAAzB,EAA6B,GAA7B,EAAkC,EAAlC,EAAsC,EAAtC,EAA0C,GAA1C,CAAjB,CAN6C,CAMmB;AAEhE;;AACA,OAAK,IAAIC,CAAC,GAAG,EAAb,EAAiBA,CAAC,GAAG,CAArB,EAAwBA,CAAC,EAAzB,EAA6B;AAC3B,QAAIR,SAAS,CAACA,SAAS,CAACM,MAAV,GAAmBE,CAApB,CAAT,KAAoCD,QAAQ,CAAC,KAAKC,CAAN,CAAhD,EAA0D;AACxD,aAAO,KAAP;AACD;AACF;;AAED,SAAO,IAAP;AACD","sourcesContent":["import { atob, btoa } from '@lighthouse/abab'\nimport fetchPonyfill from 'fetch-ponyfill'\nimport Promise from 'bluebird'\nimport { LIGHTHOUSE_LOGO_URL } from '../../constants'\nimport { imageNotFound } from '../../images'\nimport { generateCloudFrontCookies } from '../get-cloudfront-cookies'\n// NOTE use the native fetch if it's available in the browser, because the\n// ponyfill (which actually uses the github polyfill) does not support all the\n// same options as native fetch\nconst fetch =\n  (typeof self === 'object' && self.fetch) || fetchPonyfill({ Promise }).fetch\n\nconst contentTypes = {\n  'image/png': 'png',\n  'image/jpeg': 'jpeg',\n}\n\nconst defaultOptions = {\n  // NOTE The cache: no-cache option is important to avoid an issue with CORS\n  // and caching on Chrome. Here's a good explanation of the issue:\n  // https://stackoverflow.com/a/37455118\n  // In our case, when loading the web version of a form, the signature image is\n  // cached without the correct CORS headers. If the pdf is then generated,\n  // there's a mismatch between the cached image headers and the CORS headers\n  // sent from the fetch request, causing an error\n  cache: 'no-cache',\n}\n\nexport function fetchImage(url, options = {}) {\n  const encodedUrl = encodeURI(url)\n  const fetchOptions = {\n    ...defaultOptions,\n    ...options,\n  }\n\n  const applicationId = options.applicationId\n\n  if (url && url.includes('.cloudfront.net')) {\n    fetchOptions.credentials = 'include' // Ensure cookies are sent with the request\n\n    const signedCookies = generateCloudFrontCookies({\n      userId: 'anonymous',\n      applicationId,\n    })\n\n    fetchOptions.headers.Cookie = Object.entries(signedCookies)\n      .map(([key, value]) => `${key}=${value}`)\n      .join('; ')\n  }\n\n  const { isHeader = false } = options\n\n  return fetch(encodedUrl, fetchOptions)\n    .then(response => {\n      const contentHeader = response.headers.get('content-length')\n      const contentType = response.headers.get('content-type')\n\n      // NOTE: the response will be ok but we won't be able to render any\n      // image meaning pdfmake will error. Raise error here and return early.\n      if (contentHeader === '0') {\n        return Promise.reject(\n          new Error(`Failed to fetch image as no content length: ${encodedUrl}`)\n        )\n      }\n\n      if (!response.ok) {\n        return Promise.reject(new Error(`Failed to fetch image: ${encodedUrl}`))\n      }\n\n      const imageType = contentTypes[contentType]\n\n      return response.arrayBuffer().then(buffer => ({\n        buffer,\n        imageType,\n      }))\n    })\n    .then(({ buffer, imageType }) => {\n      const base64Flag = `data:image/${imageType};base64,`\n      const imageStr = arrayBufferToBase64(buffer)\n\n      const base64 = `${base64Flag}${imageStr}`\n      const isValid = validateBase64Image(base64)\n\n      if (!isValid) {\n        return Promise.reject(new Error('InvalidImageError'))\n      }\n\n      return base64\n    })\n    .catch(error => {\n      if (isHeader) {\n        // NOTE: Replace failed headers with LH logo\n        console.error('FetchImageHeaderError', error)\n        return fetchImage(LIGHTHOUSE_LOGO_URL, defaultOptions)\n      }\n\n      console.error(error)\n      return imageNotFound\n    })\n}\n\nfunction arrayBufferToBase64(buffer) {\n  let binary = ''\n  const bytes = [].slice.call(new Uint8Array(buffer))\n\n  bytes.forEach(b => (binary += String.fromCharCode(b)))\n\n  return btoa(binary)\n}\n\nexport function validateBase64Image(base64String) {\n  const isJpeg = base64String.startsWith('data:image/jpeg;base64,')\n\n  if (isJpeg) return validateJpegImage(base64String)\n\n  const isPng = base64String.startsWith('data:image/png;base64,')\n\n  if (isPng) return validatePngImage(base64String)\n\n  return false\n}\n\n// See SO for more info: https://stackoverflow.com/a/41635312\n// Fiddle: https://jsfiddle.net/Lnyxuchw/\nexport function validateJpegImage(base64string) {\n  const src = base64string\n  const imageData = Uint8Array.from(\n    atob(src.replace('data:image/jpeg;base64,', '')),\n    c => c.charCodeAt(0)\n  )\n  const imageCorrupted =\n    imageData[imageData.length - 1] === 217 &&\n    imageData[imageData.length - 2] === 255\n\n  return imageCorrupted\n}\n\n// See SO for more info: https://stackoverflow.com/a/41635312\n// Fiddle: https://jsfiddle.net/Lnyxuchw/\nexport function validatePngImage(base64string) {\n  const src = base64string\n  const imageData = Uint8Array.from(\n    atob(src.replace('data:image/png;base64,', '')),\n    c => c.charCodeAt(0)\n  )\n  const sequence = [0, 0, 0, 0, 73, 69, 78, 68, 174, 66, 96, 130] // in hex:\n\n  //check last 12 elements of array so they contains needed values\n  for (let i = 12; i > 0; i--) {\n    if (imageData[imageData.length - i] !== sequence[12 - i]) {\n      return false\n    }\n  }\n\n  return true\n}\n"],"file":"index.js"}

package/lib/helpers/get-cloudfront-cookies/index.js

@@ -1,13 +1,8 @@
 import _regeneratorRuntime from "@babel/runtime/regenerator";
 import _asyncToGenerator from "@babel/runtime/helpers/asyncToGenerator";
-
-var _require = require('@aws-sdk/cloudfront-signer'),
-    getSignedCookies = _require.getSignedCookies;
-
-var _require2 = require('../get-secret-value'),
-    getSecretValue = _require2.getSecretValue;
-
-var logger = require('../../logger');
+import AWS from 'aws-sdk';
+var getSignedCookies = AWS.CloudFront.Signer.getSignedCookies;
+import { getSecretValue } from '../get-secret-value';
 /**
  * Generate CloudFront signed cookies for authenticated users
  * @param {Object} options - Configuration options
@@ -22,7 +17,6 @@ var logger = require('../../logger');
  * } | null>} Signed cookies object or null if disabled/failed
  */
 
-
 export function generateCloudFrontCookies(_x) {
   return _generateCloudFrontCookies.apply(this, arguments);
 }
@@ -41,7 +35,7 @@ function _generateCloudFrontCookies() {
               break;
             }
 
-            logger.debug('CloudFront cookie generation skipped - not configured');
+            console.debug('CloudFront cookie generation skipped - not configured');
             return _context.abrupt("return", null);
 
           case 4:
@@ -57,7 +51,7 @@ function _generateCloudFrontCookies() {
               break;
             }
 
-            logger.warn('CloudFront private key not available');
+            console.warn('CloudFront private key not available');
             return _context.abrupt("return", null);
 
           case 11:
@@ -76,7 +70,7 @@ function _generateCloudFrontCookies() {
               dateLessThan: expiration.getTime() // Use epoch timestamp in milliseconds
 
             });
-            logger.info('CloudFront cookies generated successfully', {
+            console.info('CloudFront cookies generated successfully', {
               userId: userId,
               applicationId: applicationId,
               resourcePath: resourcePath,
@@ -87,7 +81,7 @@ function _generateCloudFrontCookies() {
           case 21:
             _context.prev = 21;
             _context.t0 = _context["catch"](4);
-            logger.error('Failed to generate CloudFront cookies', {
+            console.error('Failed to generate CloudFront cookies', {
               userId: userId,
               applicationId: applicationId,
               error: {
@@ -137,7 +131,7 @@ function _getPrivateKey() {
               break;
             }
 
-            logger.warn('CLOUDFRONT_PRIVATE_KEY_SECRET_ID not configured');
+            console.warn('CLOUDFRONT_PRIVATE_KEY_SECRET_ID not configured');
             return _context2.abrupt("return", null);
 
           case 6:
@@ -149,13 +143,13 @@ function _getPrivateKey() {
             privateKey = _context2.sent;
             privateKeyCache = privateKey;
             cacheExpiry = now + CACHE_TTL;
-            logger.debug('CloudFront private key retrieved and cached');
+            console.debug('CloudFront private key retrieved and cached');
             return _context2.abrupt("return", privateKey);
 
           case 16:
             _context2.prev = 16;
             _context2.t0 = _context2["catch"](6);
-            logger.error('Failed to retrieve CloudFront private key', {
+            console.error('Failed to retrieve CloudFront private key', {
               secretId: process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID,
               error: {
                 message: _context2.t0.message,

package/lib/helpers/get-cloudfront-cookies/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/helpers/get-cloudfront-cookies/index.js"],"names":["require","getSignedCookies","getSecretValue","logger","generateCloudFrontCookies","userId","applicationId","process","env","CLOUDFRONT_DOMAIN","CLOUDFRONT_KEY_PAIR_ID","debug","getPrivateKey","privateKey","warn","expiration","Date","setTime","getTime","distributionDomain","resourcePath","urlPattern","signedCookies","url","keyPairId","dateLessThan","info","toISOString","error","message","code","privateKeyCache","cacheExpiry","CACHE_TTL","now","CLOUDFRONT_PRIVATE_KEY_SECRET_ID","secretId"],"mappings":";;;eAA6BA,OAAO,CAAC,4BAAD,C;IAA5BC,gB,YAAAA,gB;;gBACmBD,OAAO,CAAC,qBAAD,C;IAA1BE,c,aAAAA,c;;AACR,IAAMC,MAAM,GAAGH,OAAO,CAAC,cAAD,CAAtB;AAEA;;;;;;;;;;;;;;;AAcA,gBAAsBI,yBAAtB;AAAA;AAAA;;;wFAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAA2CC,YAAAA,MAA3C,QAA2CA,MAA3C,EAAmDC,aAAnD,QAAmDA,aAAnD;;AAAA,kBAED,CAACC,OAAO,CAACC,GAAR,CAAYC,iBAAb,IAAkC,CAACF,OAAO,CAACC,GAAR,CAAYE,sBAF9C;AAAA;AAAA;AAAA;;AAGHP,YAAAA,MAAM,CAACQ,KAAP,CAAa,uDAAb;AAHG,6CAII,IAJJ;;AAAA;AAAA;AAAA;AAAA,mBASsBC,aAAa,EATnC;;AAAA;AASGC,YAAAA,UATH;;AAAA,gBAUEA,UAVF;AAAA;AAAA;AAAA;;AAWDV,YAAAA,MAAM,CAACW,IAAP,CAAY,sCAAZ;AAXC,6CAYM,IAZN;;AAAA;AAeH;AACMC,YAAAA,UAhBH,GAgBgB,IAAIC,IAAJ,EAhBhB;AAiBHD,YAAAA,UAAU,CAACE,OAAX,CAAmBF,UAAU,CAACG,OAAX,KAAuB,KAAK,EAAL,GAAU,EAAV,GAAe,EAAf,GAAoB,IAA9D,EAjBG,CAmBH;;AACMC,YAAAA,kBApBH,qBAoBmCZ,OAAO,CAACC,GAAR,CAAYC,iBApB/C;AAqBGW,YAAAA,YArBH,GAqBkBd,aAAa,aAAMA,aAAN,UAA0B,GArBzD;AAsBGe,YAAAA,UAtBH,aAsBmBF,kBAtBnB,cAsByCC,YAtBzC,GAwBH;;AACME,YAAAA,aAzBH,GAyBmBrB,gBAAgB,CAAC;AACrCsB,cAAAA,GAAG,EAAEF,UADgC;AAErCG,cAAAA,SAAS,EAAEjB,OAAO,CAACC,GAAR,CAAYE,sBAFc;AAGrCG,cAAAA,UAAU,EAAEA,UAHyB;AAIrCY,cAAAA,YAAY,EAAEV,UAAU,CAACG,OAAX,EAJuB,CAID;;AAJC,aAAD,CAzBnC;AAgCHf,YAAAA,MAAM,CAACuB,IAAP,CAAY,2CAAZ,EAAyD;AACvDrB,cAAAA,MAAM,EAANA,MADuD;AAEvDC,cAAAA,aAAa,EAAbA,aAFuD;AAGvDc,cAAAA,YAAY,EAAZA,YAHuD;AAIvDL,cAAAA,UAAU,EAAEA,UAAU,CAACY,WAAX;AAJ2C,aAAzD;AAhCG,6CAuCIL,aAvCJ;;AAAA;AAAA;AAAA;AAyCHnB,YAAAA,MAAM,CAACyB,KAAP,CAAa,uCAAb,EAAsD;AACpDvB,cAAAA,MAAM,EAANA,MADoD;AAEpDC,cAAAA,aAAa,EAAbA,aAFoD;AAGpDsB,cAAAA,KAAK,EAAE;AACLC,gBAAAA,OAAO,EAAE,YAAMA,OADV;AAELC,gBAAAA,IAAI,EAAE,YAAMA;AAFP;AAH6C,aAAtD;AAzCG,6CAiDI,IAjDJ;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,G;;;;AAqDP,IAAIC,eAAe,GAAG,IAAtB;AACA,IAAIC,WAAW,GAAG,IAAlB;AACA,IAAMC,SAAS,GAAG,IAAI,EAAJ,GAAS,IAA3B,C,CAAgC;;SAEjBrB,a;;;;;4EAAf;AAAA;AAAA;AAAA;AAAA;AAAA;AACQsB,YAAAA,GADR,GACclB,IAAI,CAACkB,GAAL,EADd;;AAAA,kBAGMH,eAAe,IAAIC,WAAnB,IAAkCE,GAAG,GAAGF,WAH9C;AAAA;AAAA;AAAA;;AAAA,8CAIWD,eAJX;;AAAA;AAAA,gBAOOxB,OAAO,CAACC,GAAR,CAAY2B,gCAPnB;AAAA;AAAA;AAAA;;AAQIhC,YAAAA,MAAM,CAACW,IAAP,CAAY,iDAAZ;AARJ,8CASW,IATX;;AAAA;AAAA;AAAA;AAAA,mBAa6BZ,cAAc,CACrCK,OAAO,CAACC,GAAR,CAAY2B,gCADyB,EAErC,wBAFqC,CAb3C;;AAAA;AAaUtB,YAAAA,UAbV;AAkBIkB,YAAAA,eAAe,GAAGlB,UAAlB;AACAmB,YAAAA,WAAW,GAAGE,GAAG,GAAGD,SAApB;AAEA9B,YAAAA,MAAM,CAACQ,KAAP,CAAa,6CAAb;AArBJ,8CAsBWE,UAtBX;;AAAA;AAAA;AAAA;AAwBIV,YAAAA,MAAM,CAACyB,KAAP,CAAa,2CAAb,EAA0D;AACxDQ,cAAAA,QAAQ,EAAE7B,OAAO,CAACC,GAAR,CAAY2B,gCADkC;AAExDP,cAAAA,KAAK,EAAE;AACLC,gBAAAA,OAAO,EAAE,aAAMA,OADV;AAELC,gBAAAA,IAAI,EAAE,aAAMA;AAFP;AAFiD,aAA1D;AAxBJ,8CA+BW,IA/BX;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,G","sourcesContent":["const { getSignedCookies } = require('@aws-sdk/cloudfront-signer')\nconst { getSecretValue } = require('../get-secret-value')\nconst logger = require('../../logger')\n\n/**\n * Generate CloudFront signed cookies for authenticated users\n * @param {Object} options - Configuration options\n * @param {string} options.userId - User ID for logging purposes\n * @param {string} options.applicationId - Application ID for resource scoping\n * Return Type: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-cloudfront-signer/Interface/CloudfrontSignedCookiesOutput/\n * @returns {Promise<{\n *   \"CloudFront-Key-Pair-Id\": string,\n *   \"CloudFront-Signature\": string,\n *   \"CloudFront-Expires\"?: number,\n *   \"CloudFront-Policy\"?: string\n * } | null>} Signed cookies object or null if disabled/failed\n */\n\nexport async function generateCloudFrontCookies({ userId, applicationId }) {\n  // Early return if CloudFront is not configured\n  if (!process.env.CLOUDFRONT_DOMAIN || !process.env.CLOUDFRONT_KEY_PAIR_ID) {\n    logger.debug('CloudFront cookie generation skipped - not configured')\n    return null\n  }\n\n  try {\n    // Get private key from AWS Secrets Manager\n    const privateKey = await getPrivateKey()\n    if (!privateKey) {\n      logger.warn('CloudFront private key not available')\n      return null\n    }\n\n    // Set expiration time (14 days from now)\n    const expiration = new Date()\n    expiration.setTime(expiration.getTime() + 14 * 24 * 60 * 60 * 1000)\n\n    // Generate resource URL pattern for wildcard access\n    const distributionDomain = `https://${process.env.CLOUDFRONT_DOMAIN}`\n    const resourcePath = applicationId ? `${applicationId}/*` : '*'\n    const urlPattern = `${distributionDomain}/${resourcePath}`\n\n    // Generate signed cookies\n    const signedCookies = getSignedCookies({\n      url: urlPattern,\n      keyPairId: process.env.CLOUDFRONT_KEY_PAIR_ID,\n      privateKey: privateKey,\n      dateLessThan: expiration.getTime(), // Use epoch timestamp in milliseconds\n    })\n\n    logger.info('CloudFront cookies generated successfully', {\n      userId,\n      applicationId,\n      resourcePath,\n      expiration: expiration.toISOString(),\n    })\n\n    return signedCookies\n  } catch (error) {\n    logger.error('Failed to generate CloudFront cookies', {\n      userId,\n      applicationId,\n      error: {\n        message: error.message,\n        code: error.code,\n      },\n    })\n    return null\n  }\n}\n\nlet privateKeyCache = null\nlet cacheExpiry = null\nconst CACHE_TTL = 5 * 60 * 1000 // 5 minutes\n\nasync function getPrivateKey() {\n  const now = Date.now()\n\n  if (privateKeyCache && cacheExpiry && now < cacheExpiry) {\n    return privateKeyCache\n  }\n\n  if (!process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID) {\n    logger.warn('CLOUDFRONT_PRIVATE_KEY_SECRET_ID not configured')\n    return null\n  }\n\n  try {\n    const privateKey = await getSecretValue(\n      process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID,\n      'CLOUDFRONT_PRIVATE_KEY'\n    )\n\n    privateKeyCache = privateKey\n    cacheExpiry = now + CACHE_TTL\n\n    logger.debug('CloudFront private key retrieved and cached')\n    return privateKey\n  } catch (error) {\n    logger.error('Failed to retrieve CloudFront private key', {\n      secretId: process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID,\n      error: {\n        message: error.message,\n        code: error.code,\n      },\n    })\n    return null\n  }\n}\n"],"file":"index.js"}
+{"version":3,"sources":["../../../src/helpers/get-cloudfront-cookies/index.js"],"names":["AWS","getSignedCookies","CloudFront","Signer","getSecretValue","generateCloudFrontCookies","userId","applicationId","process","env","CLOUDFRONT_DOMAIN","CLOUDFRONT_KEY_PAIR_ID","console","debug","getPrivateKey","privateKey","warn","expiration","Date","setTime","getTime","distributionDomain","resourcePath","urlPattern","signedCookies","url","keyPairId","dateLessThan","info","toISOString","error","message","code","privateKeyCache","cacheExpiry","CACHE_TTL","now","CLOUDFRONT_PRIVATE_KEY_SECRET_ID","secretId"],"mappings":";;AAAA,OAAOA,GAAP,MAAgB,SAAhB;AACA,IAAMC,gBAAgB,GAAGD,GAAG,CAACE,UAAJ,CAAeC,MAAf,CAAsBF,gBAA/C;AACA,SAASG,cAAT,QAA+B,qBAA/B;AAEA;;;;;;;;;;;;;;AAcA,gBAAsBC,yBAAtB;AAAA;AAAA;;;wFAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAA2CC,YAAAA,MAA3C,QAA2CA,MAA3C,EAAmDC,aAAnD,QAAmDA,aAAnD;;AAAA,kBAED,CAACC,OAAO,CAACC,GAAR,CAAYC,iBAAb,IAAkC,CAACF,OAAO,CAACC,GAAR,CAAYE,sBAF9C;AAAA;AAAA;AAAA;;AAGHC,YAAAA,OAAO,CAACC,KAAR,CAAc,uDAAd;AAHG,6CAII,IAJJ;;AAAA;AAAA;AAAA;AAAA,mBASsBC,aAAa,EATnC;;AAAA;AASGC,YAAAA,UATH;;AAAA,gBAUEA,UAVF;AAAA;AAAA;AAAA;;AAWDH,YAAAA,OAAO,CAACI,IAAR,CAAa,sCAAb;AAXC,6CAYM,IAZN;;AAAA;AAeH;AACMC,YAAAA,UAhBH,GAgBgB,IAAIC,IAAJ,EAhBhB;AAiBHD,YAAAA,UAAU,CAACE,OAAX,CAAmBF,UAAU,CAACG,OAAX,KAAuB,KAAK,EAAL,GAAU,EAAV,GAAe,EAAf,GAAoB,IAA9D,EAjBG,CAmBH;;AACMC,YAAAA,kBApBH,qBAoBmCb,OAAO,CAACC,GAAR,CAAYC,iBApB/C;AAqBGY,YAAAA,YArBH,GAqBkBf,aAAa,aAAMA,aAAN,UAA0B,GArBzD;AAsBGgB,YAAAA,UAtBH,aAsBmBF,kBAtBnB,cAsByCC,YAtBzC,GAwBH;;AACME,YAAAA,aAzBH,GAyBmBvB,gBAAgB,CAAC;AACrCwB,cAAAA,GAAG,EAAEF,UADgC;AAErCG,cAAAA,SAAS,EAAElB,OAAO,CAACC,GAAR,CAAYE,sBAFc;AAGrCI,cAAAA,UAAU,EAAEA,UAHyB;AAIrCY,cAAAA,YAAY,EAAEV,UAAU,CAACG,OAAX,EAJuB,CAID;;AAJC,aAAD,CAzBnC;AAgCHR,YAAAA,OAAO,CAACgB,IAAR,CAAa,2CAAb,EAA0D;AACxDtB,cAAAA,MAAM,EAANA,MADwD;AAExDC,cAAAA,aAAa,EAAbA,aAFwD;AAGxDe,cAAAA,YAAY,EAAZA,YAHwD;AAIxDL,cAAAA,UAAU,EAAEA,UAAU,CAACY,WAAX;AAJ4C,aAA1D;AAhCG,6CAuCIL,aAvCJ;;AAAA;AAAA;AAAA;AAyCHZ,YAAAA,OAAO,CAACkB,KAAR,CAAc,uCAAd,EAAuD;AACrDxB,cAAAA,MAAM,EAANA,MADqD;AAErDC,cAAAA,aAAa,EAAbA,aAFqD;AAGrDuB,cAAAA,KAAK,EAAE;AACLC,gBAAAA,OAAO,EAAE,YAAMA,OADV;AAELC,gBAAAA,IAAI,EAAE,YAAMA;AAFP;AAH8C,aAAvD;AAzCG,6CAiDI,IAjDJ;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,G;;;;AAqDP,IAAIC,eAAe,GAAG,IAAtB;AACA,IAAIC,WAAW,GAAG,IAAlB;AACA,IAAMC,SAAS,GAAG,IAAI,EAAJ,GAAS,IAA3B,C,CAAgC;;SAEjBrB,a;;;;;4EAAf;AAAA;AAAA;AAAA;AAAA;AAAA;AACQsB,YAAAA,GADR,GACclB,IAAI,CAACkB,GAAL,EADd;;AAAA,kBAGMH,eAAe,IAAIC,WAAnB,IAAkCE,GAAG,GAAGF,WAH9C;AAAA;AAAA;AAAA;;AAAA,8CAIWD,eAJX;;AAAA;AAAA,gBAOOzB,OAAO,CAACC,GAAR,CAAY4B,gCAPnB;AAAA;AAAA;AAAA;;AAQIzB,YAAAA,OAAO,CAACI,IAAR,CAAa,iDAAb;AARJ,8CASW,IATX;;AAAA;AAAA;AAAA;AAAA,mBAa6BZ,cAAc,CACrCI,OAAO,CAACC,GAAR,CAAY4B,gCADyB,EAErC,wBAFqC,CAb3C;;AAAA;AAaUtB,YAAAA,UAbV;AAkBIkB,YAAAA,eAAe,GAAGlB,UAAlB;AACAmB,YAAAA,WAAW,GAAGE,GAAG,GAAGD,SAApB;AAEAvB,YAAAA,OAAO,CAACC,KAAR,CAAc,6CAAd;AArBJ,8CAsBWE,UAtBX;;AAAA;AAAA;AAAA;AAwBIH,YAAAA,OAAO,CAACkB,KAAR,CAAc,2CAAd,EAA2D;AACzDQ,cAAAA,QAAQ,EAAE9B,OAAO,CAACC,GAAR,CAAY4B,gCADmC;AAEzDP,cAAAA,KAAK,EAAE;AACLC,gBAAAA,OAAO,EAAE,aAAMA,OADV;AAELC,gBAAAA,IAAI,EAAE,aAAMA;AAFP;AAFkD,aAA3D;AAxBJ,8CA+BW,IA/BX;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,G","sourcesContent":["import AWS from 'aws-sdk'\nconst getSignedCookies = AWS.CloudFront.Signer.getSignedCookies\nimport { getSecretValue } from '../get-secret-value'\n\n/**\n * Generate CloudFront signed cookies for authenticated users\n * @param {Object} options - Configuration options\n * @param {string} options.userId - User ID for logging purposes\n * @param {string} options.applicationId - Application ID for resource scoping\n * Return Type: https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-cloudfront-signer/Interface/CloudfrontSignedCookiesOutput/\n * @returns {Promise<{\n *   \"CloudFront-Key-Pair-Id\": string,\n *   \"CloudFront-Signature\": string,\n *   \"CloudFront-Expires\"?: number,\n *   \"CloudFront-Policy\"?: string\n * } | null>} Signed cookies object or null if disabled/failed\n */\n\nexport async function generateCloudFrontCookies({ userId, applicationId }) {\n  // Early return if CloudFront is not configured\n  if (!process.env.CLOUDFRONT_DOMAIN || !process.env.CLOUDFRONT_KEY_PAIR_ID) {\n    console.debug('CloudFront cookie generation skipped - not configured')\n    return null\n  }\n\n  try {\n    // Get private key from AWS Secrets Manager\n    const privateKey = await getPrivateKey()\n    if (!privateKey) {\n      console.warn('CloudFront private key not available')\n      return null\n    }\n\n    // Set expiration time (14 days from now)\n    const expiration = new Date()\n    expiration.setTime(expiration.getTime() + 14 * 24 * 60 * 60 * 1000)\n\n    // Generate resource URL pattern for wildcard access\n    const distributionDomain = `https://${process.env.CLOUDFRONT_DOMAIN}`\n    const resourcePath = applicationId ? `${applicationId}/*` : '*'\n    const urlPattern = `${distributionDomain}/${resourcePath}`\n\n    // Generate signed cookies\n    const signedCookies = getSignedCookies({\n      url: urlPattern,\n      keyPairId: process.env.CLOUDFRONT_KEY_PAIR_ID,\n      privateKey: privateKey,\n      dateLessThan: expiration.getTime(), // Use epoch timestamp in milliseconds\n    })\n\n    console.info('CloudFront cookies generated successfully', {\n      userId,\n      applicationId,\n      resourcePath,\n      expiration: expiration.toISOString(),\n    })\n\n    return signedCookies\n  } catch (error) {\n    console.error('Failed to generate CloudFront cookies', {\n      userId,\n      applicationId,\n      error: {\n        message: error.message,\n        code: error.code,\n      },\n    })\n    return null\n  }\n}\n\nlet privateKeyCache = null\nlet cacheExpiry = null\nconst CACHE_TTL = 5 * 60 * 1000 // 5 minutes\n\nasync function getPrivateKey() {\n  const now = Date.now()\n\n  if (privateKeyCache && cacheExpiry && now < cacheExpiry) {\n    return privateKeyCache\n  }\n\n  if (!process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID) {\n    console.warn('CLOUDFRONT_PRIVATE_KEY_SECRET_ID not configured')\n    return null\n  }\n\n  try {\n    const privateKey = await getSecretValue(\n      process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID,\n      'CLOUDFRONT_PRIVATE_KEY'\n    )\n\n    privateKeyCache = privateKey\n    cacheExpiry = now + CACHE_TTL\n\n    console.debug('CloudFront private key retrieved and cached')\n    return privateKey\n  } catch (error) {\n    console.error('Failed to retrieve CloudFront private key', {\n      secretId: process.env.CLOUDFRONT_PRIVATE_KEY_SECRET_ID,\n      error: {\n        message: error.message,\n        code: error.code,\n      },\n    })\n    return null\n  }\n}\n"],"file":"index.js"}

package/lib/helpers/get-secret-value/index.js

@@ -1,4 +1,4 @@
-import SecretsManager from '@aws-sdk/client-secrets-manager';
+import AWS from 'aws-sdk';
 import { attempt, isError } from 'lodash';
 export default function getSecretValue(secretId, secretKey) {
   if (!secretId) {
@@ -6,7 +6,7 @@ export default function getSecretValue(secretId, secretKey) {
   } // TODO: update these credentials to specific values for service
 
 
-  var secretsClient = new SecretsManager({
+  var secretsClient = new AWS.SecretsManager({
     accessKeyId: process.env.AWS_KEY,
     region: process.env.AWS_SECRET_MANAGER_REGION,
     secretAccessKey: process.env.AWS_SECRET

package/lib/helpers/get-secret-value/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/helpers/get-secret-value/index.js"],"names":["SecretsManager","attempt","isError","getSecretValue","secretId","secretKey","Promise","reject","Error","secretsClient","accessKeyId","process","env","AWS_KEY","region","AWS_SECRET_MANAGER_REGION","secretAccessKey","AWS_SECRET","SecretId","promise","then","payload","secret","parseSecretString","secretValue","catch","err","code","message","secretString","SecretString","parsed","JSON","parse"],"mappings":"AAAA,OAAOA,cAAP,MAA2B,iCAA3B;AACA,SAASC,OAAT,EAAkBC,OAAlB,QAAiC,QAAjC;AAEA,eAAe,SAASC,cAAT,CAAwBC,QAAxB,EAAkCC,SAAlC,EAA6C;AAC1D,MAAI,CAACD,QAAL,EAAe;AACb,WAAOE,OAAO,CAACC,MAAR,CACL,IAAIC,KAAJ,4CAA8CJ,QAA9C,EADK,CAAP;AAGD,GALyD,CAO1D;;;AACA,MAAMK,aAAa,GAAG,IAAIT,cAAJ,CAAmB;AACvCU,IAAAA,WAAW,EAAEC,OAAO,CAACC,GAAR,CAAYC,OADc;AAEvCC,IAAAA,MAAM,EAAEH,OAAO,CAACC,GAAR,CAAYG,yBAFmB;AAGvCC,IAAAA,eAAe,EAAEL,OAAO,CAACC,GAAR,CAAYK;AAHU,GAAnB,CAAtB;AAMA,SAAOR,aAAa,CACjBN,cADI,CACW;AAAEe,IAAAA,QAAQ,EAAEd;AAAZ,GADX,EAEJe,OAFI,GAGJC,IAHI,CAGC,UAAAC,OAAO,EAAI;AACf,QAAMC,MAAM,GAAGC,iBAAiB,CAACF,OAAD,CAAhC,CADe,CAGf;;AACA,QAAI,CAAChB,SAAL,EAAgB,OAAOiB,MAAP;AAEhB,QAAME,WAAW,GAAGF,MAAM,CAACjB,SAAD,CAA1B;;AAEA,QAAI,CAACmB,WAAL,EAAkB;AAChB,YAAM,IAAIhB,KAAJ,CAAU,iCAAV,CAAN;AACD;;AAED,WAAOgB,WAAP;AACD,GAhBI,EAiBJC,KAjBI,CAiBE,UAAAC,GAAG,EAAI;AACZ,UAAM,IAAIlB,KAAJ,gCAAkCkB,GAAG,CAACC,IAAtC,eAA+CD,GAAG,CAACE,OAAnD,EAAN;AACD,GAnBI,CAAP;AAoBD;;AAED,SAASL,iBAAT,CAA2BF,OAA3B,EAAoC;AAClC,MAAMQ,YAAY,GAAGR,OAAO,CAACS,YAAR,IAAwB,EAA7C;AAEA,MAAMC,MAAM,GAAG9B,OAAO,CAAC+B,IAAI,CAACC,KAAN,EAAaJ,YAAb,CAAtB;AAEA,SAAO3B,OAAO,CAAC6B,MAAD,CAAP,GAAkB,EAAlB,GAAuBA,MAA9B;AACD","sourcesContent":["import SecretsManager from '@aws-sdk/client-secrets-manager'\nimport { attempt, isError } from 'lodash'\n\nexport default function getSecretValue(secretId, secretKey) {\n  if (!secretId) {\n    return Promise.reject(\n      new Error(`Missing required param: secretId:${secretId}`)\n    )\n  }\n\n  // TODO: update these credentials to specific values for service\n  const secretsClient = new SecretsManager({\n    accessKeyId: process.env.AWS_KEY,\n    region: process.env.AWS_SECRET_MANAGER_REGION,\n    secretAccessKey: process.env.AWS_SECRET,\n  })\n\n  return secretsClient\n    .getSecretValue({ SecretId: secretId })\n    .promise()\n    .then(payload => {\n      const secret = parseSecretString(payload)\n\n      // Return early if secretKey isn't defined (we want the full set of key/values)\n      if (!secretKey) return secret\n\n      const secretValue = secret[secretKey]\n\n      if (!secretValue) {\n        throw new Error('Secret value could not be found')\n      }\n\n      return secretValue\n    })\n    .catch(err => {\n      throw new Error(`AWSSecretFetchError: ${err.code}, ${err.message}`)\n    })\n}\n\nfunction parseSecretString(payload) {\n  const secretString = payload.SecretString || ''\n\n  const parsed = attempt(JSON.parse, secretString)\n\n  return isError(parsed) ? {} : parsed\n}\n"],"file":"index.js"}
+{"version":3,"sources":["../../../src/helpers/get-secret-value/index.js"],"names":["AWS","attempt","isError","getSecretValue","secretId","secretKey","Promise","reject","Error","secretsClient","SecretsManager","accessKeyId","process","env","AWS_KEY","region","AWS_SECRET_MANAGER_REGION","secretAccessKey","AWS_SECRET","SecretId","promise","then","payload","secret","parseSecretString","secretValue","catch","err","code","message","secretString","SecretString","parsed","JSON","parse"],"mappings":"AAAA,OAAOA,GAAP,MAAgB,SAAhB;AACA,SAASC,OAAT,EAAkBC,OAAlB,QAAiC,QAAjC;AAEA,eAAe,SAASC,cAAT,CAAwBC,QAAxB,EAAkCC,SAAlC,EAA6C;AAC1D,MAAI,CAACD,QAAL,EAAe;AACb,WAAOE,OAAO,CAACC,MAAR,CACL,IAAIC,KAAJ,4CAA8CJ,QAA9C,EADK,CAAP;AAGD,GALyD,CAO1D;;;AACA,MAAMK,aAAa,GAAG,IAAIT,GAAG,CAACU,cAAR,CAAuB;AAC3CC,IAAAA,WAAW,EAAEC,OAAO,CAACC,GAAR,CAAYC,OADkB;AAE3CC,IAAAA,MAAM,EAAEH,OAAO,CAACC,GAAR,CAAYG,yBAFuB;AAG3CC,IAAAA,eAAe,EAAEL,OAAO,CAACC,GAAR,CAAYK;AAHc,GAAvB,CAAtB;AAMA,SAAOT,aAAa,CACjBN,cADI,CACW;AAAEgB,IAAAA,QAAQ,EAAEf;AAAZ,GADX,EAEJgB,OAFI,GAGJC,IAHI,CAGC,UAAAC,OAAO,EAAI;AACf,QAAMC,MAAM,GAAGC,iBAAiB,CAACF,OAAD,CAAhC,CADe,CAGf;;AACA,QAAI,CAACjB,SAAL,EAAgB,OAAOkB,MAAP;AAEhB,QAAME,WAAW,GAAGF,MAAM,CAAClB,SAAD,CAA1B;;AAEA,QAAI,CAACoB,WAAL,EAAkB;AAChB,YAAM,IAAIjB,KAAJ,CAAU,iCAAV,CAAN;AACD;;AAED,WAAOiB,WAAP;AACD,GAhBI,EAiBJC,KAjBI,CAiBE,UAAAC,GAAG,EAAI;AACZ,UAAM,IAAInB,KAAJ,gCAAkCmB,GAAG,CAACC,IAAtC,eAA+CD,GAAG,CAACE,OAAnD,EAAN;AACD,GAnBI,CAAP;AAoBD;;AAED,SAASL,iBAAT,CAA2BF,OAA3B,EAAoC;AAClC,MAAMQ,YAAY,GAAGR,OAAO,CAACS,YAAR,IAAwB,EAA7C;AAEA,MAAMC,MAAM,GAAG/B,OAAO,CAACgC,IAAI,CAACC,KAAN,EAAaJ,YAAb,CAAtB;AAEA,SAAO5B,OAAO,CAAC8B,MAAD,CAAP,GAAkB,EAAlB,GAAuBA,MAA9B;AACD","sourcesContent":["import AWS from 'aws-sdk'\nimport { attempt, isError } from 'lodash'\n\nexport default function getSecretValue(secretId, secretKey) {\n  if (!secretId) {\n    return Promise.reject(\n      new Error(`Missing required param: secretId:${secretId}`)\n    )\n  }\n\n  // TODO: update these credentials to specific values for service\n  const secretsClient = new AWS.SecretsManager({\n    accessKeyId: process.env.AWS_KEY,\n    region: process.env.AWS_SECRET_MANAGER_REGION,\n    secretAccessKey: process.env.AWS_SECRET,\n  })\n\n  return secretsClient\n    .getSecretValue({ SecretId: secretId })\n    .promise()\n    .then(payload => {\n      const secret = parseSecretString(payload)\n\n      // Return early if secretKey isn't defined (we want the full set of key/values)\n      if (!secretKey) return secret\n\n      const secretValue = secret[secretKey]\n\n      if (!secretValue) {\n        throw new Error('Secret value could not be found')\n      }\n\n      return secretValue\n    })\n    .catch(err => {\n      throw new Error(`AWSSecretFetchError: ${err.code}, ${err.message}`)\n    })\n}\n\nfunction parseSecretString(payload) {\n  const secretString = payload.SecretString || ''\n\n  const parsed = attempt(JSON.parse, secretString)\n\n  return isError(parsed) ? {} : parsed\n}\n"],"file":"index.js"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lighthouse/common",
-  "version": "4.37.0-canary-4",
+  "version": "4.37.0-canary-5",
   "description": "",
   "main": "dist/index.js",
   "module": "lib/index.js",
@@ -38,9 +38,8 @@
   },
   "homepage": "https://github.com/Lighthouse-io/common#readme",
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.307.0",
-    "@aws-sdk/cloudfront-signer": "^3.307.0",
     "@lighthouse/abab": "^0.0.6",
+    "aws-sdk": "2.1361.0",
     "bluebird": "^3.7.2",
     "fetch-ponyfill": "^6.1.0",
     "lodash": "^4.17.15",