npm - @markwharton/pwa-core - Versions diffs - 3.4.2 → 3.5.0 - Mend

@markwharton/pwa-core 3.4.2 → 3.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/server.d.ts CHANGED Viewed

@@ -676,4 +676,31 @@ export declare function deleteExpiredSessions(): Promise<number>;
  * context.log(`Cleaned up ${deleted} expired magic links`);
  */
 export declare function deleteExpiredMagicLinks(): Promise<number>;
+/**
+ * Checks if any environment variables contain Key Vault references.
+ * Useful for skipping resolution in development environments.
+ * @returns True if any env vars match the @Microsoft.KeyVault pattern
+ * @example
+ * if (hasKeyVaultReferences()) {
+ *   await resolveKeyVaultReferences();
+ * }
+ */
+export declare function hasKeyVaultReferences(): boolean;
+/**
+ * Resolves all @Microsoft.KeyVault(SecretUri=...) references in process.env.
+ * Replaces env var values in-place with the resolved secret values.
+ * Uses DefaultAzureCredential for authentication (managed identity in Azure, az cli locally).
+ *
+ * Requires @azure/keyvault-secrets as a peer dependency.
+ *
+ * @returns Number of secrets resolved
+ * @throws Error if any secret resolution fails (fail-fast)
+ * @example
+ * // In sessionAuthInit.ts (before any other initialization):
+ * if (hasKeyVaultReferences()) {
+ *   const count = await resolveKeyVaultReferences();
+ *   console.log(`Resolved ${count} Key Vault secrets`);
+ * }
+ */
+export declare function resolveKeyVaultReferences(): Promise<number>;
 export { Result, ok, okVoid, err, getErrorMessage, BaseJwtPayload, UserTokenPayload, UsernameTokenPayload, RoleTokenPayload, hasUsername, hasRole, isAdmin, HTTP_STATUS, HttpStatus, ErrorResponse, SessionUser, SessionInfo, MagicLinkRequest, SessionAuthResponse } from './shared';

package/dist/server.js CHANGED Viewed

@@ -4,6 +4,39 @@
  *
  * Includes: JWT auth, API keys, HTTP responses, Azure Table Storage
  */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -66,6 +99,8 @@ exports.withSessionAuth = withSessionAuth;
 exports.withSessionAdminAuth = withSessionAdminAuth;
 exports.deleteExpiredSessions = deleteExpiredSessions;
 exports.deleteExpiredMagicLinks = deleteExpiredMagicLinks;
+exports.hasKeyVaultReferences = hasKeyVaultReferences;
+exports.resolveKeyVaultReferences = resolveKeyVaultReferences;
 const crypto_1 = require("crypto");
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const data_tables_1 = require("@azure/data-tables");
@@ -1290,6 +1325,113 @@ async function deleteExpiredMagicLinks() {
     return deleted;
 }
 // =============================================================================
+// Key Vault Secret Resolution
+// =============================================================================
+/**
+ * Pattern to match Azure Key Vault references in environment variables.
+ * Format: @Microsoft.KeyVault(SecretUri=https://{vault}.vault.azure.net/secrets/{name}[/{version}])
+ */
+const KEY_VAULT_PATTERN = /^@Microsoft\.KeyVault\(SecretUri=(.+)\)$/;
+/**
+ * Parses a Key Vault secret URI into vault URL, secret name, and optional version.
+ * @param secretUri - Full Key Vault secret URI
+ * @returns Parsed components or null if invalid
+ */
+function parseSecretUri(secretUri) {
+    try {
+        const url = new URL(secretUri);
+        const pathParts = url.pathname.split('/').filter(Boolean);
+        // Expected: /secrets/{name} or /secrets/{name}/{version}
+        if (pathParts.length < 2 || pathParts[0] !== 'secrets') {
+            return null;
+        }
+        return {
+            vaultUrl: `${url.protocol}//${url.host}`,
+            secretName: pathParts[1],
+            secretVersion: pathParts[2]
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Checks if any environment variables contain Key Vault references.
+ * Useful for skipping resolution in development environments.
+ * @returns True if any env vars match the @Microsoft.KeyVault pattern
+ * @example
+ * if (hasKeyVaultReferences()) {
+ *   await resolveKeyVaultReferences();
+ * }
+ */
+function hasKeyVaultReferences() {
+    for (const value of Object.values(process.env)) {
+        if (value && KEY_VAULT_PATTERN.test(value)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Resolves all @Microsoft.KeyVault(SecretUri=...) references in process.env.
+ * Replaces env var values in-place with the resolved secret values.
+ * Uses DefaultAzureCredential for authentication (managed identity in Azure, az cli locally).
+ *
+ * Requires @azure/keyvault-secrets as a peer dependency.
+ *
+ * @returns Number of secrets resolved
+ * @throws Error if any secret resolution fails (fail-fast)
+ * @example
+ * // In sessionAuthInit.ts (before any other initialization):
+ * if (hasKeyVaultReferences()) {
+ *   const count = await resolveKeyVaultReferences();
+ *   console.log(`Resolved ${count} Key Vault secrets`);
+ * }
+ */
+async function resolveKeyVaultReferences() {
+    // Dynamic import - only loaded when Key Vault references are present
+    const { SecretClient } = await Promise.resolve().then(() => __importStar(require('@azure/keyvault-secrets')));
+    // Group env vars by vault URL to reuse clients
+    const vaultSecrets = new Map();
+    for (const [key, value] of Object.entries(process.env)) {
+        if (!value)
+            continue;
+        const match = value.match(KEY_VAULT_PATTERN);
+        if (!match)
+            continue;
+        const parsed = parseSecretUri(match[1]);
+        if (!parsed) {
+            throw new Error(`Invalid Key Vault secret URI in ${key}: ${match[1]}`);
+        }
+        const existing = vaultSecrets.get(parsed.vaultUrl) ?? [];
+        existing.push({ envKey: key, secretName: parsed.secretName, secretVersion: parsed.secretVersion });
+        vaultSecrets.set(parsed.vaultUrl, existing);
+    }
+    if (vaultSecrets.size === 0) {
+        return 0;
+    }
+    const cred = getCredential();
+    let resolved = 0;
+    for (const [vaultUrl, secrets] of vaultSecrets) {
+        const client = new SecretClient(vaultUrl, cred);
+        for (const { envKey, secretName, secretVersion } of secrets) {
+            try {
+                const secret = await client.getSecret(secretName, secretVersion ? { version: secretVersion } : undefined);
+                if (!secret.value) {
+                    throw new Error(`Secret '${secretName}' in ${vaultUrl} has no value`);
+                }
+                process.env[envKey] = secret.value;
+                resolved++;
+            }
+            catch (error) {
+                const message = (0, shared_1.getErrorMessage)(error, 'Unknown error');
+                throw new Error(`Failed to resolve Key Vault secret '${secretName}' for ${envKey}: ${message}`);
+            }
+        }
+    }
+    return resolved;
+}
+// =============================================================================
 // Re-exports from shared (for convenience)
 // =============================================================================
 var shared_2 = require("./shared");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@markwharton/pwa-core",
-  "version": "3.4.2",
+  "version": "3.5.0",
   "description": "Shared patterns for Azure PWA projects",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -30,12 +30,19 @@
   "peerDependencies": {
     "@azure/data-tables": "^13.0.0",
     "@azure/identity": "^4.0.0",
+    "@azure/keyvault-secrets": "^4.0.0",
     "jsonwebtoken": "^9.0.0"
   },
+  "peerDependenciesMeta": {
+    "@azure/keyvault-secrets": {
+      "optional": true
+    }
+  },
   "devDependencies": {
     "@azure/data-tables": "^13.2.2",
     "@azure/functions": "^4.5.0",
     "@azure/identity": "^4.5.0",
+    "@azure/keyvault-secrets": "^4.10.0",
     "@types/jsonwebtoken": "^9.0.5",
     "@types/node": "^20.10.0",
     "jsonwebtoken": "^9.0.2",