@metaplay/metaplay-auth 1.1.5 → 1.1.7

package/src/auth.ts

@@ -20,7 +20,6 @@ const tokenEndpoint = `${baseURL}/oauth2/token`
 const wellknownApi = new WellknownApi(new Configuration({
   basePath: baseURL,
 }))
-const tokenList: string[] = ['id_token', 'access_token', 'refresh_token'] // List of compulsory tokens
 
 /**
  * A helper function which generates a code verifier and challenge for exchaning code from Ory server.
@@ -111,7 +110,9 @@ export async function loginAndSaveTokens () {
     try {
       logger.debug(`Received callback request with code ${code}. Preparing to exchange for tokens...`)
       const tokens = await getTokensWithAuthorizationCode(state, redirectUri, verifier, code)
-      await saveTokens(tokens)
+
+      // Only save access_token, id_token, and refresh_token
+      await saveTokens({ access_token: tokens.access_token, id_token: tokens.id_token, refresh_token: tokens.refresh_token })
 
       console.log('You are now logged in and can call the other commands.')
 
@@ -140,6 +141,40 @@ export async function loginAndSaveTokens () {
   void open(authorizationUrl)
 }
 
+export async function machineLoginAndSaveTokens (clientId: string, clientSecret: string) {
+  // Get a fresh access token from Metaplay Auth.
+  const params = new URLSearchParams()
+  params.set('grant_type', 'client_credentials')
+  params.set('client_id', clientId)
+  params.set('client_secret', clientSecret)
+  params.set('scope', 'openid email profile offline_access')
+
+  const res = await fetch(tokenEndpoint, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/x-www-form-urlencoded',
+    },
+    body: params.toString(),
+  })
+
+  // Return type checked manually by Teemu on 2024-3-7.
+  const tokens = await res.json() as { access_token: string, token_type: string, expires_in: number, scope: string }
+
+  logger.debug('Received machine authentication tokens, saving them for future use...')
+
+  await saveTokens({ access_token: tokens.access_token })
+
+  const userInfoResponse = await fetch('https://portal.metaplay.dev/api/external/userinfo', {
+    headers: {
+      Authorization: `Bearer ${tokens.access_token}`
+    },
+  })
+
+  const userInfo = await userInfoResponse.json() as { given_name: string, family_name: string }
+
+  console.log(`You are now logged in with machine user ${userInfo.given_name} ${userInfo.family_name} (clientId=${clientId}) and can execute the other commands.`)
+}
+
 /**
  * Refresh access and ID token with a refresh token.
  */
@@ -147,18 +182,22 @@ export async function extendCurrentSession (): Promise<void> {
   try {
     const tokens = await loadTokens()
 
-    logger.debug('Validating access token...')
+    logger.debug('Check if access token still valid...')
     if (await validateToken(tokens.access_token)) {
       // Access token is not expired, return to the caller
-      logger.debug('Access token is valid, return to the caller.')
+      logger.debug('Access token is valid, no need to refresh.')
       return
     }
 
-    logger.debug('Access token is no longer valid, trying to extend the current session with a refresh token.')
+    // Check that the refresh_token exists (machine users don't have it)
+    if (!tokens.refresh_token) {
+      throw new Error('Cannot refresh an access_token without a refresh_token. With machine users, should just login again instead.')
+    }
 
+    logger.debug('Access token is no longer valid, trying to extend the current session with a refresh token.')
     const refreshedTokens = await extendCurrentSessionWithRefreshToken(tokens.refresh_token)
 
-    await saveTokens(refreshedTokens)
+    await saveTokens({ access_token: refreshedTokens.access_token, id_token: refreshedTokens.id_token, refresh_token: refreshedTokens.refresh_token })
   } catch (error) {
     if (error instanceof Error) {
       console.error(error.message)
@@ -173,7 +212,7 @@ export async function extendCurrentSession (): Promise<void> {
  * @returns A promise that resolves to a new set of tokens.
  */
 async function extendCurrentSessionWithRefreshToken (refreshToken: string): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
-  // TODO: similiar to the todo task in getTokensWithAuthorizationCode, http request can be handled by ory/client.
+  // TODO: similar to the todo task in getTokensWithAuthorizationCode, http request can be handled by ory/client.
   const params = new URLSearchParams({
     grant_type: 'refresh_token',
     refresh_token: refreshToken,
@@ -218,7 +257,7 @@ async function extendCurrentSessionWithRefreshToken (refreshToken: string): Prom
  * @param code
  * @returns
  */
-async function getTokensWithAuthorizationCode (state: string, redirectUri: string, verifier: string, code: string): Promise<{ id_token: string, access_token: string, refresh_token: string } | {}> {
+async function getTokensWithAuthorizationCode (state: string, redirectUri: string, verifier: string, code: string): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
   // TODO: the authorication code exchange flow might be better to be handled by ory/client, could check if there's any useful toosl there.
   try {
     const response = await fetch(tokenEndpoint, {
@@ -234,29 +273,22 @@ async function getTokensWithAuthorizationCode (state: string, redirectUri: strin
     if (error instanceof Error) {
       logger.error(`Error exchanging code for tokens: ${error.message}`)
     }
-
-    return {}
+    throw error
   }
 }
 
 /**
  * Load tokens from the local secret store.
  */
-export async function loadTokens (): Promise<{ id_token: string, access_token: string, refresh_token: string }> {
+export async function loadTokens (): Promise<{ id_token?: string, access_token: string, refresh_token?: string }> {
   try {
-    const idToken = await getSecret('id_token')
-    const accessToken = await getSecret('access_token')
-    const refreshToken = await getSecret('refresh_token')
+    const tokens = await getSecret('tokens') as { id_token?: string, access_token: string, refresh_token?: string }
 
-    if (idToken == null || accessToken == null || refreshToken == null) {
-      throw new Error('Metaplay tokens not found. Are you logged in?')
+    if (!tokens) {
+      throw new Error('Unable to load tokens. You need to login first.')
     }
 
-    return {
-      id_token: idToken,
-      access_token: accessToken,
-      refresh_token: refreshToken
-    }
+    return tokens
   } catch (error) {
     if (error instanceof Error) {
       throw new Error(`Error loading tokens: ${error.message}`)
@@ -273,23 +305,18 @@ export async function saveTokens (tokens: Record<string, string>): Promise<void>
   try {
     logger.debug('Received new tokens, verifying...')
 
-    // Check if all tokens are present
-    for (const tokenName of tokenList) {
-      if (tokens[tokenName] === undefined) {
-        throw new Error(`Metaplay token ${tokenName} not found. Please log in again and make sure all checkboxes of permissions are selected before proceeding.`)
-      }
+    // All tokens must have an access_token (machine users only have it)
+    if (!tokens.access_token) {
+      throw new Error('Metaplay token has no access_token. Please log in again and make sure all checkboxes of permissions are selected before proceeding.')
     }
 
     logger.debug('Token verification completed, storing tokens...')
 
-    await setSecret('id_token', tokens.id_token)
-    await setSecret('access_token', tokens.access_token)
-    await setSecret('refresh_token', tokens.refresh_token)
+    await setSecret('tokens', tokens)
 
     logger.debug('Tokens successfully stored.')
 
     await showTokenInfo(tokens.access_token)
-    // await showTokenInfo(tokens.id_token)
   } catch (error) {
     if (error instanceof Error) {
       throw new Error(`Failed to save tokens: ${error.message}`)
@@ -303,12 +330,8 @@ export async function saveTokens (tokens: Record<string, string>): Promise<void>
  */
 export async function removeTokens (): Promise<void> {
   try {
-    await removeSecret('id_token')
-    logger.debug('Removed id_token.')
-    await removeSecret('access_token')
-    logger.debug('Removed access_token.')
-    await removeSecret('refresh_token')
-    logger.debug('Removed refresh_token.')
+    await removeSecret('tokens')
+    logger.debug('Removed tokens.')
   } catch (error) {
     if (error instanceof Error) {
       throw new Error(`Error removing tokens: ${error.message}`)

package/src/deployment.ts

@@ -0,0 +1,260 @@
+import { promises as fs, existsSync } from 'fs'
+import { KubeConfig, CoreV1Api, V1Pod } from '@kubernetes/client-node'
+import { logger } from './logging.js'
+import { error } from 'console'
+
+enum GameServerPodPhase {
+  Pending = 'Pending', // Still being deployed
+  Ready = 'Ready', // Successfully started and ready to accept traffic
+  Failed = 'Failed', // Failed to start
+  Unknown = 'Unknown', // Unknown status -- treat like Pending
+}
+
+interface GameServerPodStatus {
+  phase: GameServerPodPhase
+  message: string
+  details?: any
+}
+
+async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string) {
+  // Define label selector for gameserver
+  const labelSelector = 'app=metaplay-server'
+
+  try {
+    // Get gameserver pods in the namespace
+    const response = await k8sApi.listNamespacedPod(namespace, undefined, undefined, undefined, undefined, labelSelector)
+
+    // Return pod statuses
+    return response.body.items
+  } catch (error) {
+    // \todo Better error handling ..
+    console.log('Failed to fetch pods from Kubernetes:', error)
+    throw new Error('Failed to fetch pods from Kubernetes')
+  }
+}
+
+function resolvePodContainersConditions (pod: V1Pod): GameServerPodStatus {
+  const containerStatuses = pod.status?.containerStatuses
+  if (!containerStatuses || containerStatuses.length === 0) {
+    return { phase: GameServerPodPhase.Unknown, message: 'Unable to determine pod container statuses: pod.status.containerStatuses is empty' }
+  }
+
+  // Only one container allowed in the game server pod
+  if (containerStatuses.length !== 1) {
+    throw new Error(`Internal error: Expecting only one container in the game server pod, got ${containerStatuses.length}`)
+  }
+
+  // Handle missing container state
+  const containerStatus = containerStatuses[0]
+  console.log('Container status:', containerStatus)
+  const containerState = containerStatus.state
+  if (!containerState) {
+    return { phase: GameServerPodPhase.Unknown, message: 'Unable to get container state' }
+  }
+
+  // Check if container running & ready
+  const containerName = containerStatus.name
+  if (containerStatus.ready && containerState.running) {
+    return { phase: GameServerPodPhase.Ready, message: `Container ${containerName} is in ready phase and was started at ${containerState.running.startedAt}`, details: containerState.running }
+  }
+
+  // \note these may not be complete (or completely accurate)
+  const knownContainerFailureReasons = ['CrashLoopBackOff', 'Error', 'ImagePullBackOff', 'CreateContainerConfigError', 'OOMKilled', 'ContainerCannotRun', 'BackOff', 'InvalidImageName']
+  const knownContainerPendingReasons = ['Init', 'Pending', 'PodInitializing']
+
+  // Check if there's a previous terminated state (usually indicates a crash during server initialization)
+  const lastState = containerStatus.lastState
+  if (lastState) {
+    if (lastState.terminated) {
+      // Try to detecth why the previous launch failed
+      if (containerState.waiting) {
+        const reason = containerState.waiting.reason
+        if (knownContainerFailureReasons.includes(reason as string)) {
+          return { phase: GameServerPodPhase.Failed, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
+        } else if (knownContainerPendingReasons.includes(reason as string)) {
+          return { phase: GameServerPodPhase.Pending, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
+        } else {
+          return { phase: GameServerPodPhase.Unknown, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
+        }
+      } else if (containerState.running) {
+        // This happens when the container is still initializing
+        return { phase: GameServerPodPhase.Pending, message: `Container ${containerName} is in running state`, details: containerState.running }
+      } else if (containerState.terminated) {
+        return { phase: GameServerPodPhase.Failed, message: `Container ${containerName} is in terminated state`, details: containerState.terminated }
+      }
+
+      // Unable to determine launch failure reason, just return previous launch
+      return { phase: GameServerPodPhase.Failed, message: `Container ${containerName} previous launch failed with exitCode=${lastState.terminated.exitCode} and reason=${lastState.terminated.reason}`, details: lastState.terminated }
+    }
+
+    // \todo handle containerState.running states (including various initialization states)
+    // \todo handle containerState.terminated states (what do these even mean)
+  }
+
+  console.log('Game server pod container in unknown state:', containerState)
+  return { phase: GameServerPodPhase.Unknown, message: 'Container in unknown state', details: containerState }
+}
+
+function resolvePodStatusConditions (pod: V1Pod): GameServerPodStatus {
+  const conditions = pod.status?.conditions
+  if (!conditions || conditions.length === 0) {
+    return { phase: GameServerPodPhase.Unknown, message: 'Unable to determine pod status: pod.status.conditions is empty', details: pod.status }
+  }
+
+  // Bail if 'PodScheduled' is not yet true
+  const condPodScheduled = conditions.find(cond => cond.type === 'PodScheduled')
+  if (condPodScheduled?.status !== 'True') {
+    return { phase: GameServerPodPhase.Pending, message: `Pod has not yet been scheduled on a node: ${condPodScheduled?.message}`, details: condPodScheduled }
+  }
+
+  // Bail if 'Initialized' not is yet true
+  const condInitialized = conditions.find(cond => cond.type === 'Initialized')
+  if (condInitialized?.status !== 'True') {
+    return { phase: GameServerPodPhase.Pending, message: `Pod has not yet been initialized: ${condInitialized?.message}`, details: condInitialized }
+  }
+
+  // Bail if 'ContainersReady' is not yet true
+  const condContainersReady = conditions.find(cond => cond.type === 'ContainersReady')
+  if (condContainersReady?.status !== 'True') {
+    if (condContainersReady?.reason === 'ContainersNotReady') {
+      return resolvePodContainersConditions(pod)
+    }
+
+    return { phase: GameServerPodPhase.Pending, message: `Pod containers are not yet ready: ${condContainersReady?.message}`, details: condContainersReady }
+  }
+
+  // Bail if 'Ready' is not yet true
+  const condReady = conditions.find(cond => cond.type === 'Ready')
+  if (condReady?.status !== 'True') {
+    return { phase: GameServerPodPhase.Pending, message: `Pod is not yet ready: ${condReady?.message}`, details: condReady }
+  }
+
+  // resolvePodContainersConditions(pod) // DEBUG DEBUG enable to print container state for running pods
+  return { phase: GameServerPodPhase.Ready, message: 'Pod is ready to serve traffic' }
+}
+
+function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
+  // console.log('Pod.status:', JSON.stringify(pod.status, undefined, 2))
+
+  if (!pod.status) {
+    return { phase: GameServerPodPhase.Unknown, message: 'Unable to access pod.status from Kubernetes' }
+  }
+
+  // Handle status.phase
+  const podPhase = pod.status?.phase
+  switch (podPhase) {
+    case 'Pending':
+      // Pod not yet scheduled
+      return { phase: GameServerPodPhase.Pending, message: 'Pod is still in Pending phase' }
+
+    case 'Running':
+      // Pod has been scheduled and start -- note that the containers may have failed!
+      return resolvePodStatusConditions(pod)
+
+    case 'Succeeded': // Should not happen, the game server pods should never stop
+    case 'Failed': // Should not happen, the game server pods should never stop
+    case 'Unknown':
+    default:
+      return { phase: GameServerPodPhase.Unknown, message: `Invalid pod.status.phase: ${podPhase}` }
+  }
+}
+
+async function fetchPodLogs (k8sApi: CoreV1Api, pod: V1Pod) {
+  console.log('Fetching logs for pod..')
+  const podName = pod.metadata?.name
+  const namespace = pod.metadata?.namespace
+  const containerName = pod.spec?.containers[0].name // \todo Handle multiple containers?
+  if (!podName || !namespace || !containerName) {
+    throw new Error('Unable to determine pod metadata')
+  }
+
+  const pretty = 'True'
+  const previous = false
+  const tailLines = 100
+  const timestamps = true
+  try {
+    const response = await k8sApi.readNamespacedPodLog(podName, namespace, containerName, undefined, undefined, undefined, pretty, previous, undefined, tailLines, timestamps)
+    return response.body
+  } catch (error) {
+    // \todo Better error handling ..
+    console.log('Failed to fetch pod logs from Kubernetes:', error)
+    throw new Error('Failed to fetch pod logs from Kubernetes')
+  }
+}
+
+async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod) {
+  // console.log('Pod:', JSON.stringify(pod, undefined, 2))
+
+  // Classify game server status
+  const podStatus = resolvePodStatus(pod)
+
+  // If game server launch failed, get the error logs
+  if (podStatus.phase === GameServerPodPhase.Failed) {
+    const logs = await fetchPodLogs(k8sApi, pod)
+    console.log('Pod logs:\n' + logs)
+  }
+
+  console.log(`Pod ${pod.metadata?.name} status:`, podStatus)
+  return podStatus
+}
+
+async function delay (ms: number): Promise<void> {
+  return await new Promise<void>(resolve => setTimeout(resolve, ms))
+}
+
+export async function checkGameServerDeployment (namespace: string): Promise<number> {
+  logger.info(`Validating game server deployment in namespace ${namespace}`)
+
+  // Check that the KUBECONFIG environment variable exists
+  const kubeconfigPath = process.env.KUBECONFIG
+  if (!kubeconfigPath) {
+    throw new Error('The KUBECONFIG environment variable must be specified')
+  }
+
+  // Check that the kubeconfig file exists
+  if (!await existsSync(kubeconfigPath)) {
+    throw new Error(`The environment variable KUBECONFIG points to a file '${kubeconfigPath}' that doesn't exist`)
+  }
+
+  // Create Kubernetes API instance (with default kubeconfig)
+  const kc = new KubeConfig()
+  kc.loadFromFile(kubeconfigPath)
+  const k8sApi = kc.makeApiClient(CoreV1Api)
+
+  // Figure out when to stop
+  const startTime = Date.now()
+  const timeoutAt = startTime + 1 * 60 * 1000 // 5min
+
+  while (true) {
+    // Check pod states
+    const pods = await fetchGameServerPods(k8sApi, namespace)
+    const podStatus = await checkGameServerPod(k8sApi, pods[0]) // \todo Handle all pods
+
+    switch (podStatus.phase) {
+      case GameServerPodPhase.Ready:
+        console.log('Gameserver successfully started')
+        // \todo add further readiness checks -- ping endpoint, ping dashboard, other checks?
+        return 0
+
+      case GameServerPodPhase.Failed:
+        console.log('Gameserver failed to start')
+        return 1
+
+      case GameServerPodPhase.Pending:
+        console.log('Gameserver still starting')
+        break
+
+      case GameServerPodPhase.Unknown:
+      default:
+        console.log('Gameserver in unknown state')
+        break
+    }
+
+    if (Date.now() >= timeoutAt) {
+      logger.error('Timeout while waiting for gameserver to initialize')
+      return 124 // timeout
+    }
+
+    await delay(1000)
+  }
+}

package/src/index.ts

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 import { Command } from 'commander'
-import { loginAndSaveTokens, extendCurrentSession, loadTokens, removeTokens } from './auth.js'
+import { loginAndSaveTokens, machineLoginAndSaveTokens, extendCurrentSession, loadTokens, removeTokens } from './auth.js'
 import { StackAPI } from './stackapi.js'
+import { checkGameServerDeployment } from './deployment.js'
 import { setLogLevel } from './logging.js'
 import { exit } from 'process'
 
@@ -10,7 +11,7 @@ const program = new Command()
 program
   .name('metaplay-auth')
   .description('Authenticate with Metaplay and get AWS and Kubernetes credentials for game servers.')
-  .version('1.1.5')
+  .version('1.1.7')
   .option('-d, --debug', 'enable debug output')
   .hook('preAction', (thisCommand) => {
     // Handle debug flag for all commands.
@@ -28,6 +29,34 @@ program.command('login')
     await loginAndSaveTokens()
   })
 
+program.command('machine-login')
+  .description('login to the Metaplay cloud using a machine account (using credentials in environment variable METAPLAY_CREDENTIALS)')
+  .option('--dev-credentials', 'machine user credentials to use, only for dev purposes, use METAPLAY_CREDENTIALS env variable for better safety!')
+  .action(async (options) => {
+    // Get credentials from command line or from METAPLAY_CREDENTIALS environment variable
+    let credentials
+    if (options.devCredentials) {
+      credentials = options.devCredentials
+    } else {
+      credentials = process.env.METAPLAY_CREDENTIALS
+      if (!credentials || credentials === '') {
+        throw new Error('Unable to find the credentials, the environment variable METAPLAY_CREDENTIALS is not defined!')
+      }
+    }
+
+    // Parse the clientId and clientSecret from the credentials (separate by a '+' character)
+    // \note We can't be certain that the secret does not contain pluses so split at the first occurrence
+    const splitOffset = credentials.indexOf('+')
+    if (splitOffset === -1) {
+      throw new Error('Invalid format for credentials, you should copy-paste the value from the developer portal verbatim')
+    }
+    const clientId = credentials.substring(0, splitOffset)
+    const clientSecret = credentials.substring(splitOffset + 1)
+
+    // Login with machine user and save the tokens
+    await machineLoginAndSaveTokens(clientId, clientSecret)
+  })
+
 program.command('logout')
   .description('log out of your Metaplay account')
   .action(async () => {
@@ -50,7 +79,7 @@ program.command('show-tokens')
   .hook('preAction', async () => {
     await extendCurrentSession()
   })
-  .action(async () => {
+  .action(async (options) => {
     try {
       // TODO: Could detect if not logged in and fail more gracefully?
       const tokens = await loadTokens()
@@ -81,7 +110,7 @@ program.command('get-kubeconfig')
         throw new Error('Could not determine a deployment to fetch the KubeConfigs from. You need to specify either a gameserver or an organization, project, and environment')
       }
 
-      const stackApi = new StackAPI(tokens.id_token, tokens.access_token)
+      const stackApi = new StackAPI(tokens.access_token)
       if (options.stackApi) {
         stackApi.stack_api_base_uri = options.stackApi
       }
@@ -121,7 +150,7 @@ program.command('get-aws-credentials')
         throw new Error('Could not determine a deployment to fetch the AWS credentials from. You need to specify either a gameserver or an organization, project, and environment')
       }
 
-      const stackApi = new StackAPI(tokens.id_token, tokens.access_token)
+      const stackApi = new StackAPI(tokens.access_token)
       if (options.stackApi) {
         stackApi.stack_api_base_uri = options.stackApi
       }
@@ -166,7 +195,7 @@ program.command('get-environment')
         throw new Error('Could not determine a deployment to fetch environment details from. You need to specify either a gameserver or an organization, project, and environment')
       }
 
-      const stackApi = new StackAPI(tokens.id_token, tokens.access_token)
+      const stackApi = new StackAPI(tokens.access_token)
       if (options.stackApi) {
         stackApi.stack_api_base_uri = options.stackApi
       }
@@ -183,4 +212,24 @@ program.command('get-environment')
     }
   })
 
+program.command('check-deployment')
+  .description('[experimental] check that a game server was successfully deployed, or print out useful error messages in case of failure')
+  .argument('[namespace]', 'kubernetes namespace of the deployment')
+  .action(async (namespace: string) => {
+    setLogLevel(0)
+
+    try {
+      if (!namespace) {
+        throw new Error('Must specify value for argument "namespace"')
+      }
+
+      // Run the checks and exit with success/failure exitCode depending on result
+      const exitCode = await checkGameServerDeployment(namespace)
+      exit(exitCode)
+    } catch (error) {
+      console.error(`Failed to check deployment status: ${error}`)
+      exit(1)
+    }
+  })
+
 void program.parseAsync()

package/src/secret_store.ts

@@ -65,7 +65,7 @@ function decrypt (text: string): string {
   return decrypted.toString()
 }
 
-export async function setSecret (key: string, value: string): Promise<void> {
+export async function setSecret (key: string, value: any): Promise<void> {
   logger.debug(`Setting secret ${key}...`)
 
   const secrets = await loadSecrets()
@@ -75,7 +75,7 @@ export async function setSecret (key: string, value: string): Promise<void> {
   await fs.writeFile(filePath, content)
 }
 
-export async function getSecret (key: string): Promise<string | null> {
+export async function getSecret (key: string): Promise<any | undefined> {
   logger.debug(`Getting secret ${key}...`)
 
   const secrets = await loadSecrets()

package/src/stackapi.ts

@@ -16,21 +16,16 @@ interface GameserverId {
 }
 
 export class StackAPI {
-  private readonly id_token: string
-  private readonly access_token: string
+  private readonly accessToken: string
 
   private _stack_api_base_uri: string
 
-  constructor (idToken: string | null, accessToken: string | null) {
-    if (idToken == null) {
-      throw new Error('id_token is missing')
-    }
+  constructor (accessToken: string) {
     if (accessToken == null) {
-      throw new Error('access_token is missing')
+      throw new Error('accessToken must be provided')
     }
 
-    this.id_token = idToken
-    this.access_token = accessToken
+    this.accessToken = accessToken
     this._stack_api_base_uri = 'https://infra.p1.metaplay.io/stackapi'
   }
 
@@ -62,13 +57,13 @@ export class StackAPI {
     const response = await fetch(url, {
       method: 'POST',
       headers: {
-        Authorization: `Bearer ${this.id_token}`,
+        Authorization: `Bearer ${this.accessToken}`,
         'Content-Type': 'application/json'
       }
     })
 
     if (response.status !== 200) {
-      throw new Error(`Failed to fetch AWS credetials: ${response.statusText}`)
+      throw new Error(`Failed to fetch AWS credentials: ${response.statusText}, response code=${response.status}`)
     }
 
     return await response.json()
@@ -94,7 +89,7 @@ export class StackAPI {
     const response = await fetch(url, {
       method: 'POST',
       headers: {
-        Authorization: `Bearer ${this.id_token}`,
+        Authorization: `Bearer ${this.accessToken}`,
         'Content-Type': 'application/json'
       }
     })
@@ -125,7 +120,7 @@ export class StackAPI {
     const response = await fetch(url, {
       method: 'GET',
       headers: {
-        Authorization: `Bearer ${this.id_token}`,
+        Authorization: `Bearer ${this.accessToken}`,
         'Content-Type': 'application/json'
       }
     })