@omen.foundation/node-microservice-runtime 0.1.65 → 0.1.68

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@omen.foundation/node-microservice-runtime",
-  "version": "0.1.65",
+  "version": "0.1.68",
   "description": "Beamable microservice runtime for Node.js/TypeScript services.",
   "type": "module",
   "main": "dist/index.js",
@@ -14,6 +14,10 @@
   "bin": {
     "beamo-node": "./dist/cli/index.js"
   },
+  "files": [
+    "dist",
+    "scripts"
+  ],
   "scripts": {
     "clean": "rimraf dist dist-cjs",
     "build": "npm run clean && tsc -p tsconfig.build.json",

package/scripts/deprecate-all-versions.js

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+/**
+ * Script to deprecate all old versions that contain .env files
+ * 
+ * Usage: node scripts/deprecate-all-versions.js
+ * 
+ * This will deprecate all versions from 0.1.0 to 0.1.66
+ * You cannot unpublish packages older than 72 hours, so deprecation is the alternative
+ */
+
+import { execSync } from 'child_process';
+
+const PACKAGE_NAME = '@omen.foundation/node-microservice-runtime';
+const DEPRECATE_MESSAGE = 'Security: This version contains exposed credentials. Use version 0.1.67 or later.';
+
+// All versions that need to be deprecated
+const VERSIONS = [
+  '0.1.0', '0.1.1', '0.1.2', '0.1.3', '0.1.4', '0.1.5', '0.1.6', '0.1.7', '0.1.8', '0.1.9',
+  '0.1.10', '0.1.11', '0.1.12', '0.1.13', '0.1.14', '0.1.15', '0.1.16', '0.1.17', '0.1.18', '0.1.19',
+  '0.1.20', '0.1.21', '0.1.22', '0.1.23', '0.1.24', '0.1.25', '0.1.26', '0.1.27', '0.1.28', '0.1.29',
+  '0.1.30', '0.1.31', '0.1.32', '0.1.33', '0.1.34', '0.1.35', '0.1.36', '0.1.37', '0.1.38', '0.1.39',
+  '0.1.40', '0.1.41', '0.1.42', '0.1.43', '0.1.44', '0.1.45', '0.1.46', '0.1.47', '0.1.48', '0.1.49',
+  '0.1.50', '0.1.51', '0.1.52', '0.1.53', '0.1.54', '0.1.55', '0.1.56', '0.1.57', '0.1.58', '0.1.59',
+  '0.1.60', '0.1.61', '0.1.62', '0.1.63', '0.1.64', '0.1.65', '0.1.66'
+];
+
+console.log(`\n🚨 Deprecating ${VERSIONS.length} versions of ${PACKAGE_NAME}\n`);
+console.log(`Message: "${DEPRECATE_MESSAGE}"\n`);
+
+let successCount = 0;
+let failCount = 0;
+const failedVersions = [];
+
+for (const version of VERSIONS) {
+  const fullPackageName = `${PACKAGE_NAME}@${version}`;
+  
+  try {
+    console.log(`Deprecating ${fullPackageName}...`);
+    
+    // Escape the message for shell
+    const escapedMessage = DEPRECATE_MESSAGE.replace(/'/g, "\\'").replace(/"/g, '\\"');
+    const command = `npm deprecate "${fullPackageName}" "${escapedMessage}"`;
+    
+    execSync(command, { stdio: 'inherit' });
+    
+    console.log(`✅ Deprecated ${version}\n`);
+    successCount++;
+    
+    // Small delay to avoid rate limiting
+    if (successCount % 10 === 0) {
+      console.log('Pausing for 2 seconds to avoid rate limiting...\n');
+      await new Promise(resolve => setTimeout(resolve, 2000));
+    }
+  } catch (error) {
+    console.error(`❌ Failed to deprecate ${version}: ${error.message}\n`);
+    failCount++;
+    failedVersions.push(version);
+  }
+}
+
+console.log(`\n=== Summary ===`);
+console.log(`✅ Successfully deprecated: ${successCount} versions`);
+console.log(`❌ Failed: ${failCount} versions`);
+
+if (failedVersions.length > 0) {
+  console.log(`\nFailed versions:`);
+  failedVersions.forEach(v => console.log(`  - ${v}`));
+  console.log(`\nYou may need to deprecate these manually or they may already be deprecated.`);
+}
+
+console.log(`\n⚠️  Important: Rotate your Beamable SECRET immediately!`);
+console.log(`   All these versions contained exposed credentials.`);

package/.env

@@ -1,13 +0,0 @@
-# Beamable credentials
-CID=1890069218625633
-PID=DE_1934633364747296
-HOST=wss://api.beamable.com/socket
-SECRET=6a24a8a1-f9f1-4e4a-b487-a446896f9b9f
-# Alternatively, you can use a refresh token instead of SECRET
-# REFRESH_TOKEN=
-
-# Optional developer settings
-NAME_PREFIX=
-LOG_LEVEL=info
-WATCH_TOKEN=false
-BEAM_INSTANCE_COUNT=1

package/env.sample

@@ -1,13 +0,0 @@
-# Beamable credentials
-CID=1890069218625633
-PID=DE_1934633364747296
-HOST=wss://portal.beamable.com/socket
-SECRET=6a24a8a1-f9f1-4e4a-b487-a446896f9b9f
-# Alternatively, you can use a refresh token instead of SECRET
-# REFRESH_TOKEN=
-
-# Optional developer settings
-NAME_PREFIX=
-LOG_LEVEL=info
-WATCH_TOKEN=false
-BEAM_INSTANCE_COUNT=1

package/src/auth.ts

@@ -1,117 +0,0 @@
-import { createHash } from 'node:crypto';
-import { URL } from 'node:url';
-import type { EnvironmentConfig } from './types.js';
-import type { GatewayRequester } from './requester.js';
-import { AuthenticationError } from './errors.js';
-
-interface NonceResponse {
-  nonce: string;
-}
-
-interface AuthResponse {
-  result: string;
-}
-
-interface TokenResponse {
-  access_token?: string;
-  error?: string;
-}
-
-export class AuthManager {
-  private readonly env: EnvironmentConfig;
-  private readonly requester: GatewayRequester;
-
-  constructor(env: EnvironmentConfig, requester: GatewayRequester) {
-    this.env = env;
-    this.requester = requester;
-  }
-
-  async authenticate(): Promise<void> {
-    if (this.env.secret) {
-      await this.authenticateWithRealmSecret();
-      return;
-    }
-    if (this.env.refreshToken) {
-      await this.authenticateWithRefreshToken();
-      return;
-    }
-    throw new AuthenticationError('Neither SECRET nor REFRESH_TOKEN is configured.');
-  }
-
-  private async authenticateWithRealmSecret(): Promise<void> {
-    const nonce = await this.requester.request<NonceResponse>('get', 'gateway/nonce');
-    if (!nonce?.nonce) {
-      throw new AuthenticationError('Gateway did not provide a nonce for authentication.');
-    }
-    const signature = this.calculateRealmSignature(this.env.secret ?? '', nonce.nonce);
-    const body = {
-      cid: this.env.cid,
-      pid: this.env.pid,
-      signature,
-    };
-    const response = await this.requester.request<AuthResponse>('post', 'gateway/auth', body);
-    if (!response || response.result !== 'ok') {
-      throw new AuthenticationError(`Realm secret authentication failed with result=${response?.result ?? 'unknown'}.`);
-    }
-  }
-
-  private async authenticateWithRefreshToken(): Promise<void> {
-    const accessToken = await this.exchangeRefreshToken();
-    const body = {
-      cid: this.env.cid,
-      pid: this.env.pid,
-      token: accessToken,
-    };
-    const response = await this.requester.request<AuthResponse>('post', 'gateway/auth', body);
-    if (!response || response.result !== 'ok') {
-      throw new AuthenticationError(`Refresh-token authentication failed with result=${response?.result ?? 'unknown'}.`);
-    }
-  }
-
-  private calculateRealmSignature(secret: string, nonce: string): string {
-    const hash = createHash('md5');
-    hash.update(secret + nonce, 'utf8');
-    return hash.digest('base64');
-  }
-
-  private async exchangeRefreshToken(): Promise<string> {
-    if (!this.env.refreshToken) {
-      throw new AuthenticationError('REFRESH_TOKEN missing.');
-    }
-    const baseUrl = this.hostToHttpUrl();
-    const tokenUrl = new URL('/basic/auth/token', baseUrl).toString();
-    const response = await fetch(tokenUrl, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        Accept: 'application/json',
-        'beam-scope': `${this.env.cid}.${this.env.pid}`,
-      },
-      body: JSON.stringify({
-        grant_type: 'refresh_token',
-        refresh_token: this.env.refreshToken,
-      }),
-    });
-
-    if (!response.ok) {
-      throw new AuthenticationError(`Failed to retrieve access token. status=${response.status}`);
-    }
-
-    const payload = (await response.json()) as TokenResponse;
-    if (!payload.access_token) {
-      throw new AuthenticationError(`Refresh-token exchange failed: ${payload.error ?? 'unknown error'}`);
-    }
-    return payload.access_token;
-  }
-
-  private hostToHttpUrl(): string {
-    const host = this.env.host.replace(/\/socket$/, '');
-    if (host.startsWith('wss://')) {
-      return `https://${host.substring('wss://'.length)}`;
-    }
-    if (host.startsWith('ws://')) {
-      return `http://${host.substring('ws://'.length)}`;
-    }
-    return host;
-  }
-}