@platformatic/kafka 1.11.0 → 1.13.0

package/README.md

@@ -281,7 +281,7 @@ Many of the methods accept the same options as the client's constructors. The co
 
 ## Requirements
 
-Node.js LTS versions: 
+Node.js LTS versions:
 
 - `20.19.4` or above
 - `22.18.0` or above
@@ -301,7 +301,7 @@ Edit .env file as needed, enabling or not `JAVA_OPTIONS`
 Start Kafka cluster locally
 
 ```bash
-docker compose -f compose-local.yml up -d
+docker compose -f compose.yml up -d
 ```
 
 ## License

package/dist/clients/base/base.d.ts

@@ -24,7 +24,6 @@ export declare const kListApis: unique symbol;
 export declare const kMetadata: unique symbol;
 export declare const kCheckNotClosed: unique symbol;
 export declare const kClearMetadata: unique symbol;
-export declare const kParseBroker: unique symbol;
 export declare const kPerformWithRetry: unique symbol;
 export declare const kPerformDeduplicated: unique symbol;
 export declare const kValidateOptions: unique symbol;
@@ -65,7 +64,6 @@ export declare class Base<OptionsType extends BaseOptions = BaseOptions> extends
     [kMetadata](options: MetadataOptions, callback: CallbackWithPromise<ClusterMetadata>): void;
     [kCheckNotClosed](callback: CallbackWithPromise<any>): boolean;
     [kClearMetadata](): void;
-    [kParseBroker](broker: Broker | string): Broker;
     [kPerformWithRetry]<ReturnType>(operationId: string, operation: (callback: Callback<ReturnType>) => void, callback: CallbackWithPromise<ReturnType>, attempt?: number, errors?: Error[], shouldSkipRetry?: (e: Error) => boolean): void | Promise<ReturnType>;
     [kPerformDeduplicated]<ReturnType>(operationId: string, operation: (callback: CallbackWithPromise<ReturnType>) => void, callback: CallbackWithPromise<ReturnType>): void | Promise<ReturnType>;
     [kGetApi]<RequestArguments extends Array<unknown>, ResponseType>(name: string, callback: Callback<API<RequestArguments, ResponseType>>): void;

package/dist/clients/base/base.js

@@ -5,6 +5,7 @@ import { api as apiVersionsV3 } from "../../apis/metadata/api-versions-v3.js";
 import { baseApisChannel, baseMetadataChannel, createDiagnosticContext, notifyCreation } from "../../diagnostic.js";
 import { MultipleErrors, NetworkError, UnsupportedApiError, UserError } from "../../errors.js";
 import { ConnectionPool } from "../../network/connection-pool.js";
+import { parseBroker } from "../../network/utils.js";
 import { kInstance } from "../../symbols.js";
 import { ajv, debugDump, loggers } from "../../utils.js";
 import { baseOptionsValidator, clientSoftwareName, clientSoftwareVersion, defaultBaseOptions, defaultPort, metadataOptionsValidator } from "./options.js";
@@ -23,7 +24,6 @@ export const kListApis = Symbol('plt.kafka.base.listApis');
 export const kMetadata = Symbol('plt.kafka.base.metadata');
 export const kCheckNotClosed = Symbol('plt.kafka.base.checkNotClosed');
 export const kClearMetadata = Symbol('plt.kafka.base.clearMetadata');
-export const kParseBroker = Symbol('plt.kafka.base.parseBroker');
 export const kPerformWithRetry = Symbol('plt.kafka.base.performWithRetry');
 export const kPerformDeduplicated = Symbol('plt.kafka.base.performDeduplicated');
 export const kValidateOptions = Symbol('plt.kafka.base.validateOptions');
@@ -63,7 +63,7 @@ export class Base extends EventEmitter {
         // Initialize bootstrap brokers
         this[kBootstrapBrokers] = [];
         for (const broker of options.bootstrapBrokers) {
-            this[kBootstrapBrokers].push(this[kParseBroker](broker));
+            this[kBootstrapBrokers].push(parseBroker(broker, defaultPort));
         }
         // Initialize main connection pool
         this[kConnections] = this[kCreateConnectionPool]();
@@ -177,7 +177,15 @@ export class Base extends EventEmitter {
             ownerId: this[kInstance],
             ...this[kOptions]
         });
-        this.#forwardEvents(pool, ['connect', 'disconnect', 'failed', 'drain', 'sasl:handshake', 'sasl:authentication']);
+        this.#forwardEvents(pool, [
+            'connect',
+            'disconnect',
+            'failed',
+            'drain',
+            'sasl:handshake',
+            'sasl:authentication',
+            'sasl:authentication:extended'
+        ]);
         return pool;
     }
     [kListApis](callback) {
@@ -216,7 +224,7 @@ export class Base extends EventEmitter {
             }
         }
         // All topics are already up-to-date, simply return them
-        if (this.#metadata && !topicsToFetch.length) {
+        if (this.#metadata && !topicsToFetch.length && !options.forceUpdate) {
             callback(null, {
                 ...this.#metadata,
                 topics: new Map(options.topics.map(topic => [topic, this.#metadata.topics.get(topic)]))
@@ -306,18 +314,6 @@ export class Base extends EventEmitter {
     [kClearMetadata]() {
         this.#metadata = undefined;
     }
-    [kParseBroker](broker) {
-        if (typeof broker === 'string') {
-            if (broker.includes(':')) {
-                const [host, port] = broker.split(':');
-                return { host, port: Number(port) };
-            }
-            else {
-                return { host: broker, port: defaultPort };
-            }
-        }
-        return broker;
-    }
     [kPerformWithRetry](operationId, operation, callback, attempt = 0, errors = [], shouldSkipRetry) {
         const retries = this[kOptions].retries;
         this.emitWithDebug('client', 'performWithRetry', operationId, attempt, retries);

package/dist/clients/base/index.d.ts

@@ -1,3 +1,3 @@
-export { Base, kCheckNotClosed, kClearMetadata, kGetApi, kGetBootstrapConnection, kGetConnection, kListApis, kMetadata, kOptions, kParseBroker, kPerformDeduplicated, kPerformWithRetry, kValidateOptions } from './base.ts';
+export { Base, kCheckNotClosed, kClearMetadata, kGetApi, kGetBootstrapConnection, kGetConnection, kListApis, kMetadata, kOptions, kPerformDeduplicated, kPerformWithRetry, kValidateOptions } from './base.ts';
 export * from './options.ts';
 export * from './types.ts';

package/dist/clients/base/index.js

@@ -1,3 +1,3 @@
-export { Base, kCheckNotClosed, kClearMetadata, kGetApi, kGetBootstrapConnection, kGetConnection, kListApis, kMetadata, kOptions, kParseBroker, kPerformDeduplicated, kPerformWithRetry, kValidateOptions } from "./base.js";
+export { Base, kCheckNotClosed, kClearMetadata, kGetApi, kGetBootstrapConnection, kGetConnection, kListApis, kMetadata, kOptions, kPerformDeduplicated, kPerformWithRetry, kValidateOptions } from "./base.js";
 export * from "./options.js";
 export * from "./types.js";

package/dist/clients/base/options.d.ts

@@ -91,13 +91,34 @@ export declare const baseOptionsSchema: {
                     enum: readonly ["PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512", "OAUTHBEARER"];
                 };
                 username: {
-                    type: string;
+                    oneOf: ({
+                        type: string;
+                        function?: undefined;
+                    } | {
+                        function: boolean;
+                        type?: undefined;
+                    })[];
                 };
                 password: {
-                    type: string;
+                    oneOf: ({
+                        type: string;
+                        function?: undefined;
+                    } | {
+                        function: boolean;
+                        type?: undefined;
+                    })[];
                 };
                 token: {
-                    type: string;
+                    oneOf: ({
+                        type: string;
+                        function?: undefined;
+                    } | {
+                        function: boolean;
+                        type?: undefined;
+                    })[];
+                };
+                authBytesValidator: {
+                    function: boolean;
                 };
             };
             required: string[];

package/dist/clients/base/options.js

@@ -37,9 +37,10 @@ export const baseOptionsSchema = {
             type: 'object',
             properties: {
                 mechanism: { type: 'string', enum: SASLMechanisms },
-                username: { type: 'string' },
-                password: { type: 'string' },
-                token: { type: 'string' }
+                username: { oneOf: [{ type: 'string' }, { function: true }] },
+                password: { oneOf: [{ type: 'string' }, { function: true }] },
+                token: { oneOf: [{ type: 'string' }, { function: true }] },
+                authBytesValidator: { function: true }
             },
             required: ['mechanism'],
             additionalProperties: false

package/dist/clients/producer/types.d.ts

@@ -1,4 +1,4 @@
-import { type CompressionAlgorithms } from '../../protocol/compression.ts';
+import { type CompressionAlgorithmValue } from '../../protocol/compression.ts';
 import { type MessageToProduce } from '../../protocol/records.ts';
 import { type BaseOptions, type TopicWithPartitionAndOffset } from '../base/types.ts';
 import { type Serializers } from '../serde.ts';
@@ -16,7 +16,7 @@ export interface ProduceOptions<Key, Value, HeaderKey, HeaderValue> {
     producerEpoch?: number;
     idempotent?: boolean;
     acks?: number;
-    compression?: CompressionAlgorithms;
+    compression?: CompressionAlgorithmValue;
     partitioner?: Partitioner<Key, Value, HeaderKey, HeaderValue>;
     autocreateTopics?: boolean;
     repeatOnStaleMetadata?: boolean;

package/dist/network/connection-pool.js

@@ -114,6 +114,9 @@ export class ConnectionPool extends EventEmitter {
         connection.on('sasl:authentication', authentication => {
             this.emit('sasl:authentication', { ...eventPayload, authentication });
         });
+        connection.on('sasl:authentication:extended', authentication => {
+            this.emit('sasl:authentication:extended', { ...eventPayload, authentication });
+        });
         // Remove stale connections from the pool
         connection.once('close', () => {
             this.emit('disconnect', eventPayload);

package/dist/network/connection.d.ts

@@ -5,15 +5,17 @@ import { type CallbackWithPromise } from '../apis/callbacks.ts';
 import { type Callback, type ResponseParser } from '../apis/definitions.ts';
 import { type SASLMechanism } from '../apis/enumerations.ts';
 import { Writer } from '../protocol/writer.ts';
+export type SASLCredentialProvider = () => string | Promise<string>;
 export interface Broker {
     host: string;
     port: number;
 }
 export interface SASLOptions {
     mechanism: SASLMechanism;
-    username?: string;
-    password?: string;
-    token?: string;
+    username?: string | SASLCredentialProvider;
+    password?: string | SASLCredentialProvider;
+    token?: string | SASLCredentialProvider;
+    authBytesValidator?: (authBytes: Buffer, callback: CallbackWithPromise<Buffer>) => void;
 }
 export interface ConnectionOptions {
     connectTimeout?: number;

package/dist/network/connection.js

@@ -47,6 +47,7 @@ export class Connection extends EventEmitter {
     #responseReader;
     #socket;
     #socketMustBeDrained;
+    #reauthenticationTimeout;
     constructor(clientId, options = {}) {
         super();
         this.setMaxListeners(0);
@@ -178,6 +179,7 @@ export class Connection extends EventEmitter {
         if (!callback) {
             callback = createPromisifiedCallback();
         }
+        clearInterval(this.#reauthenticationTimeout);
         if (this.#status === ConnectionStatuses.CLOSED ||
             this.#status === ConnectionStatuses.ERROR ||
             this.#status === ConnectionStatuses.NONE) {
@@ -231,7 +233,9 @@ export class Connection extends EventEmitter {
         }, callback);
     }
     #authenticate(host, port, diagnosticContext) {
-        this.#status = ConnectionStatuses.AUTHENTICATING;
+        if (this.#status === ConnectionStatuses.CONNECTING) {
+            this.#status = ConnectionStatuses.AUTHENTICATING;
+        }
         const { mechanism, username, password, token } = this.#options.sasl;
         if (!SASLMechanisms.includes(mechanism)) {
             this.#onConnectionError(host, port, diagnosticContext, new UserError(`SASL mechanism ${mechanism} not supported.`));
@@ -243,14 +247,15 @@ export class Connection extends EventEmitter {
                 return;
             }
             this.emit('sasl:handshake', response.mechanisms);
+            const callback = this.#onSaslAuthenticate.bind(this, host, port, diagnosticContext);
             if (mechanism === 'PLAIN') {
-                saslPlain.authenticate(saslAuthenticateV2.api, this, username, password, this.#onSaslAuthenticate.bind(this, host, port, diagnosticContext));
+                saslPlain.authenticate(saslAuthenticateV2.api, this, username, password, callback);
             }
             else if (mechanism === 'OAUTHBEARER') {
-                saslOAuthBearer.authenticate(saslAuthenticateV2.api, this, token, this.#onSaslAuthenticate.bind(this, host, port, diagnosticContext));
+                saslOAuthBearer.authenticate(saslAuthenticateV2.api, this, token, callback);
             }
             else {
-                saslScramSha.authenticate(saslAuthenticateV2.api, this, mechanism.substring(6), username, password, defaultCrypto, this.#onSaslAuthenticate.bind(this, host, port, diagnosticContext));
+                saslScramSha.authenticate(saslAuthenticateV2.api, this, mechanism.substring(6), username, password, defaultCrypto, callback);
             }
         });
     }
@@ -299,6 +304,7 @@ export class Connection extends EventEmitter {
             request.diagnostic.error = err;
             connectionsApiChannel.error.publish(request.diagnostic);
             throw err;
+            /* c8 ignore next 3 - Hard to test */
         }
         finally {
             connectionsApiChannel.end.publish(request.diagnostic);
@@ -313,6 +319,7 @@ export class Connection extends EventEmitter {
     #onConnectionError(host, port, diagnosticContext, cause) {
         const error = new NetworkError(`Connection to ${host}:${port} failed.`, { cause });
         this.#status = ConnectionStatuses.ERROR;
+        clearTimeout(this.#reauthenticationTimeout);
         diagnosticContext.error = error;
         connectionsConnectsChannel.error.publish(diagnosticContext);
         connectionsConnectsChannel.asyncStart.publish(diagnosticContext);
@@ -322,15 +329,43 @@ export class Connection extends EventEmitter {
     }
     #onSaslAuthenticate(host, port, diagnosticContext, error, response) {
         if (error) {
-            const protocolError = error.errors[0];
-            if (protocolError.apiId === 'SASL_AUTHENTICATION_FAILED') {
+            const protocolError = error.errors?.[0];
+            if (protocolError?.apiId === 'SASL_AUTHENTICATION_FAILED') {
                 error = new AuthenticationError('SASL authentication failed.', { cause: error });
             }
             this.#onConnectionError(host, port, diagnosticContext, error);
             return;
         }
-        this.emit('sasl:authentication', response.authBytes);
-        this.#onConnectionSucceed(diagnosticContext);
+        if (this.#options.sasl.authBytesValidator) {
+            this.#options.sasl.authBytesValidator(response.authBytes, this.#onSaslAuthenticationValidation.bind(this, host, port, diagnosticContext, response.sessionLifetimeMs));
+        }
+        else {
+            this.#onSaslAuthenticationValidation(host, port, diagnosticContext, response.sessionLifetimeMs, null, response.authBytes);
+        }
+    }
+    #onSaslAuthenticationValidation(host, port, diagnosticContext, sessionLifetimeMs, error, authBytes) {
+        if (error) {
+            this.#onConnectionError(host, port, diagnosticContext, error);
+            return;
+        }
+        if (sessionLifetimeMs > 0) {
+            this.#reauthenticationTimeout = setTimeout(() => {
+                const diagnosticContext = createDiagnosticContext({
+                    connection: this,
+                    operation: 'reauthenticate',
+                    host,
+                    port
+                });
+                this.#authenticate(host, port, diagnosticContext);
+            }, Number(sessionLifetimeMs) * 0.8);
+        }
+        if (this.#status === ConnectionStatuses.CONNECTED) {
+            this.emit('sasl:authentication:extended', authBytes);
+        }
+        else {
+            this.emit('sasl:authentication', authBytes);
+            this.#onConnectionSucceed(diagnosticContext);
+        }
     }
     /*
       Response Header v1 => correlation_id TAG_BUFFER
@@ -428,6 +463,7 @@ export class Connection extends EventEmitter {
         }
     }
     #onError(error) {
+        clearTimeout(this.#reauthenticationTimeout);
         this.emit('error', new NetworkError('Connection error', { cause: error }));
     }
 }

package/dist/network/index.d.ts

@@ -1,2 +1,3 @@
 export * from './connection-pool.ts';
 export * from './connection.ts';
+export * from './utils.ts';

package/dist/network/index.js

@@ -1,2 +1,3 @@
 export * from "./connection-pool.js";
 export * from "./connection.js";
+export * from "./utils.js";

package/dist/network/utils.d.ts

@@ -0,0 +1,2 @@
+import { type Broker } from './connection.ts';
+export declare function parseBroker(broker: Broker | string, defaultPort?: number): Broker;

package/dist/network/utils.js

@@ -0,0 +1,12 @@
+export function parseBroker(broker, defaultPort = 9092) {
+    if (typeof broker === 'string') {
+        if (broker.includes(':')) {
+            const [host, port] = broker.split(':');
+            return { host, port: Number(port) };
+        }
+        else {
+            return { host: broker, port: defaultPort };
+        }
+    }
+    return broker;
+}

package/dist/protocol/compression.d.ts

@@ -1,12 +1,21 @@
 import { DynamicBuffer } from './dynamic-buffer.ts';
 export type SyncCompressionPhase = (data: Buffer | DynamicBuffer) => Buffer;
 export type CompressionOperation = (data: Buffer) => Buffer;
-export interface CompressionAlgorithm {
+export interface CompressionAlgorithmSpecification {
     compressSync: SyncCompressionPhase;
     decompressSync: SyncCompressionPhase;
     bitmask: number;
     available?: boolean;
 }
+export declare const CompressionAlgorithms: {
+    readonly NONE: "none";
+    readonly GZIP: "gzip";
+    readonly SNAPPY: "snappy";
+    readonly LZ4: "lz4";
+    readonly ZSTD: "zstd";
+};
+export type CompressionAlgorithm = keyof typeof CompressionAlgorithms;
+export type CompressionAlgorithmValue = (typeof CompressionAlgorithms)[keyof typeof CompressionAlgorithms];
 export declare const compressionsAlgorithms: {
     readonly none: {
         readonly compressSync: (data: Buffer | DynamicBuffer) => Buffer;
@@ -67,4 +76,3 @@ export declare const compressionsAlgorithmsByBitmask: {
         readonly available: boolean;
     };
 };
-export type CompressionAlgorithms = keyof typeof compressionsAlgorithms;

package/dist/protocol/compression.js

@@ -4,6 +4,13 @@ import { UnsupportedCompressionError } from "../errors.js";
 import { DynamicBuffer } from "./dynamic-buffer.js";
 const require = createRequire(import.meta.url);
 const { zstdCompressSync, zstdDecompressSync, gzipSync, gunzipSync } = zlib;
+export const CompressionAlgorithms = {
+    NONE: 'none',
+    GZIP: 'gzip',
+    SNAPPY: 'snappy',
+    LZ4: 'lz4',
+    ZSTD: 'zstd'
+};
 function ensureBuffer(data) {
     return DynamicBuffer.isDynamicBuffer(data) ? data.slice() : data;
 }

package/dist/protocol/errors.js

@@ -489,7 +489,7 @@ export const protocolErrors = {
         id: 'SASL_AUTHENTICATION_FAILED',
         code: 58,
         canRetry: false,
-        message: 'SASL Authentication failed.'
+        message: 'SASL authentication failed.'
     },
     UNKNOWN_PRODUCER_ID: {
         id: 'UNKNOWN_PRODUCER_ID',

package/dist/protocol/records.d.ts

@@ -1,5 +1,5 @@
 import { type NumericMap } from '../utils.ts';
-import { type CompressionAlgorithms } from './compression.ts';
+import { type CompressionAlgorithmValue } from './compression.ts';
 import { type NullableString } from './definitions.ts';
 import { Reader } from './reader.ts';
 import { Writer } from './writer.ts';
@@ -28,7 +28,7 @@ export interface MessageRecord {
 }
 export interface CreateRecordsBatchOptions {
     transactionalId?: NullableString;
-    compression: CompressionAlgorithms;
+    compression: CompressionAlgorithmValue;
     firstSequence?: number;
     producerId: bigint;
     producerEpoch: number;

package/dist/protocol/records.js

@@ -65,8 +65,10 @@ export function createRecordsBatch(messages, options = {}) {
     let buffer = new DynamicBuffer();
     for (let i = 0; i < messages.length; i++) {
         let ts = messages[i].timestamp ?? now;
-        if (typeof ts === 'number')
+        /* c8 ignore next 3 - Hard to test */
+        if (typeof ts === 'number') {
             ts = BigInt(ts);
+        }
         messages[i].timestamp = ts;
         if (ts > maxTimestamp)
             maxTimestamp = ts;
@@ -138,6 +140,9 @@ export function readRecordsBatch(reader) {
             throw new UnsupportedCompressionError(`Unsupported compression algorithm with bitmask ${compression}`);
         }
         const buffer = algorithm.decompressSync(reader.buffer.slice(reader.position, reader.buffer.length));
+        // Move the original reader to the end
+        reader.skip(reader.buffer.length - reader.position);
+        // Replace the reader with the decompressed buffer
         reader = Reader.from(buffer);
     }
     for (let i = 0; i < recordsLength; i++) {

package/dist/protocol/sasl/credential-provider.d.ts

@@ -0,0 +1,3 @@
+import { type Callback } from '../../apis/index.ts';
+import { type SASLCredentialProvider } from '../../network/connection.ts';
+export declare function getCredential(label: string, credentialOrProvider: string | SASLCredentialProvider, callback: Callback<string>): void;

package/dist/protocol/sasl/credential-provider.js

@@ -0,0 +1,36 @@
+import { AuthenticationError } from "../../errors.js";
+export function getCredential(label, credentialOrProvider, callback) {
+    if (typeof credentialOrProvider === 'string') {
+        callback(null, credentialOrProvider);
+        return;
+    }
+    else if (typeof credentialOrProvider !== 'function') {
+        callback(new AuthenticationError(`The ${label} should be a string or a function.`), undefined);
+        return;
+    }
+    try {
+        const credential = credentialOrProvider();
+        if (typeof credential === 'string') {
+            callback(null, credential);
+            return;
+        }
+        else if (typeof credential?.then !== 'function') {
+            callback(new AuthenticationError(`The ${label} provider should return a string or a promise that resolves to a string.`), undefined);
+            return;
+        }
+        credential
+            .then(token => {
+            if (typeof token !== 'string') {
+                process.nextTick(callback, new AuthenticationError(`The ${label} provider should resolve to a string.`), undefined);
+                return;
+            }
+            process.nextTick(callback, null, token);
+        })
+            .catch(error => {
+            process.nextTick(callback, new AuthenticationError(`The ${label} provider threw an error.`, { cause: error }));
+        });
+    }
+    catch (error) {
+        callback(new AuthenticationError(`The ${label} provider threw an error.`, { cause: error }), undefined);
+    }
+}

package/dist/protocol/sasl/oauth-bearer.d.ts

@@ -1,5 +1,6 @@
 import { type CallbackWithPromise } from '../../apis/callbacks.ts';
 import { type SASLAuthenticationAPI, type SaslAuthenticateResponse } from '../../apis/security/sasl-authenticate-v2.ts';
-import { type Connection } from '../../network/connection.ts';
-export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, token: string, callback: CallbackWithPromise<SaslAuthenticateResponse>): void;
-export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, token: string): Promise<SaslAuthenticateResponse>;
+import { type Connection, type SASLCredentialProvider } from '../../network/connection.ts';
+export declare function jwtValidateAuthenticationBytes(authBytes: Buffer, callback: CallbackWithPromise<Buffer>): void;
+export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, tokenOrProvider: string | SASLCredentialProvider, callback: CallbackWithPromise<SaslAuthenticateResponse>): void;
+export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, tokenOrProvider: string | SASLCredentialProvider): Promise<SaslAuthenticateResponse>;

package/dist/protocol/sasl/oauth-bearer.js

@@ -1,8 +1,29 @@
 import { createPromisifiedCallback, kCallbackPromise } from "../../apis/callbacks.js";
-export function authenticate(authenticateAPI, connection, token, callback) {
+import { AuthenticationError } from "../../errors.js";
+import { getCredential } from "./credential-provider.js";
+export function jwtValidateAuthenticationBytes(authBytes, callback) {
+    let authData;
+    try {
+        authData = authBytes.length > 0 ? JSON.parse(authBytes.toString('utf-8')) : {};
+    }
+    catch (e) {
+        callback(new AuthenticationError('Invalid authBytes in SASL/OAUTHBEARER response', { authBytes }), undefined);
+        return;
+    }
+    if (authData.status === 'invalid_token') {
+        callback(new AuthenticationError('Invalid SASL/OAUTHBEARER token.', { authData }), undefined);
+    }
+    callback(null, authBytes);
+}
+export function authenticate(authenticateAPI, connection, tokenOrProvider, callback) {
     if (!callback) {
         callback = createPromisifiedCallback();
     }
-    authenticateAPI(connection, Buffer.from(`n,,\x01auth=Bearer ${token}\x01\x01`), callback);
+    getCredential('SASL/OAUTHBEARER token', tokenOrProvider, (error, token) => {
+        if (error) {
+            return callback(error, undefined);
+        }
+        authenticateAPI(connection, Buffer.from(`n,,\x01auth=Bearer ${token}\x01\x01`), callback);
+    });
     return callback[kCallbackPromise];
 }

package/dist/protocol/sasl/plain.d.ts

@@ -1,5 +1,5 @@
 import { type CallbackWithPromise } from '../../apis/callbacks.ts';
 import { type SASLAuthenticationAPI, type SaslAuthenticateResponse } from '../../apis/security/sasl-authenticate-v2.ts';
-import { type Connection } from '../../network/connection.ts';
-export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, username: string, password: string, callback: CallbackWithPromise<SaslAuthenticateResponse>): void;
-export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, username: string, password: string): Promise<SaslAuthenticateResponse>;
+import { type Connection, type SASLCredentialProvider } from '../../network/connection.ts';
+export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, usernameProvider: string | SASLCredentialProvider, passwordProvider: string | SASLCredentialProvider, callback: CallbackWithPromise<SaslAuthenticateResponse>): void;
+export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, usernameProvider: string | SASLCredentialProvider, passwordProvider: string | SASLCredentialProvider): Promise<SaslAuthenticateResponse>;

package/dist/protocol/sasl/plain.js

@@ -1,8 +1,19 @@
 import { createPromisifiedCallback, kCallbackPromise } from "../../apis/callbacks.js";
-export function authenticate(authenticateAPI, connection, username, password, callback) {
+import { getCredential } from "./credential-provider.js";
+export function authenticate(authenticateAPI, connection, usernameProvider, passwordProvider, callback) {
     if (!callback) {
         callback = createPromisifiedCallback();
     }
-    authenticateAPI(connection, Buffer.from(['', username, password].join('\0')), callback);
+    getCredential('SASL/PLAIN username', usernameProvider, (error, username) => {
+        if (error) {
+            return callback(error, undefined);
+        }
+        getCredential('SASL/PLAIN password', passwordProvider, (error, password) => {
+            if (error) {
+                return callback(error, undefined);
+            }
+            authenticateAPI(connection, Buffer.from(['', username, password].join('\0')), callback);
+        });
+    });
     return callback[kCallbackPromise];
 }

package/dist/protocol/sasl/scram-sha.d.ts

@@ -1,6 +1,6 @@
 import { type CallbackWithPromise } from '../../apis/callbacks.ts';
 import { type SASLAuthenticationAPI, type SaslAuthenticateResponse } from '../../apis/security/sasl-authenticate-v2.ts';
-import { type Connection } from '../../network/connection.ts';
+import { type Connection, type SASLCredentialProvider } from '../../network/connection.ts';
 export interface ScramAlgorithmDefinition {
     keyLength: number;
     algorithm: string;
@@ -33,5 +33,5 @@ export declare function hi(definition: ScramAlgorithmDefinition, password: strin
 export declare function hmac(definition: ScramAlgorithmDefinition, key: Buffer, data: string | Buffer): Buffer;
 export declare function xor(a: Buffer, b: Buffer): Buffer;
 export declare const defaultCrypto: ScramCryptoModule;
-export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, algorithm: ScramAlgorithm, username: string, password: string, crypto: ScramCryptoModule, callback: CallbackWithPromise<SaslAuthenticateResponse>): void;
-export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, algorithm: ScramAlgorithm, username: string, password: string, crypto?: ScramCryptoModule): Promise<SaslAuthenticateResponse>;
+export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, algorithm: ScramAlgorithm, usernameProvider: string | SASLCredentialProvider, passwordProvider: string | SASLCredentialProvider, crypto: ScramCryptoModule, callback: CallbackWithPromise<SaslAuthenticateResponse>): void;
+export declare function authenticate(authenticateAPI: SASLAuthenticationAPI, connection: Connection, algorithm: ScramAlgorithm, usernameProvider: string | SASLCredentialProvider, passwordProvider: string | SASLCredentialProvider, crypto?: ScramCryptoModule): Promise<SaslAuthenticateResponse>;

package/dist/protocol/sasl/scram-sha.js

@@ -1,6 +1,7 @@
 import { createHash, createHmac, pbkdf2Sync, randomBytes } from 'node:crypto';
 import { createPromisifiedCallback, kCallbackPromise } from "../../apis/callbacks.js";
 import { AuthenticationError } from "../../errors.js";
+import { getCredential } from "./credential-provider.js";
 const GS2_HEADER = 'n,,';
 const GS2_HEADER_BASE64 = Buffer.from(GS2_HEADER).toString('base64');
 const HMAC_CLIENT_KEY = 'Client Key';
@@ -57,21 +58,14 @@ export const defaultCrypto = {
     hmac,
     xor
 };
-export function authenticate(authenticateAPI, connection, algorithm, username, password, crypto = defaultCrypto, callback) {
-    if (!callback) {
-        callback = createPromisifiedCallback();
-    }
+function performAuthentication(connection, algorithm, definition, authenticateAPI, crypto, username, password, callback) {
     const { h, hi, hmac, xor } = crypto;
-    const definition = ScramAlgorithms[algorithm];
-    if (!definition) {
-        throw new AuthenticationError(`Unsupported SCRAM algorithm ${algorithm}`);
-    }
     const clientNonce = createNonce();
     const clientFirstMessageBare = `n=${sanitizeString(username)},r=${clientNonce}`;
     // First of all, send the first message
     authenticateAPI(connection, Buffer.from(`${GS2_HEADER}${clientFirstMessageBare}`), (error, firstResponse) => {
         if (error) {
-            callback(new AuthenticationError('Authentication failed.', { cause: error }), undefined);
+            callback(new AuthenticationError('SASL authentication failed.', { cause: error }), undefined);
             return;
         }
         const firstData = parseParameters(firstResponse.authBytes);
@@ -108,7 +102,7 @@ export function authenticate(authenticateAPI, connection, algorithm, username, p
         const serverSignature = hmac(definition, serverKey, authMessage);
         authenticateAPI(connection, Buffer.from(`${clientFinalMessageWithoutProof},p=${clientProof.toString('base64')}`), (error, lastResponse) => {
             if (error) {
-                callback(new AuthenticationError('Authentication failed.', { cause: error }), undefined);
+                callback(new AuthenticationError('SASL authentication failed.', { cause: error }), undefined);
                 return;
             }
             // Send the last message to the server
@@ -124,5 +118,25 @@ export function authenticate(authenticateAPI, connection, algorithm, username, p
             callback(null, lastResponse);
         });
     });
+}
+export function authenticate(authenticateAPI, connection, algorithm, usernameProvider, passwordProvider, crypto = defaultCrypto, callback) {
+    if (!callback) {
+        callback = createPromisifiedCallback();
+    }
+    const definition = ScramAlgorithms[algorithm];
+    if (!definition) {
+        throw new AuthenticationError(`Unsupported SCRAM algorithm ${algorithm}`);
+    }
+    getCredential(`SASL/SCRAM-${algorithm} username`, usernameProvider, (error, username) => {
+        if (error) {
+            return callback(error, undefined);
+        }
+        getCredential(`SASL/SCRAM-${algorithm} password`, passwordProvider, (error, password) => {
+            if (error) {
+                return callback(error, undefined);
+            }
+            performAuthentication(connection, algorithm, definition, authenticateAPI, crypto, username, password, callback);
+        });
+    });
     return callback[kCallbackPromise];
 }

package/dist/utils.js

@@ -2,6 +2,7 @@ import { Ajv2020 } from 'ajv/dist/2020.js';
 import debug from 'debug';
 import { inspect } from 'node:util';
 export { setTimeout as sleep } from 'node:timers/promises';
+/* c8 ignore start - Hard to test */
 function PromiseWithResolversPolyfill() {
     let resolve;
     let reject;
@@ -12,7 +13,10 @@ function PromiseWithResolversPolyfill() {
     // @ts-expect-error - resolve and reject are assigned in the promise constructor
     return { promise, resolve, reject };
 }
-export const PromiseWithResolvers = Promise.withResolvers ? Promise.withResolvers.bind(Promise) : PromiseWithResolversPolyfill;
+export const PromiseWithResolvers = Promise.withResolvers
+    ? Promise.withResolvers.bind(Promise)
+    : PromiseWithResolversPolyfill;
+/* c8 ignore end */
 export const ajv = new Ajv2020({ allErrors: true, coerceTypes: false, strict: true });
 export const loggers = {
     protocol: debug('plt:kafka:protocol'),

package/dist/version.js

@@ -1,2 +1,2 @@
 export const name = "@platformatic/kafka";
-export const version = "1.11.0";
+export const version = "1.13.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@platformatic/kafka",
-  "version": "1.11.0",
+  "version": "1.13.0",
   "description": "Modern and performant client for Apache Kafka",
   "homepage": "https://github.com/platformatic/kafka",
   "author": "Platformatic Inc. <oss@platformatic.dev> (https://platformatic.dev)",
@@ -26,39 +26,39 @@
   "types": "./dist/index.d.ts",
   "dependencies": {
     "ajv": "^8.17.1",
-    "debug": "^4.4.0",
+    "debug": "^4.4.3",
     "fastq": "^1.19.1",
     "mnemonist": "^0.40.3",
     "scule": "^1.3.0"
   },
   "optionalDependencies": {
-    "lz4-napi": "^2.8.0",
-    "snappy": "^7.2.2"
+    "lz4-napi": "^2.9.0",
+    "snappy": "^7.3.3"
   },
   "devDependencies": {
     "@platformatic/rdkafka": "^4.0.0",
     "@types/debug": "^4.1.12",
-    "@types/node": "^22.17.2",
-    "@types/semver": "^7.7.0",
+    "@types/node": "^22.18.5",
+    "@types/semver": "^7.7.1",
     "@watchable/unpromise": "^1.0.2",
-    "avsc": "^5.7.7",
+    "avsc": "^5.7.9",
     "c8": "^10.1.3",
     "cleaner-spec-reporter": "^0.5.0",
     "cronometro": "^5.3.0",
-    "eslint": "^9.21.0",
+    "eslint": "^9.35.0",
     "fast-jwt": "^6.0.2",
     "hwp": "^0.4.1",
     "json5": "^2.2.3",
     "kafkajs": "^2.2.4",
-    "neostandard": "^0.12.1",
-    "node-rdkafka": "^3.3.1",
-    "parse5": "^7.2.1",
-    "prettier": "^3.5.3",
+    "neostandard": "^0.12.2",
+    "node-rdkafka": "^3.5.0",
+    "parse5": "^7.3.0",
+    "prettier": "^3.6.2",
     "prettier-plugin-space-before-function-paren": "^0.0.8",
     "prom-client": "^15.1.3",
-    "semver": "^7.7.1",
+    "semver": "^7.7.2",
     "table": "^6.9.0",
-    "typescript": "^5.7.3"
+    "typescript": "^5.9.2"
   },
   "engines": {
     "node": ">= 20.19.4 || >= 22.18.0 || >= 24.6.0"
@@ -74,12 +74,9 @@
     "test:docker:up": "node scripts/docker.ts up -d --wait",
     "test:docker:down": "node scripts/docker.ts down",
     "ci": "npm run build && npm run lint && npm run test:ci",
+    "ci:v20": "npm run lint && rm -rf dist && tsc -p tsconfig.json && node dist/scripts/postbuild.js && cd dist && c8 -c ../test/config/c8-ci.json node --env-file=../test/config/env --no-warnings --test --test-timeout=300000",
     "generate:apis": "node scripts/generate-apis.ts",
     "generate:errors": "node scripts/generate-errors.ts",
-    "create:api": "node scripts/create-api.ts",
-    "build:v20": "rm -rf dist && tsc -p tsconfig.json",
-    "postbuild:v20": "cp package.json dist/package.json && node dist/scripts/postbuild.js",
-    "test:v20": "npm run build:v20 && cp -R test/fixtures dist/test/fixtures && node --env-file=test/config/env --no-warnings --test --test-timeout=300000 dist/test/**/*.test.js",
-    "test:ci:v20": "npm run build:v20 && cp -R test/fixtures dist/test/fixtures && node --env-file=test/config/env --no-warnings --test --test-timeout=300000 dist/test/**/*.test.js"
+    "create:api": "node scripts/create-api.ts"
   }
 }