npm - @riocrypto/common-server - Versions diffs - 1.0.2761 → 1.0.2764 - Mend

@riocrypto/common-server 1.0.2761 → 1.0.2764

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/clients/secret-manager-client.d.ts +1 -0
package/build/clients/secret-manager-client.js +27 -18
package/package.json +2 -2

package/build/clients/secret-manager-client.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ declare class SecretManagerClient {
     client: SecretManagerServiceClient;
     projectId: string;
     private secretCache;
+    private envMismatch;
     private readonly POLL_INTERVAL_MS;
     constructor(env: RioEnv);
     /**

package/build/clients/secret-manager-client.js CHANGED Viewed

@@ -40,20 +40,27 @@ class SecretManagerClient {
     constructor(env) {
         this.env = env;
         this.secretCache = null;
+        this.envMismatch = false;
         this.POLL_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
         const secretFilePath = "/etc/secrets/secret-manager/secret-manager-service-account-key.json";
-        const secretFileContents = fs.readFileSync(secretFilePath, "utf8");
-        const secretData = JSON.parse(secretFileContents);
-        this.projectId = secretData.project_id;
-        const clientEmail = secretData.client_email;
-        const privateKey = secretData.private_key;
-        this.client = new secret_manager_1.SecretManagerServiceClient({
-            projectId: this.projectId,
-            credentials: {
-                client_email: clientEmail,
-                private_key: privateKey,
-            },
-        });
+        if (fs.existsSync(secretFilePath)) {
+            const secretFileContents = fs.readFileSync(secretFilePath, "utf8");
+            const secretData = JSON.parse(secretFileContents);
+            this.projectId = secretData.project_id;
+            this.client = new secret_manager_1.SecretManagerServiceClient({
+                projectId: this.projectId,
+                credentials: {
+                    client_email: secretData.client_email,
+                    private_key: secretData.private_key,
+                },
+            });
+        }
+        else {
+            this.projectId = process.env.GCP_PROJECT_ID || "riocrypto";
+            this.client = new secret_manager_1.SecretManagerServiceClient({
+                projectId: this.projectId,
+            });
+        }
     }
     /**
      * Get a secret value from cache or fetch the entire secret file
@@ -61,20 +68,19 @@ class SecretManagerClient {
      */
     getSecretValue(secretId) {
         return __awaiter(this, void 0, void 0, function* () {
-            // Check if we have a cache and the secret exists
+            if (this.envMismatch) {
+                throw new Error("Secret access blocked: RIO_ENV mismatch between service and secret file");
+            }
             if (this.secretCache && this.secretCache.secrets[secretId]) {
                 return this.secretCache.secrets[secretId];
             }
-            // If not in cache or cache doesn't exist, fetch entire secret file
             const success = yield this.refreshSecretCache();
             if (!success) {
                 return null;
             }
-            // Check again after refresh
             if (this.secretCache && this.secretCache.secrets[secretId]) {
                 return this.secretCache.secrets[secretId];
             }
-            // Secret not found even after refresh
             console.error(`Secret ${secretId} not found in secret file`);
             return null;
         });
@@ -116,11 +122,14 @@ class SecretManagerClient {
                         throw new Error("No payload data");
                     }
                     const secrets = JSON.parse(version.payload.data.toString());
-                    // Clear existing polling if it exists
+                    if (secrets.RIO_ENV && secrets.RIO_ENV !== this.env) {
+                        console.error(`FATAL: Environment mismatch! Service expects "${this.env}" but secret file "${file}" contains RIO_ENV="${secrets.RIO_ENV}"`);
+                        this.envMismatch = true;
+                        return false;
+                    }
                     if ((_c = this.secretCache) === null || _c === void 0 ? void 0 : _c.pollingInterval) {
                         clearInterval(this.secretCache.pollingInterval);
                     }
-                    // Set up new cache with polling
                     this.setupCacheWithPolling(secrets);
                     console.info(`Refreshed ${Object.keys(secrets).length} secrets from ${file}`);
                     return true;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@riocrypto/common-server",
-  "version": "1.0.2761",
+  "version": "1.0.2764",
   "description": "",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -24,7 +24,7 @@
     "@google-cloud/secret-manager": "^5.6.0",
     "@google-cloud/storage": "^7.19.0",
     "@hyperdx/node-opentelemetry": "^0.10.3",
-    "@riocrypto/common": "^1.0.2558",
+    "@riocrypto/common": "1.0.2560",
     "@slack/web-api": "^7.15.0",
     "@types/express": "^4.17.25",
     "axios": "1.13.6",