npm - @riocrypto/common-server - Versions diffs - 1.0.2762 → 1.0.2765 - Mend

@riocrypto/common-server 1.0.2762 → 1.0.2765

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/build/clients/gcloud-storage-client.js +33 -7
package/build/clients/secret-manager-client.d.ts +1 -0
package/build/clients/secret-manager-client.js +9 -6
package/package.json +2 -2

package/build/clients/gcloud-storage-client.js CHANGED Viewed

@@ -1,4 +1,27 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
 var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
     function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
     return new (P || (P = Promise))(function (resolve, reject) {
@@ -11,13 +34,18 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildGCloudStorageClient = exports.GCloudStorageClient = void 0;
 const storage_1 = require("@google-cloud/storage");
+const fs = __importStar(require("fs"));
 const secret_manager_client_1 = require("./secret-manager-client");
+const KEY_PATH = "/etc/secrets/cloud-storage/cloud-storage-service-account-key.json";
+function buildStorage() {
+    if (fs.existsSync(KEY_PATH)) {
+        return new storage_1.Storage({ keyFilename: KEY_PATH });
+    }
+    return new storage_1.Storage();
+}
 class GCloudStorageClient {
     constructor(bucket) {
-        const storage = new storage_1.Storage({
-            keyFilename: "/etc/secrets/cloud-storage/cloud-storage-service-account-key.json",
-        });
-        this._bucket = storage.bucket(bucket);
+        this._bucket = buildStorage().bucket(bucket);
     }
     get bucket() {
         return this._bucket;
@@ -26,9 +54,7 @@ class GCloudStorageClient {
         return __awaiter(this, void 0, void 0, function* () {
             const bucketName = gcsUri.split("/")[2];
             const folderPath = gcsUri.split("/").slice(4).join("/"); // Extract the folder path from the URI
-            const storage = new storage_1.Storage({
-                keyFilename: "/etc/secrets/cloud-storage/cloud-storage-service-account-key.json",
-            });
+            const storage = buildStorage();
             const [files] = yield storage
                 .bucket(bucketName)
                 .getFiles({ prefix: folderPath });

package/build/clients/secret-manager-client.d.ts CHANGED Viewed

@@ -5,6 +5,7 @@ declare class SecretManagerClient {
     client: SecretManagerServiceClient;
     projectId: string;
     private secretCache;
+    private envMismatch;
     private readonly POLL_INTERVAL_MS;
     constructor(env: RioEnv);
     /**

package/build/clients/secret-manager-client.js CHANGED Viewed

@@ -40,6 +40,7 @@ class SecretManagerClient {
     constructor(env) {
         this.env = env;
         this.secretCache = null;
+        this.envMismatch = false;
         this.POLL_INTERVAL_MS = 60 * 60 * 1000; // 1 hour
         const secretFilePath = "/etc/secrets/secret-manager/secret-manager-service-account-key.json";
         if (fs.existsSync(secretFilePath)) {
@@ -67,20 +68,19 @@ class SecretManagerClient {
      */
     getSecretValue(secretId) {
         return __awaiter(this, void 0, void 0, function* () {
-            // Check if we have a cache and the secret exists
+            if (this.envMismatch) {
+                throw new Error("Secret access blocked: RIO_ENV mismatch between service and secret file");
+            }
             if (this.secretCache && this.secretCache.secrets[secretId]) {
                 return this.secretCache.secrets[secretId];
             }
-            // If not in cache or cache doesn't exist, fetch entire secret file
             const success = yield this.refreshSecretCache();
             if (!success) {
                 return null;
             }
-            // Check again after refresh
             if (this.secretCache && this.secretCache.secrets[secretId]) {
                 return this.secretCache.secrets[secretId];
             }
-            // Secret not found even after refresh
             console.error(`Secret ${secretId} not found in secret file`);
             return null;
         });
@@ -122,11 +122,14 @@ class SecretManagerClient {
                         throw new Error("No payload data");
                     }
                     const secrets = JSON.parse(version.payload.data.toString());
-                    // Clear existing polling if it exists
+                    if (secrets.RIO_ENV && secrets.RIO_ENV !== this.env) {
+                        console.error(`FATAL: Environment mismatch! Service expects "${this.env}" but secret file "${file}" contains RIO_ENV="${secrets.RIO_ENV}"`);
+                        this.envMismatch = true;
+                        return false;
+                    }
                     if ((_c = this.secretCache) === null || _c === void 0 ? void 0 : _c.pollingInterval) {
                         clearInterval(this.secretCache.pollingInterval);
                     }
-                    // Set up new cache with polling
                     this.setupCacheWithPolling(secrets);
                     console.info(`Refreshed ${Object.keys(secrets).length} secrets from ${file}`);
                     return true;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@riocrypto/common-server",
-  "version": "1.0.2762",
+  "version": "1.0.2765",
   "description": "",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -24,7 +24,7 @@
     "@google-cloud/secret-manager": "^5.6.0",
     "@google-cloud/storage": "^7.19.0",
     "@hyperdx/node-opentelemetry": "^0.10.3",
-    "@riocrypto/common": "1.0.2558",
+    "@riocrypto/common": "1.0.2560",
     "@slack/web-api": "^7.15.0",
     "@types/express": "^4.17.25",
     "axios": "1.13.6",