npm - @sebspark/gcp-iam - Versions diffs - 3.0.5 → 3.0.7 - Mend

@sebspark/gcp-iam 3.0.5 → 3.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/{index.d.ts → index.d.mts} +9 -4
package/dist/index.d.mts.map +1 -0
package/dist/index.mjs +152 -0
package/dist/index.mjs.map +1 -0
package/package.json +5 -5
package/dist/index.js +0 -156
package/dist/index.js.map +0 -1

package/dist/{index.d.ts → index.d.mts} RENAMED Viewed

@@ -1,3 +1,4 @@
+//#region src/apiGatewayToken.d.ts
 /**
  * Generate a system token for the API Gateway.
  * This is intended to be run under the context of the service account signing the JWT.
@@ -6,9 +7,12 @@
  * @param logger An optional logger to use for logging.
  * @returns A JWT.
  */
-declare const getApiGatewayTokenByUrl: ({ apiURL, key, }: {
-    apiURL: string;
-    key?: string;
+declare const getApiGatewayTokenByUrl: ({
+  apiURL,
+  key
+}: {
+  apiURL: string;
+  key?: string;
 }) => Promise<string>;
 /**
  *
@@ -21,5 +25,6 @@ declare const clearCache: (key: string) => Promise<void>;
  * @returns ID Token.
  */
 declare const getApiGatewayTokenByClientId: (clientId: string) => Promise<string>;
+//#endregion
 export { clearCache, getApiGatewayTokenByClientId, getApiGatewayTokenByUrl };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.mts","names":[],"sources":["../src/apiGatewayToken.ts"],"sourcesContent":[],"mappings":";;AA2GA;;;;;AAiBA;AAsDA;cAvEa;;;;;;MAMT;;;;;cAWS,6BAA+B;;;;;;cAsD/B,oDAEV"}

package/dist/index.mjs ADDED Viewed

@@ -0,0 +1,152 @@
+import { IAMCredentialsClient } from "@google-cloud/iam-credentials";
+import { getLogger } from "@sebspark/otel";
+import { GoogleAuth } from "google-auth-library";
+//#region src/lruCache.ts
+var LruCache = class {
+	values = /* @__PURE__ */ new Map();
+	maxEntries = 1e4;
+	defaultTTL = 1e3 * 10;
+	constructor(props) {
+		this.defaultTTL = props?.ttl ?? this.defaultTTL;
+		this.maxEntries = props?.maxEntries ?? this.maxEntries;
+	}
+	get(key) {
+		if (this.values.has(key)) {
+			const entry = this.values.get(key);
+			if (Date.now() - entry.timestamp > entry.ttl) {
+				this.values.delete(key);
+				return;
+			}
+			this.values.delete(key);
+			this.values.set(key, entry);
+			return entry.data;
+		}
+	}
+	put(key, value, ttl) {
+		if (this.values.size >= this.maxEntries) {
+			const keyToDelete = this.values.keys().next().value;
+			this.values.delete(keyToDelete);
+		}
+		this.values.set(key, {
+			data: value,
+			timestamp: Date.now(),
+			ttl: ttl || this.defaultTTL
+		});
+	}
+	clear(key) {
+		this.values.delete(key);
+	}
+};
+//#endregion
+//#region src/apiGatewayToken.ts
+const expInSeconds = 3600;
+const apiGatewayJwtCache = new LruCache();
+const logger = getLogger("gcp-iam");
+const generateTokenByUrl = async ({ apiURL, key }) => {
+	try {
+		const iamClient = new IAMCredentialsClient();
+		const serviceAccountEmail = (await new GoogleAuth().getCredentials()).client_email;
+		if (!serviceAccountEmail) throw new Error("No service account e-mail could be found.");
+		logger.info(`Service account e-mail being used: ${serviceAccountEmail}`);
+		const headerBase64 = Buffer.from(JSON.stringify({
+			alg: "RS256",
+			typ: "JWT"
+		})).toString("base64");
+		/**
+		* JWT Payload.
+		*/
+		const now = Math.floor(Date.now() / 1e3);
+		const payload = {
+			iss: serviceAccountEmail,
+			sub: serviceAccountEmail,
+			aud: apiURL,
+			iat: now,
+			exp: now + expInSeconds
+		};
+		/**
+		* JWT Signature.
+		*/
+		const unsignedJWT = `${headerBase64}.${Buffer.from(JSON.stringify(payload)).toString("base64")}`;
+		const [response] = await iamClient.signBlob({
+			delegates: [serviceAccountEmail],
+			name: `projects/-/serviceAccounts/${serviceAccountEmail}`,
+			payload: new Uint8Array(Buffer.from(unsignedJWT))
+		});
+		if (!response.signedBlob) throw new Error("signBlob(...) returned an empty response. Cannot sign JWT.");
+		logger.debug(`New JWT for ${key || apiURL} created. Signed with ${response.keyId}.`);
+		return `${unsignedJWT}.${Buffer.from(response.signedBlob).toString("base64")}`;
+	} catch (error) {
+		if (process.env.GCP_IAM_SOFT_FAIL === "true") {
+			logger.info("Soft fail enabled, returning empty JWT");
+			return "";
+		}
+		logger.error("Error generating system JWT", error);
+		throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`);
+	}
+};
+/**
+* Generate a system token for the API Gateway.
+* This is intended to be run under the context of the service account signing the JWT.
+* @param apiUrl The URL of the API Gateway including the path of the specific API to be accessed using the token.
+* @param serviceAccountEmail The email of the service account to be used.
+* @param logger An optional logger to use for logging.
+* @returns A JWT.
+*/
+const getApiGatewayTokenByUrl = async ({ apiURL, key }) => {
+	return checkCache({
+		cacheKey: key || apiURL,
+		generate: () => generateTokenByUrl({
+			apiURL,
+			key
+		})
+	});
+};
+/**
+*
+* @param key Clears a cached JWT by key.
+*/
+const clearCache = async (key) => {
+	apiGatewayJwtCache.clear(key);
+};
+const checkCache = ({ cacheKey, generate }) => {
+	/**
+	* Check if there is a cached JWT
+	*/
+	const cachedJwt = apiGatewayJwtCache.get(cacheKey);
+	if (cachedJwt) {
+		logger.debug(`JWT for ${cacheKey} found in cache.`);
+		return cachedJwt;
+	}
+	const jwtPromise = generate();
+	apiGatewayJwtCache.put(cacheKey, jwtPromise, expInSeconds / 2 * 1e3);
+	return jwtPromise;
+};
+const generateTokenByClientId = async (clientId) => {
+	try {
+		return await (await new GoogleAuth({ scopes: "https://www.googleapis.com/auth/cloud-platform" }).getIdTokenClient(clientId)).idTokenProvider.fetchIdToken(clientId);
+	} catch (error) {
+		if (process.env.GCP_IAM_SOFT_FAIL === "true") {
+			logger.info("Soft fail enabled, returning empty JWT.");
+			return "";
+		}
+		logger.error("Error generating system JWT", error);
+		throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`);
+	}
+};
+/**
+* Generates a JWT for the API Gateway, using Client ID as audience.
+* @param clientId OAUTH Client ID.
+* @returns ID Token.
+*/
+const getApiGatewayTokenByClientId = async (clientId) => {
+	return checkCache({
+		cacheKey: clientId,
+		generate: () => generateTokenByClientId(clientId)
+	});
+};
+//#endregion
+export { clearCache, getApiGatewayTokenByClientId, getApiGatewayTokenByUrl };
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.mjs","names":[],"sources":["../src/lruCache.ts","../src/apiGatewayToken.ts"],"sourcesContent":["export class LruCache<T> {\n private values: Map<string, { timestamp: number; data: T; ttl: number }> =\n new Map<string, { timestamp: number; data: T; ttl: number }>()\n private readonly maxEntries: number = 10000\n private readonly defaultTTL: number = 1000 * 10 // 10 seconds\n\n constructor(props?: { ttl?: number; maxEntries?: number }) {\n this.defaultTTL = props?.ttl ?? this.defaultTTL\n this.maxEntries = props?.maxEntries ?? this.maxEntries\n }\n\n public get(key: string): T | undefined {\n const hasKey = this.values.has(key)\n\n if (hasKey) {\n // peek the entry, re-insert for LRU strategy\n const entry = this.values.get(key) as {\n timestamp: number\n data: T\n ttl: number\n }\n if (Date.now() - entry.timestamp > entry.ttl) {\n this.values.delete(key)\n return undefined\n }\n this.values.delete(key)\n this.values.set(key, entry)\n return entry.data\n }\n }\n\n public put(key: string, value: T, ttl?: number) {\n if (this.values.size >= this.maxEntries) {\n // least-recently used cache eviction strategy\n const keyToDelete = this.values.keys().next().value as string\n this.values.delete(keyToDelete)\n }\n\n this.values.set(key, {\n data: value,\n timestamp: Date.now(),\n ttl: ttl || this.defaultTTL,\n })\n }\n\n public clear(key: string) {\n this.values.delete(key)\n }\n}\n","import { IAMCredentialsClient } from '@google-cloud/iam-credentials'\nimport { getLogger } from '@sebspark/otel'\nimport { GoogleAuth } from 'google-auth-library'\nimport { LruCache } from './lruCache'\n\nconst expInSeconds = 60 * 60\n// TODO: Make ttl changeable from getApiGatewayToken function\nconst apiGatewayJwtCache = new LruCache<Promise<string>>()\n\nconst logger = getLogger('gcp-iam')\n\nconst generateTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}) => {\n try {\n const iamClient = new IAMCredentialsClient()\n const auth = new GoogleAuth()\n const cred = await auth.getCredentials()\n const serviceAccountEmail = cred.client_email\n\n if (!serviceAccountEmail) {\n throw new Error('No service account e-mail could be found.')\n }\n\n // Remove when verified\n logger.info(`Service account e-mail being used: ${serviceAccountEmail}`)\n\n /**\n * JWT Header.\n */\n\n const header = {\n alg: 'RS256',\n typ: 'JWT',\n }\n const headerBase64 = Buffer.from(JSON.stringify(header)).toString('base64')\n\n /**\n * JWT Payload.\n */\n\n const now = Math.floor(Date.now() / 1000)\n const payload = {\n iss: serviceAccountEmail,\n sub: serviceAccountEmail,\n aud: apiURL,\n iat: now,\n exp: now + expInSeconds,\n }\n\n const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString(\n 'base64'\n )\n\n /**\n * JWT Signature.\n */\n\n const unsignedJWT = `${headerBase64}.${payloadBase64}`\n const [response] = await iamClient.signBlob({\n delegates: [serviceAccountEmail],\n name: `projects/-/serviceAccounts/${serviceAccountEmail}`,\n payload: new Uint8Array(Buffer.from(unsignedJWT)),\n })\n\n if (!response.signedBlob) {\n throw new Error(\n 'signBlob(...) returned an empty response. Cannot sign JWT.'\n )\n }\n\n // Debug.\n logger.debug(\n `New JWT for ${key || apiURL} created. Signed with ${response.keyId}.`\n )\n\n // Encode the binary signature to Base64.\n const signature = Buffer.from(response.signedBlob).toString('base64')\n\n // Combine into the final JWT.\n const signedJWT = `${unsignedJWT}.${signature}`\n\n return signedJWT\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generate a system token for the API Gateway.\n * This is intended to be run under the context of the service account signing the JWT.\n * @param apiUrl The URL of the API Gateway including the path of the specific API to be accessed using the token.\n * @param serviceAccountEmail The email of the service account to be used.\n * @param logger An optional logger to use for logging.\n * @returns A JWT.\n */\nexport const getApiGatewayTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}): Promise<string> => {\n return checkCache({\n cacheKey: key || apiURL,\n generate: () => generateTokenByUrl({ apiURL, key }),\n })\n}\n\n/**\n *\n * @param key Clears a cached JWT by key.\n */\nexport const clearCache = async (key: string) => {\n apiGatewayJwtCache.clear(key)\n}\n\nconst checkCache = ({\n cacheKey,\n generate,\n}: {\n cacheKey: string\n generate: () => Promise<string>\n}) => {\n /**\n * Check if there is a cached JWT\n */\n\n const cachedJwt = apiGatewayJwtCache.get(cacheKey)\n if (cachedJwt) {\n logger.debug(`JWT for ${cacheKey} found in cache.`)\n return cachedJwt\n }\n\n const jwtPromise = generate()\n\n // cache generated jwt\n apiGatewayJwtCache.put(cacheKey, jwtPromise, (expInSeconds / 2) * 1000)\n\n return jwtPromise\n}\n\nconst generateTokenByClientId = async (clientId: string) => {\n try {\n const auth = new GoogleAuth({\n scopes: 'https://www.googleapis.com/auth/cloud-platform',\n })\n const client = await auth.getIdTokenClient(clientId)\n\n return await client.idTokenProvider.fetchIdToken(clientId)\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT.')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generates a JWT for the API Gateway, using Client ID as audience.\n * @param clientId OAUTH Client ID.\n * @returns ID Token.\n */\nexport const getApiGatewayTokenByClientId = async (\n clientId: string\n): Promise<string> => {\n return checkCache({\n cacheKey: clientId,\n generate: () => generateTokenByClientId(clientId),\n })\n}\n"],"mappings":";;;;;AAAA,IAAa,WAAb,MAAyB;CACvB,AAAQ,yBACN,IAAI,KAA0D;CAChE,AAAiB,aAAqB;CACtC,AAAiB,aAAqB,MAAO;CAE7C,YAAY,OAA+C;AACzD,OAAK,aAAa,OAAO,OAAO,KAAK;AACrC,OAAK,aAAa,OAAO,cAAc,KAAK;;CAG9C,AAAO,IAAI,KAA4B;AAGrC,MAFe,KAAK,OAAO,IAAI,IAAI,EAEvB;GAEV,MAAM,QAAQ,KAAK,OAAO,IAAI,IAAI;AAKlC,OAAI,KAAK,KAAK,GAAG,MAAM,YAAY,MAAM,KAAK;AAC5C,SAAK,OAAO,OAAO,IAAI;AACvB;;AAEF,QAAK,OAAO,OAAO,IAAI;AACvB,QAAK,OAAO,IAAI,KAAK,MAAM;AAC3B,UAAO,MAAM;;;CAIjB,AAAO,IAAI,KAAa,OAAU,KAAc;AAC9C,MAAI,KAAK,OAAO,QAAQ,KAAK,YAAY;GAEvC,MAAM,cAAc,KAAK,OAAO,MAAM,CAAC,MAAM,CAAC;AAC9C,QAAK,OAAO,OAAO,YAAY;;AAGjC,OAAK,OAAO,IAAI,KAAK;GACnB,MAAM;GACN,WAAW,KAAK,KAAK;GACrB,KAAK,OAAO,KAAK;GAClB,CAAC;;CAGJ,AAAO,MAAM,KAAa;AACxB,OAAK,OAAO,OAAO,IAAI;;;;;;ACzC3B,MAAM,eAAe;AAErB,MAAM,qBAAqB,IAAI,UAA2B;AAE1D,MAAM,SAAS,UAAU,UAAU;AAEnC,MAAM,qBAAqB,OAAO,EAChC,QACA,UAII;AACJ,KAAI;EACF,MAAM,YAAY,IAAI,sBAAsB;EAG5C,MAAM,uBADO,MADA,IAAI,YAAY,CACL,gBAAgB,EACP;AAEjC,MAAI,CAAC,oBACH,OAAM,IAAI,MAAM,4CAA4C;AAI9D,SAAO,KAAK,sCAAsC,sBAAsB;EAUxE,MAAM,eAAe,OAAO,KAAK,KAAK,UAJvB;GACb,KAAK;GACL,KAAK;GACN,CACsD,CAAC,CAAC,SAAS,SAAS;;;;EAM3E,MAAM,MAAM,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;EACzC,MAAM,UAAU;GACd,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,MAAM;GACZ;;;;EAUD,MAAM,cAAc,GAAG,aAAa,GARd,OAAO,KAAK,KAAK,UAAU,QAAQ,CAAC,CAAC,SACzD,SACD;EAOD,MAAM,CAAC,YAAY,MAAM,UAAU,SAAS;GAC1C,WAAW,CAAC,oBAAoB;GAChC,MAAM,8BAA8B;GACpC,SAAS,IAAI,WAAW,OAAO,KAAK,YAAY,CAAC;GAClD,CAAC;AAEF,MAAI,CAAC,SAAS,WACZ,OAAM,IAAI,MACR,6DACD;AAIH,SAAO,MACL,eAAe,OAAO,OAAO,wBAAwB,SAAS,MAAM,GACrE;AAQD,SAFkB,GAAG,YAAY,GAHf,OAAO,KAAK,SAAS,WAAW,CAAC,SAAS,SAAS;UAM9D,OAAO;AACd,MAAI,QAAQ,IAAI,sBAAsB,QAAQ;AAC5C,UAAO,KAAK,yCAAyC;AACrD,UAAO;;AAGT,SAAO,MAAM,+BAA+B,MAAe;AAE3D,QAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,MAAM,GAAG;;;;;;;;;;;AAY5E,MAAa,0BAA0B,OAAO,EAC5C,QACA,UAIqB;AACrB,QAAO,WAAW;EAChB,UAAU,OAAO;EACjB,gBAAgB,mBAAmB;GAAE;GAAQ;GAAK,CAAC;EACpD,CAAC;;;;;;AAOJ,MAAa,aAAa,OAAO,QAAgB;AAC/C,oBAAmB,MAAM,IAAI;;AAG/B,MAAM,cAAc,EAClB,UACA,eAII;;;;CAKJ,MAAM,YAAY,mBAAmB,IAAI,SAAS;AAClD,KAAI,WAAW;AACb,SAAO,MAAM,WAAW,SAAS,kBAAkB;AACnD,SAAO;;CAGT,MAAM,aAAa,UAAU;AAG7B,oBAAmB,IAAI,UAAU,YAAa,eAAe,IAAK,IAAK;AAEvE,QAAO;;AAGT,MAAM,0BAA0B,OAAO,aAAqB;AAC1D,KAAI;AAMF,SAAO,OAFQ,MAHF,IAAI,WAAW,EAC1B,QAAQ,kDACT,CAAC,CACwB,iBAAiB,SAAS,EAEhC,gBAAgB,aAAa,SAAS;UACnD,OAAO;AACd,MAAI,QAAQ,IAAI,sBAAsB,QAAQ;AAC5C,UAAO,KAAK,0CAA0C;AACtD,UAAO;;AAGT,SAAO,MAAM,+BAA+B,MAAe;AAE3D,QAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,MAAM,GAAG;;;;;;;;AAS5E,MAAa,+BAA+B,OAC1C,aACoB;AACpB,QAAO,WAAW;EAChB,UAAU;EACV,gBAAgB,wBAAwB,SAAS;EAClD,CAAC"}

package/package.json CHANGED Viewed

@@ -1,15 +1,15 @@
 {
   "name": "@sebspark/gcp-iam",
-  "version": "3.0.5",
+  "version": "3.0.7",
   "license": "Apache-2.0",
   "type": "module",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
+  "main": "dist/index.mjs",
+  "types": "dist/index.d.mts",
   "files": [
     "dist"
   ],
   "scripts": {
-    "build": "tsup src/index.ts --config ./tsup.config.ts",
+    "build": "tsdown src/index.ts",
     "depcheck": "depcheck",
     "dev": "tsc --watch --noEmit",
     "lint": "biome check .",
@@ -18,7 +18,7 @@
   },
   "devDependencies": {
     "@sebspark/tsconfig": "*",
-    "tsup": "8.5.0",
+    "tsdown": "0.16.6",
     "vitest": "4.0.6"
   },
   "dependencies": {

package/dist/index.js DELETED Viewed

@@ -1,156 +0,0 @@
-// src/apiGatewayToken.ts
-import { IAMCredentialsClient } from "@google-cloud/iam-credentials";
-import { getLogger } from "@sebspark/otel";
-import { GoogleAuth } from "google-auth-library";
-// src/lruCache.ts
-var LruCache = class {
-  values = /* @__PURE__ */ new Map();
-  maxEntries = 1e4;
-  defaultTTL = 1e3 * 10;
-  // 10 seconds
-  constructor(props) {
-    this.defaultTTL = props?.ttl ?? this.defaultTTL;
-    this.maxEntries = props?.maxEntries ?? this.maxEntries;
-  }
-  get(key) {
-    const hasKey = this.values.has(key);
-    if (hasKey) {
-      const entry = this.values.get(key);
-      if (Date.now() - entry.timestamp > entry.ttl) {
-        this.values.delete(key);
-        return void 0;
-      }
-      this.values.delete(key);
-      this.values.set(key, entry);
-      return entry.data;
-    }
-  }
-  put(key, value, ttl) {
-    if (this.values.size >= this.maxEntries) {
-      const keyToDelete = this.values.keys().next().value;
-      this.values.delete(keyToDelete);
-    }
-    this.values.set(key, {
-      data: value,
-      timestamp: Date.now(),
-      ttl: ttl || this.defaultTTL
-    });
-  }
-  clear(key) {
-    this.values.delete(key);
-  }
-};
-// src/apiGatewayToken.ts
-var expInSeconds = 60 * 60;
-var apiGatewayJwtCache = new LruCache();
-var logger = getLogger("gcp-iam");
-var generateTokenByUrl = async ({
-  apiURL,
-  key
-}) => {
-  try {
-    const iamClient = new IAMCredentialsClient();
-    const auth = new GoogleAuth();
-    const cred = await auth.getCredentials();
-    const serviceAccountEmail = cred.client_email;
-    if (!serviceAccountEmail) {
-      throw new Error("No service account e-mail could be found.");
-    }
-    logger.info(`Service account e-mail being used: ${serviceAccountEmail}`);
-    const header = {
-      alg: "RS256",
-      typ: "JWT"
-    };
-    const headerBase64 = Buffer.from(JSON.stringify(header)).toString("base64");
-    const now = Math.floor(Date.now() / 1e3);
-    const payload = {
-      iss: serviceAccountEmail,
-      sub: serviceAccountEmail,
-      aud: apiURL,
-      iat: now,
-      exp: now + expInSeconds
-    };
-    const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString(
-      "base64"
-    );
-    const unsignedJWT = `${headerBase64}.${payloadBase64}`;
-    const [response] = await iamClient.signBlob({
-      delegates: [serviceAccountEmail],
-      name: `projects/-/serviceAccounts/${serviceAccountEmail}`,
-      payload: new Uint8Array(Buffer.from(unsignedJWT))
-    });
-    if (!response.signedBlob) {
-      throw new Error(
-        "signBlob(...) returned an empty response. Cannot sign JWT."
-      );
-    }
-    logger.debug(
-      `New JWT for ${key || apiURL} created. Signed with ${response.keyId}.`
-    );
-    const signature = Buffer.from(response.signedBlob).toString("base64");
-    const signedJWT = `${unsignedJWT}.${signature}`;
-    return signedJWT;
-  } catch (error) {
-    if (process.env.GCP_IAM_SOFT_FAIL === "true") {
-      logger.info("Soft fail enabled, returning empty JWT");
-      return "";
-    }
-    logger.error("Error generating system JWT", error);
-    throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`);
-  }
-};
-var getApiGatewayTokenByUrl = async ({
-  apiURL,
-  key
-}) => {
-  return checkCache({
-    cacheKey: key || apiURL,
-    generate: () => generateTokenByUrl({ apiURL, key })
-  });
-};
-var clearCache = async (key) => {
-  apiGatewayJwtCache.clear(key);
-};
-var checkCache = ({
-  cacheKey,
-  generate
-}) => {
-  const cachedJwt = apiGatewayJwtCache.get(cacheKey);
-  if (cachedJwt) {
-    logger.debug(`JWT for ${cacheKey} found in cache.`);
-    return cachedJwt;
-  }
-  const jwtPromise = generate();
-  apiGatewayJwtCache.put(cacheKey, jwtPromise, expInSeconds / 2 * 1e3);
-  return jwtPromise;
-};
-var generateTokenByClientId = async (clientId) => {
-  try {
-    const auth = new GoogleAuth({
-      scopes: "https://www.googleapis.com/auth/cloud-platform"
-    });
-    const client = await auth.getIdTokenClient(clientId);
-    return await client.idTokenProvider.fetchIdToken(clientId);
-  } catch (error) {
-    if (process.env.GCP_IAM_SOFT_FAIL === "true") {
-      logger.info("Soft fail enabled, returning empty JWT.");
-      return "";
-    }
-    logger.error("Error generating system JWT", error);
-    throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`);
-  }
-};
-var getApiGatewayTokenByClientId = async (clientId) => {
-  return checkCache({
-    cacheKey: clientId,
-    generate: () => generateTokenByClientId(clientId)
-  });
-};
-export {
-  clearCache,
-  getApiGatewayTokenByClientId,
-  getApiGatewayTokenByUrl
-};
-//# sourceMappingURL=index.js.map

package/dist/index.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/apiGatewayToken.ts","../src/lruCache.ts"],"sourcesContent":["import { IAMCredentialsClient } from '@google-cloud/iam-credentials'\nimport { getLogger } from '@sebspark/otel'\nimport { GoogleAuth } from 'google-auth-library'\nimport { LruCache } from './lruCache'\n\nconst expInSeconds = 60 * 60\n// TODO: Make ttl changeable from getApiGatewayToken function\nconst apiGatewayJwtCache = new LruCache<Promise<string>>()\n\nconst logger = getLogger('gcp-iam')\n\nconst generateTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}) => {\n try {\n const iamClient = new IAMCredentialsClient()\n const auth = new GoogleAuth()\n const cred = await auth.getCredentials()\n const serviceAccountEmail = cred.client_email\n\n if (!serviceAccountEmail) {\n throw new Error('No service account e-mail could be found.')\n }\n\n // Remove when verified\n logger.info(`Service account e-mail being used: ${serviceAccountEmail}`)\n\n /**\n * JWT Header.\n */\n\n const header = {\n alg: 'RS256',\n typ: 'JWT',\n }\n const headerBase64 = Buffer.from(JSON.stringify(header)).toString('base64')\n\n /**\n * JWT Payload.\n */\n\n const now = Math.floor(Date.now() / 1000)\n const payload = {\n iss: serviceAccountEmail,\n sub: serviceAccountEmail,\n aud: apiURL,\n iat: now,\n exp: now + expInSeconds,\n }\n\n const payloadBase64 = Buffer.from(JSON.stringify(payload)).toString(\n 'base64'\n )\n\n /**\n * JWT Signature.\n */\n\n const unsignedJWT = `${headerBase64}.${payloadBase64}`\n const [response] = await iamClient.signBlob({\n delegates: [serviceAccountEmail],\n name: `projects/-/serviceAccounts/${serviceAccountEmail}`,\n payload: new Uint8Array(Buffer.from(unsignedJWT)),\n })\n\n if (!response.signedBlob) {\n throw new Error(\n 'signBlob(...) returned an empty response. Cannot sign JWT.'\n )\n }\n\n // Debug.\n logger.debug(\n `New JWT for ${key || apiURL} created. Signed with ${response.keyId}.`\n )\n\n // Encode the binary signature to Base64.\n const signature = Buffer.from(response.signedBlob).toString('base64')\n\n // Combine into the final JWT.\n const signedJWT = `${unsignedJWT}.${signature}`\n\n return signedJWT\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generate a system token for the API Gateway.\n * This is intended to be run under the context of the service account signing the JWT.\n * @param apiUrl The URL of the API Gateway including the path of the specific API to be accessed using the token.\n * @param serviceAccountEmail The email of the service account to be used.\n * @param logger An optional logger to use for logging.\n * @returns A JWT.\n */\nexport const getApiGatewayTokenByUrl = async ({\n apiURL,\n key,\n}: {\n apiURL: string\n key?: string\n}): Promise<string> => {\n return checkCache({\n cacheKey: key || apiURL,\n generate: () => generateTokenByUrl({ apiURL, key }),\n })\n}\n\n/**\n *\n * @param key Clears a cached JWT by key.\n */\nexport const clearCache = async (key: string) => {\n apiGatewayJwtCache.clear(key)\n}\n\nconst checkCache = ({\n cacheKey,\n generate,\n}: {\n cacheKey: string\n generate: () => Promise<string>\n}) => {\n /**\n * Check if there is a cached JWT\n */\n\n const cachedJwt = apiGatewayJwtCache.get(cacheKey)\n if (cachedJwt) {\n logger.debug(`JWT for ${cacheKey} found in cache.`)\n return cachedJwt\n }\n\n const jwtPromise = generate()\n\n // cache generated jwt\n apiGatewayJwtCache.put(cacheKey, jwtPromise, (expInSeconds / 2) * 1000)\n\n return jwtPromise\n}\n\nconst generateTokenByClientId = async (clientId: string) => {\n try {\n const auth = new GoogleAuth({\n scopes: 'https://www.googleapis.com/auth/cloud-platform',\n })\n const client = await auth.getIdTokenClient(clientId)\n\n return await client.idTokenProvider.fetchIdToken(clientId)\n } catch (error) {\n if (process.env.GCP_IAM_SOFT_FAIL === 'true') {\n logger.info('Soft fail enabled, returning empty JWT.')\n return ''\n }\n\n logger.error('Error generating system JWT', error as Error)\n\n throw new Error(`Error generating system JWT: ${JSON.stringify(error)}`)\n }\n}\n\n/**\n * Generates a JWT for the API Gateway, using Client ID as audience.\n * @param clientId OAUTH Client ID.\n * @returns ID Token.\n */\nexport const getApiGatewayTokenByClientId = async (\n clientId: string\n): Promise<string> => {\n return checkCache({\n cacheKey: clientId,\n generate: () => generateTokenByClientId(clientId),\n })\n}\n","export class LruCache<T> {\n private values: Map<string, { timestamp: number; data: T; ttl: number }> =\n new Map<string, { timestamp: number; data: T; ttl: number }>()\n private readonly maxEntries: number = 10000\n private readonly defaultTTL: number = 1000 * 10 // 10 seconds\n\n constructor(props?: { ttl?: number; maxEntries?: number }) {\n this.defaultTTL = props?.ttl ?? this.defaultTTL\n this.maxEntries = props?.maxEntries ?? this.maxEntries\n }\n\n public get(key: string): T | undefined {\n const hasKey = this.values.has(key)\n\n if (hasKey) {\n // peek the entry, re-insert for LRU strategy\n const entry = this.values.get(key) as {\n timestamp: number\n data: T\n ttl: number\n }\n if (Date.now() - entry.timestamp > entry.ttl) {\n this.values.delete(key)\n return undefined\n }\n this.values.delete(key)\n this.values.set(key, entry)\n return entry.data\n }\n }\n\n public put(key: string, value: T, ttl?: number) {\n if (this.values.size >= this.maxEntries) {\n // least-recently used cache eviction strategy\n const keyToDelete = this.values.keys().next().value as string\n this.values.delete(keyToDelete)\n }\n\n this.values.set(key, {\n data: value,\n timestamp: Date.now(),\n ttl: ttl || this.defaultTTL,\n })\n }\n\n public clear(key: string) {\n this.values.delete(key)\n }\n}\n"],"mappings":";AAAA,SAAS,4BAA4B;AACrC,SAAS,iBAAiB;AAC1B,SAAS,kBAAkB;;;ACFpB,IAAM,WAAN,MAAkB;AAAA,EACf,SACN,oBAAI,IAAyD;AAAA,EAC9C,aAAqB;AAAA,EACrB,aAAqB,MAAO;AAAA;AAAA,EAE7C,YAAY,OAA+C;AACzD,SAAK,aAAa,OAAO,OAAO,KAAK;AACrC,SAAK,aAAa,OAAO,cAAc,KAAK;AAAA,EAC9C;AAAA,EAEO,IAAI,KAA4B;AACrC,UAAM,SAAS,KAAK,OAAO,IAAI,GAAG;AAElC,QAAI,QAAQ;AAEV,YAAM,QAAQ,KAAK,OAAO,IAAI,GAAG;AAKjC,UAAI,KAAK,IAAI,IAAI,MAAM,YAAY,MAAM,KAAK;AAC5C,aAAK,OAAO,OAAO,GAAG;AACtB,eAAO;AAAA,MACT;AACA,WAAK,OAAO,OAAO,GAAG;AACtB,WAAK,OAAO,IAAI,KAAK,KAAK;AAC1B,aAAO,MAAM;AAAA,IACf;AAAA,EACF;AAAA,EAEO,IAAI,KAAa,OAAU,KAAc;AAC9C,QAAI,KAAK,OAAO,QAAQ,KAAK,YAAY;AAEvC,YAAM,cAAc,KAAK,OAAO,KAAK,EAAE,KAAK,EAAE;AAC9C,WAAK,OAAO,OAAO,WAAW;AAAA,IAChC;AAEA,SAAK,OAAO,IAAI,KAAK;AAAA,MACnB,MAAM;AAAA,MACN,WAAW,KAAK,IAAI;AAAA,MACpB,KAAK,OAAO,KAAK;AAAA,IACnB,CAAC;AAAA,EACH;AAAA,EAEO,MAAM,KAAa;AACxB,SAAK,OAAO,OAAO,GAAG;AAAA,EACxB;AACF;;;AD3CA,IAAM,eAAe,KAAK;AAE1B,IAAM,qBAAqB,IAAI,SAA0B;AAEzD,IAAM,SAAS,UAAU,SAAS;AAElC,IAAM,qBAAqB,OAAO;AAAA,EAChC;AAAA,EACA;AACF,MAGM;AACJ,MAAI;AACF,UAAM,YAAY,IAAI,qBAAqB;AAC3C,UAAM,OAAO,IAAI,WAAW;AAC5B,UAAM,OAAO,MAAM,KAAK,eAAe;AACvC,UAAM,sBAAsB,KAAK;AAEjC,QAAI,CAAC,qBAAqB;AACxB,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC7D;AAGA,WAAO,KAAK,sCAAsC,mBAAmB,EAAE;AAMvE,UAAM,SAAS;AAAA,MACb,KAAK;AAAA,MACL,KAAK;AAAA,IACP;AACA,UAAM,eAAe,OAAO,KAAK,KAAK,UAAU,MAAM,CAAC,EAAE,SAAS,QAAQ;AAM1E,UAAM,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AACxC,UAAM,UAAU;AAAA,MACd,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK,MAAM;AAAA,IACb;AAEA,UAAM,gBAAgB,OAAO,KAAK,KAAK,UAAU,OAAO,CAAC,EAAE;AAAA,MACzD;AAAA,IACF;AAMA,UAAM,cAAc,GAAG,YAAY,IAAI,aAAa;AACpD,UAAM,CAAC,QAAQ,IAAI,MAAM,UAAU,SAAS;AAAA,MAC1C,WAAW,CAAC,mBAAmB;AAAA,MAC/B,MAAM,8BAA8B,mBAAmB;AAAA,MACvD,SAAS,IAAI,WAAW,OAAO,KAAK,WAAW,CAAC;AAAA,IAClD,CAAC;AAED,QAAI,CAAC,SAAS,YAAY;AACxB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAGA,WAAO;AAAA,MACL,eAAe,OAAO,MAAM,yBAAyB,SAAS,KAAK;AAAA,IACrE;AAGA,UAAM,YAAY,OAAO,KAAK,SAAS,UAAU,EAAE,SAAS,QAAQ;AAGpE,UAAM,YAAY,GAAG,WAAW,IAAI,SAAS;AAE7C,WAAO;AAAA,EACT,SAAS,OAAO;AACd,QAAI,QAAQ,IAAI,sBAAsB,QAAQ;AAC5C,aAAO,KAAK,wCAAwC;AACpD,aAAO;AAAA,IACT;AAEA,WAAO,MAAM,+BAA+B,KAAc;AAE1D,UAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,EACzE;AACF;AAUO,IAAM,0BAA0B,OAAO;AAAA,EAC5C;AAAA,EACA;AACF,MAGuB;AACrB,SAAO,WAAW;AAAA,IAChB,UAAU,OAAO;AAAA,IACjB,UAAU,MAAM,mBAAmB,EAAE,QAAQ,IAAI,CAAC;AAAA,EACpD,CAAC;AACH;AAMO,IAAM,aAAa,OAAO,QAAgB;AAC/C,qBAAmB,MAAM,GAAG;AAC9B;AAEA,IAAM,aAAa,CAAC;AAAA,EAClB;AAAA,EACA;AACF,MAGM;AAKJ,QAAM,YAAY,mBAAmB,IAAI,QAAQ;AACjD,MAAI,WAAW;AACb,WAAO,MAAM,WAAW,QAAQ,kBAAkB;AAClD,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,SAAS;AAG5B,qBAAmB,IAAI,UAAU,YAAa,eAAe,IAAK,GAAI;AAEtE,SAAO;AACT;AAEA,IAAM,0BAA0B,OAAO,aAAqB;AAC1D,MAAI;AACF,UAAM,OAAO,IAAI,WAAW;AAAA,MAC1B,QAAQ;AAAA,IACV,CAAC;AACD,UAAM,SAAS,MAAM,KAAK,iBAAiB,QAAQ;AAEnD,WAAO,MAAM,OAAO,gBAAgB,aAAa,QAAQ;AAAA,EAC3D,SAAS,OAAO;AACd,QAAI,QAAQ,IAAI,sBAAsB,QAAQ;AAC5C,aAAO,KAAK,yCAAyC;AACrD,aAAO;AAAA,IACT;AAEA,WAAO,MAAM,+BAA+B,KAAc;AAE1D,UAAM,IAAI,MAAM,gCAAgC,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,EACzE;AACF;AAOO,IAAM,+BAA+B,OAC1C,aACoB;AACpB,SAAO,WAAW;AAAA,IAChB,UAAU;AAAA,IACV,UAAU,MAAM,wBAAwB,QAAQ;AAAA,EAClD,CAAC;AACH;","names":[]}