@vizamodo/aws-sts-core 0.1.10

package/dist/federation/login.d.ts

@@ -0,0 +1,11 @@
+export declare function buildFederationLoginUrl(input: {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string;
+    region: string;
+}): Promise<{
+    loginUrl: string;
+    shortUrl: string;
+    ttlHours: number;
+    region: string;
+}>;

package/dist/federation/login.js

@@ -0,0 +1,25 @@
+export async function buildFederationLoginUrl(input) {
+    const session = {
+        sessionId: input.accessKeyId,
+        sessionKey: input.secretAccessKey,
+        sessionToken: input.sessionToken
+    };
+    const sessionJson = JSON.stringify(session);
+    const encoded = encodeURIComponent(sessionJson);
+    const tokenResp = await fetch(`https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${encoded}`);
+    const { SigninToken } = await tokenResp.json();
+    if (!SigninToken)
+        throw new Error("federation_failed");
+    const loginUrl = `https://signin.aws.amazon.com/federation?Action=login` +
+        `&Issuer=viza` +
+        `&Destination=https://console.aws.amazon.com/?region=${input.region}` +
+        `&SigninToken=${SigninToken}`;
+    const shortUrl = loginUrl.slice(0, 40) + "..." +
+        loginUrl.slice(-60);
+    return {
+        loginUrl,
+        shortUrl,
+        ttlHours: 1,
+        region: input.region
+    };
+}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./types";
+export * from "./sts/issue";
+export * from "./federation/login";

package/dist/index.js

@@ -0,0 +1,3 @@
+export * from "./types";
+export * from "./sts/issue";
+export * from "./federation/login";

package/dist/sigv4/canonical.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Build AWS SigV4 Canonical Request
+ * This module is PURE and deterministic.
+ * It does NOT sign anything.
+ */
+export interface CanonicalRequestInput {
+    method: string;
+    /**
+     * Path MUST be URI-encoded and start with '/'
+     * Example: '/sessions'
+     */
+    canonicalUri: string;
+    /**
+     * Canonicalized query string.
+     * Must already be sorted and encoded.
+     * This string is used as-is.
+     */
+    query?: string;
+    /**
+     * Headers to be signed.
+     * This is a fully canonicalized string, including sorting, lowercasing keys,
+     * trimming values, and newline termination.
+     */
+    canonicalHeaders: string;
+    /**
+     * Lowercase, sorted header names joined by ';'
+     */
+    signedHeaders: string;
+    /**
+     * Hex-encoded SHA256 hash of request body.
+     * For empty body, use SHA256('') constant.
+     */
+    payloadHash: string;
+}
+export declare function buildCanonicalRequest(input: CanonicalRequestInput): string;

package/dist/sigv4/canonical.js

@@ -0,0 +1,16 @@
+// src/sigv4/canonical.ts
+/**
+ * Build AWS SigV4 Canonical Request
+ * This module is PURE and deterministic.
+ * It does NOT sign anything.
+ */
+export function buildCanonicalRequest(input) {
+    return [
+        input.method.toUpperCase(),
+        input.canonicalUri,
+        input.query ?? "",
+        input.canonicalHeaders, // Bản thân cái này đã có \n cuối cùng rồi
+        input.signedHeaders,
+        input.payloadHash
+    ].join("\n");
+}

package/dist/sigv4/headers.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Canonicalize HTTP headers for AWS SigV4.
+ *
+ * Rules (AWS spec):
+ * - Header names: lowercase
+ * - Trim leading/trailing spaces in values
+ * - Collapse sequential spaces into one
+ * - Sort headers by name (ASCII)
+ * - Join as: `name:value\n`
+ *
+ * This function is PURE and side‑effect free.
+ */
+export interface CanonicalHeadersResult {
+    canonicalHeaders: string;
+    signedHeaders: string;
+}
+export declare function canonicalizeHeaders(headers: Record<string, string | undefined>): CanonicalHeadersResult;

package/dist/sigv4/headers.js

@@ -0,0 +1,38 @@
+/**
+ * Canonicalize HTTP headers for AWS SigV4.
+ *
+ * Rules (AWS spec):
+ * - Header names: lowercase
+ * - Trim leading/trailing spaces in values
+ * - Collapse sequential spaces into one
+ * - Sort headers by name (ASCII)
+ * - Join as: `name:value\n`
+ *
+ * This function is PURE and side‑effect free.
+ */
+export function canonicalizeHeaders(headers) {
+    const normalized = {};
+    for (const [key, value] of Object.entries(headers)) {
+        if (value === undefined)
+            continue;
+        const name = key.toLowerCase().trim();
+        if (!name)
+            continue;
+        // AWS requires:
+        // - trim
+        // - collapse multiple spaces into one
+        const cleanedValue = value
+            .trim()
+            .replace(/\s+/g, " ");
+        normalized[name] = cleanedValue;
+    }
+    const sortedHeaderNames = Object.keys(normalized).sort();
+    const canonicalHeaders = sortedHeaderNames
+        .map((name) => `${name}:${normalized[name]}\n`)
+        .join("");
+    const signedHeaders = sortedHeaderNames.join(";");
+    return {
+        canonicalHeaders,
+        signedHeaders,
+    };
+}

package/dist/sigv4/string-to-sign.d.ts

@@ -0,0 +1,16 @@
+export interface StringToSignInput {
+    algorithm: string;
+    amzDate: string;
+    credentialScope: string;
+    canonicalRequestHash: string;
+}
+/**
+ * Build SigV4 String-To-Sign
+ *
+ * Format:
+ *  AWS4-X509-ECDSA-SHA256
+ *  20240101T000000Z
+ *  20240101/ap-southeast-1/sts/aws4_request
+ *  <hex(canonicalRequestHash)>
+ */
+export declare function buildStringToSign(input: StringToSignInput): string;

package/dist/sigv4/string-to-sign.js

@@ -0,0 +1,24 @@
+// src/sigv4/string-to-sign.ts
+// Build AWS SigV4 String-To-Sign (X.509 / Roles Anywhere compatible)
+// PURE function: no crypto, no env, no side-effects.
+/**
+ * Build SigV4 String-To-Sign
+ *
+ * Format:
+ *  AWS4-X509-ECDSA-SHA256
+ *  20240101T000000Z
+ *  20240101/ap-southeast-1/sts/aws4_request
+ *  <hex(canonicalRequestHash)>
+ */
+export function buildStringToSign(input) {
+    const { algorithm, amzDate, credentialScope, canonicalRequestHash, } = input;
+    if (!algorithm || !amzDate || !credentialScope || !canonicalRequestHash) {
+        throw new Error("string_to_sign_missing_fields");
+    }
+    return [
+        algorithm,
+        amzDate,
+        credentialScope,
+        canonicalRequestHash,
+    ].join("\n");
+}

package/dist/sts/errors.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Base error type for viza-aws-bridge.
+ * This worker is a credential issuer and MUST NOT leak internals.
+ */
+export declare abstract class BridgeError extends Error {
+    readonly code: string;
+    readonly status: number;
+    protected constructor(code: string, status: number);
+}
+/**
+ * The request is invalid or malformed.
+ * This indicates a programmer or protocol error by the caller.
+ */
+export declare class InvalidRequestError extends BridgeError {
+    constructor(code?: string);
+}
+/**
+ * The operation is not permitted.
+ * Used when AWS rejects the assume or signing operation.
+ */
+export declare class UnauthorizedError extends BridgeError {
+    constructor(code?: string);
+}
+/**
+ * Internal failure inside the bridge.
+ * NEVER expose underlying AWS / crypto / parsing errors.
+ */
+export declare class InternalError extends BridgeError {
+    constructor(code?: string);
+}
+/**
+ * Normalize unknown errors into a safe HTTP response.
+ * This is the ONLY place where errors are translated to responses.
+ */
+export declare function normalizeError(err: unknown): {
+    status: number;
+    body: {
+        error: string;
+    };
+};

package/dist/sts/errors.js

@@ -0,0 +1,57 @@
+/**
+ * Base error type for viza-aws-bridge.
+ * This worker is a credential issuer and MUST NOT leak internals.
+ */
+export class BridgeError extends Error {
+    code;
+    status;
+    constructor(code, status) {
+        super(code);
+        this.code = code;
+        this.status = status;
+    }
+}
+/**
+ * The request is invalid or malformed.
+ * This indicates a programmer or protocol error by the caller.
+ */
+export class InvalidRequestError extends BridgeError {
+    constructor(code = "invalid_request") {
+        super(code, 400);
+    }
+}
+/**
+ * The operation is not permitted.
+ * Used when AWS rejects the assume or signing operation.
+ */
+export class UnauthorizedError extends BridgeError {
+    constructor(code = "unauthorized") {
+        super(code, 403);
+    }
+}
+/**
+ * Internal failure inside the bridge.
+ * NEVER expose underlying AWS / crypto / parsing errors.
+ */
+export class InternalError extends BridgeError {
+    constructor(code = "internal_error") {
+        super(code, 500);
+    }
+}
+/**
+ * Normalize unknown errors into a safe HTTP response.
+ * This is the ONLY place where errors are translated to responses.
+ */
+export function normalizeError(err) {
+    if (err instanceof BridgeError) {
+        return {
+            status: err.status,
+            body: { error: err.code },
+        };
+    }
+    // Absolute fallback: never leak
+    return {
+        status: 500,
+        body: { error: "internal_error" },
+    };
+}

package/dist/sts/issue.d.ts

@@ -0,0 +1,16 @@
+import type { AwsCredentialResult } from "../types";
+/**
+ * Issue short-lived AWS credentials via Roles Anywhere.
+ * Preserve:
+ *  - TTL per profile
+ *  - isolate-level signing material cache
+ */
+export declare function issueAwsCredentials(input: {
+    roleArn: string;
+    profileArn: string;
+    trustAnchorArn: string;
+    region: string;
+    certBase64: string;
+    privateKeyPkcs8Base64: string;
+    profile: string;
+}): Promise<AwsCredentialResult>;

package/dist/sts/issue.js

@@ -0,0 +1,153 @@
+import { canonicalizeHeaders } from "../sigv4/headers";
+import { buildCanonicalRequest } from "../sigv4/canonical";
+import { buildStringToSign } from "../sigv4/string-to-sign";
+import { signStringToSign } from "./signer";
+import { InternalError } from "./errors";
+// ---- isolate-level cached signing material ----
+let cachedSigningKey = null;
+let cachedCertBase64 = null;
+async function getSigningMaterial(input) {
+    if (cachedSigningKey && cachedCertBase64) {
+        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+    }
+    try {
+        cachedCertBase64 = input.certBase64;
+        const keyBuffer = base64ToArrayBuffer(input.privateKeyPkcs8Base64);
+        cachedSigningKey = await crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+    }
+    catch {
+        throw new InternalError("invalid_signing_material");
+    }
+}
+function resolveSessionTtlByProfile(profile) {
+    switch (profile) {
+        case "hub-console-ro":
+            return 12 * 60 * 60; // 12h
+        case "hub-billing-ro":
+        case "hub-billing-admin":
+            return 2 * 60 * 60; // 2h
+        case "hub-runtime":
+            return 90 * 60; // 1h30m
+        default:
+            // fail-safe
+            return 2 * 60 * 60;
+    }
+}
+/**
+ * Issue short-lived AWS credentials via Roles Anywhere.
+ * Preserve:
+ *  - TTL per profile
+ *  - isolate-level signing material cache
+ */
+export async function issueAwsCredentials(input) {
+    const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
+    if (!roleArn || !profileArn || !trustAnchorArn || !region) {
+        throw new InternalError("missing_aws_configuration");
+    }
+    const sessionTtl = resolveSessionTtlByProfile(profile);
+    const signingMaterial = await getSigningMaterial({
+        certBase64,
+        privateKeyPkcs8Base64,
+    });
+    const signingKey = signingMaterial.signingKey;
+    const method = "POST";
+    const service = "rolesanywhere";
+    const host = `rolesanywhere.${region}.amazonaws.com`;
+    const path = "/sessions";
+    const now = new Date();
+    const amzDate = now
+        .toISOString()
+        .replace(/\.\d{3}Z$/, "Z")
+        .replace(/[:-]/g, "");
+    const dateStamp = amzDate.slice(0, 8);
+    const body = JSON.stringify({
+        trustAnchorArn,
+        profileArn,
+        roleArn,
+        durationSeconds: sessionTtl,
+    });
+    const payloadHash = await sha256Hex(body);
+    const baseHeaders = {
+        host,
+        "content-type": "application/json",
+        "x-amz-date": amzDate,
+        "x-amz-x509-chain": certBase64,
+    };
+    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+    const canonicalRequest = buildCanonicalRequest({
+        method,
+        canonicalUri: path,
+        query: "",
+        canonicalHeaders,
+        signedHeaders,
+        payloadHash,
+    });
+    const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+    const stringToSign = buildStringToSign({
+        algorithm: "AWS4-X509-ECDSA-SHA256",
+        amzDate,
+        credentialScope,
+        canonicalRequestHash: await sha256Hex(canonicalRequest),
+    });
+    const signatureHex = await signStringToSign(stringToSign, signingKey);
+    const authorization = `AWS4-X509-ECDSA-SHA256 ` +
+        `Credential=${roleArn}/${credentialScope}, ` +
+        `SignedHeaders=${signedHeaders}, ` +
+        `Signature=${signatureHex}`;
+    const headers = {
+        ...baseHeaders,
+        Authorization: authorization,
+    };
+    let res;
+    try {
+        res = await fetch(`https://${host}${path}`, {
+            method,
+            headers,
+            body,
+        });
+    }
+    catch {
+        throw new InternalError("aws_unreachable");
+    }
+    if (!res.ok) {
+        throw new InternalError("aws_rejected");
+    }
+    let json;
+    try {
+        json = await res.json();
+    }
+    catch {
+        throw new InternalError("invalid_aws_response");
+    }
+    const creds = json?.credentialSet?.[0]?.credentials;
+    if (!creds?.accessKeyId ||
+        !creds?.secretAccessKey ||
+        !creds?.sessionToken ||
+        !creds?.expiration) {
+        throw new InternalError("malformed_aws_credentials");
+    }
+    return {
+        accessKeyId: creds.accessKeyId,
+        secretAccessKey: creds.secretAccessKey,
+        sessionToken: creds.sessionToken,
+        expiration: creds.expiration,
+    };
+}
+// ---- helpers ----
+async function sha256Hex(input) {
+    const data = new TextEncoder().encode(input);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    const bytes = new Uint8Array(hash);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
+}
+function base64ToArrayBuffer(base64) {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+}

package/dist/sts/signer.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Sign String-To-Sign using ECDSA (P-256, SHA-256).
+ *
+ * IMPORTANT:
+ * - Uses AWS4-X509-ECDSA-SHA256
+ * - WebCrypto returns DER-encoded signature
+ * - We convert DER -> hex (lowercase) as required by AWS
+ */
+export declare function signStringToSign(stringToSign: string, signingKey: CryptoKey): Promise<string>;

package/dist/sts/signer.js

@@ -0,0 +1,34 @@
+import { InternalError } from "./errors";
+/**
+ * Sign String-To-Sign using ECDSA (P-256, SHA-256).
+ *
+ * IMPORTANT:
+ * - Uses AWS4-X509-ECDSA-SHA256
+ * - WebCrypto returns DER-encoded signature
+ * - We convert DER -> hex (lowercase) as required by AWS
+ */
+export async function signStringToSign(stringToSign, signingKey) {
+    try {
+        const data = new TextEncoder().encode(stringToSign);
+        const signature = await crypto.subtle.sign({
+            name: "ECDSA",
+            hash: "SHA-256",
+        }, signingKey, data);
+        return arrayBufferToHex(signature);
+    }
+    catch {
+        throw new InternalError("signing_failed");
+    }
+}
+/**
+ * Convert ArrayBuffer → lowercase hex string.
+ * This matches AWS SigV4 expectations.
+ */
+function arrayBufferToHex(buf) {
+    const bytes = new Uint8Array(buf);
+    let hex = "";
+    for (let i = 0; i < bytes.length; i++) {
+        hex += bytes[i].toString(16).padStart(2, "0");
+    }
+    return hex;
+}

package/dist/types.d.ts

@@ -0,0 +1,6 @@
+export interface AwsCredentialResult {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string;
+    expiration: string;
+}

package/dist/types.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@vizamodo/aws-sts-core",
+  "version": "0.1.10",
+  "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": "./dist/index.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run build",
+    "dev": "ts-node bin/viza.ts",
+    "release:prod": "rm -rf dist && npx npm-check-updates -u && npm install && git add package.json package-lock.json && git commit -m 'chore(deps): auto update dependencies before release' || echo 'No changes' && node versioning.js && npm login && npm publish --tag latest --access public && git push"
+  },
+  "devDependencies": {
+    "typescript": "^5.9.3"
+  }
+}