@vizamodo/aws-sts-core 0.3.12 → 0.3.13

package/dist/sts/cache.d.ts

@@ -0,0 +1,3 @@
+import type { AwsCredentialResult } from "../types";
+export declare function getCachedCredentials(cacheKey: string): Promise<AwsCredentialResult | null>;
+export declare function setCachedCredentials(cacheKey: string, result: AwsCredentialResult): Promise<void>;

package/dist/sts/cache.js

@@ -0,0 +1,40 @@
+const CACHE_KEY_PREFIX = "https://sts-cache.internal/";
+const CACHE_TTL_BUFFER_SEC = 5 * 60; // 5 minutes safety buffer
+export async function getCachedCredentials(cacheKey) {
+    const cache = caches.default;
+    const req = new Request(CACHE_KEY_PREFIX + cacheKey);
+    const res = await cache.match(req);
+    if (!res)
+        return null;
+    try {
+        return (await res.json());
+    }
+    catch {
+        // corrupted cache entry → ignore
+        return null;
+    }
+}
+export async function setCachedCredentials(cacheKey, result) {
+    if (!result.expiration) {
+        // cache is optional; skip caching if expiration missing
+        return;
+    }
+    const expiresAt = Date.parse(result.expiration);
+    if (!Number.isFinite(expiresAt)) {
+        // invalid expiration → skip caching
+        return;
+    }
+    const ttlSec = Math.floor((expiresAt - Date.now()) / 1000) - CACHE_TTL_BUFFER_SEC;
+    if (ttlSec <= 0)
+        return;
+    const cache = caches.default;
+    const req = new Request(CACHE_KEY_PREFIX + cacheKey);
+    const body = JSON.stringify(result);
+    const res = new Response(body, {
+        headers: {
+            "Content-Type": "application/json",
+            "Cache-Control": `max-age=${ttlSec}`,
+        },
+    });
+    await cache.put(req, res);
+}

package/dist/sts/issue.js

@@ -1,3 +1,4 @@
+import { getCachedCredentials, setCachedCredentials } from "./cache";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
@@ -133,18 +134,24 @@ export async function issueAwsCredentials(input) {
             throw new InternalError("invalid_cert_der");
         }
     }
-    // ---- STS credential cache lookup (using certificate serial) ----
+    // ---- cross-request cache lookup (Cloudflare Cache API) ----
     cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
+    const externalCached = await getCachedCredentials(cacheKey);
+    if (externalCached) {
+        console.log("[sts-cache] edge-hit", { cacheKey });
+        return externalCached;
+    }
+    // ---- isolate-level cache lookup (dedupe concurrent refresh within isolate) ----
     const cachedEntry = stsCredentialCache.get(cacheKey);
     if (cachedEntry) {
-        console.log("[sts-cache] hit", {
+        console.log("[sts-cache] isolate-hit", {
             cacheKey,
             expiresAt: cachedEntry.expiresAt,
             now: Date.now(),
         });
     }
     else {
-        console.log("[sts-cache] miss", { cacheKey });
+        console.log("[sts-cache] isolate-miss", { cacheKey });
     }
     // Only reuse cached credentials if they still have >10p remaining
     const MIN_REMAINING_MS = 5 * 60 * 1000;
@@ -238,6 +245,8 @@ export async function issueAwsCredentials(input) {
                 sessionToken: creds.sessionToken,
                 expiration: creds.expiration,
             };
+            // persist credential in edge cache (best effort)
+            setCachedCredentials(cacheKey, result).catch(() => { });
             // subtract small clock‑skew safety window (5s)
             const exp = new Date(creds.expiration).getTime() - 5000;
             // update cache expiration after success

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.12",
+  "version": "0.3.13",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",