@vizamodo/aws-sts-core 0.3.15 → 0.3.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,4 +1,3 @@
1
- import type { AwsCredentialResult } from "../types";
2
1
  /**
3
2
  * Generic edge cache GET helper
4
3
  */
@@ -7,8 +6,3 @@ export declare function getEdgeCache<T>(key: string): Promise<T | null>;
7
6
  * Generic edge cache SET helper
8
7
  */
9
8
  export declare function setEdgeCache(key: string, value: unknown, ttlSec: number): Promise<void>;
10
- /**
11
- * ---- STS credential cache helpers ----
12
- */
13
- export declare function getCachedCredentials(cacheKey: string): Promise<AwsCredentialResult | null>;
14
- export declare function setCachedCredentials(cacheKey: string, result: AwsCredentialResult): Promise<void>;
@@ -1,5 +1,4 @@
1
1
  const CACHE_KEY_PREFIX = "https://edge-cache.internal/";
2
- const CACHE_TTL_BUFFER_SEC = 5 * 60; // 5 minutes safety buffer
3
2
  /**
4
3
  * Generic edge cache GET helper
5
4
  */
@@ -45,18 +44,3 @@ export async function setEdgeCache(key, value, ttlSec) {
45
44
  // cache write failure is non-fatal
46
45
  }
47
46
  }
48
- /**
49
- * ---- STS credential cache helpers ----
50
- */
51
- export async function getCachedCredentials(cacheKey) {
52
- return getEdgeCache(cacheKey);
53
- }
54
- export async function setCachedCredentials(cacheKey, result) {
55
- if (!result.expiration)
56
- return;
57
- const expiresAt = Date.parse(result.expiration);
58
- if (!Number.isFinite(expiresAt))
59
- return;
60
- const ttlSec = Math.floor((expiresAt - Date.now()) / 1000) - CACHE_TTL_BUFFER_SEC;
61
- await setEdgeCache(cacheKey, result, ttlSec);
62
- }
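--- a/package/dist/sts/issue.js
+++ b/package/dist/sts/issue.js
@@ -10,12 +10,12 @@ const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
 const PROFILE_TTL = {
-Runtime: 30 * 60,
+Runtime: 45 * 60,
 ConsoleReadOnly: 12 * 60 * 60,
 ConsoleViewOnlyProd: 12 * 60 * 60,
-BillingReadOnly: 2 * 60 * 60,
-BillingAdmin: 2 * 60 * 60,
-BillingAccountant: 2 * 60 * 60,
+BillingReadOnly: 3 * 60 * 60,
+BillingAdmin: 3 * 60 * 60,
+BillingAccountant: 3 * 60 * 60,
 };
 const DEFAULT_TTL = 2 * 60 * 60;
 // ---- isolate-level cached signing material ----
@@ -62,7 +62,12 @@ async function getSigningMaterial(input) {
 }
 }
 function resolveSessionTtlByProfile(profile) {
-return PROFILE_TTL[profile] ?? DEFAULT_TTL;
+const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
+// Guard rails
+const MIN_PROFILE_TTL = 45 * 60; // 45 minutes
+const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 hours
+// Clamp TTL to safe range
+return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
 }
 /**
 * Issue short-lived AWS credentials via Roles Anywhere.
@@ -142,8 +147,9 @@ export async function issueAwsCredentials(input) {
 }
 // ---- isolate-level cache lookup (dedupe concurrent refresh within isolate) ----
 const cachedEntry = stsCredentialCache.get(cacheKey);
-// Only reuse cached credentials if they still have >10p remaining
-const MIN_REMAINING_MS = 5 * 60 * 1000;
+// Ensure remaining TTL is at least 2/3 of the profile session TTL
+// so console sessions (e.g. 12h) don't receive credentials close to expiry
+const MIN_REMAINING_MS = Math.floor((sessionTtl * 2) / 3) * 1000;
 if (cachedEntry) {
 // If refresh already in-flight → await the same promise
 if (cachedEntry.expiresAt === 0) {
@@ -233,7 +239,9 @@ export async function issueAwsCredentials(input) {
 if (result.expiration) {
 const expiresAt = Date.parse(result.expiration);
 if (Number.isFinite(expiresAt)) {
-const ttlSec = Math.floor((expiresAt - Date.now()) / 1000) - (5 * 60);
+// Cache only the last 1/3 of credential lifetime so refresh happens early
+const remainingSec = Math.floor((expiresAt - Date.now()) / 1000);
+const ttlSec = Math.max(0, remainingSec - Math.floor(sessionTtl / 3));
 setEdgeCache(cacheKey, result, ttlSec).catch(() => { });
 }
 }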
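Review bot: The comment added in the last hunk, `// Cache only the last 1/3 of credential lifetime so refresh happens early`, states the opposite of what the two lines below it compute: `ttlSec` is the remaining lifetime minus a third of `sessionTtl`, so the edge-cache entry expires while roughly the last third of the credential lifetime is still ahead, and it is that last third which is not cached. Suggest `// Expire the edge-cache entry a third of the session TTL before the credentials do, so callers refresh early`. In the `resolveSessionTtlByProfile` hunk, `MIN_PROFILE_TTL` and `MAX_PROFILE_TTL` are re-declared on every call although they are the same kind of constant as `DEFAULT_TTL`; hoisting them next to it would also make visible that the clamp raises any profile entry below 45 minutes up to 45 minutes, so a deliberately shorter session can no longer be granted through the table. Whether `sessionTtl`, used by the last two hunks, is in scope at those points cannot be seen here, since `issueAwsCredentials` starts and ends outside the hunks.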
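--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@vizamodo/aws-sts-core",
-"version": "0.3.15",
+"version": "0.3.18",
 "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
 "type": "module",
 "main": "dist/index.js",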