@vizamodo/aws-sts-core 0.3.17 → 0.3.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/dist/sts/issue.js +16 -8
  2. package/package.json +1 -1
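--- a/package/dist/sts/issue.js
+++ b/package/dist/sts/issue.js
@@ -10,12 +10,12 @@ const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
 const PROFILE_TTL = {
- Runtime: 30 * 60,
+ Runtime: 45 * 60,
 ConsoleReadOnly: 12 * 60 * 60,
 ConsoleViewOnlyProd: 12 * 60 * 60,
- BillingReadOnly: 2 * 60 * 60,
- BillingAdmin: 2 * 60 * 60,
- BillingAccountant: 2 * 60 * 60,
+ BillingReadOnly: 3 * 60 * 60,
+ BillingAdmin: 3 * 60 * 60,
+ BillingAccountant: 3 * 60 * 60,
 };
 const DEFAULT_TTL = 2 * 60 * 60;
 // ---- isolate-level cached signing material ----
@@ -62,7 +62,12 @@ async function getSigningMaterial(input) {
 }
 }
 function resolveSessionTtlByProfile(profile) {
- return PROFILE_TTL[profile] ?? DEFAULT_TTL;
+ const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
+ // Guard rails
+ const MIN_PROFILE_TTL = 45 * 60; // 45 minutes
+ const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 hours
+ // Clamp TTL to safe range
+ return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
 }
 /**
 * Issue short-lived AWS credentials via Roles Anywhere.
@@ -142,8 +147,9 @@ export async function issueAwsCredentials(input) {
 }
 // ---- isolate-level cache lookup (dedupe concurrent refresh within isolate) ----
 const cachedEntry = stsCredentialCache.get(cacheKey);
- // Only reuse cached credentials if they still have >10p remaining
- const MIN_REMAINING_MS = 5 * 60 * 1000;
+ // Ensure remaining TTL is at least 2/3 of the profile session TTL
+ // so console sessions (e.g. 12h) don't receive credentials close to expiry
+ const MIN_REMAINING_MS = Math.floor((sessionTtl * 2) / 3) * 1000;
 if (cachedEntry) {
 // If refresh already in-flight → await the same promise
 if (cachedEntry.expiresAt === 0) {
@@ -233,7 +239,9 @@ export async function issueAwsCredentials(input) {
 if (result.expiration) {
 const expiresAt = Date.parse(result.expiration);
 if (Number.isFinite(expiresAt)) {
- const ttlSec = Math.floor((expiresAt - Date.now()) / 1000) - (15 * 60);
+ // Cache only the last 1/3 of credential lifetime so refresh happens early
+ const remainingSec = Math.floor((expiresAt - Date.now()) / 1000);
+ const ttlSec = Math.max(0, remainingSec - Math.floor(sessionTtl / 3));
 setEdgeCache(cacheKey, result, ttlSec).catch(() => { });
 }
 }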
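Review bot: The floor in resolveSessionTtlByProfile silently lengthens credential lifetime rather than bounding it: any profile configured below 45 minutes (Roles Anywhere accepts sessions as short as 15 minutes) is raised to 45, yet the comment "Clamp TTL to safe range" reads as if this were a security bound. The floor appears to exist for the cache arithmetic in the later hunks (the 2/3-remaining reuse rule and the 1/3 early-refresh margin need a non-trivial window), so the comment should say that, e.g. `// Floor keeps the 2/3-remaining reuse window meaningful; ceiling matches the Roles Anywhere 12h session maximum. Note the floor lengthens, never shortens, credential lifetime`, and a log line when a configured TTL is actually clamped would keep the widening from being invisible. MIN_PROFILE_TTL and MAX_PROFILE_TTL are recreated on every call and belong at module level beside PROFILE_TTL and DEFAULT_TTL. In the last hunk the comment `Cache only the last 1/3 of credential lifetime` states the inverse of the code, which expires the edge entry once one third of sessionTtl remains (i.e. caches the first two thirds); and if setEdgeCache treats a ttl of 0 as "no expiry", the Math.max(0, …) floor should skip the write rather than pass 0. sessionTtl is assigned outside these hunks, so whether it is the clamped value cannot be confirmed here.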
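--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@vizamodo/aws-sts-core",
- "version": "0.3.17",
+ "version": "0.3.18",
 "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
 "type": "module",
 "main": "dist/index.js",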