npm - @vizamodo/aws-sts-core - Versions diffs - 0.3.2 → 0.3.3 - Mend

@vizamodo/aws-sts-core 0.3.2 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/sts/issue.js +92 -59
package/package.json +1 -1

package/dist/sts/issue.js CHANGED Viewed

@@ -25,6 +25,7 @@ let cachedPrivateKeyBase64 = null;
 // ---- cached certificate serial (DER parse is expensive, cert rarely changes) ----
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
+const stsCredentialCache = new Map();
 // ---- shared encoder ----
 const textEncoder = new TextEncoder();
 // Precomputed hex table for fast byte→hex conversion (no per-byte toString alloc)
@@ -78,22 +79,7 @@ export async function issueAwsCredentials(input) {
     // Normalize certificate once so every subsystem (cache, DER parse, headers)
     // uses the exact same canonical string
     const normalizedCert = normalizeCert(certBase64);
-    const { signingKey } = await getSigningMaterial({
-        certBase64: normalizedCert,
-        privateKeyPkcs8Base64,
-    });
-    // 2. Setup constants
-    const host = `${SERVICE}.${region}.amazonaws.com`;
-    const path = PATH;
-    const now = new Date();
-    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
-    const dateStamp = amzDate.slice(0, 8);
-    const service = SERVICE;
-    // 3. Chuẩn bị Body & Cert
-    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-    const payloadHash = await getPayloadHash(body);
-    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
-    // const normalizedCert = normalizeCert(certBase64);
+    let cacheKey = "";
     // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
     // --- MINIMAL DER WALK: extract serial number ---
     let certSerialDec;
@@ -133,11 +119,12 @@ export async function issueAwsCredentials(input) {
             if (serial.length > 1 && serial[0] === 0x00) {
                 serial = serial.slice(1);
             }
-            let hex = "";
+            // Build BigInt directly from bytes (avoids hex string allocation)
+            let serialBig = 0n;
             for (let i = 0; i < serial.length; i++) {
-                hex += HEX_TABLE[serial[i]];
+                serialBig = (serialBig << 8n) | BigInt(serial[i]);
             }
-            certSerialDec = BigInt("0x" + hex).toString();
+            certSerialDec = serialBig.toString();
             cachedCertSerialDec = certSerialDec;
             cachedCertSerialSource = normalizedCert;
         }
@@ -146,6 +133,37 @@ export async function issueAwsCredentials(input) {
             throw new InternalError("invalid_cert_der");
         }
     }
+    // ---- STS credential cache lookup (using certificate serial) ----
+    cacheKey = `${region}|${roleArn}|${profileArn}|${certSerialDec}`;
+    const cachedEntry = stsCredentialCache.get(cacheKey);
+    // Only reuse cached credentials if they still have >1h1m remaining
+    const MIN_REMAINING_MS = 61 * 60 * 1000;
+    if (cachedEntry) {
+        // If credentials already resolved and still valid → reuse
+        if (cachedEntry.expiresAt > Date.now() + MIN_REMAINING_MS) {
+            return cachedEntry.promise;
+        }
+        // If a refresh is already in-flight → await same promise
+        if (cachedEntry.expiresAt === 0) {
+            return cachedEntry.promise;
+        }
+    }
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
+    });
+    // 2. Setup constants
+    const host = `${SERVICE}.${region}.amazonaws.com`;
+    const path = PATH;
+    const now = new Date();
+    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
+    const dateStamp = amzDate.slice(0, 8);
+    const service = SERVICE;
+    // 3. Chuẩn bị Body & Cert
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+    const payloadHash = await getPayloadHash(body);
+    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
+    // const normalizedCert = normalizeCert(certBase64);
     // 4. Tính toán Signature
     const baseHeaders = {
         "content-type": "application/json",
@@ -178,42 +196,58 @@ export async function issueAwsCredentials(input) {
         "X-Amz-X509": normalizedCert,
         "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
     });
-    try {
-        const res = await fetch(`https://${host}${path}`, {
-            method: "POST",
-            headers: finalHeaders,
-            body,
-        });
-        if (!res.ok) {
-            const errorBody = await res.text();
-            // Debug logs
-            console.error("[aws-rejected] Request details", {
-                status: res.status,
-                response: errorBody,
-                region,
-                profile,
-                amzDate
+    const refreshPromise = (async () => {
+        try {
+            const res = await fetch(`https://${host}${path}`, {
+                method: "POST",
+                headers: finalHeaders,
+                body,
             });
-            throw new InternalError("aws_rejected");
+            if (!res.ok) {
+                const errorBody = await res.text();
+                console.error("[aws-rejected] Request details", {
+                    status: res.status,
+                    response: errorBody,
+                    region,
+                    profile,
+                    amzDate
+                });
+                throw new InternalError("aws_rejected");
+            }
+            const json = await res.json();
+            const creds = json?.credentialSet?.[0]?.credentials;
+            if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+                console.error("[issueAwsCredentials] malformed AWS credential response", { json });
+                throw new InternalError("aws_malformed_credentials");
+            }
+            const result = {
+                accessKeyId: creds.accessKeyId,
+                secretAccessKey: creds.secretAccessKey,
+                sessionToken: creds.sessionToken,
+                expiration: creds.expiration,
+            };
+            const exp = new Date(creds.expiration).getTime();
+            // update cache expiration after success
+            const entry = stsCredentialCache.get(cacheKey);
+            if (entry) {
+                entry.expiresAt = exp;
+            }
+            return result;
         }
-        const json = await res.json();
-        const creds = json?.credentialSet?.[0]?.credentials;
-        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-            console.error("[issueAwsCredentials] malformed AWS credential response", { json });
-            throw new InternalError("aws_malformed_credentials");
+        catch (e) {
+            // remove broken cache entry so next call can retry
+            stsCredentialCache.delete(cacheKey);
+            if (e instanceof InternalError)
+                throw e;
+            throw new InternalError("aws_unreachable");
         }
-        return {
-            accessKeyId: creds.accessKeyId,
-            secretAccessKey: creds.secretAccessKey,
-            sessionToken: creds.sessionToken,
-            expiration: creds.expiration,
-        };
-    }
-    catch (e) {
-        if (e instanceof InternalError)
-            throw e;
-        throw new InternalError("aws_unreachable");
-    }
+    })();
+    // store promise immediately to deduplicate concurrent refresh
+    stsCredentialCache.set(cacheKey, {
+        promise: refreshPromise,
+        expiresAt: 0,
+    });
+    return refreshPromise;
 }
 // ---- helpers ----
 function normalizeCert(raw) {
@@ -223,15 +257,14 @@ function normalizeCert(raw) {
     return raw.trim();
 }
 async function sha256Hex(input) {
-    const data = textEncoder.encode(input);
-    const hash = await crypto.subtle.digest("SHA-256", data);
+    // Tận dụng textEncoder có sẵn
+    const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(input));
     const bytes = new Uint8Array(hash);
-    // build hex string with minimal allocations
-    let out = "";
-    for (let i = 0; i < bytes.length; i++) {
-        out += HEX_TABLE[bytes[i]];
+    const hexParts = new Array(32); // SHA-256 luôn là 32 bytes
+    for (let i = 0; i < 32; i++) {
+        hexParts[i] = HEX_TABLE[bytes[i]];
     }
-    return out;
+    return hexParts.join("");
 }
 async function getCanonicalRequestHash(canonicalRequest) {
     return sha256Hex(canonicalRequest);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.2",
+  "version": "0.3.3",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",