@vizamodo/aws-sts-core 0.3.21 → 0.3.25

package/dist/federation/login.d.ts

@@ -3,8 +3,10 @@ export declare function buildFederationLoginUrl(input: {
     secretAccessKey: string;
     sessionToken: string;
     region: string;
+    expiration: string;
     intent?: "console" | "billing" | "dynamodb" | "ssm";
 }): Promise<{
+    ok: true;
     loginUrl: string;
     shortUrl: string;
     region: string;

package/dist/federation/login.js

@@ -1,28 +1,29 @@
 import { sha256Hex } from "../crypto/sha256";
-import { getEdgeCache, setEdgeCache } from "../runtime/edge-cache";
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 export async function buildFederationLoginUrl(input) {
     const session = {
         sessionId: input.accessKeyId,
         sessionKey: input.secretAccessKey,
         sessionToken: input.sessionToken
     };
+    const expiresAtMs = Date.parse(input.expiration);
+    if (!Number.isFinite(expiresAtMs) || expiresAtMs <= Date.now()) {
+        throw new Error("[federation] invalid or expired credentials");
+    }
     const cacheKey = `aws-signin:${await sha256Hex(input.sessionToken)}`;
     const sessionJson = JSON.stringify(session);
     const encoded = encodeURIComponent(sessionJson);
-    let SigninToken;
-    const cached = await getEdgeCache(cacheKey);
-    if (cached) {
-        SigninToken = cached.SigninToken;
-    }
-    else {
+    const SigninToken = await getCachedOrFetch(cacheKey, async () => {
         const tokenResp = await fetch(`https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${encoded}`);
         const json = await tokenResp.json();
-        SigninToken = json.SigninToken;
-        if (!SigninToken)
+        const token = json.SigninToken;
+        if (!token)
             throw new Error("federation_failed");
-        // cache SigninToken (AWS token ~15 min → cache 10 min)
-        await setEdgeCache(cacheKey, { SigninToken }, 10 * 60).catch(() => { });
-    }
+        // SigninToken TTL ~15 minutes (AWS behavior)
+        const SIGNIN_TOKEN_TTL_SEC = 15 * 60;
+        return wrapResult(token, new Date(Date.now() + SIGNIN_TOKEN_TTL_SEC * 1000).toISOString());
+    }, { ttlSec: 60 } // fallback only if expiration invalid
+    );
     const baseLogin = `https://signin.aws.amazon.com/federation?Action=login` +
         `&Issuer=viza` +
         `&SigninToken=${SigninToken}`;
@@ -52,6 +53,7 @@ export async function buildFederationLoginUrl(input) {
     const shortUrl = loginUrl.slice(0, 40) + "..." +
         loginUrl.slice(-60);
     return {
+        ok: true,
         loginUrl,
         shortUrl,
         region: input.region

package/dist/index.d.ts

@@ -2,4 +2,3 @@ export * from "./types";
 export * from "./sts/issue";
 export * from "./federation/login";
 export * from "./sigv4/request";
-export * from "./runtime/cache";

package/dist/index.js

@@ -2,4 +2,3 @@ export * from "./types";
 export * from "./sts/issue";
 export * from "./federation/login";
 export * from "./sigv4/request";
-export * from "./runtime/cache";

package/dist/sts/issue.d.ts

@@ -1,7 +1,4 @@
 import type { AwsCredentialResult } from "../types";
-/**
- * Issue short-lived AWS credentials via Roles Anywhere.
- */
 export declare function issueAwsCredentials(input: {
     roleArn: string;
     profileArn: string;

package/dist/sts/issue.js

@@ -1,11 +1,11 @@
-import { getEdgeCache, setEdgeCache } from "../runtime/edge-cache";
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
-// ---- constants (cleaner configuration, no runtime cost) ----
+// ---- constants ----
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
@@ -18,26 +18,29 @@ const PROFILE_TTL = {
     BillingAccountant: 3 * 60 * 60,
 };
 const DEFAULT_TTL = 2 * 60 * 60;
-// ---- isolate-level cached signing material ----
-// Promise-based cache to avoid cold-start race during concurrent imports
+const MIN_PROFILE_TTL = 45 * 60; // 45 min — lower guard
+const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 h  — upper guard
+// ---- isolate-level signing material cache ----
+// Single Promise-based slot avoids concurrent cold-start races.
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ---- cached certificate serial (DER parse is expensive, cert rarely changes) ----
+// ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
-const stsCredentialCache = new Map();
+// ---------------------------------------------------------------------------
+// Signing material
+// ---------------------------------------------------------------------------
 async function getSigningMaterial(input) {
+    // Fast path: same material already imported.
     if (cachedSigningKey &&
         cachedCertBase64 === input.certBase64 &&
         cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
         return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
     }
-    // Reset cache only after a signing key has been resolved and material actually changed
-    if (cachedSigningKey &&
-        (cachedCertBase64 !== input.certBase64 ||
-            cachedPrivateKeyBase64 !== input.privateKeyPkcs8Base64)) {
+    // Material rotated — discard the stale resolved key so we re-import.
+    if (cachedSigningKey) {
         signingKeyPromise = null;
         cachedSigningKey = null;
     }
@@ -57,131 +60,46 @@ async function getSigningMaterial(input) {
         return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
     }
     catch {
-        signingKeyPromise = null; // allow retry after failure
+        signingKeyPromise = null; // allow retry on next call
         throw new InternalError("invalid_signing_material");
     }
 }
+// ---------------------------------------------------------------------------
+// Profile TTL resolution
+// ---------------------------------------------------------------------------
 function resolveSessionTtlByProfile(profile) {
     const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
-    // Guard rails
-    const MIN_PROFILE_TTL = 45 * 60; // 45 minutes
-    const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 hours
-    // Clamp TTL to safe range
     return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
 }
-/**
- * Issue short-lived AWS credentials via Roles Anywhere.
- */
+// ---------------------------------------------------------------------------
+// Main export
+// ---------------------------------------------------------------------------
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, } = input;
-    // 1. Kiểm tra đầu vào & Fix TTL an toàn
     const sessionTtl = resolveSessionTtlByProfile(profile);
-    // Normalize certificate once so every subsystem (cache, DER parse, headers)
-    // uses the exact same canonical string
     const normalizedCert = normalizeCert(certBase64);
-    let cacheKey = "";
-    // --- REFACTOR: Parser ASN.1 an toàn để lấy Serial Number (DECIMAL) ---
-    // --- MINIMAL DER WALK: extract serial number ---
+    // ---- DER serial extraction (with isolate-level cache) ----
     let certSerialDec;
     if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
         certSerialDec = cachedCertSerialDec;
     }
     else {
-        try {
-            const der = base64ToBytes(normalizedCert);
-            let offset = 0;
-            function readLen() {
-                if (offset >= der.length)
-                    throw new Error("DER overflow");
-                const b = der[offset++];
-                if ((b & 0x80) === 0)
-                    return b;
-                const n = b & 0x7f;
-                let len = 0;
-                if (offset + n > der.length)
-                    throw new Error("DER overflow");
-                for (let i = 0; i < n; i++) {
-                    len = (len << 8) | der[offset++];
-                }
-                return len;
-            }
-            if (der[offset++] !== 0x30)
-                throw new Error("bad cert");
-            readLen();
-            if (der[offset++] !== 0x30)
-                throw new Error("bad tbs");
-            readLen();
-            if (der[offset] === 0xa0) {
-                offset++;
-                const vLen = readLen();
-                offset += vLen;
-            }
-            if (der[offset++] !== 0x02)
-                throw new Error("bad serial tag");
-            const serialLen = readLen();
-            if (offset + serialLen > der.length)
-                throw new Error("DER overflow");
-            let serial = der.slice(offset, offset + serialLen);
-            if (serial.length > 1 && serial[0] === 0x00) {
-                serial = serial.slice(1);
-            }
-            // Build BigInt directly from bytes (avoids hex string allocation)
-            let serialBig = 0n;
-            for (let i = 0; i < serial.length; i++) {
-                serialBig = (serialBig << 8n) | BigInt(serial[i]);
-            }
-            certSerialDec = serialBig.toString();
-            cachedCertSerialDec = certSerialDec;
-            cachedCertSerialSource = normalizedCert;
-        }
-        catch (e) {
-            console.error("[issueAwsCredentials] Failed to parse cert serial", e);
-            throw new InternalError("invalid_cert_der");
-        }
-    }
-    // ---- cross-request cache lookup (Cloudflare Cache API) ----
-    cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
-    const externalCached = await getEdgeCache(cacheKey);
-    if (externalCached?.expiration) {
-        const exp = Date.parse(externalCached.expiration);
-        // Ensure cached credentials still have at least 2/3 of session TTL remaining
-        const MIN_REMAINING_MS = Math.floor((sessionTtl * 2) / 3) * 1000;
-        if (Number.isFinite(exp) && exp > Date.now() + MIN_REMAINING_MS) {
-            return externalCached;
-        }
-    }
-    // ---- isolate-level cache lookup (dedupe concurrent refresh within isolate) ----
-    const cachedEntry = stsCredentialCache.get(cacheKey);
-    // Ensure remaining TTL is at least 2/3 of the profile session TTL
-    // so console sessions (e.g. 12h) don't receive credentials close to expiry
-    const MIN_REMAINING_MS = Math.floor((sessionTtl * 2) / 3) * 1000;
-    if (cachedEntry) {
-        // If refresh already in-flight → await the same promise
-        if (cachedEntry.expiresAt === 0) {
-            return cachedEntry.promise;
-        }
-        // If credentials still valid with safe remaining window → reuse
-        if (cachedEntry.expiresAt > Date.now() + MIN_REMAINING_MS) {
-            return cachedEntry.promise;
-        }
+        certSerialDec = parseCertSerialDec(normalizedCert); // throws InternalError on bad DER
+        cachedCertSerialDec = certSerialDec;
+        cachedCertSerialSource = normalizedCert;
     }
+    const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
+    // ---- Build SigV4 request ----
     const { signingKey } = await getSigningMaterial({
         certBase64: normalizedCert,
         privateKeyPkcs8Base64,
     });
-    // 2. Setup constants
     const host = `${SERVICE}.${region}.amazonaws.com`;
-    const path = PATH;
-    const iso = new Date().toISOString(); // e.g. 2026-03-07T12:00:00.000Z
-    const amzDate = `${iso.slice(0, 4)}${iso.slice(5, 7)}${iso.slice(8, 10)}T${iso.slice(11, 13)}${iso.slice(14, 16)}${iso.slice(17, 19)}Z`;
+    const iso = new Date().toISOString();
+    const amzDate = isoToAmzDate(iso);
     const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
-    const service = SERVICE;
-    // 3. Chuẩn bị Body & Cert
     const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-    const payloadHash = await getPayloadHash(body);
-    // --- REFACTOR: Làm sạch chứng chỉ chặt chẽ ---
-    // const normalizedCert = normalizeCert(certBase64);
-    // 4. Tính toán Signature
+    const payloadHash = await sha256Hex(body);
     const baseHeaders = {
         "content-type": "application/json",
         "host": host,
@@ -189,16 +107,16 @@ export async function issueAwsCredentials(input) {
         "x-amz-x509": normalizedCert,
     };
     const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-    const credentialScope = `${dateStamp}/${region}/${service}/aws4_request`;
+    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
     const canonicalRequest = buildCanonicalRequest({
         method: "POST",
-        canonicalUri: path,
+        canonicalUri: PATH,
         query: "",
         canonicalHeaders,
         signedHeaders,
         payloadHash,
     });
-    const canonicalRequestHash = await getCanonicalRequestHash(canonicalRequest);
+    const canonicalRequestHash = await sha256Hex(canonicalRequest);
     const stringToSign = buildStringToSign({
         algorithm: ALGORITHM,
         amzDate,
@@ -206,98 +124,131 @@ export async function issueAwsCredentials(input) {
         canonicalRequestHash,
     });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    // 5. Build Authorization Header với số Serial (DECIMAL)
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
         "X-Amz-Date": amzDate,
         "X-Amz-X509": normalizedCert,
-        "Authorization": `AWS4-X509-ECDSA-SHA256 Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`
+        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
     });
-    const refreshPromise = (async () => {
-        try {
-            const res = await fetch(`https://${host}${path}`, {
-                method: "POST",
-                headers: finalHeaders,
-                body,
-            });
-            if (!res.ok) {
-                console.warn("[aws-rejected]", {
-                    status: res.status,
-                    region,
-                    profile
-                });
-                throw new InternalError("aws_rejected");
-            }
-            const json = await res.json();
-            const creds = json?.credentialSet?.[0]?.credentials;
-            if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-                console.warn("[issueAwsCredentials] malformed AWS credential response");
-                throw new InternalError("aws_malformed_credentials");
-            }
-            const result = {
-                accessKeyId: creds.accessKeyId,
-                secretAccessKey: creds.secretAccessKey,
-                sessionToken: creds.sessionToken,
-                expiration: creds.expiration,
-            };
-            // persist credential in edge cache (best effort)
-            if (result.expiration) {
-                const expiresAt = Date.parse(result.expiration);
-                if (Number.isFinite(expiresAt)) {
-                    const remainingSec = Math.floor((expiresAt - Date.now()) / 1000);
-                    // Cache lifetime policy: only cache for 1/3 of requested session TTL
-                    const desiredTtl = Math.floor(sessionTtl / 3);
-                    // Ensure we never cache longer than the actual credential lifetime
-                    const ttlSec = Math.max(0, Math.min(desiredTtl, remainingSec));
-                    setEdgeCache(cacheKey, result, ttlSec).catch(() => { });
-                }
-            }
-            // subtract small clock‑skew safety window (5s)
-            const exp = new Date(creds.expiration).getTime() - 5000;
-            // update cache expiration after success
-            const entry = stsCredentialCache.get(cacheKey);
-            if (entry) {
-                entry.expiresAt = exp;
-            }
-            return result;
+    const issuedAt = Date.now(); // snapshot before the network round-trip
+    return getCachedOrFetch(cacheKey, async () => {
+        const res = await fetch(`https://${host}${PATH}`, {
+            method: "POST",
+            headers: finalHeaders,
+            body,
+        });
+        if (!res.ok) {
+            console.warn("[aws-rejected]", { status: res.status, region, profile });
+            throw new InternalError("aws_rejected");
         }
-        catch (e) {
-            // remove broken cache entry so next call can retry
-            stsCredentialCache.delete(cacheKey);
-            if (e instanceof InternalError)
-                throw e;
-            throw new InternalError("aws_unreachable");
+        const json = await res.json();
+        const creds = json?.credentialSet?.[0]?.credentials;
+        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+            console.warn("[issueAwsCredentials] malformed AWS credential response");
+            throw new InternalError("aws_malformed_credentials");
         }
-    })();
-    // store promise immediately to deduplicate concurrent refresh
-    stsCredentialCache.set(cacheKey, {
-        promise: refreshPromise,
-        expiresAt: 0,
-    });
-    return refreshPromise;
+        const value = {
+            accessKeyId: creds.accessKeyId,
+            secretAccessKey: creds.secretAccessKey,
+            sessionToken: creds.sessionToken,
+            expiration: creds.expiration,
+        };
+        // derive TTL = 1/3 lifetime
+        const expiresAtMs = Date.parse(creds.expiration);
+        const credLifetimeSec = Math.floor((expiresAtMs - issuedAt) / 1000);
+        if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
+            const edgeCacheTtlSec = Math.floor(credLifetimeSec / 3);
+            const edgeCacheExpiry = new Date(issuedAt + edgeCacheTtlSec * 1000).toISOString();
+            return wrapResult(value, edgeCacheExpiry);
+        }
+        return value;
+    }, { ttlSec: 60 });
 }
-// ---- helpers ----
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Strip whitespace and reject PEM-wrapped input. */
 function normalizeCert(raw) {
     if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
     }
-    // remove whitespace and newlines to ensure stable cache keys
     return raw.replace(/\s+/g, "");
 }
-async function getCanonicalRequestHash(canonicalRequest) {
-    return sha256Hex(canonicalRequest);
+/**
+ * Minimal DER walk to extract the certificate serial number as a decimal string.
+ * Throws InternalError("invalid_cert_der") on any parse failure.
+ */
+function parseCertSerialDec(normalizedCertBase64) {
+    try {
+        const der = base64ToBytes(normalizedCertBase64);
+        let offset = 0;
+        function readLen() {
+            if (offset >= der.length)
+                throw new Error("DER overflow");
+            const b = der[offset++];
+            if ((b & 0x80) === 0)
+                return b;
+            const n = b & 0x7f;
+            let len = 0;
+            if (offset + n > der.length)
+                throw new Error("DER overflow");
+            for (let i = 0; i < n; i++)
+                len = (len << 8) | der[offset++];
+            return len;
+        }
+        if (der[offset++] !== 0x30)
+            throw new Error("bad cert");
+        readLen();
+        if (der[offset++] !== 0x30)
+            throw new Error("bad tbs");
+        readLen();
+        // Skip optional [0] EXPLICIT version field.
+        if (der[offset] === 0xa0) {
+            offset++;
+            const vLen = readLen();
+            offset += vLen;
+        }
+        if (der[offset++] !== 0x02)
+            throw new Error("bad serial tag");
+        const serialLen = readLen();
+        if (offset + serialLen > der.length)
+            throw new Error("DER overflow");
+        let serial = der.slice(offset, offset + serialLen);
+        // Strip ASN.1 sign-extension padding byte.
+        if (serial.length > 1 && serial[0] === 0x00) {
+            serial = serial.slice(1);
+        }
+        // Accumulate directly to BigInt — avoids intermediate hex string allocation.
+        let serialBig = 0n;
+        for (let i = 0; i < serial.length; i++) {
+            serialBig = (serialBig << 8n) | BigInt(serial[i]);
+        }
+        return serialBig.toString();
+    }
+    catch (e) {
+        console.error("[parseCertSerialDec] failed", e);
+        throw new InternalError("invalid_cert_der");
+    }
 }
-async function getPayloadHash(body) {
-    // Payload changes are rare but SHA‑256 here is extremely cheap (~tens of µs),
-    // so caching adds complexity without measurable benefit.
-    return sha256Hex(body);
+/**
+ * Convert an ISO-8601 timestamp to the compact AMZ date-time format.
+ * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
+ */
+function isoToAmzDate(iso) {
+    return (iso.slice(0, 4) +
+        iso.slice(5, 7) +
+        iso.slice(8, 10) +
+        "T" +
+        iso.slice(11, 13) +
+        iso.slice(14, 16) +
+        iso.slice(17, 19) +
+        "Z");
 }
-// Faster base64 decode → Uint8Array (V8 optimized path using built‑in vectorized conversion)
+/** Faster base64 → Uint8Array using V8's vectorized atob path. */
 function base64ToBytes(base64) {
     const binary = atob(base64);
-    const len = binary.length;
-    const bytes = new Uint8Array(len);
-    for (let i = 0; i < len; i++) {
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
         bytes[i] = binary.charCodeAt(i);
     }
     return bytes;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.21",
+  "version": "0.3.25",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",
@@ -26,5 +26,8 @@
     "@vitest/coverage-v8": "^4.1.0",
     "typescript": "^5.9.3",
     "vitest": "^4.1.0"
+  },
+  "dependencies": {
+    "@vizamodo/edge-cache-core": "^0.3.29"
   }
 }

package/dist/runtime/cache.d.ts

@@ -1,5 +0,0 @@
-type Options = {
-    ttlSec?: number;
-};
-export declare function getCachedOrFetch<T>(key: string, fetcher: () => Promise<T>, options?: Options): Promise<T>;
-export {};

package/dist/runtime/cache.js

@@ -1,20 +0,0 @@
-import { getEdgeCache, setEdgeCache } from "./edge-cache";
-const memory = new Map();
-export async function getCachedOrFetch(key, fetcher, options) {
-    // L1: memory
-    if (memory.has(key)) {
-        return memory.get(key);
-    }
-    // L2: edge cache
-    const edge = await getEdgeCache(key);
-    if (edge) {
-        memory.set(key, edge);
-        return edge;
-    }
-    // L3: fetch
-    const value = await fetcher();
-    // write back
-    memory.set(key, value);
-    await setEdgeCache(key, value, options?.ttlSec ?? 3000);
-    return value;
-}

package/dist/runtime/edge-cache.d.ts

@@ -1,8 +0,0 @@
-/**
- * Generic edge cache GET helper
- */
-export declare function getEdgeCache<T>(key: string): Promise<T | null>;
-/**
- * Generic edge cache SET helper
- */
-export declare function setEdgeCache(key: string, value: unknown, ttlSec: number): Promise<void>;

package/dist/runtime/edge-cache.js

@@ -1,46 +0,0 @@
-const CACHE_KEY_PREFIX = "https://edge-cache.internal/";
-/**
- * Generic edge cache GET helper
- */
-export async function getEdgeCache(key) {
-    try {
-        const cache = caches.default;
-        const req = new Request(CACHE_KEY_PREFIX + key);
-        const res = await cache.match(req);
-        if (!res)
-            return null;
-        try {
-            return (await res.json());
-        }
-        catch {
-            // corrupted cache entry → ignore
-            return null;
-        }
-    }
-    catch {
-        // cache API failure should not break runtime
-        return null;
-    }
-}
-/**
- * Generic edge cache SET helper
- */
-export async function setEdgeCache(key, value, ttlSec) {
-    if (ttlSec <= 0)
-        return;
-    const cache = caches.default;
-    const req = new Request(CACHE_KEY_PREFIX + key);
-    const body = JSON.stringify(value);
-    const res = new Response(body, {
-        headers: {
-            "Content-Type": "application/json",
-            "Cache-Control": `max-age=${ttlSec}`,
-        },
-    });
-    try {
-        await cache.put(req, res);
-    }
-    catch {
-        // cache write failure is non-fatal
-    }
-}