npm - @vizamodo/aws-sts-core - Versions diffs - 0.3.47 → 0.3.48 - Mend

@vizamodo/aws-sts-core 0.3.47 → 0.3.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/federation/login.js CHANGED Viewed

@@ -11,29 +11,17 @@ export async function buildFederationLoginUrl(input) {
         throw new Error("[federation] invalid or expired credentials");
     }
     const tokenHash = await sha256Hex(input.sessionToken);
-    // TEMP DEBUG: force static key to verify cache behavior
-    const cacheKey = `aws-signin:test`;
+    // Use region and tokenHash for cache key
+    const cacheKey = `aws-signin:${input.region}:${tokenHash}`;
     const sessionJson = JSON.stringify(session);
     const encoded = encodeURIComponent(sessionJson);
     const SigninToken = await getCachedOrFetch(cacheKey, async () => {
-        console.debug("[signin] fetcher start", {
-            cacheKey,
-            expiration: input.expiration,
-            now: Date.now()
-        });
         const tokenResp = await fetch(`https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${encoded}`);
-        console.debug("[signin] fetch response", {
-            ok: tokenResp.ok,
-            status: tokenResp.status
-        });
         if (!tokenResp.ok) {
             // best-effort: do not cache failures
             throw new Error("[signin] failed to fetch SigninToken");
         }
         const json = await tokenResp.json();
-        console.debug("[signin] json parsed", {
-            hasToken: !!json?.SigninToken
-        });
         const token = json?.SigninToken;
         if (!token) {
             // do not cache invalid response
@@ -43,29 +31,12 @@ export async function buildFederationLoginUrl(input) {
         const SIGNIN_TOKEN_TTL_SEC = 15 * 60;
         // derive effective TTL = min(tokenTTL, credentialTTL)
         const credRemainingSec = Math.floor((Date.parse(input.expiration) - Date.now()) / 1000);
-        console.debug("[signin] TTL compute", {
-            credRemainingSec,
-            expiration: input.expiration,
-            now: Date.now()
-        });
         const effectiveTtlSec = Math.min(SIGNIN_TOKEN_TTL_SEC, credRemainingSec);
-        console.debug("[signin] effective TTL", {
-            effectiveTtlSec,
-            SIGNIN_TOKEN_TTL_SEC
-        });
         // if credential too close to expiry → skip caching
         if (effectiveTtlSec <= 0) {
-            console.debug("[signin] skip cache (ttl<=0)", {
-                effectiveTtlSec
-            });
             return token;
         }
         const expiryIso = new Date(Date.now() + effectiveTtlSec * 1000).toISOString();
-        console.debug("[signin] wrapResult", {
-            effectiveTtlSec,
-            expiryIso,
-            now: Date.now()
-        });
         // restore primitive storage (cache layer now handles primitive safely)
         return wrapResult(token, expiryIso);
     }, { ttlSec: 60, ...(input.forceRefresh !== undefined ? { forceRefresh: input.forceRefresh } : {}) } // allow caller-controlled retry

package/dist/sts/issue.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import type { AwsCredentialResult } from "../types";
-export declare function issueAwsCredentials(input: {
+export interface IssueAwsCredentialsInput {
     roleArn: string;
     profileArn: string;
     trustAnchorArn: string;
@@ -8,4 +8,13 @@ export declare function issueAwsCredentials(input: {
     privateKeyPkcs8Base64: string;
     profile: string;
     forceRefresh?: boolean;
-}): Promise<AwsCredentialResult>;
+}
+/**
+ * Reset isolate-level signing material and cert serial caches.
+ * ONLY for use in tests — forces re-import of signing key on next call.
+ *
+ * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
+ * there is no need to expose a cache-clear API from the core library.
+ */
+export declare function resetIsolateCache(): void;
+export declare function issueAwsCredentials(input: IssueAwsCredentialsInput): Promise<AwsCredentialResult>;

package/dist/sts/issue.js CHANGED Viewed

@@ -5,10 +5,14 @@ import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
-// ---- constants ----
+// ── Constants ──────────────────────────────────────────────────────────────
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
+/**
+ * Per-profile AWS session duration (seconds).
+ * Clamped to [MIN_SESSION_TTL, MAX_SESSION_TTL] at resolution time.
+ */
 const PROFILE_TTL = {
     Runtime: 45 * 60,
     ConsoleReadOnly: 12 * 60 * 60,
@@ -17,178 +21,183 @@ const PROFILE_TTL = {
     BillingAdmin: 3 * 60 * 60,
     BillingAccountant: 3 * 60 * 60,
 };
-const DEFAULT_TTL = 2 * 60 * 60;
-const MIN_PROFILE_TTL = 45 * 60; // 45 min — lower guard
-const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 h  — upper guard
-// ---- isolate-level signing material cache ----
-// Single Promise-based slot avoids concurrent cold-start races.
+const DEFAULT_SESSION_TTL = 2 * 60 * 60;
+const MIN_SESSION_TTL = 45 * 60; // 45 min
+const MAX_SESSION_TTL = 12 * 60 * 60; // 12 h
+// ── Isolate-level signing-material cache ───────────────────────────────────
+// Single Promise slot prevents concurrent cold-start import races.
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
+// ── Isolate-level cert-serial cache ───────────────────────────────────────
+// DER walk is CPU-bound; the cert rarely rotates within an isolate lifetime.
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
-// ---------------------------------------------------------------------------
-// Signing material
-// ---------------------------------------------------------------------------
-async function getSigningMaterial(input) {
-    // Fast path: same material already imported.
+// ── Test utilities ─────────────────────────────────────────────────────────
+/**
+ * Reset isolate-level signing material and cert serial caches.
+ * ONLY for use in tests — forces re-import of signing key on next call.
+ *
+ * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
+ * there is no need to expose a cache-clear API from the core library.
+ */
+export function resetIsolateCache() {
+    signingKeyPromise = null;
+    cachedSigningKey = null;
+    cachedCertBase64 = null;
+    cachedPrivateKeyBase64 = null;
+    cachedCertSerialDec = null;
+    cachedCertSerialSource = null;
+}
+// ── Signing material ───────────────────────────────────────────────────────
+async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
+    // Fast path: same material already imported in this isolate.
     if (cachedSigningKey &&
-        cachedCertBase64 === input.certBase64 &&
-        cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
-        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+        cachedCertBase64 === certBase64 &&
+        cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
+        return cachedSigningKey;
     }
-    // Material rotated — discard the stale resolved key so we re-import.
-    if (cachedSigningKey) {
-        signingKeyPromise = null;
+    // If material changed → reset cached key + promise (once)
+    if (cachedCertBase64 !== certBase64 ||
+        cachedPrivateKeyBase64 !== privateKeyPkcs8Base64) {
         cachedSigningKey = null;
+        signingKeyPromise = null;
     }
+    // Deduplicate concurrent imports
     if (!signingKeyPromise) {
-        try {
-            const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
-            signingKeyPromise = crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
-        }
-        catch {
+        signingKeyPromise = crypto.subtle
+            .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
+            .then((key) => {
+            cachedSigningKey = key;
+            cachedCertBase64 = certBase64;
+            cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
+            return key;
+        })
+            .catch(() => {
+            signingKeyPromise = null; // allow retry
             throw new InternalError("invalid_signing_material");
-        }
-    }
-    try {
-        cachedSigningKey = await signingKeyPromise;
-        cachedCertBase64 = input.certBase64;
-        cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
-        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
-    }
-    catch {
-        signingKeyPromise = null; // allow retry on next call
-        throw new InternalError("invalid_signing_material");
+        });
     }
+    return signingKeyPromise;
 }
-// ---------------------------------------------------------------------------
-// Profile TTL resolution
-// ---------------------------------------------------------------------------
-function resolveSessionTtlByProfile(profile) {
-    const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
-    return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
+// ── Session TTL ────────────────────────────────────────────────────────────
+function resolveSessionTtl(profile) {
+    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
+    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
 }
-// ---------------------------------------------------------------------------
-// Main export
-// ---------------------------------------------------------------------------
+// ── Main export ────────────────────────────────────────────────────────────
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
-    const sessionTtl = resolveSessionTtlByProfile(profile);
+    const sessionTtl = resolveSessionTtl(profile);
     const normalizedCert = normalizeCert(certBase64);
-    // ---- DER serial extraction (with isolate-level cache) ----
-    let certSerialDec;
-    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
-        certSerialDec = cachedCertSerialDec;
-    }
-    else {
-        certSerialDec = parseCertSerialDec(normalizedCert); // throws InternalError on bad DER
-        cachedCertSerialDec = certSerialDec;
-        cachedCertSerialSource = normalizedCert;
-    }
+    // Cert serial — use isolate cache to avoid redundant DER walks.
+    const certSerialDec = getCertSerialDec(normalizedCert);
     const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
-    console.debug("[issueAwsCredentials] cacheKey", { cacheKey, forceRefresh });
-    console.debug("[issueAwsCredentials] invoking cache layer", { cacheKey });
-    return getCachedOrFetch(cacheKey, async () => {
-        const issuedAt = Date.now();
-        const { signingKey } = await getSigningMaterial({
-            certBase64: normalizedCert,
-            privateKeyPkcs8Base64,
-        });
-        const host = `${SERVICE}.${region}.amazonaws.com`;
-        const iso = new Date().toISOString();
-        const amzDate = isoToAmzDate(iso);
-        const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
-        const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-        const payloadHash = await sha256Hex(body);
-        const baseHeaders = {
-            "content-type": "application/json",
-            "host": host,
-            "x-amz-date": amzDate,
-            "x-amz-x509": normalizedCert,
-        };
-        const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-        const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
-        const canonicalRequest = buildCanonicalRequest({
-            method: "POST",
-            canonicalUri: PATH,
-            query: "",
-            canonicalHeaders,
-            signedHeaders,
-            payloadHash,
-        });
-        const canonicalRequestHash = await sha256Hex(canonicalRequest);
-        const stringToSign = buildStringToSign({
-            algorithm: ALGORITHM,
-            amzDate,
-            credentialScope,
-            canonicalRequestHash,
-        });
-        const signatureHex = await signStringToSign(stringToSign, signingKey);
-        const finalHeaders = new Headers({
-            "Content-Type": "application/json",
-            "X-Amz-Date": amzDate,
-            "X-Amz-X509": normalizedCert,
-            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
-        });
-        const res = await fetch(`https://${host}${PATH}`, {
+    return getCachedOrFetch(cacheKey, () => fetchCredentials({
+        roleArn, profileArn, trustAnchorArn,
+        region, normalizedCert, privateKeyPkcs8Base64,
+        sessionTtl,
+    }), { ttlSec: 60, forceRefresh });
+}
+async function fetchCredentials(input) {
+    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, } = input;
+    const signingKey = await getSigningMaterial(normalizedCert, privateKeyPkcs8Base64);
+    const host = `${SERVICE}.${region}.amazonaws.com`;
+    const iso = new Date().toISOString();
+    const amzDate = isoToAmzDate(iso);
+    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+    const payloadHash = await sha256Hex(body);
+    const baseHeaders = {
+        "content-type": "application/json",
+        "host": host,
+        "x-amz-date": amzDate,
+        "x-amz-x509": normalizedCert,
+    };
+    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
+    const canonicalRequest = buildCanonicalRequest({
+        method: "POST",
+        canonicalUri: PATH,
+        query: "",
+        canonicalHeaders,
+        signedHeaders,
+        payloadHash,
+    });
+    const canonicalRequestHash = await sha256Hex(canonicalRequest);
+    const stringToSign = buildStringToSign({
+        algorithm: ALGORITHM,
+        amzDate,
+        credentialScope,
+        canonicalRequestHash,
+    });
+    const signatureHex = await signStringToSign(stringToSign, signingKey);
+    const certSerialDec = getCertSerialDec(normalizedCert);
+    const finalHeaders = new Headers({
+        "Content-Type": "application/json",
+        "X-Amz-Date": amzDate,
+        "X-Amz-X509": normalizedCert,
+        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+    });
+    let res;
+    try {
+        res = await fetch(`https://${host}${PATH}`, {
             method: "POST",
             headers: finalHeaders,
             body,
         });
-        if (!res.ok) {
-            console.warn("[aws-rejected]", { status: res.status, region, profile });
-            throw new InternalError("aws_rejected");
-        }
-        const json = await res.json();
-        const creds = json?.credentialSet?.[0]?.credentials;
-        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-            console.warn("[issueAwsCredentials] malformed AWS credential response");
-            throw new InternalError("aws_malformed_credentials");
-        }
-        console.debug("[issueAwsCredentials] fetched new credentials", {
-            accessKeyId: creds.accessKeyId,
-            expiration: creds.expiration
-        });
-        const value = {
-            accessKeyId: creds.accessKeyId,
-            secretAccessKey: creds.secretAccessKey,
-            sessionToken: creds.sessionToken,
-            expiration: creds.expiration,
-        };
-        // derive TTL = 1/3 lifetime
-        const expiresAtMs = Date.parse(creds.expiration);
-        const credLifetimeSec = Math.floor((expiresAtMs - issuedAt) / 1000);
-        if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
-            const edgeCacheTtlSec = Math.floor(credLifetimeSec / 3);
-            const edgeCacheExpiry = new Date(issuedAt + edgeCacheTtlSec * 1000).toISOString();
-            console.debug("[issueAwsCredentials] computed TTL", {
-                credLifetimeSec,
-                edgeCacheTtlSec
-            });
-            return wrapResult(value, edgeCacheExpiry);
-        }
-        console.debug("[issueAwsCredentials] fallback return (no TTL)", {
-            accessKeyId: value.accessKeyId
-        });
-        return value;
-    }, {
-        ttlSec: 60,
-        ...(forceRefresh !== undefined ? { forceRefresh } : {})
-    });
+    }
+    catch (err) {
+        console.warn("[aws-unreachable]", { region, err });
+        throw new InternalError("aws_unreachable");
+    }
+    if (!res.ok) {
+        console.warn("[aws-rejected]", { status: res.status, region });
+        throw new InternalError("aws_rejected");
+    }
+    const json = await res.json();
+    const creds = json?.credentialSet?.[0]?.credentials;
+    if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+        console.warn("[issueAwsCredentials] malformed AWS credential response");
+        throw new InternalError("aws_malformed_credentials");
+    }
+    const value = {
+        accessKeyId: creds.accessKeyId,
+        secretAccessKey: creds.secretAccessKey,
+        sessionToken: creds.sessionToken,
+        expiration: creds.expiration,
+    };
+    // Cache for 1/3 of the credential lifetime so it's refreshed well before expiry.
+    // deriveEdgeTtlSec in cache.ts will further subtract EDGE_BUFFER_SEC (5 min).
+    const expiresAtMs = Date.parse(creds.expiration);
+    const receivedAt = Date.now();
+    const credLifetimeSec = Math.floor((expiresAtMs - receivedAt) / 1000);
+    if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
+        const cacheTtlSec = Math.floor(credLifetimeSec / 3);
+        const cacheExpiry = new Date(receivedAt + cacheTtlSec * 1000).toISOString();
+        return wrapResult(value, cacheExpiry);
+    }
+    return value;
 }
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-/** Strip whitespace and reject PEM-wrapped input. */
+// ── Helpers ────────────────────────────────────────────────────────────────
+/** Strip whitespace; reject PEM-wrapped input. */
 function normalizeCert(raw) {
     if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
     }
     return raw.replace(/\s+/g, "");
 }
+/** Return cert serial as decimal string, using isolate-level cache. */
+function getCertSerialDec(normalizedCert) {
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        return cachedCertSerialDec;
+    }
+    const serial = parseCertSerialDec(normalizedCert);
+    cachedCertSerialDec = serial;
+    cachedCertSerialSource = normalizedCert;
+    return serial;
+}
 /**
  * Minimal DER walk to extract the certificate serial number as a decimal string.
  * Throws InternalError("invalid_cert_der") on any parse failure.
@@ -220,8 +229,7 @@ function parseCertSerialDec(normalizedCertBase64) {
         // Skip optional [0] EXPLICIT version field.
         if (der[offset] === 0xa0) {
             offset++;
-            const vLen = readLen();
-            offset += vLen;
+            offset += readLen();
         }
         if (der[offset++] !== 0x02)
             throw new Error("bad serial tag");
@@ -233,7 +241,6 @@ function parseCertSerialDec(normalizedCertBase64) {
         if (serial.length > 1 && serial[0] === 0x00) {
             serial = serial.slice(1);
         }
-        // Accumulate directly to BigInt — avoids intermediate hex string allocation.
         let serialBig = 0n;
         for (let i = 0; i < serial.length; i++) {
             serialBig = (serialBig << 8n) | BigInt(serial[i]);
@@ -246,7 +253,7 @@ function parseCertSerialDec(normalizedCertBase64) {
     }
 }
 /**
- * Convert an ISO-8601 timestamp to the compact AMZ date-time format.
+ * Convert ISO-8601 to compact AMZ date-time format.
  * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
  */
 function isoToAmzDate(iso) {
@@ -259,7 +266,7 @@ function isoToAmzDate(iso) {
         iso.slice(17, 19) +
         "Z");
 }
-/** Faster base64 → Uint8Array using V8's vectorized atob path. */
+/** base64 → Uint8Array via V8's vectorized atob path. */
 function base64ToBytes(base64) {
     const binary = atob(base64);
     const bytes = new Uint8Array(binary.length);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.47",
+  "version": "0.3.48",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",
@@ -28,6 +28,6 @@
     "vitest": "^4.1.0"
   },
   "dependencies": {
-    "@vizamodo/edge-cache-core": "^0.3.38"
+    "@vizamodo/edge-cache-core": "^0.3.40"
   }
 }