@vizamodo/aws-sts-core 0.3.47 → 0.3.49

package/dist/federation/login.js

@@ -11,29 +11,17 @@ export async function buildFederationLoginUrl(input) {
         throw new Error("[federation] invalid or expired credentials");
     }
     const tokenHash = await sha256Hex(input.sessionToken);
-    // TEMP DEBUG: force static key to verify cache behavior
-    const cacheKey = `aws-signin:test`;
+    // Use region and tokenHash for cache key
+    const cacheKey = `aws-signin:${input.region}:${tokenHash}`;
     const sessionJson = JSON.stringify(session);
     const encoded = encodeURIComponent(sessionJson);
     const SigninToken = await getCachedOrFetch(cacheKey, async () => {
-        console.debug("[signin] fetcher start", {
-            cacheKey,
-            expiration: input.expiration,
-            now: Date.now()
-        });
         const tokenResp = await fetch(`https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${encoded}`);
-        console.debug("[signin] fetch response", {
-            ok: tokenResp.ok,
-            status: tokenResp.status
-        });
         if (!tokenResp.ok) {
             // best-effort: do not cache failures
             throw new Error("[signin] failed to fetch SigninToken");
         }
         const json = await tokenResp.json();
-        console.debug("[signin] json parsed", {
-            hasToken: !!json?.SigninToken
-        });
         const token = json?.SigninToken;
         if (!token) {
             // do not cache invalid response
@@ -43,29 +31,12 @@ export async function buildFederationLoginUrl(input) {
         const SIGNIN_TOKEN_TTL_SEC = 15 * 60;
         // derive effective TTL = min(tokenTTL, credentialTTL)
         const credRemainingSec = Math.floor((Date.parse(input.expiration) - Date.now()) / 1000);
-        console.debug("[signin] TTL compute", {
-            credRemainingSec,
-            expiration: input.expiration,
-            now: Date.now()
-        });
         const effectiveTtlSec = Math.min(SIGNIN_TOKEN_TTL_SEC, credRemainingSec);
-        console.debug("[signin] effective TTL", {
-            effectiveTtlSec,
-            SIGNIN_TOKEN_TTL_SEC
-        });
         // if credential too close to expiry → skip caching
         if (effectiveTtlSec <= 0) {
-            console.debug("[signin] skip cache (ttl<=0)", {
-                effectiveTtlSec
-            });
             return token;
         }
         const expiryIso = new Date(Date.now() + effectiveTtlSec * 1000).toISOString();
-        console.debug("[signin] wrapResult", {
-            effectiveTtlSec,
-            expiryIso,
-            now: Date.now()
-        });
         // restore primitive storage (cache layer now handles primitive safely)
         return wrapResult(token, expiryIso);
     }, { ttlSec: 60, ...(input.forceRefresh !== undefined ? { forceRefresh: input.forceRefresh } : {}) } // allow caller-controlled retry

package/dist/sts/issue.d.ts

@@ -1,5 +1,5 @@
 import type { AwsCredentialResult } from "../types";
-export declare function issueAwsCredentials(input: {
+export interface IssueAwsCredentialsInput {
     roleArn: string;
     profileArn: string;
     trustAnchorArn: string;
@@ -8,4 +8,13 @@ export declare function issueAwsCredentials(input: {
     privateKeyPkcs8Base64: string;
     profile: string;
     forceRefresh?: boolean;
-}): Promise<AwsCredentialResult>;
+}
+/**
+ * Reset isolate-level signing material and cert serial caches.
+ * ONLY for use in tests — forces re-import of signing key on next call.
+ *
+ * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
+ * there is no need to expose a cache-clear API from the core library.
+ */
+export declare function resetIsolateCache(): void;
+export declare function issueAwsCredentials(input: IssueAwsCredentialsInput): Promise<AwsCredentialResult>;

package/dist/sts/issue.js

@@ -5,10 +5,14 @@ import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
-// ---- constants ----
+// ── Constants ──────────────────────────────────────────────────────────────
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
+/**
+ * Per-profile AWS session duration (seconds).
+ * Clamped to [MIN_SESSION_TTL, MAX_SESSION_TTL] at resolution time.
+ */
 const PROFILE_TTL = {
     Runtime: 45 * 60,
     ConsoleReadOnly: 12 * 60 * 60,
@@ -17,178 +21,176 @@ const PROFILE_TTL = {
     BillingAdmin: 3 * 60 * 60,
     BillingAccountant: 3 * 60 * 60,
 };
-const DEFAULT_TTL = 2 * 60 * 60;
-const MIN_PROFILE_TTL = 45 * 60; // 45 min — lower guard
-const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 h  — upper guard
-// ---- isolate-level signing material cache ----
-// Single Promise-based slot avoids concurrent cold-start races.
+const DEFAULT_SESSION_TTL = 2 * 60 * 60;
+const MIN_SESSION_TTL = 45 * 60; // 45 min
+const MAX_SESSION_TTL = 12 * 60 * 60; // 12 h
+// ── Isolate-level signing-material cache ───────────────────────────────────
+// Single Promise slot prevents concurrent cold-start import races.
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
+// ── Isolate-level cert-serial cache ───────────────────────────────────────
+// DER walk is CPU-bound; the cert rarely rotates within an isolate lifetime.
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
-// ---------------------------------------------------------------------------
-// Signing material
-// ---------------------------------------------------------------------------
-async function getSigningMaterial(input) {
-    // Fast path: same material already imported.
+// ── Test utilities ─────────────────────────────────────────────────────────
+/**
+ * Reset isolate-level signing material and cert serial caches.
+ * ONLY for use in tests — forces re-import of signing key on next call.
+ *
+ * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
+ * there is no need to expose a cache-clear API from the core library.
+ */
+export function resetIsolateCache() {
+    signingKeyPromise = null;
+    cachedSigningKey = null;
+    cachedCertBase64 = null;
+    cachedPrivateKeyBase64 = null;
+    cachedCertSerialDec = null;
+    cachedCertSerialSource = null;
+}
+// ── Signing material ───────────────────────────────────────────────────────
+async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
+    // Fast path: same material already imported in this isolate.
     if (cachedSigningKey &&
-        cachedCertBase64 === input.certBase64 &&
-        cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
-        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
-    }
-    // Material rotated — discard the stale resolved key so we re-import.
-    if (cachedSigningKey) {
-        signingKeyPromise = null;
-        cachedSigningKey = null;
+        cachedCertBase64 === certBase64 &&
+        cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
+        return cachedSigningKey;
     }
+    // Material rotated — discard stale state and re-import.
+    signingKeyPromise = null;
+    cachedSigningKey = null;
     if (!signingKeyPromise) {
-        try {
-            const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
-            signingKeyPromise = crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
-        }
-        catch {
+        signingKeyPromise = crypto.subtle
+            .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
+            .catch(() => {
+            signingKeyPromise = null; // allow retry
             throw new InternalError("invalid_signing_material");
-        }
-    }
-    try {
-        cachedSigningKey = await signingKeyPromise;
-        cachedCertBase64 = input.certBase64;
-        cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
-        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
-    }
-    catch {
-        signingKeyPromise = null; // allow retry on next call
-        throw new InternalError("invalid_signing_material");
+        });
     }
+    cachedSigningKey = await signingKeyPromise;
+    cachedCertBase64 = certBase64;
+    cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
+    return cachedSigningKey;
 }
-// ---------------------------------------------------------------------------
-// Profile TTL resolution
-// ---------------------------------------------------------------------------
-function resolveSessionTtlByProfile(profile) {
-    const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
-    return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
+// ── Session TTL ────────────────────────────────────────────────────────────
+function resolveSessionTtl(profile) {
+    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
+    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
 }
-// ---------------------------------------------------------------------------
-// Main export
-// ---------------------------------------------------------------------------
+// ── Main export ────────────────────────────────────────────────────────────
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
-    const sessionTtl = resolveSessionTtlByProfile(profile);
+    const sessionTtl = resolveSessionTtl(profile);
     const normalizedCert = normalizeCert(certBase64);
-    // ---- DER serial extraction (with isolate-level cache) ----
-    let certSerialDec;
-    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
-        certSerialDec = cachedCertSerialDec;
-    }
-    else {
-        certSerialDec = parseCertSerialDec(normalizedCert); // throws InternalError on bad DER
-        cachedCertSerialDec = certSerialDec;
-        cachedCertSerialSource = normalizedCert;
-    }
+    // Cert serial — use isolate cache to avoid redundant DER walks.
+    const certSerialDec = getCertSerialDec(normalizedCert);
     const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
-    console.debug("[issueAwsCredentials] cacheKey", { cacheKey, forceRefresh });
-    console.debug("[issueAwsCredentials] invoking cache layer", { cacheKey });
-    return getCachedOrFetch(cacheKey, async () => {
-        const issuedAt = Date.now();
-        const { signingKey } = await getSigningMaterial({
-            certBase64: normalizedCert,
-            privateKeyPkcs8Base64,
-        });
-        const host = `${SERVICE}.${region}.amazonaws.com`;
-        const iso = new Date().toISOString();
-        const amzDate = isoToAmzDate(iso);
-        const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
-        const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-        const payloadHash = await sha256Hex(body);
-        const baseHeaders = {
-            "content-type": "application/json",
-            "host": host,
-            "x-amz-date": amzDate,
-            "x-amz-x509": normalizedCert,
-        };
-        const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-        const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
-        const canonicalRequest = buildCanonicalRequest({
-            method: "POST",
-            canonicalUri: PATH,
-            query: "",
-            canonicalHeaders,
-            signedHeaders,
-            payloadHash,
-        });
-        const canonicalRequestHash = await sha256Hex(canonicalRequest);
-        const stringToSign = buildStringToSign({
-            algorithm: ALGORITHM,
-            amzDate,
-            credentialScope,
-            canonicalRequestHash,
-        });
-        const signatureHex = await signStringToSign(stringToSign, signingKey);
-        const finalHeaders = new Headers({
-            "Content-Type": "application/json",
-            "X-Amz-Date": amzDate,
-            "X-Amz-X509": normalizedCert,
-            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
-        });
-        const res = await fetch(`https://${host}${PATH}`, {
+    return getCachedOrFetch(cacheKey, () => fetchCredentials({
+        roleArn, profileArn, trustAnchorArn,
+        region, normalizedCert, privateKeyPkcs8Base64,
+        sessionTtl,
+    }), { ttlSec: 60, forceRefresh });
+}
+async function fetchCredentials(input) {
+    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, } = input;
+    const signingKey = await getSigningMaterial(normalizedCert, privateKeyPkcs8Base64);
+    const host = `${SERVICE}.${region}.amazonaws.com`;
+    const iso = new Date().toISOString();
+    const amzDate = isoToAmzDate(iso);
+    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+    const payloadHash = await sha256Hex(body);
+    const baseHeaders = {
+        "content-type": "application/json",
+        "host": host,
+        "x-amz-date": amzDate,
+        "x-amz-x509": normalizedCert,
+    };
+    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
+    const canonicalRequest = buildCanonicalRequest({
+        method: "POST",
+        canonicalUri: PATH,
+        query: "",
+        canonicalHeaders,
+        signedHeaders,
+        payloadHash,
+    });
+    const canonicalRequestHash = await sha256Hex(canonicalRequest);
+    const stringToSign = buildStringToSign({
+        algorithm: ALGORITHM,
+        amzDate,
+        credentialScope,
+        canonicalRequestHash,
+    });
+    const signatureHex = await signStringToSign(stringToSign, signingKey);
+    const certSerialDec = getCertSerialDec(normalizedCert);
+    const finalHeaders = new Headers({
+        "Content-Type": "application/json",
+        "X-Amz-Date": amzDate,
+        "X-Amz-X509": normalizedCert,
+        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+    });
+    let res;
+    try {
+        res = await fetch(`https://${host}${PATH}`, {
             method: "POST",
             headers: finalHeaders,
             body,
         });
-        if (!res.ok) {
-            console.warn("[aws-rejected]", { status: res.status, region, profile });
-            throw new InternalError("aws_rejected");
-        }
-        const json = await res.json();
-        const creds = json?.credentialSet?.[0]?.credentials;
-        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-            console.warn("[issueAwsCredentials] malformed AWS credential response");
-            throw new InternalError("aws_malformed_credentials");
-        }
-        console.debug("[issueAwsCredentials] fetched new credentials", {
-            accessKeyId: creds.accessKeyId,
-            expiration: creds.expiration
-        });
-        const value = {
-            accessKeyId: creds.accessKeyId,
-            secretAccessKey: creds.secretAccessKey,
-            sessionToken: creds.sessionToken,
-            expiration: creds.expiration,
-        };
-        // derive TTL = 1/3 lifetime
-        const expiresAtMs = Date.parse(creds.expiration);
-        const credLifetimeSec = Math.floor((expiresAtMs - issuedAt) / 1000);
-        if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
-            const edgeCacheTtlSec = Math.floor(credLifetimeSec / 3);
-            const edgeCacheExpiry = new Date(issuedAt + edgeCacheTtlSec * 1000).toISOString();
-            console.debug("[issueAwsCredentials] computed TTL", {
-                credLifetimeSec,
-                edgeCacheTtlSec
-            });
-            return wrapResult(value, edgeCacheExpiry);
-        }
-        console.debug("[issueAwsCredentials] fallback return (no TTL)", {
-            accessKeyId: value.accessKeyId
-        });
-        return value;
-    }, {
-        ttlSec: 60,
-        ...(forceRefresh !== undefined ? { forceRefresh } : {})
-    });
+    }
+    catch (err) {
+        console.warn("[aws-unreachable]", { region, err });
+        throw new InternalError("aws_unreachable");
+    }
+    if (!res.ok) {
+        console.warn("[aws-rejected]", { status: res.status, region });
+        throw new InternalError("aws_rejected");
+    }
+    const json = await res.json();
+    const creds = json?.credentialSet?.[0]?.credentials;
+    if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+        console.warn("[issueAwsCredentials] malformed AWS credential response");
+        throw new InternalError("aws_malformed_credentials");
+    }
+    const value = {
+        accessKeyId: creds.accessKeyId,
+        secretAccessKey: creds.secretAccessKey,
+        sessionToken: creds.sessionToken,
+        expiration: creds.expiration,
+    };
+    // Cache for 1/3 of the credential lifetime so it's refreshed well before expiry.
+    // deriveEdgeTtlSec in cache.ts will further subtract EDGE_BUFFER_SEC (5 min).
+    const expiresAtMs = Date.parse(creds.expiration);
+    const receivedAt = Date.now();
+    const credLifetimeSec = Math.floor((expiresAtMs - receivedAt) / 1000);
+    if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
+        const cacheTtlSec = Math.floor(credLifetimeSec / 3);
+        const cacheExpiry = new Date(receivedAt + cacheTtlSec * 1000).toISOString();
+        return wrapResult(value, cacheExpiry);
+    }
+    return value;
 }
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-/** Strip whitespace and reject PEM-wrapped input. */
+// ── Helpers ────────────────────────────────────────────────────────────────
+/** Strip whitespace; reject PEM-wrapped input. */
 function normalizeCert(raw) {
     if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
     }
     return raw.replace(/\s+/g, "");
 }
+/** Return cert serial as decimal string, using isolate-level cache. */
+function getCertSerialDec(normalizedCert) {
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        return cachedCertSerialDec;
+    }
+    const serial = parseCertSerialDec(normalizedCert);
+    cachedCertSerialDec = serial;
+    cachedCertSerialSource = normalizedCert;
+    return serial;
+}
 /**
  * Minimal DER walk to extract the certificate serial number as a decimal string.
  * Throws InternalError("invalid_cert_der") on any parse failure.
@@ -220,8 +222,7 @@ function parseCertSerialDec(normalizedCertBase64) {
         // Skip optional [0] EXPLICIT version field.
         if (der[offset] === 0xa0) {
             offset++;
-            const vLen = readLen();
-            offset += vLen;
+            offset += readLen();
         }
         if (der[offset++] !== 0x02)
             throw new Error("bad serial tag");
@@ -233,7 +234,6 @@ function parseCertSerialDec(normalizedCertBase64) {
         if (serial.length > 1 && serial[0] === 0x00) {
             serial = serial.slice(1);
         }
-        // Accumulate directly to BigInt — avoids intermediate hex string allocation.
         let serialBig = 0n;
         for (let i = 0; i < serial.length; i++) {
             serialBig = (serialBig << 8n) | BigInt(serial[i]);
@@ -246,7 +246,7 @@ function parseCertSerialDec(normalizedCertBase64) {
     }
 }
 /**
- * Convert an ISO-8601 timestamp to the compact AMZ date-time format.
+ * Convert ISO-8601 to compact AMZ date-time format.
  * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
  */
 function isoToAmzDate(iso) {
@@ -259,7 +259,7 @@ function isoToAmzDate(iso) {
         iso.slice(17, 19) +
         "Z");
 }
-/** Faster base64 → Uint8Array using V8's vectorized atob path. */
+/** base64 → Uint8Array via V8's vectorized atob path. */
 function base64ToBytes(base64) {
     const binary = atob(base64);
     const bytes = new Uint8Array(binary.length);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.47",
+  "version": "0.3.49",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",
@@ -28,6 +28,6 @@
     "vitest": "^4.1.0"
   },
   "dependencies": {
-    "@vizamodo/edge-cache-core": "^0.3.38"
+    "@vizamodo/edge-cache-core": "^0.3.40"
   }
 }