@vizamodo/aws-sts-core 0.3.49 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/sts/issue.js +22 -14
  2. package/package.json +1 -1
package/dist/sts/issue.js CHANGED
@@ -1,10 +1,10 @@
1
- import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
2
1
  import { canonicalizeHeaders } from "../sigv4/headers";
3
2
  import { buildCanonicalRequest } from "../sigv4/canonical";
4
3
  import { buildStringToSign } from "../sigv4/string-to-sign";
5
4
  import { signStringToSign } from "./signer";
6
5
  import { InternalError } from "./errors";
7
6
  import { sha256Hex } from "../crypto/sha256";
7
+ import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
8
8
  // ── Constants ──────────────────────────────────────────────────────────────
9
9
  const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
10
10
  const SERVICE = "rolesanywhere";
@@ -58,21 +58,29 @@ async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
58
58
  cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
59
59
  return cachedSigningKey;
60
60
  }
61
- // Material rotated discard stale state and re-import.
61
+ // Material changed or first call reset and re-import.
62
+ // Cache vars are updated inside .then() so concurrent callers
63
+ // awaiting the same promise all see consistent state after resolve.
62
64
  signingKeyPromise = null;
63
65
  cachedSigningKey = null;
64
- if (!signingKeyPromise) {
65
- signingKeyPromise = crypto.subtle
66
- .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
67
- .catch(() => {
68
- signingKeyPromise = null; // allow retry
69
- throw new InternalError("invalid_signing_material");
70
- });
71
- }
72
- cachedSigningKey = await signingKeyPromise;
73
- cachedCertBase64 = certBase64;
74
- cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
75
- return cachedSigningKey;
66
+ cachedCertBase64 = null;
67
+ cachedPrivateKeyBase64 = null;
68
+ signingKeyPromise = crypto.subtle
69
+ .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
70
+ .then((key) => {
71
+ // Update cache atomically after successful import.
72
+ // All concurrent callers awaiting this promise will see
73
+ // consistent state and hit the fast path on next call.
74
+ cachedSigningKey = key;
75
+ cachedCertBase64 = certBase64;
76
+ cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
77
+ return key;
78
+ })
79
+ .catch(() => {
80
+ signingKeyPromise = null; // allow retry on next call
81
+ throw new InternalError("invalid_signing_material");
82
+ });
83
+ return signingKeyPromise;
76
84
  }
77
85
  // ── Session TTL ────────────────────────────────────────────────────────────
78
86
  function resolveSessionTtl(profile) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vizamodo/aws-sts-core",
3
- "version": "0.3.49",
3
+ "version": "0.4.1",
4
4
  "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",