@vizamodo/aws-sts-core 0.3.5 → 0.3.8

package/dist/crypto/sha256.d.ts

@@ -0,0 +1,2 @@
+export declare function hex(buf: ArrayBuffer | Uint8Array): string;
+export declare function sha256Hex(input: string): Promise<string>;

package/dist/crypto/sha256.js

@@ -0,0 +1,22 @@
+const textEncoder = new TextEncoder();
+const HEX_TABLE = new Array(256);
+for (let i = 0; i < 256; i++) {
+    HEX_TABLE[i] = (i < 16 ? "0" : "") + i.toString(16);
+}
+export function hex(buf) {
+    const arr = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+    const out = new Array(arr.length);
+    for (let i = 0; i < arr.length; i++) {
+        out[i] = HEX_TABLE[arr[i]];
+    }
+    return out.join("");
+}
+export async function sha256Hex(input) {
+    const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(input));
+    const bytes = new Uint8Array(hash);
+    const hexParts = new Array(32);
+    for (let i = 0; i < 32; i++) {
+        hexParts[i] = HEX_TABLE[bytes[i]];
+    }
+    return hexParts.join("");
+}

package/dist/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./types";
 export * from "./sts/issue";
 export * from "./federation/login";
+export * from "./sigv4/request";

package/dist/index.js

@@ -1,3 +1,4 @@
 export * from "./types";
 export * from "./sts/issue";
 export * from "./federation/login";
+export * from "./sigv4/request";

package/dist/sigv4/request.d.ts

@@ -0,0 +1,17 @@
+export type AwsCredentials = {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+};
+export type BuildSignedAwsRequestInput = {
+    service: string;
+    region: string;
+    target: string;
+    body: string;
+    contentType?: string;
+    credentials: AwsCredentials;
+};
+/**
+ * Build signed AWS JSON API request
+ */
+export declare function buildSignedAwsRequest(input: BuildSignedAwsRequestInput): Promise<RequestInit>;

package/dist/sigv4/request.js

@@ -0,0 +1,124 @@
+/*
+SigV4 signed AWS JSON request builder.
+
+Designed for edge runtimes (Cloudflare Workers, Deno, Bun, Node 20+).
+No AWS SDK dependency.
+*/
+import { sha256Hex, hex } from "../crypto/sha256";
+const DEFAULT_CONTENT_TYPE = "application/x-amz-json-1.1";
+const encoder = new TextEncoder();
+const signingKeyCache = new Map();
+const MAX_SIGNING_KEY_CACHE = 64;
+const hmacKeyCache = new Map();
+/**
+ * HMAC SHA256
+ */
+async function hmac(key, data) {
+    const rawKey = key instanceof Uint8Array ? key : new Uint8Array(key);
+    const keyId = hex(rawKey);
+    let cryptoKey = hmacKeyCache.get(keyId);
+    if (!cryptoKey) {
+        cryptoKey = await crypto.subtle.importKey("raw", rawKey, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        hmacKeyCache.set(keyId, cryptoKey);
+    }
+    return crypto.subtle.sign("HMAC", cryptoKey, encoder.encode(data));
+}
+function toUint8(buf) {
+    return new Uint8Array(buf);
+}
+/**
+ * Derive SigV4 signing key
+ */
+async function getSignatureKey(secretKey, date, region, service) {
+    const kDate = await hmac(new TextEncoder().encode("AWS4" + secretKey), date);
+    const kRegion = await hmac(toUint8(kDate), region);
+    const kService = await hmac(toUint8(kRegion), service);
+    return hmac(toUint8(kService), "aws4_request");
+}
+/**
+ * Build signed AWS JSON API request
+ */
+export async function buildSignedAwsRequest(input) {
+    const { service, region, target, body, credentials } = input;
+    const contentType = input.contentType ?? DEFAULT_CONTENT_TYPE;
+    const host = `${service}.${region}.amazonaws.com`;
+    const now = new Date();
+    const iso = now.toISOString();
+    const amzDate = iso.slice(0, 4) +
+        iso.slice(5, 7) +
+        iso.slice(8, 10) +
+        "T" +
+        iso.slice(11, 13) +
+        iso.slice(14, 16) +
+        iso.slice(17, 19) +
+        "Z";
+    const dateStamp = amzDate.slice(0, 8);
+    const canonicalHeaders = `content-type:${contentType}\n` +
+        `host:${host}\n` +
+        `x-amz-date:${amzDate}\n` +
+        `x-amz-target:${target}\n` +
+        (credentials.sessionToken
+            ? `x-amz-security-token:${credentials.sessionToken}\n`
+            : "");
+    const signedHeaders = credentials.sessionToken
+        ? "content-type;host;x-amz-date;x-amz-security-token;x-amz-target"
+        : "content-type;host;x-amz-date;x-amz-target";
+    const payloadHash = await sha256Hex(body);
+    const canonicalRequest = "POST\n" +
+        "/\n" +
+        "\n" +
+        canonicalHeaders +
+        "\n" +
+        signedHeaders +
+        "\n" +
+        payloadHash;
+    const credentialScope = dateStamp +
+        "/" +
+        region +
+        "/" +
+        service +
+        "/aws4_request";
+    const stringToSign = "AWS4-HMAC-SHA256\n" +
+        amzDate +
+        "\n" +
+        credentialScope +
+        "\n" +
+        await sha256Hex(canonicalRequest);
+    const cacheKey = await sha256Hex(credentials.secretAccessKey +
+        "|" +
+        dateStamp +
+        "|" +
+        region +
+        "|" +
+        service);
+    let signingKey = signingKeyCache.get(cacheKey);
+    if (!signingKey) {
+        signingKey = await getSignatureKey(credentials.secretAccessKey, dateStamp, region, service);
+        if (signingKeyCache.size > MAX_SIGNING_KEY_CACHE) {
+            const firstKey = signingKeyCache.keys().next().value;
+            if (firstKey)
+                signingKeyCache.delete(firstKey);
+        }
+        signingKeyCache.set(cacheKey, signingKey);
+    }
+    const signature = hex(await hmac(signingKey, stringToSign));
+    const authorization = "AWS4-HMAC-SHA256 " +
+        `Credential=${credentials.accessKeyId}/${credentialScope}, ` +
+        `SignedHeaders=${signedHeaders}, ` +
+        `Signature=${signature}`;
+    const headers = {
+        "Content-Type": contentType,
+        "X-Amz-Date": amzDate,
+        "X-Amz-Target": target,
+        Authorization: authorization,
+        Host: host
+    };
+    if (credentials.sessionToken) {
+        headers["X-Amz-Security-Token"] = credentials.sessionToken;
+    }
+    return {
+        method: "POST",
+        headers,
+        body
+    };
+}

package/dist/sts/issue.js

@@ -3,6 +3,7 @@ import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
+import { sha256Hex } from "../crypto/sha256";
 // ---- constants (cleaner configuration, no runtime cost) ----
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
@@ -26,13 +27,6 @@ let cachedPrivateKeyBase64 = null;
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
 const stsCredentialCache = new Map();
-// ---- shared encoder ----
-const textEncoder = new TextEncoder();
-// Precomputed hex table for fast byte→hex conversion (no per-byte toString alloc)
-const HEX_TABLE = new Array(256);
-for (let i = 0; i < 256; i++) {
-    HEX_TABLE[i] = (i < 16 ? "0" : "") + i.toString(16);
-}
 async function getSigningMaterial(input) {
     if (cachedSigningKey &&
         cachedCertBase64 === input.certBase64 &&
@@ -261,16 +255,6 @@ function normalizeCert(raw) {
     // remove whitespace and newlines to ensure stable cache keys
     return raw.replace(/\s+/g, "");
 }
-async function sha256Hex(input) {
-    // Tận dụng textEncoder có sẵn
-    const hash = await crypto.subtle.digest("SHA-256", textEncoder.encode(input));
-    const bytes = new Uint8Array(hash);
-    const hexParts = new Array(32); // SHA-256 luôn là 32 bytes
-    for (let i = 0; i < 32; i++) {
-        hexParts[i] = HEX_TABLE[bytes[i]];
-    }
-    return hexParts.join("");
-}
 async function getCanonicalRequestHash(canonicalRequest) {
     return sha256Hex(canonicalRequest);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.3.5",
+  "version": "0.3.8",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",