@vizamodo/aws-sts-core 0.3.50 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/sts/issue.js +23 -24
- package/package.json +1 -1
package/dist/sts/issue.js
CHANGED
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
|
|
2
1
|
import { canonicalizeHeaders } from "../sigv4/headers";
|
|
3
2
|
import { buildCanonicalRequest } from "../sigv4/canonical";
|
|
4
3
|
import { buildStringToSign } from "../sigv4/string-to-sign";
|
|
5
4
|
import { signStringToSign } from "./signer";
|
|
6
5
|
import { InternalError } from "./errors";
|
|
7
6
|
import { sha256Hex } from "../crypto/sha256";
|
|
7
|
+
import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
|
|
8
8
|
// ── Constants ──────────────────────────────────────────────────────────────
|
|
9
9
|
const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
|
|
10
10
|
const SERVICE = "rolesanywhere";
|
|
@@ -58,21 +58,29 @@ async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
|
|
|
58
58
|
cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
|
|
59
59
|
return cachedSigningKey;
|
|
60
60
|
}
|
|
61
|
-
// Material
|
|
61
|
+
// Material changed or first call — reset and re-import.
|
|
62
|
+
// Cache vars are updated inside .then() so concurrent callers
|
|
63
|
+
// awaiting the same promise all see consistent state after resolve.
|
|
62
64
|
signingKeyPromise = null;
|
|
63
65
|
cachedSigningKey = null;
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
66
|
+
cachedCertBase64 = null;
|
|
67
|
+
cachedPrivateKeyBase64 = null;
|
|
68
|
+
signingKeyPromise = crypto.subtle
|
|
69
|
+
.importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
|
|
70
|
+
.then((key) => {
|
|
71
|
+
// Update cache atomically after successful import.
|
|
72
|
+
// All concurrent callers awaiting this promise will see
|
|
73
|
+
// consistent state and hit the fast path on next call.
|
|
74
|
+
cachedSigningKey = key;
|
|
75
|
+
cachedCertBase64 = certBase64;
|
|
76
|
+
cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
|
|
77
|
+
return key;
|
|
78
|
+
})
|
|
79
|
+
.catch(() => {
|
|
80
|
+
signingKeyPromise = null; // allow retry on next call
|
|
81
|
+
throw new InternalError("invalid_signing_material");
|
|
82
|
+
});
|
|
83
|
+
return signingKeyPromise;
|
|
76
84
|
}
|
|
77
85
|
// ── Session TTL ────────────────────────────────────────────────────────────
|
|
78
86
|
function resolveSessionTtl(profile) {
|
|
@@ -133,10 +141,6 @@ async function fetchCredentials(input) {
|
|
|
133
141
|
"X-Amz-X509": normalizedCert,
|
|
134
142
|
"Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
|
|
135
143
|
});
|
|
136
|
-
// 🔍 DEBUG signing output (temporary)
|
|
137
|
-
console.debug("[aws-debug] canonicalRequest", canonicalRequest);
|
|
138
|
-
console.debug("[aws-debug] stringToSign", stringToSign);
|
|
139
|
-
console.debug("[aws-debug] authorization", finalHeaders.get("Authorization"));
|
|
140
144
|
let res;
|
|
141
145
|
try {
|
|
142
146
|
res = await fetch(`https://${host}${PATH}`, {
|
|
@@ -150,12 +154,7 @@ async function fetchCredentials(input) {
|
|
|
150
154
|
throw new InternalError("aws_unreachable");
|
|
151
155
|
}
|
|
152
156
|
if (!res.ok) {
|
|
153
|
-
|
|
154
|
-
console.error("[aws-rejected]", {
|
|
155
|
-
status: res.status,
|
|
156
|
-
body: text,
|
|
157
|
-
region,
|
|
158
|
-
});
|
|
157
|
+
console.warn("[aws-rejected]", { status: res.status, region });
|
|
159
158
|
throw new InternalError("aws_rejected");
|
|
160
159
|
}
|
|
161
160
|
const json = await res.json();
|