@vizamodo/aws-sts-core 0.4.17 → 0.4.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/sts/issue.js +12 -18
- package/package.json +1 -1
package/dist/sts/issue.js
CHANGED
|
@@ -26,18 +26,12 @@ let signingKeyPromise = null;
|
|
|
26
26
|
let cachedSigningKey = null;
|
|
27
27
|
let cachedCertBase64 = null;
|
|
28
28
|
let cachedPrivateKeyBase64 = null;
|
|
29
|
-
// ── Cert serial cache ──────────────────────────────────────────────────────
|
|
30
|
-
// BUG 5 KEPT: stale isolate cache can return wrong serial across deploys.
|
|
31
|
-
let cachedCertSerialDec = null;
|
|
32
|
-
let cachedCertSerialSource = null;
|
|
33
29
|
// ── Test utilities ─────────────────────────────────────────────────────────
|
|
34
30
|
export function resetIsolateCache() {
|
|
35
31
|
signingKeyPromise = null;
|
|
36
32
|
cachedSigningKey = null;
|
|
37
33
|
cachedCertBase64 = null;
|
|
38
34
|
cachedPrivateKeyBase64 = null;
|
|
39
|
-
cachedCertSerialDec = null;
|
|
40
|
-
cachedCertSerialSource = null;
|
|
41
35
|
}
|
|
42
36
|
// ── Signing material ───────────────────────────────────────────────────────
|
|
43
37
|
async function getSigningMaterial(input) {
|
|
@@ -78,16 +72,8 @@ export async function issueAwsCredentials(input) {
|
|
|
78
72
|
const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
|
|
79
73
|
const sessionTtl = resolveSessionTtlByProfile(profile);
|
|
80
74
|
const normalizedCert = normalizeCert(certBase64);
|
|
81
|
-
//
|
|
82
|
-
|
|
83
|
-
if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
|
|
84
|
-
certSerialDec = cachedCertSerialDec;
|
|
85
|
-
}
|
|
86
|
-
else {
|
|
87
|
-
certSerialDec = parseCertSerialDec(normalizedCert);
|
|
88
|
-
cachedCertSerialDec = certSerialDec;
|
|
89
|
-
cachedCertSerialSource = normalizedCert;
|
|
90
|
-
}
|
|
75
|
+
// No isolate cache — stale cached values caused wrong-serial bugs.
|
|
76
|
+
const certSerialDec = parseCertSerialDec(normalizedCert);
|
|
91
77
|
const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
|
|
92
78
|
// BUG 1 KEPT: signing happens before getCachedOrFetch — runs on every
|
|
93
79
|
// request even when L1/L2 cache would have returned a hit.
|
|
@@ -139,8 +125,16 @@ export async function issueAwsCredentials(input) {
|
|
|
139
125
|
throw new InternalError("aws_unreachable");
|
|
140
126
|
}
|
|
141
127
|
if (!res.ok) {
|
|
142
|
-
const
|
|
143
|
-
console.error("[aws-rejected]", {
|
|
128
|
+
const errorBody = await res.text().catch(() => "<no-body>");
|
|
129
|
+
console.error("[aws-rejected]", {
|
|
130
|
+
status: res.status,
|
|
131
|
+
region,
|
|
132
|
+
profile,
|
|
133
|
+
errorBody,
|
|
134
|
+
certSerial: certSerialDec,
|
|
135
|
+
amzDate,
|
|
136
|
+
credentialScope,
|
|
137
|
+
});
|
|
144
138
|
throw new InternalError("aws_rejected");
|
|
145
139
|
}
|
|
146
140
|
const json = await res.json();
|