npm - @vizamodo/aws-sts-core - Versions diffs - 0.4.24 → 0.4.26 - Mend

@vizamodo/aws-sts-core 0.4.24 → 0.4.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/sts/issue.js +63 -56
package/package.json +1 -1

package/dist/sts/issue.js CHANGED Viewed

@@ -39,30 +39,37 @@ async function getSigningMaterial(input) {
         cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
         return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
     }
-    // Material rotated — discard the stale resolved key so we re-import.
-    if (cachedSigningKey) {
+    // If material rotated, reset promise so we re-import.
+    if (cachedSigningKey &&
+        (cachedCertBase64 !== input.certBase64 ||
+            cachedPrivateKeyBase64 !== input.privateKeyPkcs8Base64)) {
         signingKeyPromise = null;
         cachedSigningKey = null;
     }
     if (!signingKeyPromise) {
+        let keyBuffer;
         try {
-            const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
-            signingKeyPromise = crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+            keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
         }
         catch {
             throw new InternalError("invalid_signing_material");
         }
+        signingKeyPromise = crypto.subtle
+            .importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
+            .then((key) => {
+            // ✅ Atomic assignment inside then (no race)
+            cachedSigningKey = key;
+            cachedCertBase64 = input.certBase64;
+            cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
+            return key;
+        })
+            .catch(() => {
+            signingKeyPromise = null; // allow retry
+            throw new InternalError("invalid_signing_material");
+        });
     }
-    try {
-        cachedSigningKey = await signingKeyPromise;
-        cachedCertBase64 = input.certBase64;
-        cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
-        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
-    }
-    catch {
-        signingKeyPromise = null; // allow retry on next call
-        throw new InternalError("invalid_signing_material");
-    }
+    const key = await signingKeyPromise;
+    return { signingKey: key, certBase64: input.certBase64 };
 }
 // ---------------------------------------------------------------------------
 // Profile TTL resolution
@@ -89,49 +96,49 @@ export async function issueAwsCredentials(input) {
         cachedCertSerialSource = normalizedCert;
     }
     const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
-    // ---- Build SigV4 request ----
-    const { signingKey } = await getSigningMaterial({
-        certBase64: normalizedCert,
-        privateKeyPkcs8Base64,
-    });
-    const host = `${SERVICE}.${region}.amazonaws.com`;
-    const iso = new Date().toISOString();
-    const amzDate = isoToAmzDate(iso);
-    const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
-    const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-    const payloadHash = await sha256Hex(body);
-    const baseHeaders = {
-        "content-type": "application/json",
-        "host": host,
-        "x-amz-date": amzDate,
-        "x-amz-x509": normalizedCert,
-    };
-    const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-    const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
-    const canonicalRequest = buildCanonicalRequest({
-        method: "POST",
-        canonicalUri: PATH,
-        query: "",
-        canonicalHeaders,
-        signedHeaders,
-        payloadHash,
-    });
-    const canonicalRequestHash = await sha256Hex(canonicalRequest);
-    const stringToSign = buildStringToSign({
-        algorithm: ALGORITHM,
-        amzDate,
-        credentialScope,
-        canonicalRequestHash,
-    });
-    const signatureHex = await signStringToSign(stringToSign, signingKey);
-    const finalHeaders = new Headers({
-        "Content-Type": "application/json",
-        "X-Amz-Date": amzDate,
-        "X-Amz-X509": normalizedCert,
-        "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
-    });
-    const issuedAt = Date.now(); // snapshot before the network round-trip
     return getCachedOrFetch(cacheKey, async () => {
+        // ---- Build SigV4 request (moved inside fetcher) ----
+        const { signingKey } = await getSigningMaterial({
+            certBase64: normalizedCert,
+            privateKeyPkcs8Base64,
+        });
+        const host = `${SERVICE}.${region}.amazonaws.com`;
+        const iso = new Date().toISOString();
+        const amzDate = isoToAmzDate(iso);
+        const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+        const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+        const payloadHash = await sha256Hex(body);
+        const baseHeaders = {
+            "content-type": "application/json",
+            "host": host,
+            "x-amz-date": amzDate,
+            "x-amz-x509": normalizedCert,
+        };
+        const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+        const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
+        const canonicalRequest = buildCanonicalRequest({
+            method: "POST",
+            canonicalUri: PATH,
+            query: "",
+            canonicalHeaders,
+            signedHeaders,
+            payloadHash,
+        });
+        const canonicalRequestHash = await sha256Hex(canonicalRequest);
+        const stringToSign = buildStringToSign({
+            algorithm: ALGORITHM,
+            amzDate,
+            credentialScope,
+            canonicalRequestHash,
+        });
+        const signatureHex = await signStringToSign(stringToSign, signingKey);
+        const finalHeaders = new Headers({
+            "Content-Type": "application/json",
+            "X-Amz-Date": amzDate,
+            "X-Amz-X509": normalizedCert,
+            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+        });
+        const issuedAt = Date.now();
         const res = await fetch(`https://${host}${PATH}`, {
             method: "POST",
             headers: finalHeaders,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.24",
+  "version": "0.4.26",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",