@vizamodo/aws-sts-core 0.4.28 → 0.4.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/sts/issue.d.ts +1 -0
  2. package/dist/sts/issue.js +86 -53
  3. package/package.json +1 -1
package/dist/sts/issue.d.ts CHANGED
@@ -1,4 +1,5 @@
1
1
  import type { AwsCredentialResult } from "../types";
2
+ export declare function resetIsolateCache(): void;
2
3
  export declare function issueAwsCredentials(input: {
3
4
  roleArn: string;
4
5
  profileArn: string;
package/dist/sts/issue.js CHANGED
@@ -26,6 +26,12 @@ let signingKeyPromise = null;
26
26
  let cachedSigningKey = null;
27
27
  let cachedCertBase64 = null;
28
28
  let cachedPrivateKeyBase64 = null;
29
+ export function resetIsolateCache() {
30
+ signingKeyPromise = null;
31
+ cachedSigningKey = null;
32
+ cachedCertBase64 = null;
33
+ cachedPrivateKeyBase64 = null;
34
+ }
29
35
  // ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
30
36
  let cachedCertSerialDec = null;
31
37
  let cachedCertSerialSource = null;
@@ -85,59 +91,58 @@ export async function issueAwsCredentials(input) {
85
91
  const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
86
92
  const sessionTtl = resolveSessionTtlByProfile(profile);
87
93
  const normalizedCert = normalizeCert(certBase64);
88
- // ---- DER serial extraction (with isolate-level cache) ----
89
- let certSerialDec;
90
- if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
91
- certSerialDec = cachedCertSerialDec;
92
- }
93
- else {
94
- certSerialDec = parseCertSerialDec(normalizedCert); // throws InternalError on bad DER
95
- cachedCertSerialDec = certSerialDec;
96
- cachedCertSerialSource = normalizedCert;
97
- }
94
+ // ---- DER serial extraction (no isolate cache — avoid stale bug) ----
95
+ const certSerialDec = parseCertSerialDec(normalizedCert);
98
96
  const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
99
97
  return getCachedOrFetch(cacheKey, async () => {
100
- // ---- Build SigV4 request (moved inside fetcher) ----
101
- const { signingKey } = await getSigningMaterial({
102
- certBase64: normalizedCert,
103
- privateKeyPkcs8Base64,
104
- });
105
- const host = `${SERVICE}.${region}.amazonaws.com`;
106
- const iso = new Date().toISOString();
107
- const amzDate = isoToAmzDate(iso);
108
- const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
109
- const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
110
- const payloadHash = await sha256Hex(body);
111
- const baseHeaders = {
112
- "content-type": "application/json",
113
- "host": host,
114
- "x-amz-date": amzDate,
115
- "x-amz-x509": normalizedCert,
116
- };
117
- const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
118
- const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
119
- const canonicalRequest = buildCanonicalRequest({
120
- method: "POST",
121
- canonicalUri: PATH,
122
- query: "",
123
- canonicalHeaders,
124
- signedHeaders,
125
- payloadHash,
126
- });
127
- const canonicalRequestHash = await sha256Hex(canonicalRequest);
128
- const stringToSign = buildStringToSign({
129
- algorithm: ALGORITHM,
130
- amzDate,
131
- credentialScope,
132
- canonicalRequestHash,
133
- });
134
- const signatureHex = await signStringToSign(stringToSign, signingKey);
135
- const finalHeaders = new Headers({
136
- "Content-Type": "application/json",
137
- "X-Amz-Date": amzDate,
138
- "X-Amz-X509": normalizedCert,
139
- "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
140
- });
98
+ async function buildSignedHeaders() {
99
+ const { signingKey } = await getSigningMaterial({
100
+ certBase64: normalizedCert,
101
+ privateKeyPkcs8Base64,
102
+ });
103
+ const host = `${SERVICE}.${region}.amazonaws.com`;
104
+ const iso = new Date().toISOString();
105
+ const amzDate = isoToAmzDate(iso);
106
+ const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
107
+ const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
108
+ const payloadHash = await sha256Hex(body);
109
+ const baseHeaders = {
110
+ "content-type": "application/json",
111
+ "host": host,
112
+ "x-amz-date": amzDate,
113
+ "x-amz-x509": normalizedCert,
114
+ };
115
+ const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
116
+ const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
117
+ const canonicalRequest = buildCanonicalRequest({
118
+ method: "POST",
119
+ canonicalUri: PATH,
120
+ query: "",
121
+ canonicalHeaders,
122
+ signedHeaders,
123
+ payloadHash,
124
+ });
125
+ const canonicalRequestHash = await sha256Hex(canonicalRequest);
126
+ const stringToSign = buildStringToSign({
127
+ algorithm: ALGORITHM,
128
+ amzDate,
129
+ credentialScope,
130
+ canonicalRequestHash,
131
+ });
132
+ const signatureHex = await signStringToSign(stringToSign, signingKey);
133
+ const headers = new Headers({
134
+ "Content-Type": "application/json",
135
+ "X-Amz-Date": amzDate,
136
+ "X-Amz-X509": normalizedCert,
137
+ "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
138
+ });
139
+ return {
140
+ headers,
141
+ body,
142
+ host,
143
+ };
144
+ }
145
+ const { headers: finalHeaders, body, host } = await buildSignedHeaders();
141
146
  const issuedAt = Date.now();
142
147
  let res;
143
148
  try {
@@ -152,7 +157,35 @@ export async function issueAwsCredentials(input) {
152
157
  throw new InternalError("aws_unreachable");
153
158
  }
154
159
  if (!res.ok) {
155
- console.warn("[aws-rejected]", { status: res.status, region, profile });
160
+ const status = res.status;
161
+ // Safe internal hard reset trigger:
162
+ // Only reset isolate cache on explicit forceRefresh AND first failure
163
+ if (forceRefresh && status === 403) {
164
+ console.warn("[aws-rejected][hard-reset-trigger]", { status, region });
165
+ resetIsolateCache();
166
+ const { headers: retryHeaders, body: retryBody, host: retryHost } = await buildSignedHeaders();
167
+ const retryRes = await fetch(`https://${retryHost}${PATH}`, {
168
+ method: "POST",
169
+ headers: retryHeaders,
170
+ body: retryBody,
171
+ });
172
+ if (!retryRes.ok) {
173
+ console.warn("[aws-rejected][after-hard-reset]", { status: retryRes.status, region });
174
+ throw new InternalError("aws_rejected");
175
+ }
176
+ const retryJson = await retryRes.json();
177
+ const retryCreds = retryJson?.credentialSet?.[0]?.credentials;
178
+ if (!retryCreds?.accessKeyId || !retryCreds?.secretAccessKey || !retryCreds?.sessionToken) {
179
+ throw new InternalError("aws_malformed_credentials");
180
+ }
181
+ return {
182
+ accessKeyId: retryCreds.accessKeyId,
183
+ secretAccessKey: retryCreds.secretAccessKey,
184
+ sessionToken: retryCreds.sessionToken,
185
+ expiration: retryCreds.expiration,
186
+ };
187
+ }
188
+ console.warn("[aws-rejected]", { status, region, profile });
156
189
  throw new InternalError("aws_rejected");
157
190
  }
158
191
  const json = await res.json();
@@ -178,7 +211,7 @@ export async function issueAwsCredentials(input) {
178
211
  return value;
179
212
  }, {
180
213
  ttlSec: 60,
181
- ...(forceRefresh !== undefined ? { forceRefresh } : {})
214
+ forceRefresh: !!forceRefresh
182
215
  });
183
216
  }
184
217
  // ---------------------------------------------------------------------------
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vizamodo/aws-sts-core",
3
- "version": "0.4.28",
3
+ "version": "0.4.31",
4
4
  "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",