@vizamodo/aws-sts-core 0.4.30 → 0.4.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/sts/issue.d.ts +1 -0
  2. package/dist/sts/issue.js +84 -43
  3. package/package.json +1 -1
package/dist/sts/issue.d.ts CHANGED
@@ -1,4 +1,5 @@
1
1
  import type { AwsCredentialResult } from "../types";
2
+ export declare function resetIsolateCache(): void;
2
3
  export declare function issueAwsCredentials(input: {
3
4
  roleArn: string;
4
5
  profileArn: string;
package/dist/sts/issue.js CHANGED
@@ -26,6 +26,12 @@ let signingKeyPromise = null;
26
26
  let cachedSigningKey = null;
27
27
  let cachedCertBase64 = null;
28
28
  let cachedPrivateKeyBase64 = null;
29
+ export function resetIsolateCache() {
30
+ signingKeyPromise = null;
31
+ cachedSigningKey = null;
32
+ cachedCertBase64 = null;
33
+ cachedPrivateKeyBase64 = null;
34
+ }
29
35
  // ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
30
36
  let cachedCertSerialDec = null;
31
37
  let cachedCertSerialSource = null;
@@ -89,47 +95,54 @@ export async function issueAwsCredentials(input) {
89
95
  const certSerialDec = parseCertSerialDec(normalizedCert);
90
96
  const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
91
97
  return getCachedOrFetch(cacheKey, async () => {
92
- // ---- Build SigV4 request (moved inside fetcher) ----
93
- const { signingKey } = await getSigningMaterial({
94
- certBase64: normalizedCert,
95
- privateKeyPkcs8Base64,
96
- });
97
- const host = `${SERVICE}.${region}.amazonaws.com`;
98
- const iso = new Date().toISOString();
99
- const amzDate = isoToAmzDate(iso);
100
- const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
101
- const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
102
- const payloadHash = await sha256Hex(body);
103
- const baseHeaders = {
104
- "content-type": "application/json",
105
- "host": host,
106
- "x-amz-date": amzDate,
107
- "x-amz-x509": normalizedCert,
108
- };
109
- const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
110
- const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
111
- const canonicalRequest = buildCanonicalRequest({
112
- method: "POST",
113
- canonicalUri: PATH,
114
- query: "",
115
- canonicalHeaders,
116
- signedHeaders,
117
- payloadHash,
118
- });
119
- const canonicalRequestHash = await sha256Hex(canonicalRequest);
120
- const stringToSign = buildStringToSign({
121
- algorithm: ALGORITHM,
122
- amzDate,
123
- credentialScope,
124
- canonicalRequestHash,
125
- });
126
- const signatureHex = await signStringToSign(stringToSign, signingKey);
127
- const finalHeaders = new Headers({
128
- "Content-Type": "application/json",
129
- "X-Amz-Date": amzDate,
130
- "X-Amz-X509": normalizedCert,
131
- "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
132
- });
98
+ async function buildSignedHeaders() {
99
+ const { signingKey } = await getSigningMaterial({
100
+ certBase64: normalizedCert,
101
+ privateKeyPkcs8Base64,
102
+ });
103
+ const host = `${SERVICE}.${region}.amazonaws.com`;
104
+ const iso = new Date().toISOString();
105
+ const amzDate = isoToAmzDate(iso);
106
+ const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
107
+ const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
108
+ const payloadHash = await sha256Hex(body);
109
+ const baseHeaders = {
110
+ "content-type": "application/json",
111
+ "host": host,
112
+ "x-amz-date": amzDate,
113
+ "x-amz-x509": normalizedCert,
114
+ };
115
+ const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
116
+ const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
117
+ const canonicalRequest = buildCanonicalRequest({
118
+ method: "POST",
119
+ canonicalUri: PATH,
120
+ query: "",
121
+ canonicalHeaders,
122
+ signedHeaders,
123
+ payloadHash,
124
+ });
125
+ const canonicalRequestHash = await sha256Hex(canonicalRequest);
126
+ const stringToSign = buildStringToSign({
127
+ algorithm: ALGORITHM,
128
+ amzDate,
129
+ credentialScope,
130
+ canonicalRequestHash,
131
+ });
132
+ const signatureHex = await signStringToSign(stringToSign, signingKey);
133
+ const headers = new Headers({
134
+ "Content-Type": "application/json",
135
+ "X-Amz-Date": amzDate,
136
+ "X-Amz-X509": normalizedCert,
137
+ "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
138
+ });
139
+ return {
140
+ headers,
141
+ body,
142
+ host,
143
+ };
144
+ }
145
+ const { headers: finalHeaders, body, host } = await buildSignedHeaders();
133
146
  const issuedAt = Date.now();
134
147
  let res;
135
148
  try {
@@ -144,7 +157,35 @@ export async function issueAwsCredentials(input) {
144
157
  throw new InternalError("aws_unreachable");
145
158
  }
146
159
  if (!res.ok) {
147
- console.warn("[aws-rejected]", { status: res.status, region, profile });
160
+ const status = res.status;
161
+ // Safe internal hard reset trigger:
162
+ // Only reset isolate cache on explicit forceRefresh AND first failure
163
+ if (forceRefresh && status === 403) {
164
+ console.warn("[aws-rejected][hard-reset-trigger]", { status, region });
165
+ resetIsolateCache();
166
+ const { headers: retryHeaders, body: retryBody, host: retryHost } = await buildSignedHeaders();
167
+ const retryRes = await fetch(`https://${retryHost}${PATH}`, {
168
+ method: "POST",
169
+ headers: retryHeaders,
170
+ body: retryBody,
171
+ });
172
+ if (!retryRes.ok) {
173
+ console.warn("[aws-rejected][after-hard-reset]", { status: retryRes.status, region });
174
+ throw new InternalError("aws_rejected");
175
+ }
176
+ const retryJson = await retryRes.json();
177
+ const retryCreds = retryJson?.credentialSet?.[0]?.credentials;
178
+ if (!retryCreds?.accessKeyId || !retryCreds?.secretAccessKey || !retryCreds?.sessionToken) {
179
+ throw new InternalError("aws_malformed_credentials");
180
+ }
181
+ return {
182
+ accessKeyId: retryCreds.accessKeyId,
183
+ secretAccessKey: retryCreds.secretAccessKey,
184
+ sessionToken: retryCreds.sessionToken,
185
+ expiration: retryCreds.expiration,
186
+ };
187
+ }
188
+ console.warn("[aws-rejected]", { status, region, profile });
148
189
  throw new InternalError("aws_rejected");
149
190
  }
150
191
  const json = await res.json();
@@ -170,7 +211,7 @@ export async function issueAwsCredentials(input) {
170
211
  return value;
171
212
  }, {
172
213
  ttlSec: 60,
173
- ...(forceRefresh !== undefined ? { forceRefresh } : {})
214
+ forceRefresh: !!forceRefresh
174
215
  });
175
216
  }
176
217
  // ---------------------------------------------------------------------------
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@vizamodo/aws-sts-core",
3
- "version": "0.4.30",
3
+ "version": "0.4.31",
4
4
  "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",