npm - @vizamodo/aws-sts-core - Versions diffs - 0.4.32 → 0.4.34 - Mend

@vizamodo/aws-sts-core 0.4.32 → 0.4.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/federation/login.d.ts +5 -3
package/dist/federation/login.js +60 -66
package/dist/sts/issue.js +44 -101
package/package.json +1 -1

package/dist/federation/login.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export declare function buildFederationLoginUrl(input: {
+export interface BuildFederationLoginUrlInput {
     accessKeyId: string;
     secretAccessKey: string;
     sessionToken: string;
@@ -6,9 +6,11 @@ export declare function buildFederationLoginUrl(input: {
     expiration: string;
     intent?: "console" | "billing" | "dynamodb" | "ssm";
     forceRefresh?: boolean;
-}): Promise<{
+}
+export interface FederationLoginUrl {
     ok: true;
     loginUrl: string;
     shortUrl: string;
     region: string;
-}>;
+}
+export declare function buildFederationLoginUrl(input: BuildFederationLoginUrlInput): Promise<FederationLoginUrl>;

package/dist/federation/login.js CHANGED Viewed

@@ -1,82 +1,76 @@
 import { sha256Hex } from "../crypto/sha256";
 import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
+// ── Constants ──────────────────────────────────────────────────────────────
+/** AWS SigninToken TTL is ~15 minutes regardless of credential lifetime. */
+const SIGNIN_TOKEN_TTL_SEC = 15 * 60;
+// ── Main export ────────────────────────────────────────────────────────────
 export async function buildFederationLoginUrl(input) {
-    const session = {
-        sessionId: input.accessKeyId,
-        sessionKey: input.secretAccessKey,
-        sessionToken: input.sessionToken
-    };
-    const expiresAtMs = Date.parse(input.expiration);
+    const { accessKeyId, secretAccessKey, sessionToken, region, expiration, forceRefresh } = input;
+    const expiresAtMs = Date.parse(expiration);
     if (!Number.isFinite(expiresAtMs) || expiresAtMs <= Date.now()) {
         throw new Error("[federation] invalid or expired credentials");
     }
-    const tokenHash = await sha256Hex(input.sessionToken);
-    // Use region and tokenHash for cache key
-    const cacheKey = `aws-signin:${input.region}:${tokenHash}`;
-    const sessionJson = JSON.stringify(session);
-    const encoded = encodeURIComponent(sessionJson);
-    const SigninToken = await getCachedOrFetch(cacheKey, async () => {
-        const tokenResp = await fetch(`https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${encoded}`);
-        if (!tokenResp.ok) {
-            // best-effort: do not cache failures
-            throw new Error("[signin] failed to fetch SigninToken");
-        }
-        const json = await tokenResp.json();
-        const token = json?.SigninToken;
-        if (!token) {
-            // do not cache invalid response
-            throw new Error("[signin] empty SigninToken");
-        }
-        // SigninToken TTL ~15 minutes (AWS behavior)
-        const SIGNIN_TOKEN_TTL_SEC = 15 * 60;
-        // derive effective TTL = min(tokenTTL, credentialTTL)
-        const credRemainingSec = Math.floor((Date.parse(input.expiration) - Date.now()) / 1000);
-        const effectiveTtlSec = Math.min(SIGNIN_TOKEN_TTL_SEC, credRemainingSec);
-        // if credential too close to expiry → skip caching
-        if (effectiveTtlSec <= 0) {
-            return token;
-        }
-        const expiryIso = new Date(Date.now() + effectiveTtlSec * 1000).toISOString();
-        // restore primitive storage (cache layer now handles primitive safely)
-        return wrapResult(token, expiryIso);
-    }, { ttlSec: 60, ...(input.forceRefresh !== undefined ? { forceRefresh: input.forceRefresh } : {}) } // allow caller-controlled retry
-    );
-    if (!SigninToken) {
+    // Hash token for cache key — avoids exposing raw token in logs/storage.
+    const tokenHash = await sha256Hex(sessionToken);
+    const cacheKey = `aws-signin:${region}:${accessKeyId}:${tokenHash}`;
+    const signinToken = await getCachedOrFetch(cacheKey, () => fetchSigninToken({ accessKeyId, secretAccessKey, sessionToken, expiration }), { ttlSec: 60, forceRefresh });
+    if (!signinToken)
         throw new Error("[federation] unable to obtain SigninToken");
+    const loginUrl = buildLoginUrl(signinToken, region, input.intent ?? "console");
+    return {
+        ok: true,
+        loginUrl,
+        shortUrl: loginUrl.slice(0, 40) + "..." + loginUrl.slice(-60),
+        region,
+    };
+}
+async function fetchSigninToken(input) {
+    const { accessKeyId, secretAccessKey, sessionToken, expiration } = input;
+    const session = JSON.stringify({
+        sessionId: accessKeyId,
+        sessionKey: secretAccessKey,
+        sessionToken,
+    });
+    let res;
+    try {
+        res = await fetch(`https://signin.aws.amazon.com/federation?Action=getSigninToken&Session=${encodeURIComponent(session)}`);
+    }
+    catch {
+        throw new Error("[signin] unreachable");
     }
-    const rawToken = SigninToken;
-    const baseLogin = `https://signin.aws.amazon.com/federation?Action=login` +
+    if (!res.ok)
+        throw new Error("[signin] failed to fetch SigninToken");
+    const json = await res.json();
+    const token = json?.SigninToken;
+    if (!token)
+        throw new Error("[signin] empty SigninToken");
+    // Cache for min(SIGNIN_TOKEN_TTL, remaining credential lifetime).
+    const now = Date.now();
+    const credRemainingSec = Math.floor((Date.parse(expiration) - now) / 1000);
+    const cacheTtlSec = Math.min(SIGNIN_TOKEN_TTL_SEC, credRemainingSec);
+    if (cacheTtlSec <= 0)
+        return token; // credential too close to expiry — skip cache
+    const cacheExpiry = new Date(now + cacheTtlSec * 1000).toISOString();
+    return wrapResult(token, cacheExpiry);
+}
+// ── URL builder ────────────────────────────────────────────────────────────
+function buildLoginUrl(signinToken, region, intent) {
+    const destination = getDestinationUrl(region, intent);
+    return (`https://signin.aws.amazon.com/federation` +
+        `?Action=login` +
         `&Issuer=viza` +
-        `&SigninToken=${rawToken}`;
-    const intent = input.intent ?? "console";
-    let destinationUrl;
+        `&SigninToken=${signinToken}` +
+        `&Destination=${encodeURIComponent(destination)}`);
+}
+function getDestinationUrl(region, intent) {
     switch (intent) {
         case "billing":
-            destinationUrl =
-                `https://us-east-1.console.aws.amazon.com/costmanagement/home?region=${input.region}#/home`;
-            break;
+            return `https://us-east-1.console.aws.amazon.com/costmanagement/home?region=${region}#/home`;
         case "dynamodb":
-            destinationUrl =
-                `https://${input.region}.console.aws.amazon.com/dynamodbv2/home?region=${input.region}#dashboard`;
-            break;
+            return `https://${region}.console.aws.amazon.com/dynamodbv2/home?region=${region}#dashboard`;
         case "ssm":
-            destinationUrl =
-                `https://${input.region}.console.aws.amazon.com/systems-manager/parameters/?region=${input.region}&tab=Table`;
-            break;
+            return `https://${region}.console.aws.amazon.com/systems-manager/parameters/?region=${region}&tab=Table`;
         case "console":
-        default:
-            destinationUrl =
-                `https://console.aws.amazon.com/?region=${input.region}`;
-            break;
+            return `https://console.aws.amazon.com/?region=${region}`;
     }
-    const encodedDestination = encodeURIComponent(destinationUrl);
-    const loginUrl = `${baseLogin}&Destination=${encodedDestination}`;
-    const shortUrl = loginUrl.slice(0, 40) + "..." +
-        loginUrl.slice(-60);
-    return {
-        ok: true,
-        loginUrl,
-        shortUrl,
-        region: input.region
-    };
 }

package/dist/sts/issue.js CHANGED Viewed

@@ -26,19 +26,12 @@ let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ---- single-flight hard refresh guard + cooldown ----
-let hardRefreshPromise = null;
-let lastHardRefreshAt = 0;
-const HARD_REFRESH_COOLDOWN_MS = 2000;
 export function resetIsolateCache() {
     signingKeyPromise = null;
     cachedSigningKey = null;
     cachedCertBase64 = null;
     cachedPrivateKeyBase64 = null;
 }
-// ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
-let cachedCertSerialDec = null;
-let cachedCertSerialSource = null;
 // ---------------------------------------------------------------------------
 // Signing material
 // ---------------------------------------------------------------------------
@@ -99,55 +92,46 @@ export async function issueAwsCredentials(input) {
     const certSerialDec = parseCertSerialDec(normalizedCert);
     const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
     return getCachedOrFetch(cacheKey, async () => {
-        async function buildSignedHeaders() {
-            const { signingKey } = await getSigningMaterial({
-                certBase64: normalizedCert,
-                privateKeyPkcs8Base64,
-            });
-            const host = `${SERVICE}.${region}.amazonaws.com`;
-            const iso = new Date().toISOString();
-            const amzDate = isoToAmzDate(iso);
-            const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
-            const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
-            const payloadHash = await sha256Hex(body);
-            const baseHeaders = {
-                "content-type": "application/json",
-                "host": host,
-                "x-amz-date": amzDate,
-                "x-amz-x509": normalizedCert,
-            };
-            const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
-            const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
-            const canonicalRequest = buildCanonicalRequest({
-                method: "POST",
-                canonicalUri: PATH,
-                query: "",
-                canonicalHeaders,
-                signedHeaders,
-                payloadHash,
-            });
-            const canonicalRequestHash = await sha256Hex(canonicalRequest);
-            const stringToSign = buildStringToSign({
-                algorithm: ALGORITHM,
-                amzDate,
-                credentialScope,
-                canonicalRequestHash,
-            });
-            const signatureHex = await signStringToSign(stringToSign, signingKey);
-            const headers = new Headers({
-                "Content-Type": "application/json",
-                "X-Amz-Date": amzDate,
-                "X-Amz-X509": normalizedCert,
-                "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
-            });
-            return {
-                headers,
-                body,
-                host,
-            };
-        }
-        const { headers: finalHeaders, body, host } = await buildSignedHeaders();
-        const issuedAt = Date.now();
+        const { signingKey } = await getSigningMaterial({
+            certBase64: normalizedCert,
+            privateKeyPkcs8Base64,
+        });
+        const host = `${SERVICE}.${region}.amazonaws.com`;
+        const iso = new Date().toISOString();
+        const amzDate = isoToAmzDate(iso);
+        const dateStamp = iso.slice(0, 4) + iso.slice(5, 7) + iso.slice(8, 10);
+        const body = JSON.stringify({ trustAnchorArn, profileArn, roleArn, durationSeconds: sessionTtl });
+        const payloadHash = await sha256Hex(body);
+        const baseHeaders = {
+            "content-type": "application/json",
+            "host": host,
+            "x-amz-date": amzDate,
+            "x-amz-x509": normalizedCert,
+        };
+        const { canonicalHeaders, signedHeaders } = canonicalizeHeaders(baseHeaders);
+        const credentialScope = `${dateStamp}/${region}/${SERVICE}/aws4_request`;
+        const canonicalRequest = buildCanonicalRequest({
+            method: "POST",
+            canonicalUri: PATH,
+            query: "",
+            canonicalHeaders,
+            signedHeaders,
+            payloadHash,
+        });
+        const canonicalRequestHash = await sha256Hex(canonicalRequest);
+        const stringToSign = buildStringToSign({
+            algorithm: ALGORITHM,
+            amzDate,
+            credentialScope,
+            canonicalRequestHash,
+        });
+        const signatureHex = await signStringToSign(stringToSign, signingKey);
+        const finalHeaders = new Headers({
+            "Content-Type": "application/json",
+            "X-Amz-Date": amzDate,
+            "X-Amz-X509": normalizedCert,
+            "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
+        });
         let res;
         try {
             res = await fetch(`https://${host}${PATH}`, {
@@ -162,53 +146,12 @@ export async function issueAwsCredentials(input) {
         }
         if (!res.ok) {
             const status = res.status;
-            // Safe internal hard reset trigger:
-            // Only reset isolate cache on explicit forceRefresh AND first failure
-            if (forceRefresh && status === 403) {
-                const now = Date.now();
-                // Cooldown guard to avoid rapid consecutive hard resets
-                if (now - lastHardRefreshAt < HARD_REFRESH_COOLDOWN_MS) {
-                    console.warn("[aws-rejected][cooldown-skip-hard-reset]", { status, region });
-                    throw new InternalError("aws_rejected");
-                }
-                // Single-flight: only one request performs hard refresh
-                if (!hardRefreshPromise) {
-                    hardRefreshPromise = (async () => {
-                        console.warn("[aws-rejected][hard-reset-trigger]", { status, region });
-                        lastHardRefreshAt = Date.now();
-                        resetIsolateCache();
-                        const { headers: retryHeaders, body: retryBody, host: retryHost } = await buildSignedHeaders();
-                        const retryRes = await fetch(`https://${retryHost}${PATH}`, {
-                            method: "POST",
-                            headers: retryHeaders,
-                            body: retryBody,
-                        });
-                        if (!retryRes.ok) {
-                            console.warn("[aws-rejected][after-hard-reset]", { status: retryRes.status, region });
-                            throw new InternalError("aws_rejected");
-                        }
-                        const retryJson = await retryRes.json();
-                        const retryCreds = retryJson?.credentialSet?.[0]?.credentials;
-                        if (!retryCreds?.accessKeyId || !retryCreds?.secretAccessKey || !retryCreds?.sessionToken) {
-                            throw new InternalError("aws_malformed_credentials");
-                        }
-                        return {
-                            accessKeyId: retryCreds.accessKeyId,
-                            secretAccessKey: retryCreds.secretAccessKey,
-                            sessionToken: retryCreds.sessionToken,
-                            expiration: retryCreds.expiration,
-                        };
-                    })().finally(() => {
-                        hardRefreshPromise = null;
-                    });
-                }
-                return await hardRefreshPromise;
-            }
             console.warn("[aws-rejected]", { status, region, profile });
             throw new InternalError("aws_rejected");
         }
         const json = await res.json();
         const creds = json?.credentialSet?.[0]?.credentials;
+        const receivedAt = Date.now();
         if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
             console.warn("[issueAwsCredentials] malformed AWS credential response");
             throw new InternalError("aws_malformed_credentials");
@@ -221,16 +164,16 @@ export async function issueAwsCredentials(input) {
         };
         // derive TTL = 1/3 lifetime
         const expiresAtMs = Date.parse(creds.expiration);
-        const credLifetimeSec = Math.floor((expiresAtMs - issuedAt) / 1000);
+        const credLifetimeSec = Math.floor((expiresAtMs - receivedAt) / 1000);
         if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
             const edgeCacheTtlSec = Math.floor(credLifetimeSec / 3);
-            const edgeCacheExpiry = new Date(issuedAt + edgeCacheTtlSec * 1000).toISOString();
+            const edgeCacheExpiry = new Date(receivedAt + edgeCacheTtlSec * 1000).toISOString();
             return wrapResult(value, edgeCacheExpiry);
         }
         return value;
     }, {
         ttlSec: 60,
-        forceRefresh: !!forceRefresh
+        forceRefresh
     });
 }
 // ---------------------------------------------------------------------------

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.32",
+  "version": "0.4.34",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",