@vizamodo/aws-sts-core 0.4.7 → 0.4.9

package/dist/sts/issue.d.ts

@@ -1,5 +1,5 @@
 import type { AwsCredentialResult } from "../types";
-export interface IssueAwsCredentialsInput {
+export declare function issueAwsCredentials(input: {
     roleArn: string;
     profileArn: string;
     trustAnchorArn: string;
@@ -8,13 +8,4 @@ export interface IssueAwsCredentialsInput {
     privateKeyPkcs8Base64: string;
     profile: string;
     forceRefresh?: boolean;
-}
-/**
- * Reset isolate-level signing material and cert serial caches.
- * ONLY for use in tests — forces re-import of signing key on next call.
- *
- * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
- * there is no need to expose a cache-clear API from the core library.
- */
-export declare function resetIsolateCache(): void;
-export declare function issueAwsCredentials(input: IssueAwsCredentialsInput): Promise<AwsCredentialResult>;
+}): Promise<AwsCredentialResult>;

package/dist/sts/issue.js

@@ -1,18 +1,14 @@
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
 import { canonicalizeHeaders } from "../sigv4/headers";
 import { buildCanonicalRequest } from "../sigv4/canonical";
 import { buildStringToSign } from "../sigv4/string-to-sign";
 import { signStringToSign } from "./signer";
 import { InternalError } from "./errors";
 import { sha256Hex } from "../crypto/sha256";
-import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
-// ── Constants ──────────────────────────────────────────────────────────────
+// ---- constants ----
 const ALGORITHM = "AWS4-X509-ECDSA-SHA256";
 const SERVICE = "rolesanywhere";
 const PATH = "/sessions";
-/**
- * Per-profile AWS session duration (seconds).
- * Clamped to [MIN_SESSION_TTL, MAX_SESSION_TTL] at resolution time.
- */
 const PROFILE_TTL = {
     Runtime: 45 * 60,
     ConsoleReadOnly: 12 * 60 * 60,
@@ -21,89 +17,83 @@ const PROFILE_TTL = {
     BillingAdmin: 3 * 60 * 60,
     BillingAccountant: 3 * 60 * 60,
 };
-const DEFAULT_SESSION_TTL = 2 * 60 * 60;
-const MIN_SESSION_TTL = 45 * 60; // 45 min
-const MAX_SESSION_TTL = 12 * 60 * 60; // 12 h
-// ── Isolate-level signing-material cache ───────────────────────────────────
-// Single Promise slot prevents concurrent cold-start import races.
+const DEFAULT_TTL = 2 * 60 * 60;
+const MIN_PROFILE_TTL = 45 * 60; // 45 min — lower guard
+const MAX_PROFILE_TTL = 12 * 60 * 60; // 12 h  — upper guard
+// ---- isolate-level signing material cache ----
+// Single Promise-based slot avoids concurrent cold-start races.
 let signingKeyPromise = null;
 let cachedSigningKey = null;
 let cachedCertBase64 = null;
 let cachedPrivateKeyBase64 = null;
-// ── Isolate-level cert-serial cache ───────────────────────────────────────
-// DER walk is CPU-bound; the cert rarely rotates within an isolate lifetime.
+// ---- certificate serial cache (DER walk is CPU-bound, cert rarely rotates) ----
 let cachedCertSerialDec = null;
 let cachedCertSerialSource = null;
-// ── Test utilities ─────────────────────────────────────────────────────────
-/**
- * Reset isolate-level signing material and cert serial caches.
- * ONLY for use in tests — forces re-import of signing key on next call.
- *
- * L1 cache is bypassed in tests via `forceRefresh: true` on each call —
- * there is no need to expose a cache-clear API from the core library.
- */
-export function resetIsolateCache() {
-    signingKeyPromise = null;
-    cachedSigningKey = null;
-    cachedCertBase64 = null;
-    cachedPrivateKeyBase64 = null;
-    cachedCertSerialDec = null;
-    cachedCertSerialSource = null;
-}
-// ── Signing material ───────────────────────────────────────────────────────
-async function getSigningMaterial(certBase64, privateKeyPkcs8Base64) {
-    // Fast path: same material already imported in this isolate.
+// ---------------------------------------------------------------------------
+// Signing material
+// ---------------------------------------------------------------------------
+async function getSigningMaterial(input) {
+    // Fast path: same material already imported.
     if (cachedSigningKey &&
-        cachedCertBase64 === certBase64 &&
-        cachedPrivateKeyBase64 === privateKeyPkcs8Base64) {
-        return cachedSigningKey;
+        cachedCertBase64 === input.certBase64 &&
+        cachedPrivateKeyBase64 === input.privateKeyPkcs8Base64) {
+        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+    }
+    // Material rotated — discard the stale resolved key so we re-import.
+    if (cachedSigningKey) {
+        signingKeyPromise = null;
+        cachedSigningKey = null;
+    }
+    if (!signingKeyPromise) {
+        try {
+            const keyBuffer = base64ToBytes(input.privateKeyPkcs8Base64);
+            signingKeyPromise = crypto.subtle.importKey("pkcs8", keyBuffer, { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"]);
+        }
+        catch {
+            throw new InternalError("invalid_signing_material");
+        }
     }
-    // Material changed or first call — reset and re-import.
-    // Cache vars are updated inside .then() so concurrent callers
-    // awaiting the same promise all see consistent state after resolve.
-    signingKeyPromise = null;
-    cachedSigningKey = null;
-    cachedCertBase64 = null;
-    cachedPrivateKeyBase64 = null;
-    signingKeyPromise = crypto.subtle
-        .importKey("pkcs8", base64ToBytes(privateKeyPkcs8Base64), { name: "ECDSA", namedCurve: "P-256" }, false, ["sign"])
-        .then((key) => {
-        // Update cache atomically after successful import.
-        // All concurrent callers awaiting this promise will see
-        // consistent state and hit the fast path on next call.
-        cachedSigningKey = key;
-        cachedCertBase64 = certBase64;
-        cachedPrivateKeyBase64 = privateKeyPkcs8Base64;
-        return key;
-    })
-        .catch(() => {
+    try {
+        cachedSigningKey = await signingKeyPromise;
+        cachedCertBase64 = input.certBase64;
+        cachedPrivateKeyBase64 = input.privateKeyPkcs8Base64;
+        return { signingKey: cachedSigningKey, certBase64: cachedCertBase64 };
+    }
+    catch {
         signingKeyPromise = null; // allow retry on next call
         throw new InternalError("invalid_signing_material");
-    });
-    return signingKeyPromise;
+    }
 }
-// ── Session TTL ────────────────────────────────────────────────────────────
-function resolveSessionTtl(profile) {
-    const ttl = PROFILE_TTL[profile] ?? DEFAULT_SESSION_TTL;
-    return Math.min(Math.max(ttl, MIN_SESSION_TTL), MAX_SESSION_TTL);
+// ---------------------------------------------------------------------------
+// Profile TTL resolution
+// ---------------------------------------------------------------------------
+function resolveSessionTtlByProfile(profile) {
+    const ttl = PROFILE_TTL[profile] ?? DEFAULT_TTL;
+    return Math.min(Math.max(ttl, MIN_PROFILE_TTL), MAX_PROFILE_TTL);
 }
-// ── Main export ────────────────────────────────────────────────────────────
+// ---------------------------------------------------------------------------
+// Main export
+// ---------------------------------------------------------------------------
 export async function issueAwsCredentials(input) {
     const { roleArn, profileArn, trustAnchorArn, region, certBase64, privateKeyPkcs8Base64, profile, forceRefresh, } = input;
-    const sessionTtl = resolveSessionTtl(profile);
+    const sessionTtl = resolveSessionTtlByProfile(profile);
     const normalizedCert = normalizeCert(certBase64);
-    // Cert serial — use isolate cache to avoid redundant DER walks.
-    const certSerialDec = getCertSerialDec(normalizedCert);
+    // ---- DER serial extraction (with isolate-level cache) ----
+    let certSerialDec;
+    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
+        certSerialDec = cachedCertSerialDec;
+    }
+    else {
+        certSerialDec = parseCertSerialDec(normalizedCert); // throws InternalError on bad DER
+        cachedCertSerialDec = certSerialDec;
+        cachedCertSerialSource = normalizedCert;
+    }
     const cacheKey = `${region}|${roleArn}|${profileArn}|${trustAnchorArn}|${certSerialDec}`;
-    return getCachedOrFetch(cacheKey, () => fetchCredentials({
-        roleArn, profileArn, trustAnchorArn,
-        region, normalizedCert, privateKeyPkcs8Base64,
-        sessionTtl,
-    }), { ttlSec: 60, forceRefresh });
-}
-async function fetchCredentials(input) {
-    const { roleArn, profileArn, trustAnchorArn, region, normalizedCert, privateKeyPkcs8Base64, sessionTtl, } = input;
-    const signingKey = await getSigningMaterial(normalizedCert, privateKeyPkcs8Base64);
+    // ---- Build SigV4 request ----
+    const { signingKey } = await getSigningMaterial({
+        certBase64: normalizedCert,
+        privateKeyPkcs8Base64,
+    });
     const host = `${SERVICE}.${region}.amazonaws.com`;
     const iso = new Date().toISOString();
     const amzDate = isoToAmzDate(iso);
@@ -134,105 +124,59 @@ async function fetchCredentials(input) {
         canonicalRequestHash,
     });
     const signatureHex = await signStringToSign(stringToSign, signingKey);
-    const certSerialDec = getCertSerialDec(normalizedCert);
-    // 🔍 Deep debug helper (compare with working version)
-    function debugAwsSigning() {
-        try {
-            console.debug("[aws-debug][input]", {
-                roleArn,
-                profileArn,
-                trustAnchorArn,
-                region,
-                sessionTtl,
-            });
-            console.debug("[aws-debug][cert]", {
-                length: normalizedCert.length,
-                preview: normalizedCert.slice(0, 30),
-            });
-            console.debug("[aws-debug][serial]", {
-                serialDec: certSerialDec,
-                serialHex: BigInt(certSerialDec).toString(16),
-            });
-            console.debug("[aws-debug][headers]", baseHeaders);
-            console.debug("[aws-debug][signedHeaders]", signedHeaders);
-            console.debug("[aws-debug][canonicalRequest]", canonicalRequest);
-            console.debug("[aws-debug][stringToSign]", stringToSign);
-            console.debug("[aws-debug][signatureHex]", signatureHex);
-        }
-        catch (e) {
-            console.warn("[aws-debug][error]", e);
-        }
-    }
-    debugAwsSigning();
     const finalHeaders = new Headers({
         "Content-Type": "application/json",
         "X-Amz-Date": amzDate,
         "X-Amz-X509": normalizedCert,
         "Authorization": `${ALGORITHM} Credential=${certSerialDec}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signatureHex}`,
     });
-    let res;
-    try {
-        res = await fetch(`https://${host}${PATH}`, {
+    const issuedAt = Date.now(); // snapshot before the network round-trip
+    return getCachedOrFetch(cacheKey, async () => {
+        const res = await fetch(`https://${host}${PATH}`, {
             method: "POST",
             headers: finalHeaders,
             body,
         });
-    }
-    catch (err) {
-        console.warn("[aws-unreachable]", { region, err });
-        throw new InternalError("aws_unreachable");
-    }
-    if (!res.ok) {
-        const text = await res.text().catch(() => "<no-body>");
-        console.error("[aws-rejected]", {
-            status: res.status,
-            body: text,
-            region,
-        });
-        throw new InternalError("aws_rejected");
-    }
-    const json = await res.json();
-    const creds = json?.credentialSet?.[0]?.credentials;
-    if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
-        console.warn("[issueAwsCredentials] malformed AWS credential response");
-        throw new InternalError("aws_malformed_credentials");
-    }
-    const value = {
-        accessKeyId: creds.accessKeyId,
-        secretAccessKey: creds.secretAccessKey,
-        sessionToken: creds.sessionToken,
-        expiration: creds.expiration,
-    };
-    // Cache for 1/3 of the credential lifetime so it's refreshed well before expiry.
-    // deriveEdgeTtlSec in cache.ts will further subtract EDGE_BUFFER_SEC (5 min).
-    const expiresAtMs = Date.parse(creds.expiration);
-    const receivedAt = Date.now();
-    const credLifetimeSec = Math.floor((expiresAtMs - receivedAt) / 1000);
-    if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
-        const cacheTtlSec = Math.floor(credLifetimeSec / 3);
-        const cacheExpiry = new Date(receivedAt + cacheTtlSec * 1000).toISOString();
-        return wrapResult(value, cacheExpiry);
-    }
-    return value;
+        if (!res.ok) {
+            console.warn("[aws-rejected]", { status: res.status, region, profile });
+            throw new InternalError("aws_rejected");
+        }
+        const json = await res.json();
+        const creds = json?.credentialSet?.[0]?.credentials;
+        if (!creds?.accessKeyId || !creds?.secretAccessKey || !creds?.sessionToken) {
+            console.warn("[issueAwsCredentials] malformed AWS credential response");
+            throw new InternalError("aws_malformed_credentials");
+        }
+        const value = {
+            accessKeyId: creds.accessKeyId,
+            secretAccessKey: creds.secretAccessKey,
+            sessionToken: creds.sessionToken,
+            expiration: creds.expiration,
+        };
+        // derive TTL = 1/3 lifetime
+        const expiresAtMs = Date.parse(creds.expiration);
+        const credLifetimeSec = Math.floor((expiresAtMs - issuedAt) / 1000);
+        if (Number.isFinite(expiresAtMs) && credLifetimeSec > 0) {
+            const edgeCacheTtlSec = Math.floor(credLifetimeSec / 3);
+            const edgeCacheExpiry = new Date(issuedAt + edgeCacheTtlSec * 1000).toISOString();
+            return wrapResult(value, edgeCacheExpiry);
+        }
+        return value;
+    }, {
+        ttlSec: 60,
+        ...(forceRefresh !== undefined ? { forceRefresh } : {})
+    });
 }
-// ── Helpers ────────────────────────────────────────────────────────────────
-/** Strip whitespace; reject PEM-wrapped input. */
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Strip whitespace and reject PEM-wrapped input. */
 function normalizeCert(raw) {
     if (raw.includes("BEGIN CERTIFICATE")) {
         throw new InternalError("pem_not_allowed");
     }
     return raw.replace(/\s+/g, "");
 }
-/** Return cert serial as decimal string, using isolate-level cache. */
-function getCertSerialDec(normalizedCert) {
-    if (cachedCertSerialDec && cachedCertSerialSource === normalizedCert) {
-        return cachedCertSerialDec;
-    }
-    const serial = parseCertSerialDec(normalizedCert);
-    cachedCertSerialDec = serial;
-    cachedCertSerialSource = normalizedCert;
-    return serial;
-}
 /**
  * Minimal DER walk to extract the certificate serial number as a decimal string.
  * Throws InternalError("invalid_cert_der") on any parse failure.
@@ -255,30 +199,29 @@ function parseCertSerialDec(normalizedCertBase64) {
                 len = (len << 8) | der[offset++];
             return len;
         }
-        // Certificate ::= SEQUENCE
         if (der[offset++] !== 0x30)
             throw new Error("bad cert");
         readLen();
-        // tbsCertificate ::= SEQUENCE
         if (der[offset++] !== 0x30)
             throw new Error("bad tbs");
         readLen();
-        // Optional version [0] EXPLICIT
+        // Skip optional [0] EXPLICIT version field.
         if (der[offset] === 0xa0) {
-            offset++; // tag
-            offset += readLen(); // skip content
+            offset++;
+            const vLen = readLen();
+            offset += vLen;
         }
-        // 👉 SERIAL MUST be the next INTEGER after optional version
         if (der[offset++] !== 0x02)
             throw new Error("bad serial tag");
-        const len = readLen();
-        if (offset + len > der.length)
+        const serialLen = readLen();
+        if (offset + serialLen > der.length)
             throw new Error("DER overflow");
-        let serial = der.slice(offset, offset + len);
-        // Strip leading 0x00 only if it's padding for signed INTEGER
+        let serial = der.slice(offset, offset + serialLen);
+        // Strip ASN.1 sign-extension padding byte.
         if (serial.length > 1 && serial[0] === 0x00) {
             serial = serial.slice(1);
         }
+        // Accumulate directly to BigInt — avoids intermediate hex string allocation.
         let serialBig = 0n;
         for (let i = 0; i < serial.length; i++) {
             serialBig = (serialBig << 8n) | BigInt(serial[i]);
@@ -291,7 +234,7 @@ function parseCertSerialDec(normalizedCertBase64) {
     }
 }
 /**
- * Convert ISO-8601 to compact AMZ date-time format.
+ * Convert an ISO-8601 timestamp to the compact AMZ date-time format.
  * e.g. "2026-03-07T12:00:00.000Z" → "20260307T120000Z"
  */
 function isoToAmzDate(iso) {
@@ -304,7 +247,7 @@ function isoToAmzDate(iso) {
         iso.slice(17, 19) +
         "Z");
 }
-/** base64 → Uint8Array via V8's vectorized atob path. */
+/** Faster base64 → Uint8Array using V8's vectorized atob path. */
 function base64ToBytes(base64) {
     const binary = atob(base64);
     const bytes = new Uint8Array(binary.length);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vizamodo/aws-sts-core",
-  "version": "0.4.7",
+  "version": "0.4.9",
   "description": "Pure AWS STS + SigV4 (X509 Roles Anywhere) core logic",
   "type": "module",
   "main": "dist/index.js",