crypta-client 0.1.1

package/.prettierrc

@@ -0,0 +1,6 @@
+{
+	"singleQuote": true,
+	"trailingComma": "none",
+	"semi": false,
+	"tabWidth": 2
+}

package/.sequelizerc

@@ -0,0 +1,8 @@
+const path = require('path')
+
+module.exports = {
+  config: path.resolve('config', 'config.js'),
+  'models-path': path.resolve('db', 'models'),
+  'seeders-path': path.resolve('db', 'seeders'),
+  'migrations-path': path.resolve('db', 'migrations')
+}

package/README.md

@@ -0,0 +1,226 @@
+# crypta-client
+
+[![npm version](https://img.shields.io/npm/v/crypta-client.svg)](https://www.npmjs.com/package/crypta-client)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+A Node.js client library for interacting with the Crypta Secret Manager. Securely manage and access secrets using service account authentication with JWT.
+
+## Features
+
+- 🔐 **Secure Authentication** - Service account-based authentication using JWT
+- 🔄 **Automatic Token Management** - Built-in token caching and refresh
+- 🚀 **Simple API** - Easy-to-use interface for secret retrieval
+- ⚡ **Lightweight** - Minimal dependencies
+- 🛡️ **Error Handling** - Comprehensive error handling and custom error types
+
+## Installation
+
+```bash
+npm install crypta-client
+```
+
+## Quick Start
+
+```javascript
+const { CryptaClient } = require('crypta-client')
+
+// Initialize the client
+const client = new CryptaClient({
+  baseUrl: 'https://your-crypta-instance.com',
+  clientId: 'your-service-account-client-id',
+  privateKeyPem: `-----BEGIN PRIVATE KEY-----
+your-private-key-here
+-----END PRIVATE KEY-----`
+})
+
+// Get a secret
+async function getMySecret() {
+  try {
+    const secret = await client.getSecret('my-secret-name')
+    console.log('Secret value:', secret.payload)
+  } catch (error) {
+    console.error('Error:', error.message)
+  }
+}
+
+getMySecret()
+```
+
+## API Reference
+
+### `new CryptaClient(options)`
+
+Creates a new Crypta client instance.
+
+#### Parameters
+
+- `options` (Object)
+  - `baseUrl` (string, required) - The base URL of your Crypta instance
+  - `clientId` (string, required) - Your service account client ID
+  - `privateKeyPem` (string, required) - Your service account private key in PEM format
+
+#### Example
+
+```javascript
+const client = new CryptaClient({
+  baseUrl: 'https://crypta.example.com',
+  clientId: 'sa-12345',
+  privateKeyPem: process.env.CRYPTA_PRIVATE_KEY
+})
+```
+
+### `client.getSecret(name)`
+
+Retrieves the latest version of a secret.
+
+#### Parameters
+
+- `name` (string, required) - The name/path of the secret to retrieve
+
+#### Returns
+
+Returns a Promise that resolves to an object containing:
+
+- `payload` (string) - The secret value
+- Additional metadata about the secret
+
+#### Example
+
+```javascript
+const secret = await client.getSecret('database/password')
+console.log(secret.payload) // The actual secret value
+```
+
+#### Error Handling
+
+```javascript
+try {
+  const secret = await client.getSecret('my-secret')
+  console.log(secret.payload)
+} catch (error) {
+  if (error.statusCode === 404) {
+    console.error('Secret not found')
+  } else if (error.statusCode === 401) {
+    console.error('Authentication failed')
+  } else {
+    console.error('Error:', error.message)
+  }
+}
+```
+
+## Environment Variables
+
+It's recommended to store sensitive information in environment variables:
+
+```javascript
+require('dotenv').config() // If using dotenv
+
+const client = new CryptaClient({
+  baseUrl: process.env.CRYPTA_BASE_URL,
+  clientId: process.env.CRYPTA_CLIENT_ID,
+  privateKeyPem: process.env.CRYPTA_PRIVATE_KEY
+})
+```
+
+Example `.env` file:
+
+```env
+CRYPTA_BASE_URL=https://crypta.example.com
+CRYPTA_CLIENT_ID=sa-12345
+CRYPTA_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----"
+```
+
+## Advanced Usage
+
+### Token Management
+
+The client automatically manages authentication tokens, including caching and refresh. You don't need to handle tokens manually.
+
+### Custom Error Handling
+
+The library provides custom error types for better error handling:
+
+```javascript
+const { CryptaClient } = require('crypta-client')
+
+try {
+  const secret = await client.getSecret('my-secret')
+} catch (error) {
+  console.error('Status Code:', error.statusCode)
+  console.error('Message:', error.message)
+}
+```
+
+### Multiple Secrets
+
+```javascript
+async function getMultipleSecrets() {
+  const secretNames = ['db-password', 'api-key', 'encryption-key']
+
+  try {
+    const secrets = await Promise.all(
+      secretNames.map((name) => client.getSecret(name))
+    )
+
+    return secrets.reduce((acc, secret, index) => {
+      acc[secretNames[index]] = secret.payload
+      return acc
+    }, {})
+  } catch (error) {
+    console.error('Failed to fetch secrets:', error.message)
+    throw error
+  }
+}
+```
+
+## Requirements
+
+- Node.js >= 14.x
+- A Crypta Secret Manager instance
+- A service account with appropriate permissions
+
+## Dependencies
+
+- `axios` - HTTP client
+- `jsonwebtoken` - JWT token generation
+
+## Error Codes
+
+| Status Code | Description                                 |
+| ----------- | ------------------------------------------- |
+| 401         | Authentication failed - Invalid credentials |
+| 403         | Forbidden - Insufficient permissions        |
+| 404         | Secret not found                            |
+| 500         | Internal server error                       |
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+
+## Support
+
+For issues and questions:
+
+- Open an issue on [GitHub](https://github.com/rayhanzz772/crypta-client/issues)
+- Contact: [Your contact information]
+
+## Changelog
+
+### v0.1.0
+
+- Initial release
+- Service account authentication
+- Secret retrieval functionality
+- Automatic token management
+
+## Author
+
+Rayhan
+
+---
+
+**Note**: Make sure to keep your private keys secure and never commit them to version control.

package/index.js

@@ -0,0 +1,2 @@
+const CryptaClient = require('./src/client')
+module.exports = { CryptaClient }

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "crypta-client",
+  "version": "0.1.1",
+  "description": "Crypta Secret Manager client library for Node.js",
+  "main": "index.js",
+  "type": "commonjs",
+  "license": "MIT",
+  "author": "Rayhan",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/yourusername/crypta-client"
+  },
+  "keywords": [
+    "secret-manager",
+    "vault",
+    "cryptography",
+    "security",
+    "jwt",
+    "service-account"
+  ],
+  "dependencies": {
+    "axios": "^1.7.0",
+    "jsonwebtoken": "^9.0.2"
+  }
+}

package/src/assertion.js

@@ -0,0 +1,19 @@
+const jwt = require('jsonwebtoken')
+
+function generateAssertion({ clientId, privateKeyPem, audience }) {
+  const now = Math.floor(Date.now() / 1000)
+
+  return jwt.sign(
+    {
+      iss: clientId,
+      sub: clientId,
+      aud: audience,
+      iat: now,
+      exp: now + 120 // 2 menit
+    },
+    privateKeyPem,
+    { algorithm: 'RS256' }
+  )
+}
+
+module.exports = { generateAssertion }

package/src/client.js

@@ -0,0 +1,46 @@
+const { createHttp } = require('./http')
+const { TokenManager } = require('./token')
+const { CryptaError } = require('./errors')
+
+class CryptaClient {
+  constructor({ baseUrl, clientId, privateKeyPem }) {
+    if (!baseUrl || !clientId || !privateKeyPem) {
+      throw new Error('baseUrl, clientId, dan privateKeyPem wajib diisi')
+    }
+
+    this.baseUrl = baseUrl.replace(/\/+$/, '')
+    this.clientId = clientId
+    this.privateKeyPem = privateKeyPem
+
+    this.http = createHttp(this.baseUrl)
+
+    this.tokenManager = new TokenManager({
+      http: this.http,
+      clientId: this.clientId,
+      privateKeyPem: this.privateKeyPem,
+      audience: `${this.baseUrl}/public-api/auth/token`
+    })
+  }
+
+  async getSecret(name) {
+    if (!name) throw new Error('secret name wajib diisi')
+
+    const token = await this.tokenManager.getToken()
+
+    try {
+      const res = await this.http.get(
+        `/v1/secrets/${name}/versions/latest:access`,
+        {
+          headers: { Authorization: `Bearer ${token}` }
+        }
+      )
+      return res.data.data
+    } catch (err) {
+      const status = err.response?.status
+      const message = err.response?.data?.message || 'Failed to get secret'
+      throw new CryptaError(message, status)
+    }
+  }
+}
+
+module.exports = CryptaClient

package/src/errors.js

@@ -0,0 +1,9 @@
+class CryptaError extends Error {
+  constructor(message, status) {
+    super(message)
+    this.name = 'CryptaError'
+    this.status = status
+  }
+}
+
+module.exports = { CryptaError }

package/src/http.js

@@ -0,0 +1,10 @@
+const axios = require('axios')
+
+function createHttp(baseUrl) {
+  return axios.create({
+    baseURL: baseUrl,
+    timeout: 10_000
+  })
+}
+
+module.exports = { createHttp }

package/src/token.js

@@ -0,0 +1,40 @@
+const { generateAssertion } = require('./assertion')
+
+class TokenManager {
+  constructor({ http, clientId, privateKeyPem, audience }) {
+    this.http = http
+    this.clientId = clientId
+    this.privateKeyPem = privateKeyPem
+    this.audience = audience
+
+    this.accessToken = null
+    this.expiresAt = 0
+  }
+
+  isExpired() {
+    return !this.accessToken || Date.now() >= this.expiresAt
+  }
+
+  async fetchToken() {
+    const assertion = generateAssertion({
+      clientId: this.clientId,
+      privateKeyPem: this.privateKeyPem,
+      audience: this.audience
+    })
+
+    const res = await this.http.post('/public-api/auth/token', { assertion })
+
+    this.accessToken = res.data.access_token
+    // 1 menit buffer
+    this.expiresAt = Date.now() + 9 * 60 * 1000
+  }
+
+  async getToken() {
+    if (this.isExpired()) {
+      await this.fetchToken()
+    }
+    return this.accessToken
+  }
+}
+
+module.exports = { TokenManager }