lambda-essentials-ts 4.1.4 → 5.1.0

package/CHANGELOG.md

@@ -4,6 +4,30 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 
+## [5.1.0] - 2022-09-05
+
+### Changed
+
+Dependencies aren't pinned to a fixed version to allow users of the library to independently upgrade minor (devDependencies) and patch (dependencies) versions. This will simplify fixing security alerts faster than in this library, for example by applying `npm audit fix`.
+
+## [5.0.0] - 2022-02-22
+
+### Changed
+
+- **[Breaking change]** `TokenProvider` was replaced by more specific `KmsTokenProvider` class.
+  The functionality and interface remains the same, the imports need to be changed.
+
+### Added
+
+- New `SecretsManagerTokenProvider` that relies on AWS Secrets Manager to retrieve client ID and client secret.
+  The advantage of using AWS Secrets Manager is that it can be supplied with a secret rotation function.
+
+## [4.1.5] - 2022-02-10
+
+### Changed
+
+`ClientException` now maps `HTTP 422` client responses to `HTTP 422` server responses (was `HTTP 503` before).
+
 ## [4.1.2] - 2021-12-02
 
 ### Changed

package/README.md

@@ -88,15 +88,55 @@ let axiosClient = axios.create({ timeout: 3000 });
 new HttpClient({ client: axiosClient });
 ```
 
-### TokenProvider
+### SecretsManagerTokenProvider
+
+It uses AWS Secrets Manager to retrieve the client ID and secret and then calls the specified token endpoint the retrieve JWT.
+
+CloudFormation to create a secret. Also allow the lambda function to access the secret by attaching `AWSSecretsManagerGetSecretValuePolicy` IAM Policy.
+
+```yaml
+Auth0Secret:
+  Type: AWS::SecretsManager::Secret
+  Properties:
+    Description: 'Auth0 Client ID/Secret'
+    GenerateSecretString:
+      SecretStringTemplate: '{"Auth0ClientID": "client_id", "Auth0ClientSecret": "client_secret"}'
+      GenerateStringKey: 'Auth0ClientSecret'
+```
+
+```typescript
+import {
+  SecretsManagerTokenProvider,
+  SecretsManagerTokenConfiguration,
+} from 'lambda-essentials-ts';
+
+const configuration: SecretsManagerTokenConfiguration = {
+  clientSecretId: 'arn:aws:secretsmanager:eu-west-1:<aws_account_id>:secret:<secret_id>',
+  audience: 'https://example.com/',
+  tokenEndpoint: 'https://example.com/oauth/token',
+};
+
+const secretsManagerClient = new aws.SecretsManager({ region: 'eu-west-1' });
+const tokenProvider = new SecretsManagerTokenProvider({
+  secretsManagerClient: secretsManagerClient,
+  tokenConfiguration: configuration,
+});
+
+// recommended way to retrieve token (utilizes caching and takes care of token expiration)
+const accessToken = await tokenProvider.getToken();
+
+// or bypass caching and get a new fresh token
+const freshAccessToken = await tokenProvider.getTokenWithoutCache();
+```
+
+### KmsTokenProvider
 
 It uses AWS KMS to decrypt the client secret and then calls the specified token endpoint the retrieve JWT.
 
 ```typescript
-import axios from 'axios';
-import { TokenProvider, TokenConfiguration } from 'lambda-essentials-ts';
+import { KmsTokenProvider, KmsTokenConfiguration } from 'lambda-essentials-ts';
 
-const configuration: TokenConfiguration = {
+const configuration: KmsTokenConfiguration = {
   clientId: 'CLIENT_ID',
   encryptedClientSecret: 'BASE64_KMS_ENCRYPTED_CLIENT_SECRET',
   audience: 'https://example.com/',
@@ -104,17 +144,16 @@ const configuration: TokenConfiguration = {
 };
 
 const kmsClient = new aws.KMS({ region: 'eu-west-1' });
-const tokenProvider = new TokenProvider({
-  httpClient: axios.create(),
+const tokenProvider = new KmsTokenProvider({
   kmsClient: kmsClient,
   tokenConfiguration: configuration,
 });
 
 // recommended way to retrieve token (utilizes caching and takes care of token expiration)
-let accessToken = await tokenProvider.getToken();
+const accessToken = await tokenProvider.getToken();
 
-// or bypass caching and get new token
-accessToken = await tokenProvider.getTokenWithoutCache();
+// or bypass caching and get a new fresh token
+const freshAccessToken = await tokenProvider.getTokenWithoutCache();
 ```
 
 ### Exceptions

package/lib/exceptions/clientException.js

@@ -22,4 +22,5 @@ ClientException.statusCodeMap = {
     401: 401,
     403: 403,
     404: 422,
+    422: 422,
 };

package/lib/exceptions/exception.js

@@ -6,7 +6,7 @@ class Exception extends Error {
     constructor(message, statusCode, details) {
         super(message);
         this.statusCode = statusCode;
-        this.details = details ? util_1.serializeObject(details) : details;
+        this.details = details ? (0, util_1.serializeObject)(details) : details;
     }
 }
 exports.Exception = Exception;

package/lib/httpClient/httpClient.js

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };
@@ -47,6 +51,7 @@ class HttpClient {
     /**
      * Create a new Instance of the HttpClient
      */
+    // eslint-disable-next-line complexity
     constructor(options) {
         var _a, _b, _c, _d, _e;
         // eslint-disable-next-line no-console
@@ -56,26 +61,27 @@ class HttpClient {
         this.correlationIdResolverFunction = options === null || options === void 0 ? void 0 : options.correlationIdResolver;
         this.enableCache = (_c = options === null || options === void 0 ? void 0 : options.enableCache) !== null && _c !== void 0 ? _c : false;
         this.enableRetry = (_d = options === null || options === void 0 ? void 0 : options.enableRetry) !== null && _d !== void 0 ? _d : false;
-        this.client = (_e = options === null || options === void 0 ? void 0 : options.client) !== null && _e !== void 0 ? _e : axios_1.default.create({
-            adapter: (() => {
-                let adapters = axios_1.default.defaults.adapter;
-                if (this.enableCache) {
-                    const cache = axios_cache_adapter_1.setupCache({
-                        maxAge: 5 * 60 * 1000,
-                        readHeaders: false,
-                        readOnError: true,
-                        exclude: {
-                            query: false,
-                        },
-                        ...options === null || options === void 0 ? void 0 : options.cacheOptions,
-                        key: (req) => HttpClient.generateCacheKey(req),
-                    });
-                    // debounce concurrent calls with the same cacheKey so that only one HTTP request is made
-                    adapters = deduplicateRequestAdapter_1.createDebounceRequestAdapter(cache.adapter, HttpClient.generateCacheKey);
-                }
-                return adapters;
-            })(),
-        });
+        this.client =
+            (_e = options === null || options === void 0 ? void 0 : options.client) !== null && _e !== void 0 ? _e : axios_1.default.create({
+                adapter: (() => {
+                    let adapters = axios_1.default.defaults.adapter;
+                    if (this.enableCache) {
+                        const cache = (0, axios_cache_adapter_1.setupCache)({
+                            maxAge: 5 * 60 * 1000,
+                            readHeaders: false,
+                            readOnError: true,
+                            exclude: {
+                                query: false, // also cache requests with query parameters
+                            },
+                            ...options === null || options === void 0 ? void 0 : options.cacheOptions,
+                            key: (req) => HttpClient.generateCacheKey(req),
+                        });
+                        // debounce concurrent calls with the same cacheKey so that only one HTTP request is made
+                        adapters = (0, deduplicateRequestAdapter_1.createDebounceRequestAdapter)(cache.adapter, HttpClient.generateCacheKey);
+                    }
+                    return adapters;
+                })(),
+            });
         if (this.enableRetry) {
             this.client.defaults.raxConfig = {
                 ...options === null || options === void 0 ? void 0 : options.retryOptions,
@@ -88,7 +94,7 @@ class HttpClient {
                         level: 'INFO',
                         retryAttempt: (_b = (_a = err.config) === null || _a === void 0 ? void 0 : _a.raxConfig) === null || _b === void 0 ? void 0 : _b.currentRetryAttempt,
                         ...HttpClient.extractRequestLogData(err.config),
-                        error: util_1.serializeAxiosError(err),
+                        error: (0, util_1.serializeAxiosError)(err),
                     });
                 },
             };
@@ -109,7 +115,7 @@ class HttpClient {
             return config;
         }, (error) => {
             var _a;
-            const serializedAxiosError = util_1.serializeAxiosError(error);
+            const serializedAxiosError = (0, util_1.serializeAxiosError)(error);
             this.logFunction({
                 title: 'HTTP Request Error',
                 level: 'WARN',
@@ -136,7 +142,7 @@ class HttpClient {
             if (error instanceof clientException_1.ClientException) {
                 throw error;
             }
-            const serializedAxiosError = util_1.serializeAxiosError(error);
+            const serializedAxiosError = (0, util_1.serializeAxiosError)(error);
             if (error.message === invalidToken) {
                 this.logFunction({
                     title: 'HTTP call skipped due to a token error',
@@ -166,18 +172,20 @@ class HttpClient {
             method: requestConfig.method,
             url: requestConfig.url,
             query: requestConfig.params,
-            request: util_1.safeJsonParse(requestConfig.data, requestConfig.data),
+            request: (0, util_1.safeJsonParse)(requestConfig.data, requestConfig.data),
             correlationId: (_a = requestConfig.headers) === null || _a === void 0 ? void 0 : _a[shared_1.orionCorrelationIdRoot],
         };
     }
     // implemented based on https://github.com/RasCarlito/axios-cache-adapter/blob/master/src/cache.js#L77
     static generateCacheKey(req) {
         var _a, _b;
-        const prefix = ((_a = req.headers) === null || _a === void 0 ? void 0 : _a.Authorization) ? (_b = util_1.safeJwtCanonicalIdParse(req.headers.Authorization.replace('Bearer ', ''))) !== null && _b !== void 0 ? _b : uuid.v4() : 'shared';
+        const prefix = ((_a = req.headers) === null || _a === void 0 ? void 0 : _a.Authorization)
+            ? (_b = (0, util_1.safeJwtCanonicalIdParse)(req.headers.Authorization.replace('Bearer ', ''))) !== null && _b !== void 0 ? _b : uuid.v4()
+            : 'shared';
         const url = `${req.baseURL ? req.baseURL : ''}${req.url}`;
         const query = req.params ? JSON.stringify(req.params) : ''; // possible improvement: optimize cache-hit ratio by sorting the query params
         const key = `${prefix}/${url}${query}`;
-        return `${key}${req.data ? md5_1.default(req.data) : ''}`;
+        return `${key}${req.data ? (0, md5_1.default)(req.data) : ''}`;
     }
     /**
      * Resolves the token with the token provider and adds it to the headers

package/lib/index.d.ts

@@ -3,7 +3,9 @@ import Logger, { LoggerConfiguration, SuggestedLogObject } from './logger/logger
 import OpenApiWrapper from './openApi/openApiWrapper';
 import { ApiResponse } from './openApi/apiResponseModel';
 import { ApiRequest, GetRequest, PostRequest, PutRequest } from './openApi/apiRequestModel';
-import TokenProvider, { TokenConfiguration, TokenProviderOptions, TokenProviderHttpClient } from './tokenProvider/tokenProvider';
+import { TokenProviderHttpClient } from './tokenProvider/tokenProvider';
+import KmsTokenProvider, { KmsTokenProviderOptions, KmsTokenConfiguration } from './tokenProvider/kmsTokenProvider';
+import SecretsManagerTokenProvider, { SecretsManagerTokenProviderOptions, SecretsManagerTokenConfiguration } from './tokenProvider/secretsManagerTokenProvider';
 import { ClientException } from './exceptions/clientException';
 import { ConflictException } from './exceptions/conflictException';
 import { Exception } from './exceptions/exception';
@@ -13,5 +15,5 @@ import { InvalidDataException } from './exceptions/invalidDataException';
 import { NotFoundException } from './exceptions/notFoundException';
 import { ValidationException } from './exceptions/validationException';
 import { serializeObject, serializeAxiosError } from './util';
-export { Logger, OpenApiWrapper, ApiResponse, HttpClient, HttpLogType, TokenProvider, ValidationException, NotFoundException, InvalidDataException, InternalException, ForbiddenException, Exception, ConflictException, ClientException, serializeObject, serializeAxiosError, };
-export type { LoggerConfiguration, SuggestedLogObject, HttpClientOptions, HttpLogOptions, ApiRequest, GetRequest, PostRequest, PutRequest, TokenConfiguration, TokenProviderOptions, TokenProviderHttpClient, };
+export { Logger, OpenApiWrapper, ApiResponse, HttpClient, HttpLogType, KmsTokenProvider, SecretsManagerTokenProvider, ValidationException, NotFoundException, InvalidDataException, InternalException, ForbiddenException, Exception, ConflictException, ClientException, serializeObject, serializeAxiosError, };
+export type { LoggerConfiguration, SuggestedLogObject, HttpClientOptions, HttpLogOptions, ApiRequest, GetRequest, PostRequest, PutRequest, TokenProviderHttpClient, KmsTokenProviderOptions, KmsTokenConfiguration, SecretsManagerTokenProviderOptions, SecretsManagerTokenConfiguration, };

package/lib/index.js

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };
@@ -22,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.serializeAxiosError = exports.serializeObject = exports.ClientException = exports.ConflictException = exports.Exception = exports.ForbiddenException = exports.InternalException = exports.InvalidDataException = exports.NotFoundException = exports.ValidationException = exports.TokenProvider = exports.HttpLogType = exports.HttpClient = exports.ApiResponse = exports.OpenApiWrapper = exports.Logger = void 0;
+exports.serializeAxiosError = exports.serializeObject = exports.ClientException = exports.ConflictException = exports.Exception = exports.ForbiddenException = exports.InternalException = exports.InvalidDataException = exports.NotFoundException = exports.ValidationException = exports.SecretsManagerTokenProvider = exports.KmsTokenProvider = exports.HttpLogType = exports.HttpClient = exports.ApiResponse = exports.OpenApiWrapper = exports.Logger = void 0;
 const httpClient_1 = __importStar(require("./httpClient/httpClient"));
 exports.HttpClient = httpClient_1.default;
 Object.defineProperty(exports, "HttpLogType", { enumerable: true, get: function () { return httpClient_1.HttpLogType; } });
@@ -32,8 +36,10 @@ const openApiWrapper_1 = __importDefault(require("./openApi/openApiWrapper"));
 exports.OpenApiWrapper = openApiWrapper_1.default;
 const apiResponseModel_1 = require("./openApi/apiResponseModel");
 Object.defineProperty(exports, "ApiResponse", { enumerable: true, get: function () { return apiResponseModel_1.ApiResponse; } });
-const tokenProvider_1 = __importDefault(require("./tokenProvider/tokenProvider"));
-exports.TokenProvider = tokenProvider_1.default;
+const kmsTokenProvider_1 = __importDefault(require("./tokenProvider/kmsTokenProvider"));
+exports.KmsTokenProvider = kmsTokenProvider_1.default;
+const secretsManagerTokenProvider_1 = __importDefault(require("./tokenProvider/secretsManagerTokenProvider"));
+exports.SecretsManagerTokenProvider = secretsManagerTokenProvider_1.default;
 const clientException_1 = require("./exceptions/clientException");
 Object.defineProperty(exports, "ClientException", { enumerable: true, get: function () { return clientException_1.ClientException; } });
 const conflictException_1 = require("./exceptions/conflictException");

package/lib/logger/logger.js

@@ -2,7 +2,11 @@
 /* eslint-disable no-console */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -15,7 +19,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };
@@ -70,8 +74,8 @@ class Logger {
         const truncateToken = (innerPayload) => {
             return innerPayload.replace(/(eyJ[a-zA-Z0-9_-]{5,}\.eyJ[a-zA-Z0-9_-]{5,})\.[a-zA-Z0-9_-]*/gi, (m, p1) => `${p1}.<sig>`);
         };
-        const replacer = (key, value) => (is_error_1.default(value) ? Logger.errorToObject(value) : value);
-        let stringifiedPayload = truncateToken(fast_safe_stringify_1.default(payload, replacer, this.jsonSpace));
+        const replacer = (key, value) => ((0, is_error_1.default)(value) ? Logger.errorToObject(value) : value);
+        let stringifiedPayload = truncateToken((0, fast_safe_stringify_1.default)(payload, replacer, this.jsonSpace));
         // https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html 256KB => 32768 characters
         if (stringifiedPayload.length >= 32768) {
             const replacementPayload = {
@@ -82,7 +86,7 @@ class Logger {
                     truncatedPayload: stringifiedPayload.substring(0, 10000),
                 },
             };
-            stringifiedPayload = fast_safe_stringify_1.default(replacementPayload, replacer, this.jsonSpace);
+            stringifiedPayload = (0, fast_safe_stringify_1.default)(replacementPayload, replacer, this.jsonSpace);
         }
         this.logFunction(stringifiedPayload);
     }

package/lib/openApi/openApiWrapper.js

@@ -1,7 +1,11 @@
 "use strict";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
 }) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
@@ -14,7 +18,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };
@@ -43,8 +47,10 @@ class OpenApiWrapper {
                 const correlationId = this.generateCorrelationId(request.headers);
                 requestLogger.startInvocation(null, correlationId);
                 // TODO: restrict the alternative way of resolving token and principal only for localhost
-                this.userToken = (_b = (_a = request.requestContext.authorizer) === null || _a === void 0 ? void 0 : _a.jwt) !== null && _b !== void 0 ? _b : (_c = request.headers.Authorization) === null || _c === void 0 ? void 0 : _c.split(' ')[1];
-                this.userPrincipal = (_f = (_e = (_d = request.requestContext.authorizer) === null || _d === void 0 ? void 0 : _d.canonicalId) !== null && _e !== void 0 ? _e : util_1.safeJwtCanonicalIdParse(this.userToken)) !== null && _f !== void 0 ? _f : 'unknown';
+                this.userToken =
+                    (_b = (_a = request.requestContext.authorizer) === null || _a === void 0 ? void 0 : _a.jwt) !== null && _b !== void 0 ? _b : (_c = request.headers.Authorization) === null || _c === void 0 ? void 0 : _c.split(' ')[1];
+                this.userPrincipal =
+                    (_f = (_e = (_d = request.requestContext.authorizer) === null || _d === void 0 ? void 0 : _d.canonicalId) !== null && _e !== void 0 ? _e : (0, util_1.safeJwtCanonicalIdParse)(this.userToken)) !== null && _f !== void 0 ? _f : 'unknown';
                 this.requestId = request.requestContext.requestId;
                 requestLogger.log({
                     title: 'RequestLogger',
@@ -71,7 +77,7 @@ class OpenApiWrapper {
             errorMiddleware: (request, error) => {
                 const { correlationId } = this;
                 this.clearContext();
-                const serializedError = util_1.serializeObject(error);
+                const serializedError = (0, util_1.serializeObject)(error);
                 if (error instanceof exception_1.Exception) {
                     if (error.statusCode === 500) {
                         requestLogger.log({ title: 'ErrorLogger', level: 'ERROR', ...serializedError });

package/lib/tokenProvider/kmsTokenProvider.d.ts

@@ -0,0 +1,28 @@
+import { KMS } from 'aws-sdk';
+import TokenProvider, { Auth0Secret, TokenConfiguration, TokenProviderOptions } from './tokenProvider';
+export default class KmsTokenProvider extends TokenProvider {
+    private kmsClient;
+    private kmsConfiguration;
+    constructor(options: KmsTokenProviderOptions);
+    getClientSecret(): Promise<Auth0Secret | undefined>;
+}
+export interface KmsTokenProviderOptions extends TokenProviderOptions {
+    /**
+     * AWS KMS Client
+     */
+    kmsClient: KMS;
+    /**
+     * Configuration needed for the token
+     */
+    tokenConfiguration: KmsTokenConfiguration;
+}
+export interface KmsTokenConfiguration extends TokenConfiguration {
+    /**
+     * Username or ClientId
+     */
+    clientId: string;
+    /**
+     * KMS Encrypted client secret
+     */
+    encryptedClientSecret: string;
+}

package/lib/tokenProvider/kmsTokenProvider.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const tokenProvider_1 = __importDefault(require("./tokenProvider"));
+class KmsTokenProvider extends tokenProvider_1.default {
+    constructor(options) {
+        super(options);
+        this.kmsClient = options.kmsClient;
+        this.kmsConfiguration = options.tokenConfiguration;
+    }
+    async getClientSecret() {
+        const secret = await this.kmsClient
+            .decrypt({
+            CiphertextBlob: Buffer.from(this.kmsConfiguration.encryptedClientSecret, 'base64'),
+        })
+            .promise()
+            .then((data) => { var _a; return (_a = data.Plaintext) === null || _a === void 0 ? void 0 : _a.toString(); });
+        if (!secret) {
+            throw new Error('Request error: failed to decrypt secret using KMS');
+        }
+        return { Auth0ClientSecret: secret, Auth0ClientID: this.kmsConfiguration.clientId };
+    }
+}
+exports.default = KmsTokenProvider;

package/lib/tokenProvider/secretsManagerTokenProvider.d.ts

@@ -0,0 +1,29 @@
+import { SecretsManager } from 'aws-sdk';
+import TokenProvider, { Auth0Secret, TokenConfiguration, TokenProviderOptions } from './tokenProvider';
+export default class SecretsManagerTokenProvider extends TokenProvider {
+    private secretsManagerClient;
+    private secretsManagerConfiguration;
+    constructor(options: SecretsManagerTokenProviderOptions);
+    getClientSecret(): Promise<Auth0Secret | undefined>;
+}
+export interface SecretsManagerTokenProviderOptions extends TokenProviderOptions {
+    /**
+     * AWS Secrets Manager Client
+     */
+    secretsManagerClient: SecretsManager;
+    /**
+     * Configuration needed for the token
+     */
+    tokenConfiguration: SecretsManagerTokenConfiguration;
+}
+export interface SecretsManagerTokenConfiguration extends TokenConfiguration {
+    /**
+     * The ID of a secret stored in AWS Secrets Manager.
+     * The expected secret format is:
+     * {
+     *   Auth0ClientID: "string",
+     *   Auth0ClientSecret: "string"
+     * }
+     */
+    clientSecretId: string;
+}

package/lib/tokenProvider/secretsManagerTokenProvider.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const tokenProvider_1 = __importDefault(require("./tokenProvider"));
+class SecretsManagerTokenProvider extends tokenProvider_1.default {
+    constructor(options) {
+        super(options);
+        this.secretsManagerClient = options.secretsManagerClient;
+        this.secretsManagerConfiguration = options.tokenConfiguration;
+    }
+    async getClientSecret() {
+        const secret = await this.secretsManagerClient
+            .getSecretValue({ SecretId: this.secretsManagerConfiguration.clientSecretId })
+            .promise();
+        if (!(secret === null || secret === void 0 ? void 0 : secret.SecretString)) {
+            throw new Error('Request error: failed to retrieve secret from Secrets Manager');
+        }
+        return JSON.parse(secret.SecretString);
+    }
+}
+exports.default = SecretsManagerTokenProvider;

package/lib/tokenProvider/tokenProvider.d.ts

@@ -1,14 +1,12 @@
-import { KMS } from 'aws-sdk';
 import { AxiosRequestConfig, AxiosResponse } from 'axios';
-export default class TokenProvider {
+export default abstract class TokenProvider {
     private httpClient;
-    private kmsClient;
     private configuration;
     private currentTokenPromise?;
     /**
      * Create a new Instance of the TokenProvider
      */
-    constructor(options: TokenProviderOptions);
+    protected constructor(options: TokenProviderOptions);
     /**
      * Get access token. Subsequent calls are cached and the token is renewed only if it is expired.
      */
@@ -17,30 +15,23 @@ export default class TokenProvider {
      * Get access token.
      */
     getTokenWithoutCache(): Promise<string>;
+    abstract getClientSecret(): Promise<Auth0Secret | undefined>;
+}
+export interface Auth0Secret {
+    Auth0ClientID: string;
+    Auth0ClientSecret: string;
 }
 export interface TokenProviderOptions {
     /**
      * Either an Axios instance or an @atsquad/httpclient instance, by default it creates an axios instance
      */
     httpClient?: TokenProviderHttpClient;
-    /**
-     * AWS KMS Client
-     */
-    kmsClient: KMS;
     /**
      * Configuration needed for the token
      */
     tokenConfiguration: TokenConfiguration;
 }
 export interface TokenConfiguration {
-    /**
-     * Username or ClientId
-     */
-    clientId: string;
-    /**
-     * KMS Encrypted client secret
-     */
-    encryptedClientSecret: string;
     audience: string;
     tokenEndpoint: string;
 }

package/lib/tokenProvider/tokenProvider.js

@@ -12,24 +12,7 @@ class TokenProvider {
     constructor(options) {
         var _a;
         this.httpClient = (_a = options.httpClient) !== null && _a !== void 0 ? _a : axios_1.default.create();
-        if (!options.kmsClient) {
-            throw new Error('KMS Client is missing');
-        }
-        this.kmsClient = options.kmsClient;
-        const configuration = options.tokenConfiguration;
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.clientId)) {
-            throw new Error('Configuration error: missing required property "clientId"');
-        }
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.encryptedClientSecret)) {
-            throw new Error('Configuration error: missing required property "encryptedClientSecret"');
-        }
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.audience)) {
-            throw new Error('Configuration error: missing required property "audience"');
-        }
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.tokenEndpoint)) {
-            throw new Error('Configuration error: missing required property "tokenEndpoint"');
-        }
-        this.configuration = configuration;
+        this.configuration = options.tokenConfiguration;
     }
     /**
      * Get access token. Subsequent calls are cached and the token is renewed only if it is expired.
@@ -43,10 +26,10 @@ class TokenProvider {
         try {
             const jwtToken = await this.currentTokenPromise;
             // lower the token expiry time by 10s so that the returned token will be not immediately expired
-            if (!jwtToken || ((_a = jsonwebtoken_1.default.decode(jwtToken)) === null || _a === void 0 ? void 0 : _a['exp']) < Date.now() / 1000 - 10) {
+            if (!jwtToken || ((_a = jsonwebtoken_1.default.decode(jwtToken)) === null || _a === void 0 ? void 0 : _a.exp) < Date.now() / 1000 - 10) {
                 this.currentTokenPromise = this.getTokenWithoutCache();
             }
-            return this.currentTokenPromise;
+            return await this.currentTokenPromise;
         }
         catch (error) {
             this.currentTokenPromise = this.getTokenWithoutCache();
@@ -57,14 +40,14 @@ class TokenProvider {
      * Get access token.
      */
     async getTokenWithoutCache() {
-        const secret = await this.kmsClient
-            .decrypt({ CiphertextBlob: Buffer.from(this.configuration.encryptedClientSecret, 'base64') })
-            .promise()
-            .then((data) => { var _a; return (_a = data.Plaintext) === null || _a === void 0 ? void 0 : _a.toString(); });
+        const secret = await this.getClientSecret();
+        if (!(secret === null || secret === void 0 ? void 0 : secret.Auth0ClientID) || !secret.Auth0ClientSecret) {
+            throw new Error('Request error: failed to retrieve Auth0 Client ID/Secret');
+        }
         const headers = { 'Content-Type': 'application/json' };
         const body = {
-            client_id: this.configuration.clientId,
-            client_secret: secret,
+            client_id: secret.Auth0ClientID,
+            client_secret: secret.Auth0ClientSecret,
             audience: this.configuration.audience,
             grant_type: 'client_credentials',
         };

package/lib/util.js

@@ -43,7 +43,7 @@ function serializeAxiosError(error) {
     const { status, data } = error.response;
     return {
         status: (_a = data.originalStatusCode) !== null && _a !== void 0 ? _a : status,
-        details: data.details ? data.details : data,
+        details: data.details ? data.details : data, // Prevent wrapping of Exception
     };
 }
 exports.serializeAxiosError = serializeAxiosError;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lambda-essentials-ts",
-  "version": "4.1.4",
+  "version": "5.1.0",
   "description": "A selection of the finest modules supporting authorization, API routing, error handling, logging and sending HTTP requests.",
   "main": "lib/index.js",
   "private": false,
@@ -26,28 +26,28 @@
   },
   "homepage": "https://github.com/Cimpress-MCP/lambda-essentials-ts#readme",
   "dependencies": {
-    "aws-sdk": "2.939.0",
-    "axios": "0.21.1",
-    "axios-cache-adapter": "2.7.3",
-    "fast-safe-stringify": "2.0.7",
-    "is-error": "2.2.2",
-    "jsonwebtoken": "8.5.1",
-    "md5": "2.3.0",
+    "aws-sdk": "^2.1078.0",
+    "axios": "~0.21.3",
+    "axios-cache-adapter": "~2.7.3",
+    "fast-safe-stringify": "~2.0.7",
+    "is-error": "~2.2.2",
+    "jsonwebtoken": "~8.5.1",
+    "md5": "~2.3.0",
     "openapi-factory": "5.2.17",
-    "retry-axios": "2.6.0",
-    "uuid": "8.3.2"
+    "retry-axios": "~2.6.0",
+    "uuid": "~8.3.2"
   },
   "devDependencies": {
-    "@types/jest": "26.0.20",
-    "eslint": "7.18.0",
-    "eslint-config-cimpress-atsquad": "2.1.2",
-    "husky": "4.2.5",
-    "jest": "26.2.2",
-    "lint-staged": "10.2.13",
-    "prettier": "2.0.5",
-    "ts-jest": "26.1.4",
-    "ts-node": "8.10.2",
-    "typescript": "3.9.7"
+    "@types/jest": "^26.0.20",
+    "eslint": "^7.18.0",
+    "eslint-config-cimpress-atsquad": "^2.1.2",
+    "husky": "^4.2.5",
+    "jest": "^26.2.2",
+    "lint-staged": "^10.2.13",
+    "prettier": "^2.7.1",
+    "ts-jest": "^26.1.4",
+    "ts-node": "^10.9.1",
+    "typescript": "^4.8.2"
   },
   "eslintConfig": {
     "extends": "cimpress-atsquad"