lambda-essentials-ts 4.1.5 → 5.0.0

package/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 
+## [5.0.0] - 2022-02-22
+
+### Changed
+
+- **[Breaking change]** `TokenProvider` was replaced by more specific `KmsTokenProvider` class.
+  The functionality and interface remains the same, the imports need to be changed.
+
+### Added
+
+- New `SecretsManagerTokenProvider` that relies on AWS Secrets Manager to retrieve client ID and client secret.
+  The advantage of using AWS Secrets Manager is that it can be supplied with a secret rotation function.
+
 ## [4.1.5] - 2022-02-10
 
 ### Changed

package/README.md

@@ -88,15 +88,55 @@ let axiosClient = axios.create({ timeout: 3000 });
 new HttpClient({ client: axiosClient });
 ```
 
-### TokenProvider
+### SecretsManagerTokenProvider
+
+It uses AWS Secrets Manager to retrieve the client ID and secret and then calls the specified token endpoint the retrieve JWT.
+
+CloudFormation to create a secret. Also allow the lambda function to access the secret by attaching `AWSSecretsManagerGetSecretValuePolicy` IAM Policy.
+
+```yaml
+Auth0Secret:
+  Type: AWS::SecretsManager::Secret
+  Properties:
+    Description: 'Auth0 Client ID/Secret'
+    GenerateSecretString:
+      SecretStringTemplate: '{"Auth0ClientID": "client_id", "Auth0ClientSecret": "client_secret"}'
+      GenerateStringKey: 'Auth0ClientSecret'
+```
+
+```typescript
+import {
+  SecretsManagerTokenProvider,
+  SecretsManagerTokenConfiguration,
+} from 'lambda-essentials-ts';
+
+const configuration: SecretsManagerTokenConfiguration = {
+  clientSecretId: 'arn:aws:secretsmanager:eu-west-1:<aws_account_id>:secret:<secret_id>',
+  audience: 'https://example.com/',
+  tokenEndpoint: 'https://example.com/oauth/token',
+};
+
+const secretsManagerClient = new aws.SecretsManager({ region: 'eu-west-1' });
+const tokenProvider = new SecretsManagerTokenProvider({
+  secretsManagerClient: secretsManagerClient,
+  tokenConfiguration: configuration,
+});
+
+// recommended way to retrieve token (utilizes caching and takes care of token expiration)
+const accessToken = await tokenProvider.getToken();
+
+// or bypass caching and get a new fresh token
+const freshAccessToken = await tokenProvider.getTokenWithoutCache();
+```
+
+### KmsTokenProvider
 
 It uses AWS KMS to decrypt the client secret and then calls the specified token endpoint the retrieve JWT.
 
 ```typescript
-import axios from 'axios';
-import { TokenProvider, TokenConfiguration } from 'lambda-essentials-ts';
+import { KmsTokenProvider, KmsTokenConfiguration } from 'lambda-essentials-ts';
 
-const configuration: TokenConfiguration = {
+const configuration: KmsTokenConfiguration = {
   clientId: 'CLIENT_ID',
   encryptedClientSecret: 'BASE64_KMS_ENCRYPTED_CLIENT_SECRET',
   audience: 'https://example.com/',
@@ -104,17 +144,16 @@ const configuration: TokenConfiguration = {
 };
 
 const kmsClient = new aws.KMS({ region: 'eu-west-1' });
-const tokenProvider = new TokenProvider({
-  httpClient: axios.create(),
+const tokenProvider = new KmsTokenProvider({
   kmsClient: kmsClient,
   tokenConfiguration: configuration,
 });
 
 // recommended way to retrieve token (utilizes caching and takes care of token expiration)
-let accessToken = await tokenProvider.getToken();
+const accessToken = await tokenProvider.getToken();
 
-// or bypass caching and get new token
-accessToken = await tokenProvider.getTokenWithoutCache();
+// or bypass caching and get a new fresh token
+const freshAccessToken = await tokenProvider.getTokenWithoutCache();
 ```
 
 ### Exceptions

package/lib/index.d.ts

@@ -3,7 +3,9 @@ import Logger, { LoggerConfiguration, SuggestedLogObject } from './logger/logger
 import OpenApiWrapper from './openApi/openApiWrapper';
 import { ApiResponse } from './openApi/apiResponseModel';
 import { ApiRequest, GetRequest, PostRequest, PutRequest } from './openApi/apiRequestModel';
-import TokenProvider, { TokenConfiguration, TokenProviderOptions, TokenProviderHttpClient } from './tokenProvider/tokenProvider';
+import { TokenProviderHttpClient } from './tokenProvider/tokenProvider';
+import KmsTokenProvider, { KmsTokenProviderOptions, KmsTokenConfiguration } from './tokenProvider/kmsTokenProvider';
+import SecretsManagerTokenProvider, { SecretsManagerTokenProviderOptions, SecretsManagerTokenConfiguration } from './tokenProvider/secretsManagerTokenProvider';
 import { ClientException } from './exceptions/clientException';
 import { ConflictException } from './exceptions/conflictException';
 import { Exception } from './exceptions/exception';
@@ -13,5 +15,5 @@ import { InvalidDataException } from './exceptions/invalidDataException';
 import { NotFoundException } from './exceptions/notFoundException';
 import { ValidationException } from './exceptions/validationException';
 import { serializeObject, serializeAxiosError } from './util';
-export { Logger, OpenApiWrapper, ApiResponse, HttpClient, HttpLogType, TokenProvider, ValidationException, NotFoundException, InvalidDataException, InternalException, ForbiddenException, Exception, ConflictException, ClientException, serializeObject, serializeAxiosError, };
-export type { LoggerConfiguration, SuggestedLogObject, HttpClientOptions, HttpLogOptions, ApiRequest, GetRequest, PostRequest, PutRequest, TokenConfiguration, TokenProviderOptions, TokenProviderHttpClient, };
+export { Logger, OpenApiWrapper, ApiResponse, HttpClient, HttpLogType, KmsTokenProvider, SecretsManagerTokenProvider, ValidationException, NotFoundException, InvalidDataException, InternalException, ForbiddenException, Exception, ConflictException, ClientException, serializeObject, serializeAxiosError, };
+export type { LoggerConfiguration, SuggestedLogObject, HttpClientOptions, HttpLogOptions, ApiRequest, GetRequest, PostRequest, PutRequest, TokenProviderHttpClient, KmsTokenProviderOptions, KmsTokenConfiguration, SecretsManagerTokenProviderOptions, SecretsManagerTokenConfiguration, };

package/lib/index.js

@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.serializeAxiosError = exports.serializeObject = exports.ClientException = exports.ConflictException = exports.Exception = exports.ForbiddenException = exports.InternalException = exports.InvalidDataException = exports.NotFoundException = exports.ValidationException = exports.TokenProvider = exports.HttpLogType = exports.HttpClient = exports.ApiResponse = exports.OpenApiWrapper = exports.Logger = void 0;
+exports.serializeAxiosError = exports.serializeObject = exports.ClientException = exports.ConflictException = exports.Exception = exports.ForbiddenException = exports.InternalException = exports.InvalidDataException = exports.NotFoundException = exports.ValidationException = exports.SecretsManagerTokenProvider = exports.KmsTokenProvider = exports.HttpLogType = exports.HttpClient = exports.ApiResponse = exports.OpenApiWrapper = exports.Logger = void 0;
 const httpClient_1 = __importStar(require("./httpClient/httpClient"));
 exports.HttpClient = httpClient_1.default;
 Object.defineProperty(exports, "HttpLogType", { enumerable: true, get: function () { return httpClient_1.HttpLogType; } });
@@ -32,8 +32,10 @@ const openApiWrapper_1 = __importDefault(require("./openApi/openApiWrapper"));
 exports.OpenApiWrapper = openApiWrapper_1.default;
 const apiResponseModel_1 = require("./openApi/apiResponseModel");
 Object.defineProperty(exports, "ApiResponse", { enumerable: true, get: function () { return apiResponseModel_1.ApiResponse; } });
-const tokenProvider_1 = __importDefault(require("./tokenProvider/tokenProvider"));
-exports.TokenProvider = tokenProvider_1.default;
+const kmsTokenProvider_1 = __importDefault(require("./tokenProvider/kmsTokenProvider"));
+exports.KmsTokenProvider = kmsTokenProvider_1.default;
+const secretsManagerTokenProvider_1 = __importDefault(require("./tokenProvider/secretsManagerTokenProvider"));
+exports.SecretsManagerTokenProvider = secretsManagerTokenProvider_1.default;
 const clientException_1 = require("./exceptions/clientException");
 Object.defineProperty(exports, "ClientException", { enumerable: true, get: function () { return clientException_1.ClientException; } });
 const conflictException_1 = require("./exceptions/conflictException");

package/lib/tokenProvider/kmsTokenProvider.d.ts

@@ -0,0 +1,28 @@
+import { KMS } from 'aws-sdk';
+import TokenProvider, { Auth0Secret, TokenConfiguration, TokenProviderOptions } from './tokenProvider';
+export default class KmsTokenProvider extends TokenProvider {
+    private kmsClient;
+    private kmsConfiguration;
+    constructor(options: KmsTokenProviderOptions);
+    getClientSecret(): Promise<Auth0Secret | undefined>;
+}
+export interface KmsTokenProviderOptions extends TokenProviderOptions {
+    /**
+     * AWS KMS Client
+     */
+    kmsClient: KMS;
+    /**
+     * Configuration needed for the token
+     */
+    tokenConfiguration: KmsTokenConfiguration;
+}
+export interface KmsTokenConfiguration extends TokenConfiguration {
+    /**
+     * Username or ClientId
+     */
+    clientId: string;
+    /**
+     * KMS Encrypted client secret
+     */
+    encryptedClientSecret: string;
+}

package/lib/tokenProvider/kmsTokenProvider.js

@@ -0,0 +1,26 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const tokenProvider_1 = __importDefault(require("./tokenProvider"));
+class KmsTokenProvider extends tokenProvider_1.default {
+    constructor(options) {
+        super(options);
+        this.kmsClient = options.kmsClient;
+        this.kmsConfiguration = options.tokenConfiguration;
+    }
+    async getClientSecret() {
+        const secret = await this.kmsClient
+            .decrypt({
+            CiphertextBlob: Buffer.from(this.kmsConfiguration.encryptedClientSecret, 'base64'),
+        })
+            .promise()
+            .then((data) => { var _a; return (_a = data.Plaintext) === null || _a === void 0 ? void 0 : _a.toString(); });
+        if (!secret) {
+            throw new Error('Request error: failed to decrypt secret using KMS');
+        }
+        return { Auth0ClientSecret: secret, Auth0ClientID: this.kmsConfiguration.clientId };
+    }
+}
+exports.default = KmsTokenProvider;

package/lib/tokenProvider/secretsManagerTokenProvider.d.ts

@@ -0,0 +1,29 @@
+import { SecretsManager } from 'aws-sdk';
+import TokenProvider, { Auth0Secret, TokenConfiguration, TokenProviderOptions } from './tokenProvider';
+export default class SecretsManagerTokenProvider extends TokenProvider {
+    private secretsManagerClient;
+    private secretsManagerConfiguration;
+    constructor(options: SecretsManagerTokenProviderOptions);
+    getClientSecret(): Promise<Auth0Secret | undefined>;
+}
+export interface SecretsManagerTokenProviderOptions extends TokenProviderOptions {
+    /**
+     * AWS Secrets Manager Client
+     */
+    secretsManagerClient: SecretsManager;
+    /**
+     * Configuration needed for the token
+     */
+    tokenConfiguration: SecretsManagerTokenConfiguration;
+}
+export interface SecretsManagerTokenConfiguration extends TokenConfiguration {
+    /**
+     * The ID of a secret stored in AWS Secrets Manager.
+     * The expected secret format is:
+     * {
+     *   Auth0ClientID: "string",
+     *   Auth0ClientSecret: "string"
+     * }
+     */
+    clientSecretId: string;
+}

package/lib/tokenProvider/secretsManagerTokenProvider.js

@@ -0,0 +1,23 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const tokenProvider_1 = __importDefault(require("./tokenProvider"));
+class SecretsManagerTokenProvider extends tokenProvider_1.default {
+    constructor(options) {
+        super(options);
+        this.secretsManagerClient = options.secretsManagerClient;
+        this.secretsManagerConfiguration = options.tokenConfiguration;
+    }
+    async getClientSecret() {
+        const secret = await this.secretsManagerClient
+            .getSecretValue({ SecretId: this.secretsManagerConfiguration.clientSecretId })
+            .promise();
+        if (!(secret === null || secret === void 0 ? void 0 : secret.SecretString)) {
+            throw new Error('Request error: failed to retrieve secret from Secrets Manager');
+        }
+        return JSON.parse(secret.SecretString);
+    }
+}
+exports.default = SecretsManagerTokenProvider;

package/lib/tokenProvider/tokenProvider.d.ts

@@ -1,14 +1,12 @@
-import { KMS } from 'aws-sdk';
 import { AxiosRequestConfig, AxiosResponse } from 'axios';
-export default class TokenProvider {
+export default abstract class TokenProvider {
     private httpClient;
-    private kmsClient;
     private configuration;
     private currentTokenPromise?;
     /**
      * Create a new Instance of the TokenProvider
      */
-    constructor(options: TokenProviderOptions);
+    protected constructor(options: TokenProviderOptions);
     /**
      * Get access token. Subsequent calls are cached and the token is renewed only if it is expired.
      */
@@ -17,30 +15,23 @@ export default class TokenProvider {
      * Get access token.
      */
     getTokenWithoutCache(): Promise<string>;
+    abstract getClientSecret(): Promise<Auth0Secret | undefined>;
+}
+export interface Auth0Secret {
+    Auth0ClientID: string;
+    Auth0ClientSecret: string;
 }
 export interface TokenProviderOptions {
     /**
      * Either an Axios instance or an @atsquad/httpclient instance, by default it creates an axios instance
      */
     httpClient?: TokenProviderHttpClient;
-    /**
-     * AWS KMS Client
-     */
-    kmsClient: KMS;
     /**
      * Configuration needed for the token
      */
     tokenConfiguration: TokenConfiguration;
 }
 export interface TokenConfiguration {
-    /**
-     * Username or ClientId
-     */
-    clientId: string;
-    /**
-     * KMS Encrypted client secret
-     */
-    encryptedClientSecret: string;
     audience: string;
     tokenEndpoint: string;
 }

package/lib/tokenProvider/tokenProvider.js

@@ -12,24 +12,7 @@ class TokenProvider {
     constructor(options) {
         var _a;
         this.httpClient = (_a = options.httpClient) !== null && _a !== void 0 ? _a : axios_1.default.create();
-        if (!options.kmsClient) {
-            throw new Error('KMS Client is missing');
-        }
-        this.kmsClient = options.kmsClient;
-        const configuration = options.tokenConfiguration;
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.clientId)) {
-            throw new Error('Configuration error: missing required property "clientId"');
-        }
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.encryptedClientSecret)) {
-            throw new Error('Configuration error: missing required property "encryptedClientSecret"');
-        }
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.audience)) {
-            throw new Error('Configuration error: missing required property "audience"');
-        }
-        if (!(configuration === null || configuration === void 0 ? void 0 : configuration.tokenEndpoint)) {
-            throw new Error('Configuration error: missing required property "tokenEndpoint"');
-        }
-        this.configuration = configuration;
+        this.configuration = options.tokenConfiguration;
     }
     /**
      * Get access token. Subsequent calls are cached and the token is renewed only if it is expired.
@@ -43,10 +26,10 @@ class TokenProvider {
         try {
             const jwtToken = await this.currentTokenPromise;
             // lower the token expiry time by 10s so that the returned token will be not immediately expired
-            if (!jwtToken || ((_a = jsonwebtoken_1.default.decode(jwtToken)) === null || _a === void 0 ? void 0 : _a['exp']) < Date.now() / 1000 - 10) {
+            if (!jwtToken || ((_a = jsonwebtoken_1.default.decode(jwtToken)) === null || _a === void 0 ? void 0 : _a.exp) < Date.now() / 1000 - 10) {
                 this.currentTokenPromise = this.getTokenWithoutCache();
             }
-            return this.currentTokenPromise;
+            return await this.currentTokenPromise;
         }
         catch (error) {
             this.currentTokenPromise = this.getTokenWithoutCache();
@@ -57,14 +40,14 @@ class TokenProvider {
      * Get access token.
      */
     async getTokenWithoutCache() {
-        const secret = await this.kmsClient
-            .decrypt({ CiphertextBlob: Buffer.from(this.configuration.encryptedClientSecret, 'base64') })
-            .promise()
-            .then((data) => { var _a; return (_a = data.Plaintext) === null || _a === void 0 ? void 0 : _a.toString(); });
+        const secret = await this.getClientSecret();
+        if (!(secret === null || secret === void 0 ? void 0 : secret.Auth0ClientID) || !secret.Auth0ClientSecret) {
+            throw new Error('Request error: failed to retrieve Auth0 Client ID/Secret');
+        }
         const headers = { 'Content-Type': 'application/json' };
         const body = {
-            client_id: this.configuration.clientId,
-            client_secret: secret,
+            client_id: secret.Auth0ClientID,
+            client_secret: secret.Auth0ClientSecret,
             audience: this.configuration.audience,
             grant_type: 'client_credentials',
         };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lambda-essentials-ts",
-  "version": "4.1.5",
+  "version": "5.0.0",
   "description": "A selection of the finest modules supporting authorization, API routing, error handling, logging and sending HTTP requests.",
   "main": "lib/index.js",
   "private": false,
@@ -26,7 +26,7 @@
   },
   "homepage": "https://github.com/Cimpress-MCP/lambda-essentials-ts#readme",
   "dependencies": {
-    "aws-sdk": "2.939.0",
+    "aws-sdk": "2.1078.0",
     "axios": "0.21.1",
     "axios-cache-adapter": "2.7.3",
     "fast-safe-stringify": "2.0.7",