vaultkeeper 0.5.1 → 0.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +18 -11
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +18 -11
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -1592,7 +1592,13 @@ function validateConfig(config) {
|
|
|
1592
1592
|
if (typeof config.defaults.ttlMinutes !== "number" || config.defaults.ttlMinutes <= 0) {
|
|
1593
1593
|
throw new Error("Config defaults.ttlMinutes must be a positive number");
|
|
1594
1594
|
}
|
|
1595
|
-
|
|
1595
|
+
let tier = config.defaults.trustTier;
|
|
1596
|
+
if (typeof tier === "string") {
|
|
1597
|
+
const parsed = Number(tier);
|
|
1598
|
+
if (!Number.isNaN(parsed)) {
|
|
1599
|
+
tier = parsed;
|
|
1600
|
+
}
|
|
1601
|
+
}
|
|
1596
1602
|
if (tier !== 1 && tier !== 2 && tier !== 3) {
|
|
1597
1603
|
throw new Error("Config defaults.trustTier must be 1, 2, or 3");
|
|
1598
1604
|
}
|
|
@@ -1994,7 +2000,6 @@ var SecretAccessorTarget = class {
|
|
|
1994
2000
|
};
|
|
1995
2001
|
function createSecretAccessor(secretValue) {
|
|
1996
2002
|
let consumed = false;
|
|
1997
|
-
const revokeHolder = { fn: void 0 };
|
|
1998
2003
|
function readImpl(callback) {
|
|
1999
2004
|
if (consumed) {
|
|
2000
2005
|
throw new Error("SecretAccessor has already been consumed \u2014 call getSecret() again to obtain a new accessor");
|
|
@@ -2005,7 +2010,6 @@ function createSecretAccessor(secretValue) {
|
|
|
2005
2010
|
callback(buf);
|
|
2006
2011
|
} finally {
|
|
2007
2012
|
buf.fill(0);
|
|
2008
|
-
revokeHolder.fn?.();
|
|
2009
2013
|
}
|
|
2010
2014
|
}
|
|
2011
2015
|
function inspectImpl() {
|
|
@@ -2063,9 +2067,7 @@ function createSecretAccessor(secretValue) {
|
|
|
2063
2067
|
return ["read", INSPECT_CUSTOM];
|
|
2064
2068
|
}
|
|
2065
2069
|
};
|
|
2066
|
-
|
|
2067
|
-
revokeHolder.fn = revoke;
|
|
2068
|
-
return proxy;
|
|
2070
|
+
return new Proxy(target, handler);
|
|
2069
2071
|
}
|
|
2070
2072
|
|
|
2071
2073
|
// src/access/sign-util.ts
|
|
@@ -2311,6 +2313,7 @@ function buildCheckList(platform) {
|
|
|
2311
2313
|
|
|
2312
2314
|
// src/vault.ts
|
|
2313
2315
|
var usageCounts = /* @__PURE__ */ new Map();
|
|
2316
|
+
var USAGE_MAP_MAX_SIZE = 1e4;
|
|
2314
2317
|
var VaultKeeper = class _VaultKeeper {
|
|
2315
2318
|
#config;
|
|
2316
2319
|
#keyManager;
|
|
@@ -2406,12 +2409,16 @@ var VaultKeeper = class _VaultKeeper {
|
|
|
2406
2409
|
const jti = claims.jti;
|
|
2407
2410
|
const currentCount = usageCounts.get(jti) ?? 0;
|
|
2408
2411
|
validateClaims(claims, currentCount);
|
|
2409
|
-
|
|
2410
|
-
|
|
2411
|
-
usageCounts.delete(jti);
|
|
2412
|
-
blockToken(jti);
|
|
2413
|
-
} else {
|
|
2412
|
+
if (claims.use !== null) {
|
|
2413
|
+
const newCount = currentCount + 1;
|
|
2414
2414
|
usageCounts.set(jti, newCount);
|
|
2415
|
+
if (usageCounts.size > USAGE_MAP_MAX_SIZE) {
|
|
2416
|
+
const oldest = usageCounts.keys().next().value;
|
|
2417
|
+
if (oldest !== void 0) {
|
|
2418
|
+
usageCounts.delete(oldest);
|
|
2419
|
+
blockToken(oldest);
|
|
2420
|
+
}
|
|
2421
|
+
}
|
|
2415
2422
|
}
|
|
2416
2423
|
const token = createCapabilityToken(claims);
|
|
2417
2424
|
const response = { keyStatus };
|