refactor: add support for secure options in StaticCredentialsProvider

Signed-off-by: Vladislav Polyakov <[email protected]>

Author: polRk

.changeset/ten-carrots-repair.md

@@ -0,0 +1,5 @@
+---
+'@ydbjs/auth': patch
+---
+
+Support secure options for static credentials provider

packages/auth/tests/static.e2e.test.ts renamed to packages/auth/src/static.test.ts

@@ -1,32 +1,65 @@
-import { afterEach, describe, expect, inject, test, vi } from 'vitest'
-import { createClientFactory } from 'nice-grpc'
-
-import { StaticCredentialsProvider } from '../dist/esm/static.js'
-
-let username = inject('credentialsUsername')
-let password = inject('credentialsPassword')
-let endpoint = inject('credentialsEndpoint')
+import * as crypto from 'node:crypto'
+import * as fs from 'node:fs/promises'
+import * as os from 'node:os'
+import * as path from 'node:path'
+
+import { create } from '@bufbuild/protobuf'
+import { anyPack } from '@bufbuild/protobuf/wkt'
+import { AuthServiceDefinition, LoginResponseSchema, LoginResultSchema } from '@ydbjs/api/auth'
+import { StatusIds_StatusCode } from '@ydbjs/api/operation'
+import { type ServiceImplementation, createServer } from 'nice-grpc'
+import { afterAll, afterEach, describe, expect, test, vi } from 'vitest'
+
+import { StaticCredentialsProvider } from './static.js'
+
+let AuthServiceTestImpl: ServiceImplementation<typeof AuthServiceDefinition> = {
+	login: async () => {
+		return create(LoginResponseSchema, {
+			operation: {
+				status: StatusIds_StatusCode.SUCCESS,
+				result: anyPack(LoginResultSchema, create(LoginResultSchema, {
+					token: crypto.randomUUID()
+				})),
+			}
+		})
+	}
+}
 
 describe('StaticCredentialsProvider', async () => {
 	let calls = 0
-	let clientFactory = createClientFactory().use((call, options) => {
+
+	let server = createServer().use((call, options) => {
 		calls++
 		return call.next(call.request, options)
 	})
 
+	server.add(AuthServiceDefinition, AuthServiceTestImpl)
+
 	afterEach(() => {
 		calls = 0
 	})
 
+	afterAll(async () => {
+		await server.shutdown()
+		await fs.rm(socket, { force: true });
+	})
+
+	let socket = path.join(os.tmpdir(), `test-grpc-server-${Date.now()}.sock`);
+	let endpoint = `unix:${socket}`
+	let username = 'test'
+	let password = '1234'
+
+	await server.listen(endpoint)
+
 	test('valid token', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let token = await provider.getToken(false)
 		expect(token, 'Token is not empty').not.empty
 	})
 
 	test('reuse token', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let token = await provider.getToken(false)
 		let token2 = await provider.getToken(false)
@@ -36,7 +69,7 @@ describe('StaticCredentialsProvider', async () => {
 	})
 
 	test('force refresh token', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let token = await provider.getToken(false)
 		let token2 = await provider.getToken(true)
@@ -46,7 +79,7 @@ describe('StaticCredentialsProvider', async () => {
 	})
 
 	test('auto refresh expired token', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let token = await provider.getToken(false)
 		vi.useFakeTimers({ now: new Date(2100, 0, 1) })
@@ -58,7 +91,7 @@ describe('StaticCredentialsProvider', async () => {
 	})
 
 	test('multiple token aquisition', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let tokens = await Promise.all([provider.getToken(false), provider.getToken(false), provider.getToken(false)])
 
@@ -67,7 +100,7 @@ describe('StaticCredentialsProvider', async () => {
 	})
 
 	test('abort token aquisition', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let controller = new AbortController()
 		controller.abort()
@@ -77,7 +110,7 @@ describe('StaticCredentialsProvider', async () => {
 	})
 
 	test('timeout token aquisition', async () => {
-		let provider = new StaticCredentialsProvider({ username, password }, endpoint, clientFactory)
+		let provider = new StaticCredentialsProvider({ username, password }, endpoint)
 
 		let token = provider.getToken(false, AbortSignal.timeout(0))
 

packages/auth/src/static.ts

@@ -1,11 +1,14 @@
+import * as tls from 'node:tls'
+
 import { anyUnpack } from '@bufbuild/protobuf/wkt'
+import { type ChannelOptions, credentials } from '@grpc/grpc-js'
 import { AuthServiceDefinition, LoginResultSchema } from '@ydbjs/api/auth'
 import { StatusIds_StatusCode } from '@ydbjs/api/operation'
-import { type Client, ClientError, type ClientFactory, Status, createChannel, createClientFactory } from 'nice-grpc'
+import { YDBError } from '@ydbjs/error'
+import { defaultRetryConfig, retry } from '@ydbjs/retry'
+import { type Client, ClientError, Status, createChannel, createClient } from 'nice-grpc'
 
 import { CredentialsProvider } from './index.js'
-import { defaultRetryConfig, retry } from '@ydbjs/retry'
-import { YDBError } from '@ydbjs/error'
 
 export type StaticCredentialsToken = {
 	value: string
@@ -37,16 +40,28 @@ export class StaticCredentialsProvider extends CredentialsProvider {
 	#password: string
 
 	constructor(
-		credentials: StaticCredentials,
+		{ username, password }: StaticCredentials,
 		endpoint: string,
-		clientFactory: ClientFactory = createClientFactory()
+		secureOptions?: tls.SecureContextOptions | undefined,
+		channelOptions?: ChannelOptions
 	) {
 		super()
-		this.#username = credentials.username
-		this.#password = credentials.password
+		this.#username = username
+		this.#password = password
+
+		let cs = new URL(endpoint)
 
-		let cs = new URL(endpoint.replace(/^grpc/, 'http'))
-		this.#client = clientFactory.create(AuthServiceDefinition, createChannel(cs.origin))
+		if (['unix:', 'http:', 'https:', 'grpc:', 'grpcs:'].includes(cs.protocol) === false) {
+			throw new Error('Invalid connection string protocol. Must be one of unix, grpc, grpcs, http, https')
+		}
+
+		let address = `${cs.protocol}//${cs.host}${cs.pathname}`
+
+		let channelCredentials = secureOptions ?
+			credentials.createFromSecureContext(tls.createSecureContext(secureOptions)) :
+			credentials.createInsecure()
+
+		this.#client = createClient(AuthServiceDefinition, createChannel(address, channelCredentials, channelOptions))
 	}
 
 	/**
@@ -66,7 +81,6 @@ export class StaticCredentialsProvider extends CredentialsProvider {
 
 		this.#promise = retry({ ...defaultRetryConfig, signal, idempotent: true }, async () => {
 			let response = await this.#client.login({ user: this.#username, password: this.#password }, { signal })
-
 			if (!response.operation) {
 				throw new ClientError(AuthServiceDefinition.login.path, Status.UNKNOWN, 'No operation in response')
 			}
@@ -80,13 +94,25 @@ export class StaticCredentialsProvider extends CredentialsProvider {
 				throw new ClientError(AuthServiceDefinition.login.path, Status.UNKNOWN, 'No result in operation')
 			}
 
-			// Parse the JWT token to extract expiration time
-			const [, payload] = result.token.split('.')
-			const decodedPayload = JSON.parse(Buffer.from(payload, 'base64').toString())
-
-			this.#token = {
-				value: result.token,
-				...decodedPayload,
+			// The result.token is a JWT in the format header.payload.signature.
+			// We attempt to decode the payload to extract token metadata (aud, exp, iat, sub).
+			// If the token is not in the expected format, we fallback to default values.
+			let [header, payload, signature] = result.token.split('.')
+			if (header && payload && signature) {
+				let decodedPayload = JSON.parse(Buffer.from(payload, 'base64').toString())
+
+				this.#token = {
+					value: result.token,
+					...decodedPayload,
+				}
+			} else {
+				this.#token = {
+					value: result.token,
+					aud: [],
+					exp: Math.floor(Date.now() / 1000) + 5 * 60, // fallback: 5 minutes from now
+					iat: Math.floor(Date.now() / 1000),
+					sub: '',
+				}
 			}
 
 			return this.#token!.value!