
@graphql-hive/plugin-aws-sigv4

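import { STS } from '@aws-sdk/client-sts';
import { subgraphNameByExecutionRequest } from '@graphql-mesh/fusion-runtime';
import aws4 from 'aws4';

/**
 * Reports whether a request body is a string or a Node.js Buffer.
 *
 * Only these two body kinds are signed by the plugin below.
 *
 * @param {unknown} body - The fetch body to inspect.
 * @returns {boolean | undefined} Truthy for strings and Buffers; `undefined`
 *   when the body is not a string and `globalThis.Buffer` does not exist.
 */
function isBufferOrString(body) {
  return typeof body === "string" || globalThis.Buffer?.isBuffer(body);
}

/**
 * Creates a plugin whose `onFetch` hook signs outgoing requests with AWS
 * Signature Version 4 (via `aws4`).
 *
 * @param {object | boolean | Function} [opts] - Static options, or a factory
 *   called per request with `{ url, options, subgraphName }`. Returning
 *   `false` skips signing; returning an object supplies `signQuery`,
 *   `accessKeyId`, `secretAccessKey`, `sessionToken`, `roleArn`,
 *   `roleSessionName`, `serviceName` and `region`; any other result signs
 *   with the environment-variable defaults.
 * @returns {{ onFetch: Function }} The plugin object.
 */
function useAWSSigv4(opts) {
  const optionsFactory = typeof opts === "function" ? opts : () => opts || true;
  return {
    /**
     * Signs the outgoing request and replaces its URL and options.
     *
     * @throws {Error} When a role is configured but STS returns no usable
     *   temporary credentials.
     */
    async onFetch({ url, options, setURL, setOptions, executionRequest }) {
      const subgraphName = executionRequest && subgraphNameByExecutionRequest.get(executionRequest);
      // NOTE(review): a request whose body is neither a string nor a Buffer
      // (including one with no body) leaves this hook untouched, so it is
      // presumably sent unsigned. Confirm that this is acceptable for every
      // upstream that is expected to enforce SigV4.
      if (!isBufferOrString(options.body)) {
        return;
      }
      const factoryResult = optionsFactory({ url, options, subgraphName });
      if (factoryResult === false) {
        return;
      }

      // Defaults come from the process environment.
      let signQuery = false;
      let accessKeyId = process.env["AWS_ACCESS_KEY_ID"] || process.env["AWS_ACCESS_KEY"];
      let secretAccessKey = process.env["AWS_SECRET_ACCESS_KEY"] || process.env["AWS_SECRET_KEY"];
      let sessionToken = process.env["AWS_SESSION_TOKEN"];
      let service;
      let region;
      let roleArn = process.env["AWS_ROLE_ARN"];
      let roleSessionName = process.env["AWS_IAM_ROLE_SESSION_NAME"];

      if (typeof factoryResult === "object" && factoryResult != null) {
        // With signQuery enabled, aws4 places the signature in the query
        // string, so the signed URL itself carries the authorization.
        signQuery = factoryResult.signQuery || false;
        accessKeyId = factoryResult.accessKeyId || process.env["AWS_ACCESS_KEY_ID"] || process.env["AWS_ACCESS_KEY"];
        secretAccessKey = factoryResult.secretAccessKey || process.env["AWS_SECRET_ACCESS_KEY"] || process.env["AWS_SECRET_KEY"];
        sessionToken = factoryResult.sessionToken || process.env["AWS_SESSION_TOKEN"];
        // NOTE(review): unlike the other fields, roleArn does not fall back
        // to AWS_ROLE_ARN here, so passing any options object without
        // roleArn disables role assumption. Confirm that this is intended.
        roleArn = factoryResult.roleArn;
        roleSessionName = factoryResult.roleSessionName || process.env["AWS_IAM_ROLE_SESSION_NAME"];
        service = factoryResult.serviceName;
        region = factoryResult.region;
      }

      if (roleArn && roleSessionName) {
        // A new STS client and an AssumeRole call are made on every signed
        // fetch; nothing is cached in this function.
        const sts = new STS({ region });
        const { Credentials } = await sts.assumeRole({
          RoleArn: roleArn,
          RoleSessionName: roleSessionName
        });
        // Fail closed: when a role is configured, never sign with the base
        // credentials or with a mix of base and temporary values.
        if (!Credentials?.AccessKeyId || !Credentials?.SecretAccessKey || !Credentials?.SessionToken) {
          throw new Error(
            "AWS SigV4: STS AssumeRole returned incomplete credentials; refusing to sign with the base credentials"
          );
        }
        accessKeyId = Credentials.AccessKeyId;
        secretAccessKey = Credentials.SecretAccessKey;
        sessionToken = Credentials.SessionToken;
      }

      const parsedUrl = new URL(url);
      const aws4Request = {
        host: parsedUrl.host,
        method: options.method,
        path: `${parsedUrl.pathname}${parsedUrl.search}`,
        body: options.body,
        headers: options.headers,
        signQuery,
        service,
        region
      };
      const modifiedAws4Request = aws4.sign(aws4Request, {
        accessKeyId,
        secretAccessKey,
        sessionToken
      });

      // Rebuild the URL from the signed request so that any query
      // parameters added by signing are sent.
      setURL(
        `${parsedUrl.protocol}//${modifiedAws4Request.host}${modifiedAws4Request.path}`
      );
      setOptions({
        ...options,
        method: modifiedAws4Request.method,
        headers: modifiedAws4Request.headers,
        body: modifiedAws4Request.body
      });
    }
  };
}

export { useAWSSigv4 };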