UNPKG

@graphql-hive/plugin-aws-sigv4

Version:

graphql-hive/gateway

320 lines (314 loc) • 11.8 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
import { UnifiedGraphPlugin, Instrumentation as Instrumentation$2 } from '@graphql-mesh/fusion-runtime'; import { Plugin, YogaInitialContext, Instrumentation as Instrumentation$1 } from 'graphql-yoga'; import { MeshFetch, Logger, MeshPubSub, KeyValueCache, OnFetchHook } from '@graphql-mesh/types'; import { FetchInstrumentation } from '@graphql-mesh/utils'; import { MaybePromise } from '@graphql-tools/utils'; import { MaybePromise as MaybePromise$1 } from '@whatwg-node/promise-helpers'; import { ServerAdapterInitialContext } from '@whatwg-node/server'; interface GatewayConfigContext { /** * WHATWG compatible Fetch implementation. */ fetch: MeshFetch; /** * The logger to use throught Mesh and it's plugins. */ logger: Logger; /** * Current working directory. */ cwd: string; /** * Event bus for pub/sub. */ pubsub?: MeshPubSub; /** * Cache Storage */ cache?: KeyValueCache; } interface GatewayContext extends GatewayConfigContext, YogaInitialContext { /** * Environment agnostic HTTP headers provided with the request. */ headers: Record<string, string>; /** * Runtime context available within WebSocket connections. */ connectionParams: Record<string, string>; } type GatewayPlugin<TPluginContext extends Record<string, any> = Record<string, any>, TContext extends Record<string, any> = Record<string, any>> = Plugin<Partial<TPluginContext> & GatewayContext & TContext> & UnifiedGraphPlugin<Partial<TPluginContext> & GatewayContext & TContext> & { onFetch?: OnFetchHook<Partial<TPluginContext> & GatewayContext & TContext>; onCacheGet?: OnCacheGetHook; onCacheSet?: OnCacheSetHook; onCacheDelete?: OnCacheDeleteHook; /** * An Instrumentation instance that will wrap each phases of the request pipeline. * This should be used primarily as an observability tool (for monitoring, tracing, etc...). * * Note: The wrapped functions in instrumentation should always be called. Use hooks to * conditionally skip a phase. */ instrumentation?: Instrumentation<TPluginContext & TContext & GatewayContext>; }; type OnCacheGetHook = (payload: OnCacheGetHookEventPayload) => MaybePromise<OnCacheGetHookResult | void>; interface OnCacheGetHookEventPayload { cache: KeyValueCache; key: string; ttl?: number; } interface OnCacheGetHookResult { onCacheHit?: OnCacheHitHook; onCacheMiss?: OnCacheMissHook; onCacheGetError?: OnCacheErrorHook; } type OnCacheErrorHook = (payload: OnCacheErrorHookPayload) => void; interface OnCacheErrorHookPayload { error: Error; } type OnCacheHitHook = (payload: OnCacheHitHookEventPayload) => void; interface OnCacheHitHookEventPayload { value: any; } type OnCacheMissHook = () => void; type OnCacheSetHook = (payload: OnCacheSetHookEventPayload) => MaybePromise<OnCacheSetHookResult | void>; interface OnCacheSetHookResult { onCacheSetDone?: () => void; onCacheSetError?: OnCacheErrorHook; } interface OnCacheSetHookEventPayload { cache: KeyValueCache; key: string; value: any; ttl?: number; } type OnCacheDeleteHook = (payload: OnCacheDeleteHookEventPayload) => MaybePromise<OnCacheDeleteHookResult | void>; interface OnCacheDeleteHookResult { onCacheDeleteDone?: () => void; onCacheDeleteError?: OnCacheErrorHook; } interface OnCacheDeleteHookEventPayload { cache: KeyValueCache; key: string; } type Instrumentation<TContext extends Record<string, any>> = Instrumentation$1<TContext> & Instrumentation$2 & FetchInstrumentation; declare global { var DEBUG: string; } interface AWSSignv4PluginOptions { /** * Outgoing options for signing outgoing requests. */ outgoing?: AWSSignv4PluginOutgoingOptions | AWSSignv4PluginOutgoingOptionsFactory; /** * Incoming options for validating incoming requests. */ incoming?: AWSSignv4PluginIncomingOptions | boolean; } interface AWSSignv4PluginOutgoingOptions { /** * To sign the query instead of adding an Authorization header * @default false */ signQuery?: boolean; /** * Service name to use when signing the request. * By default, it is inferred from the hostname. */ serviceName?: string; /** * Region name to use when signing the request. * By default, it is inferred from the hostname. */ region?: string; /** * ACCESS_KEY_ID * @default process.env.AWS_ACCESS_KEY_ID || process.env.AWS_ACCESS_KEY */ accessKeyId?: string; /** * AWS_SECRET_ACCESS_KEY * @default process.env.AWS_SECRET_ACCESS_KEY || process.env.AWS_SECRET_KEY */ secretAccessKey?: string; /** * AWS_SESSION_TOKEN * @default process.env.AWS_SESSION_TOKEN */ sessionToken?: string; /** * An identifier for the assumed role session. * * @default process.env.AWS_ROLE_ARN */ roleArn?: string; /** * The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role. * * @default process.env.AWS_IAM_ROLE_SESSION_NAME */ roleSessionName?: string; } interface AWSSignv4PluginOutgoingOptionsFactoryOptions { url: string; options: RequestInit; subgraphName: string; } type AWSSignv4PluginOutgoingOptionsFactory = (factoryOptions: AWSSignv4PluginOutgoingOptionsFactoryOptions) => AWSSignv4PluginOutgoingOptions | undefined | false | true; interface AWSSignv4PluginIncomingPayload { /** * HTTP request */ request: Request; /** * Context */ serverContext: ServerAdapterInitialContext; /** * Incoming authorization headers string. Required. */ authorization: string; /** * DateTime from incoming header. Required. */ xAmzDate: string; /** * Additional header to set message exiration time even if signature message is valid. Optional. */ xAmzExpires?: number; /** * Sha256 + formated hex for body. Empty body has own bodyHash. If there is no need to sign body for performance reason you can put UNSIGNED-PAYLOAD in request headers['x-amz-content-sha256']. */ bodyHash: string; /** * accessKey used to sign this message. */ accessKey: string; /** * Date used in authorization header. */ date: string; /** * Region used in authorization header. Here can be any value. */ region: string; /** * Service used in authorization header. Here can be any value. */ service: string; /** * For aws4 will be aws4_request. Here can be any value. */ requestType: string; /** * List of signed headers separated with semicolon. */ signedHeaders: string; /** * Formated encoded header paris. */ canonicalHeaders: string; secretAccessKey?: string; } interface AssumeRolePayload { /** * Region name to use when signing the request. * By default, it is inferred from the hostname. */ region?: string; /** * An identifier for the assumed role session. * * @default process.env.AWS_ROLE_ARN */ roleArn?: string; /** * The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role. * * @default process.env.AWS_IAM_ROLE_SESSION_NAME */ roleSessionName?: string; } interface AWSSignv4PluginIncomingOptions { /** * Callback for secretKey. You have to provide process to get proper secret or return undefined secret. * By default it uses `accessKey` to get secret from `process.env.AWS_SECRET_ACCESS_KEY` or `process.env.AWS_SECRET_KEY`. * Should return secretKey on incoming parameters - but if secret is missing which it will be normal case when someone want to guess - you should return undefined; */ secretAccessKey?: (payload: AWSSignv4PluginIncomingPayload) => MaybePromise$1<string | undefined> | string | undefined; /** * An identifier for the assumed role session. * * @default process.env.AWS_ROLE_ARN */ assumeRole?: (payload: AWSSignv4PluginIncomingPayload) => MaybePromise$1<AssumeRolePayload | undefined> | AssumeRolePayload | undefined; /** * Callback for changes in incoming headers before it goes through parse process. Help to more sophisticated changes to preserve proper headers. */ headers?: (headers: Headers) => Headers; /** * You can skip aws signature validation. It is useful when you want to use it only for some requests. */ enabled?: (request: Request, serverContext: ServerAdapterInitialContext) => MaybePromise$1<boolean>; /** * Callback on header missing. Validation stops here. Default value `onMissingHeaders: () => { throw new GraphQLError('Headers are missing for auth', { extensions: { http: { status: 401, } } }); },` */ onMissingHeaders?: (request: Request, serverContext: ServerAdapterInitialContext) => MaybePromise$1<void>; /** * Custom response on signature mismatch. Validation stops here. Default value `onSignatureMismatch: () => { throw new GraphQLError('The signature does not match', { extensions: { http: { status: 401, } } }); },` */ onSignatureMismatch?: (request: Request, serverContext: ServerAdapterInitialContext) => MaybePromise$1<void>; /** * Custom response on exired time signature. Validation stops here. Default value `onExpired: () => { throw new GraphQLError('Request is expired', { extensions: { http: { status: 401, } } }); },` */ onExpired?: (request: Request, serverContext: ServerAdapterInitialContext) => MaybePromise$1<void>; /** * Custom callback before standard parser comes. On false validation stops here. Default value `onBeforeParse: () => true,` * * Should return true if you need to let parse request further. */ onBeforeParse?: (request: Request, serverContext: ServerAdapterInitialContext) => MaybePromise$1<boolean>; /** * Custom callback after standard parser done. On false validation stops here. Default value `onAfterParse: () => true,` * Should return true if you need to let parse request further. */ onAfterParse?: (payload: AWSSignv4PluginIncomingPayload) => MaybePromise$1<boolean>; /** * Last callback after when validation signature is done. You can even stop here process. */ onSuccess?: (payload: AWSSignv4PluginIncomingPayload) => MaybePromise$1<void>; } declare enum AWSSignV4Headers { 'Authorization' = "authorization", 'XAmzDate' = "x-amz-date", 'XAmzContentSha256' = "x-amz-content-sha256", 'XAmzExpires' = "x-amz-expires" } declare function useAWSSigv4<TContext extends Record<string, any>>(opts: AWSSignv4PluginOptions): GatewayPlugin<TContext>; export { AWSSignV4Headers, type AWSSignv4PluginIncomingOptions, type AWSSignv4PluginIncomingPayload, type AWSSignv4PluginOptions, type AWSSignv4PluginOutgoingOptions, type AWSSignv4PluginOutgoingOptionsFactory, type AWSSignv4PluginOutgoingOptionsFactoryOptions, type AssumeRolePayload, useAWSSigv4 };