UNPKG

openai

Version:

The official TypeScript library for the OpenAI API

github.com/openai/openai-node

openai/openai-node

123 lines (100 loc) 3.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
import type { WorkloadIdentity, TokenExchangeResponse } from './types'; import type { Fetch } from '../internal/builtin-types'; import * as Shims from '../internal/shims'; import { APIError, OAuthError } from '../core/error'; interface CachedToken { token: string; expiresAt: number; } const SUBJECT_TOKEN_TYPES: Record<WorkloadIdentity['provider']['tokenType'], string> = { jwt: 'urn:ietf:params:oauth:token-type:jwt', id: 'urn:ietf:params:oauth:token-type:id_token', }; const TOKEN_EXCHANGE_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange'; export class WorkloadIdentityAuth { private cachedToken: CachedToken | null = null; private refreshPromise: Promise<string> | null = null; private readonly config: WorkloadIdentity; private readonly tokenExchangeUrl: string = 'https://auth.openai.com/oauth/token'; private readonly fetch: Fetch; constructor(config: WorkloadIdentity, fetch?: Fetch) { this.config = config; this.fetch = fetch ?? Shims.getDefaultFetch(); } async getToken(): Promise<string> { if (!this.cachedToken || this.isTokenExpired(this.cachedToken)) { if (this.refreshPromise) { return await this.refreshPromise; } this.refreshPromise = this.refreshToken(); try { const token = await this.refreshPromise; return token; } finally { this.refreshPromise = null; } } if (this.needsRefresh(this.cachedToken) && !this.refreshPromise) { this.refreshPromise = this.refreshToken().finally(() => { this.refreshPromise = null; }); } return this.cachedToken.token; } private async refreshToken(): Promise<string> { const subjectToken = await this.config.provider.getToken(); const body: Record<string, string> = { grant_type: TOKEN_EXCHANGE_GRANT_TYPE, subject_token: subjectToken, subject_token_type: SUBJECT_TOKEN_TYPES[this.config.provider.tokenType], identity_provider_id: this.config.identityProviderId, service_account_id: this.config.serviceAccountId, }; if (this.config.clientId) { body['client_id'] = this.config.clientId; } const response = await this.fetch(this.tokenExchangeUrl, { method: 'POST', headers: { 'Content-Type': 'application/json', }, body: JSON.stringify(body), }); if (!response.ok) { const errorText = await response.text(); let body: any = undefined; try { body = JSON.parse(errorText); } catch {} if (response.status === 400 || response.status === 401 || response.status === 403) { throw new OAuthError(response.status as 400 | 401 | 403, body, response.headers); } throw APIError.generate( response.status, body, `Token exchange failed with status ${response.status}`, response.headers, ); } const tokenResponse = (await response.json()) as TokenExchangeResponse; const expiresIn = tokenResponse.expires_in || 3600; const expiresAt = Date.now() + expiresIn * 1000; this.cachedToken = { token: tokenResponse.access_token, expiresAt, }; return tokenResponse.access_token; } private isTokenExpired(cachedToken: CachedToken): boolean { return Date.now() >= cachedToken.expiresAt; } private needsRefresh(cachedToken: CachedToken): boolean { const bufferSeconds = this.config.refreshBufferSeconds ?? 1200; const bufferMs = bufferSeconds * 1000; return Date.now() >= cachedToken.expiresAt - bufferMs; } invalidateToken(): void { this.cachedToken = null; this.refreshPromise = null; } }