google-auth-library - npm Package Compare versions

Comparing version 8.7.0 to 8.8.0

build/src/auth/awsclient.d.ts

@@ -42,4 +42,2 @@ import { BaseExternalAccountClient, BaseExternalAccountClientOptions } from './baseexternalclient';
     private validateEnvironmentId;
-    private validateMetadataServerURLs;
-    private validateMetadataURL;
     /**
@@ -94,2 +92,5 @@ * Triggered when an external subject token is needed to be exchanged for a
     private getAwsSecurityCredentials;
+    private shouldUseMetadataServer;
+    private get regionFromEnv();
+    private get securityCredentialsFromEnv();
 }

build/src/auth/awsclient.js

@@ -50,5 +50,4 @@ "use strict";
         this.region = '';
-        // data validators
+        // Data validators.
         this.validateEnvironmentId();
-        this.validateMetadataServerURLs();
     }
@@ -65,16 +64,2 @@ validateEnvironmentId() {
     }
-    validateMetadataServerURLs() {
-        this.validateMetadataURL(this.regionUrl, 'region_url');
-        this.validateMetadataURL(this.securityCredentialsUrl, 'url');
-        this.validateMetadataURL(this.imdsV2SessionTokenUrl, 'imdsv2_session_token_url');
-    }
-    validateMetadataURL(value, prop) {
-        if (!value)
-            return;
-        const url = new URL(value);
-        if (url.hostname !== AwsClient.AWS_EC2_METADATA_IPV4_ADDRESS &&
-            url.hostname !== `[${AwsClient.AWS_EC2_METADATA_IPV6_ADDRESS}]`) {
-            throw new RangeError(`Invalid host "${url.hostname}" for "${prop}". Expecting ${AwsClient.AWS_EC2_METADATA_IPV4_ADDRESS} or ${AwsClient.AWS_EC2_METADATA_IPV6_ADDRESS}.`);
-        }
-    }
     /**
@@ -108,3 +93,8 @@ * Triggered when an external subject token is needed to be exchanged for a
             const metadataHeaders = {};
-            if (this.imdsV2SessionTokenUrl) {
+            // Only retrieve the IMDSv2 session token if both the security credentials and region are
+            // not retrievable through the environment.
+            // The credential config contains all the URLs by default but clients may be running this
+            // where the metadata server is not available and returning the credentials through the environment.
+            // Removing this check may break them.
+            if (this.shouldUseMetadataServer() && this.imdsV2SessionTokenUrl) {
                 metadataHeaders['x-aws-ec2-metadata-token'] =
@@ -117,10 +107,4 @@ await this.getImdsV2SessionToken();
                 // https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
-                if (process.env['AWS_ACCESS_KEY_ID'] &&
-                    process.env['AWS_SECRET_ACCESS_KEY']) {
-                    return {
-                        accessKeyId: process.env['AWS_ACCESS_KEY_ID'],
-                        secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY'],
-                        // This is normally not available for permanent credentials.
-                        token: process.env['AWS_SESSION_TOKEN'],
-                    };
+                if (this.securityCredentialsFromEnv) {
+                    return this.securityCredentialsFromEnv;
                 }
@@ -201,4 +185,4 @@ // Since the role on a VM can change, we don't need to cache it.
         // AWS_REGION > AWS_DEFAULT_REGION > metadata server.
-        if (process.env['AWS_REGION'] || process.env['AWS_DEFAULT_REGION']) {
-            return (process.env['AWS_REGION'] || process.env['AWS_DEFAULT_REGION']);
+        if (this.regionFromEnv) {
+            return this.regionFromEnv;
         }
@@ -255,2 +239,24 @@ if (!this.regionUrl) {
     }
+    shouldUseMetadataServer() {
+        // The metadata server must be used when either the AWS region or AWS security
+        // credentials cannot be retrieved through their defined environment variables.
+        return !this.regionFromEnv || !this.securityCredentialsFromEnv;
+    }
+    get regionFromEnv() {
+        // The AWS region can be provided through AWS_REGION or AWS_DEFAULT_REGION.
+        // Only one is required.
+        return (process.env['AWS_REGION'] || process.env['AWS_DEFAULT_REGION'] || null);
+    }
+    get securityCredentialsFromEnv() {
+        // Both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required.
+        if (process.env['AWS_ACCESS_KEY_ID'] &&
+            process.env['AWS_SECRET_ACCESS_KEY']) {
+            return {
+                accessKeyId: process.env['AWS_ACCESS_KEY_ID'],
+                secretAccessKey: process.env['AWS_SECRET_ACCESS_KEY'],
+                token: process.env['AWS_SESSION_TOKEN'],
+            };
+        }
+        return null;
+    }
 }
@@ -257,0 +263,0 @@ exports.AwsClient = AwsClient;

build/src/auth/awsrequestsigner.d.ts

@@ -7,3 +7,3 @@ import { GaxiosOptions } from 'gaxios';
  */
-interface AwsSecurityCredentials {
+export interface AwsSecurityCredentials {
     accessKeyId: string;
@@ -42,2 +42,1 @@ secretAccessKey: string;
 }
-export {};

build/src/auth/baseexternalclient.d.ts

@@ -213,10 +213,3 @@ import { GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios';
     private getScopesArray;
-    /**
-     * Checks whether Google APIs URL is valid.
-     * @param apiName The apiName of url.
-     * @param url The Google API URL to validate.
-     * @return Whether the URL is valid or not.
-     */
-    private validateGoogleAPIsUrl;
 }
 export {};

build/src/auth/baseexternalclient.js

@@ -30,6 +30,2 @@ "use strict";
 const DEFAULT_OAUTH_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
-/** The google apis domain pattern. */
-const GOOGLE_APIS_DOMAIN_PATTERN = '\\.googleapis\\.com$';
-/** The variable portion pattern in a Google APIs domain. */
-const VARIABLE_PORTION_PATTERN = '[^\\.\\s\\/\\\\]+';
 /** Default impersonated token lifespan in seconds.*/
@@ -86,5 +82,2 @@ const DEFAULT_TOKEN_LIFESPAN = 3600;
             : undefined;
-        if (!this.validateGoogleAPIsUrl('sts', options.token_url)) {
-            throw new Error(`"${options.token_url}" is not a valid token url.`);
-        }
         this.stsCredential = new sts.StsCredentials(options.token_url, this.clientAuth);
@@ -104,7 +97,2 @@ // Default OAuth scope. This could be overridden via public property.
         }
-        if (typeof options.service_account_impersonation_url !== 'undefined' &&
-            !this.validateGoogleAPIsUrl('iamcredentials', options.service_account_impersonation_url)) {
-            throw new Error(`"${options.service_account_impersonation_url}" is ` +
-                'not a valid service account impersonation url.');
-        }
         this.serviceAccountImpersonationUrl =
@@ -415,55 +403,4 @@ options.service_account_impersonation_url;
     }
-    /**
-     * Checks whether Google APIs URL is valid.
-     * @param apiName The apiName of url.
-     * @param url The Google API URL to validate.
-     * @return Whether the URL is valid or not.
-     */
-    validateGoogleAPIsUrl(apiName, url) {
-        let parsedUrl;
-        // Return false if error is thrown during parsing URL.
-        try {
-            parsedUrl = new URL(url);
-        }
-        catch (e) {
-            return false;
-        }
-        const urlDomain = parsedUrl.hostname;
-        // Check the protocol is https.
-        if (parsedUrl.protocol !== 'https:') {
-            return false;
-        }
-        const googleAPIsDomainPatterns = [
-            new RegExp('^' +
-                VARIABLE_PORTION_PATTERN +
-                '\\.' +
-                apiName +
-                GOOGLE_APIS_DOMAIN_PATTERN),
-            new RegExp('^' + apiName + GOOGLE_APIS_DOMAIN_PATTERN),
-            new RegExp('^' +
-                apiName +
-                '\\.' +
-                VARIABLE_PORTION_PATTERN +
-                GOOGLE_APIS_DOMAIN_PATTERN),
-            new RegExp('^' +
-                VARIABLE_PORTION_PATTERN +
-                '\\-' +
-                apiName +
-                GOOGLE_APIS_DOMAIN_PATTERN),
-            new RegExp('^' +
-                apiName +
-                '\\-' +
-                VARIABLE_PORTION_PATTERN +
-                '\\.p' +
-                GOOGLE_APIS_DOMAIN_PATTERN),
-        ];
-        for (const googleAPIsDomainPattern of googleAPIsDomainPatterns) {
-            if (urlDomain.match(googleAPIsDomainPattern)) {
-                return true;
-            }
-        }
-        return false;
-    }
 }
 exports.BaseExternalAccountClient = BaseExternalAccountClient;
 //# sourceMappingURL=baseexternalclient.js.map

build/src/auth/externalclient.d.ts

@@ -6,3 +6,3 @@ import { RefreshOptions } from './oauth2client';
 import { PluggableAuthClientOptions } from './pluggable-auth-client';
-export declare type ExternalAccountClientOptions = IdentityPoolClientOptions | AwsClientOptions | PluggableAuthClientOptions;
+export type ExternalAccountClientOptions = IdentityPoolClientOptions | AwsClientOptions | PluggableAuthClientOptions;
 /**
@@ -9,0 +9,0 @@ * Dummy class with no constructor. Developers are expected to use fromJSON.

build/src/auth/googleauth.d.ts

@@ -16,2 +16,3 @@ /// <reference types="node" />
 import { AuthClient } from './authclient';
+import { ExternalAccountAuthorizedUserClient } from './externalAccountAuthorizedUserClient';
 /**
@@ -21,3 +22,3 @@ * Defines all types of explicit clients that are determined via ADC JSON
  */
-export declare type JSONClient = JWT | UserRefreshClient | BaseExternalAccountClient | Impersonated;
+export type JSONClient = JWT | UserRefreshClient | BaseExternalAccountClient | ExternalAccountAuthorizedUserClient | Impersonated;
 export interface ProjectIdCallback {
@@ -24,0 +25,0 @@ (err?: Error | null, projectId?: string | null): void;

build/src/auth/googleauth.js

@@ -32,2 +32,3 @@ "use strict";
 const baseexternalclient_1 = require("./baseexternalclient");
+const externalAccountAuthorizedUserClient_1 = require("./externalAccountAuthorizedUserClient");
 exports.CLOUD_SDK_CLIENT_ID = '764086051850-6qr4p6gpi6hn506pt8ejuq83di341hur.apps.googleusercontent.com';
@@ -40,2 +41,7 @@ const GoogleAuthExceptionMessages = {
 class GoogleAuth {
+    // Note:  this properly is only public to satisify unit tests.
+    // https://github.com/Microsoft/TypeScript/issues/5228
+    get isGCE() {
+        return this.checkIsGCE;
+    }
     constructor(opts) {
@@ -59,7 +65,2 @@ /**
     }
-    // Note:  this properly is only public to satisify unit tests.
-    // https://github.com/Microsoft/TypeScript/issues/5228
-    get isGCE() {
-        return this.checkIsGCE;
-    }
     // GAPIC client libraries should always use self-signed JWTs. The following
@@ -362,9 +363,6 @@ // variables are set on the JWT client in order to indicate the type of library,
      */
-    fromJSON(json, options) {
+    fromJSON(json, options = {}) {
         let client;
-        if (!json) {
-            throw new Error('Must pass in a JSON object containing the Google auth settings.');
-        }
         options = options || {};
-        if (json.type === 'authorized_user') {
+        if (json.type === refreshclient_1.USER_REFRESH_ACCOUNT_TYPE) {
             client = new refreshclient_1.UserRefreshClient(options);
@@ -380,2 +378,5 @@ client.fromJSON(json);
         }
+        else if (json.type === externalAccountAuthorizedUserClient_1.EXTERNAL_ACCOUNT_AUTHORIZED_USER_TYPE) {
+            client = new externalAccountAuthorizedUserClient_1.ExternalAccountAuthorizedUserClient(json, options);
+        }
         else {
@@ -397,22 +398,3 @@ options.scopes = this.scopes;
     _cacheClientFromJSON(json, options) {
-        let client;
-        // create either a UserRefreshClient or JWT client.
-        options = options || {};
-        if (json.type === 'authorized_user') {
-            client = new refreshclient_1.UserRefreshClient(options);
-            client.fromJSON(json);
-        }
-        else if (json.type === impersonated_1.IMPERSONATED_ACCOUNT_TYPE) {
-            client = this.fromImpersonatedJSON(json);
-        }
-        else if (json.type === baseexternalclient_1.EXTERNAL_ACCOUNT_TYPE) {
-            client = externalclient_1.ExternalAccountClient.fromJSON(json, options);
-            client.scopes = this.getAnyScopes();
-        }
-        else {
-            options.scopes = this.scopes;
-            client = new jwtclient_1.JWT(options);
-            this.setGapicJWTValues(client);
-            client.fromJSON(json);
-        }
+        const client = this.fromJSON(json, options);
         // cache both raw data used to instantiate client and client itself.
@@ -419,0 +401,0 @@ this.jsonContent = json;

build/src/auth/identitypoolclient.d.ts

 import { BaseExternalAccountClient, BaseExternalAccountClientOptions } from './baseexternalclient';
 import { RefreshOptions } from './oauth2client';
-declare type SubjectTokenFormatType = 'json' | 'text';
+type SubjectTokenFormatType = 'json' | 'text';
 /**
@@ -5,0 +5,0 @@ * Url-sourced/file-sourced credentials json interface.

build/src/auth/oauth2client.d.ts

@@ -0,2 +1,4 @@
+/// <reference types="node" />
 import { GaxiosError, GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios';
+import * as querystring from 'querystring';
 import { JwkCertificate } from '../crypto/crypto';
@@ -237,2 +239,7 @@ import { BodyResponseCallback } from '../transporters';
     code_challenge?: string;
+    /**
+     * A way for developers and/or the auth team to provide a set of key value
+     * pairs to be added as query parameters to the authorization url.
+     */
+    [key: string]: querystring.ParsedUrlQueryInput[keyof querystring.ParsedUrlQueryInput];
 }
@@ -239,0 +246,0 @@ export interface AccessTokenResponse {

build/src/auth/oauth2common.d.ts

@@ -6,3 +6,3 @@ import { GaxiosOptions } from 'gaxios';
  */
-declare type OAuthErrorCode = 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' | 'unsupported_grant_type' | 'invalid_scope' | string;
+type OAuthErrorCode = 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' | 'unsupported_grant_type' | 'invalid_scope' | string;
 /**
@@ -21,3 +21,3 @@ * The standard OAuth error response.
  */
-export declare type ConfidentialClientType = 'basic' | 'request-body';
+export type ConfidentialClientType = 'basic' | 'request-body';
 /**
@@ -24,0 +24,0 @@ * Defines the client authentication credentials for basic and request-body

build/src/auth/refreshclient.d.ts

@@ -5,2 +5,3 @@ /// <reference types="node" />
 import { GetTokenResponse, OAuth2Client, RefreshOptions } from './oauth2client';
+export declare const USER_REFRESH_ACCOUNT_TYPE = "authorized_user";
 export interface UserRefreshClientOptions extends RefreshOptions {
@@ -7,0 +8,0 @@ clientId?: string;

build/src/auth/refreshclient.js

@@ -16,4 +16,5 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UserRefreshClient = void 0;
+exports.UserRefreshClient = exports.USER_REFRESH_ACCOUNT_TYPE = void 0;
 const oauth2client_1 = require("./oauth2client");
+exports.USER_REFRESH_ACCOUNT_TYPE = 'authorized_user';
 class UserRefreshClient extends oauth2client_1.OAuth2Client {
@@ -20,0 +21,0 @@ constructor(optionsOrClientId, clientSecret, refreshToken, eagerRefreshThresholdMillis, forceRefreshOnFailure) {

build/src/transporters.d.ts

@@ -13,3 +13,3 @@ import { GaxiosError, GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios';
 }
-export declare class DefaultTransporter {
+export declare class DefaultTransporter implements Transporter {
     /**
@@ -16,0 +16,0 @@ * Default user agent.

package.json

 {
   "name": "google-auth-library",
-  "version": "8.7.0",
+  "version": "8.8.0",
   "author": "Google Inc.",
@@ -25,3 +25,3 @@ "description": "Google APIs Authentication Client Library for Node.js",
     "gaxios": "^5.0.0",
-    "gcp-metadata": "^5.0.0",
+    "gcp-metadata": "^5.2.0",
     "gtoken": "^6.1.0",
@@ -42,3 +42,2 @@ "jws": "^4.0.0",
     "@types/sinon": "^10.0.0",
-    "@types/tmp": "^0.2.0",
     "assert-rejects": "^1.0.0",
@@ -56,3 +55,3 @@ "c8": "^7.0.0",
     "karma-mocha": "^2.0.0",
-    "karma-sourcemap-loader": "^0.3.7",
+    "karma-sourcemap-loader": "^0.4.0",
     "karma-webpack": "^5.0.0",
@@ -67,4 +66,3 @@ "keypair": "^1.0.4",
     "puppeteer": "^18.0.0",
-    "sinon": "^14.0.0",
-    "tmp": "^0.2.0",
+    "sinon": "^15.0.0",
     "ts-loader": "^8.0.0",
@@ -71,0 +69,0 @@ "typescript": "^4.6.3",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

513886

increased by3.18%

Dev dependency count

37

decreased by-5.13%

Number of package files

68

increased by3.03%

Lines of code

8485

increased by2.9%

Number of lines in readme file

1306

increased by2.03%

Number of low supply chain risk alerts

27

decreased by-6.9%

Dependency changes

• Updatedgcp-metadata@^5.2.0