You've already forked node-redis
mirror of
https://github.com/redis/node-redis.git
synced 2025-08-04 15:02:09 +03:00
6d21de3f31
* feat(auth): refactor authentication mechanism to use CredentialsProvider - Introduce new credential providers: AsyncCredentialsProvider, StreamingCredentialsProvider - Update client handshake process to use the new CredentialsProviders and to support async credentials fetch / credentials refresh - Internal conversion of username/password to a CredentialsProvider - Modify URL parsing to accommodate the new authentication structure - Tests * feat(auth): auth extensions Introduces TokenManager and supporting classes to handle token acquisition, automatic refresh, and updates via identity providers. This foundation enables consistent authentication token management across different identity provider implementations. Key additions: - Add TokenManager to obtain and maintain auth tokens from identity providers with automated refresh scheduling based on TTL and configurable thresholds - Add IdentityProvider interface for token acquisition from auth providers - Implement Token class for managing token state and TTL tracking - Include configurable retry mechanism with exponential backoff and jitter - Add comprehensive test suite covering refresh cycles and error handling This change establishes the core infrastructure needed for reliable token lifecycle management across different authentication providers. * feat(auth): add Entra ID identity provider integration Introduces Entra ID (former Azure AD) authentication support with multiple authentication flows and automated token lifecycle management. Key additions: - Add EntraIdCredentialsProvider for handling Entra ID authentication flows - Implement MSALIdentityProvider to integrate with MSAL/EntraID authentication library - Add support for multiple authentication methods: - Managed identities (system and user-assigned) - Client credentials with certificate - Client credentials with secret - Authorization Code flow with PKCE - Add factory class with builder methods for each authentication flow - Include sample Express server implementation for Authorization Code flow - Add comprehensive configuration options for authority and token management * feat(test-utils): improve cluster testing - Add support for configuring replica authentication with 'masterauth' - Allow default client configuration during test cluster creation This improves the testing framework's flexibility by automatically configuring replica authentication when '--requirepass' is used and enabling custom client configurations across cluster nodes. * feat(auth): add EntraId integration tests - Add integration tests for token renewal and re-authentication flows - Update credentials provider to use uniqueId as username instead of account username - Add test utilities for loading Redis endpoint configurations - Split TypeScript configs into separate files for samples and integration tests - Remove `@redis/authx` package and nest it under `@`
102 lines
3.4 KiB
TypeScript
102 lines
3.4 KiB
TypeScript
import { Disposable } from './disposable';
|
|
/**
|
|
* Provides credentials asynchronously.
|
|
*/
|
|
export interface AsyncCredentialsProvider {
|
|
readonly type: 'async-credentials-provider';
|
|
credentials: () => Promise<BasicAuth>
|
|
}
|
|
|
|
/**
|
|
* Provides credentials asynchronously with support for continuous updates via a subscription model.
|
|
* This is useful for environments where credentials are frequently rotated or updated or can be revoked.
|
|
*/
|
|
export interface StreamingCredentialsProvider {
|
|
readonly type: 'streaming-credentials-provider';
|
|
|
|
/**
|
|
* Provides initial credentials and subscribes to subsequent updates. This is used internally by the node-redis client
|
|
* to handle credential rotation and re-authentication.
|
|
*
|
|
* Note: The node-redis client manages the subscription lifecycle automatically. Users only need to implement
|
|
* onReAuthenticationError if they want to be notified about authentication failures.
|
|
*
|
|
* Error handling:
|
|
* - Errors received via onError indicate a fatal issue with the credentials stream
|
|
* - The stream is automatically closed(disposed) when onError occurs
|
|
* - onError typically mean the provider failed to fetch new credentials after retrying
|
|
*
|
|
* @example
|
|
* ```ts
|
|
* const provider = getStreamingProvider();
|
|
* const [initialCredentials, disposable] = await provider.subscribe({
|
|
* onNext: (newCredentials) => {
|
|
* // Handle credential update
|
|
* },
|
|
* onError: (error) => {
|
|
* // Handle fatal stream error
|
|
* }
|
|
* });
|
|
*
|
|
* @param listener - Callbacks to handle credential updates and errors
|
|
* @returns A Promise resolving to [initial credentials, cleanup function]
|
|
*/
|
|
subscribe: (listener: StreamingCredentialsListener<BasicAuth>) => Promise<[BasicAuth, Disposable]>
|
|
|
|
/**
|
|
* Called when authentication fails or credentials cannot be renewed in time.
|
|
* Implement this to handle authentication errors in your application.
|
|
*
|
|
* @param error - Either a CredentialsError (invalid/expired credentials) or
|
|
* UnableToObtainNewCredentialsError (failed to fetch new credentials on time)
|
|
*/
|
|
onReAuthenticationError: (error: ReAuthenticationError) => void;
|
|
|
|
}
|
|
|
|
/**
|
|
* Type representing basic authentication credentials.
|
|
*/
|
|
export type BasicAuth = { username?: string, password?: string }
|
|
|
|
/**
|
|
* Callback to handle credential updates and errors.
|
|
*/
|
|
export type StreamingCredentialsListener<T> = {
|
|
onNext: (credentials: T) => void;
|
|
onError: (e: Error) => void;
|
|
}
|
|
|
|
|
|
/**
|
|
* Providers that can supply authentication credentials
|
|
*/
|
|
export type CredentialsProvider = AsyncCredentialsProvider | StreamingCredentialsProvider
|
|
|
|
/**
|
|
* Errors that can occur during re-authentication.
|
|
*/
|
|
export type ReAuthenticationError = CredentialsError | UnableToObtainNewCredentialsError
|
|
|
|
/**
|
|
* Thrown when re-authentication fails with provided credentials .
|
|
* e.g. when the credentials are invalid, expired or revoked.
|
|
*
|
|
*/
|
|
export class CredentialsError extends Error {
|
|
constructor(message: string) {
|
|
super(`Re-authentication with latest credentials failed: ${message}`);
|
|
this.name = 'CredentialsError';
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
* Thrown when new credentials cannot be obtained before current ones expire
|
|
*/
|
|
export class UnableToObtainNewCredentialsError extends Error {
|
|
constructor(message: string) {
|
|
super(`Unable to obtain new credentials : ${message}`);
|
|
this.name = 'UnableToObtainNewCredentialsError';
|
|
}
|
|
} |