Class UpdatingSecrets<Secrets>

constructor

• new UpdatingSecrets<const Secrets extends Readonly<SecretDefinitions>>(
      secrets: Readonly<Secrets>,
      adapters: readonly Readonly<BaseSecretsAdapter>[],
      options?: Readonly<UpdatingSecretsOptions>,
  ): UpdatingSecrets<Secrets>

  Type Parameters

  • const Secrets extends Readonly<SecretDefinitions>

  Parameters

  • secrets: Readonly<Secrets>
  • adapters: readonly Readonly<BaseSecretsAdapter>[]

    A list of adapters to load secrets from. Order here matters: all values loaded from the last adapters will override the previous values. Meaning, the first adapter can be used as a "default" value source while all subsequent adapters will override its values.
  • options: Readonly<UpdatingSecretsOptions> = {}

  Returns UpdatingSecrets<Secrets>

ReadonlyisDestroyed

get

• get get(): SecretValues<Secrets>

  Get the latest secret values.

  Returns SecretValues<Secrets>

compareRotatableSecret

• compareRotatableSecret(
      underComparison: string,
      actualRotatableSecretValue: { current: string; legacy?: string },
  ): boolean

  Compare a value underComparison to a secret's currently known secret value that was defined with rotatableSecretShape.

  Parameters

  • underComparison: string

    The uncontrolled string to compare to your secrets.

    This could be, for example, an API key used by someone else trying to authenticate with your service.
  • actualRotatableSecretValue: { current: string; legacy?: string }

    The current value of the secret as obtained by UpdatingSecrets.get.

    • current: string

      The latest up-to-date version of the secret's value.

    • Optionallegacy?: string

      The optional legacy value for the secret. Use for graceful secret rotation.

  Returns boolean

  Example

  import {
      createUpdatingSecrets,
      rotatableSecretShape,
      defineSecrets,
      StaticSecretsAdapter,
  } from 'updating-secrets';
  
  const updatingSecrets = await createUpdatingSecrets(
      defineSecrets({
          apiKey: {
              description: '',
              whereToFind: '',
              shape: rotatableSecretShape,
          },
      }),
      [
          new StaticSecretsAdapter({
              apiKey: {
                  current: 'latest key',
                  legacy: 'old key',
              },
          }),
      ],
  );
  
  export async function handleApiRequest(request: Request) {
      const apiKey = request.headers.get('apiKey');
      if (!apiKey) {
          throw new Error('API request missing the required API key.');
      } else if (
          !updatingSecrets.compareRotatableSecret(apiKey, updatingSecrets.get.apiKey)
      ) {
          throw new Error('Invalid API key.');
      }
  }
  Copy

destroy

• destroy(): void

  Stop the auto updating and destroy all adapters.

  Returns void

loadSecrets

• loadSecrets(): Promise<SecretValues<Secrets>>

  Loads all secrets and populates or updates UpdatingSecrets.get. This must be called and awaited at least once before UpdatingSecrets.get can work, otherwise UpdatingSecrets.get will error out. Consider using createUpdatingSecrets, instead of constructing UpdatingSecrets directly, which automatically handles calling this for the first time.

  Only one secret update can be active at a time, so calling this multiple times in quick succession will simply return the same promise of the latest-running update.

  Returns Promise<SecretValues<Secrets>>