ibm-functions / iam-token-manager-nodejs Goto Github PK

The OpenWhisk SDK uses the iam-token-manager package to plug in IAM token support as the default authHandler for openwhisk client instances that interact with IAM namespaces.

When customers try to invoke many actions from one other action, they inadvertently trigger a lot of getAuthHeader() calls on the iam-token-manager 'concurrently'. The word 'concurrently' is in quotation marks, as nodejs is single threaded, yet while the getToken() request is in-flight, all the other getAuthHeader() calls trigger many more (unnecessary) getToken() requests.

This leads to a 429 'Too many request' Denial of Service protection error from the IAM token API.

Therefore, the caching behavior for the tokenInfo (Token Request response JSON) and the logic for when to request another token needs to be improved.

For simple scenarios, the code is working just fine, so this issue could be considered an enhancement as well.

Fyi: I have some code that addresses this issue ready soon.

npm WARN notsup Unsupported engine for @ibm-functions/[email protected]: wanted: {"node":"^12.x","npm":"6.4.1"} (current: {"node":"12.17.0","npm":"6.14.4"})

Why does the engine: field have npm: 6.4.1 exactly? Seems like it should be npm: ^6.x or unspecified.

Currently, the token manager uses the refreshToken to obtain a new access token, in case the access token has been expired. This may lead to unforeseen issues, if the refresh token expired as well. There is logic in place that should handle this case, but we do have the indication that the mechanism does not work properly.

The token manager should in all cases use the API key to obtain a new access token.

The Readme shows getToken() instead of getAuthHeader in the example

For containers API, they require the refresh_token to be sent at the header. For some of its API.

Refer:
https://containers.cloud.ibm.com/global/swagger-global-api/#/clusters/GetClusterConfig