aws-observability
diff --git a/‎src/CommandQueue.ts‎
Lines changed: 5 additions & 2 deletions b/‎src/CommandQueue.ts‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎src/dispatch/Authentication.ts‎
Lines changed: 30 additions & 61 deletions b/‎src/dispatch/Authentication.ts‎
Lines changed: 30 additions & 61 deletions
diff --git a/‎src/dispatch/BasicAuthentication.ts‎
Lines changed: 57 additions & 0 deletions b/‎src/dispatch/BasicAuthentication.ts‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎src/dispatch/CognitoIdentityClient.ts‎
Lines changed: 2 additions & 15 deletions b/‎src/dispatch/CognitoIdentityClient.ts‎
Lines changed: 2 additions & 15 deletions
diff --git a/‎src/dispatch/Dispatch.ts‎
Lines changed: 10 additions & 4 deletions b/‎src/dispatch/Dispatch.ts‎
Lines changed: 10 additions & 4 deletions
@@ -1,4 +1,7 @@
-import { CredentialProvider, Credentials } from '@aws-sdk/types';
+import {
+    AwsCredentialIdentity,
+    AwsCredentialIdentityProvider
+} from '@aws-sdk/types';
 import { Plugin } from 'plugins/Plugin';
 import { INSTALL_SCRIPT } from './utils/constants';
 import { PartialConfig, Orchestration } from './orchestration/Orchestration';
@@ -52,7 +55,7 @@ export class CommandQueue {
 
     private commandHandlerMap: CommandFunctions = {
         setAwsCredentials: (
-            payload: Credentials | CredentialProvider
+            payload: AwsCredentialIdentity | AwsCredentialIdentityProvider
         ): void => {
             this.orchestration.setAwsCredentials(payload);
         },
 
@@ -1,23 +1,17 @@
 import { CognitoIdentityClient } from './CognitoIdentityClient';
 import { Config } from '../orchestration/Orchestration';
-import { Credentials } from '@aws-sdk/types';
+import { AwsCredentialIdentity } from '@aws-sdk/types';
 import { FetchHttpHandler } from '@aws-sdk/fetch-http-handler';
-import { StsClient } from './StsClient';
 import { CRED_KEY, CRED_RENEW_MS } from '../utils/constants';
 
-export class Authentication {
-    private cognitoIdentityClient: CognitoIdentityClient;
-    private stsClient: StsClient;
-    private config: Config;
-    private credentials: Credentials | undefined;
+export abstract class Authentication {
+    protected cognitoIdentityClient: CognitoIdentityClient;
+    protected config: Config;
+    protected credentials: AwsCredentialIdentity | undefined;
 
     constructor(config: Config) {
         const region: string = config.identityPoolId!.split(':')[0];
         this.config = config;
-        this.stsClient = new StsClient({
-            fetchRequestHandler: new FetchHttpHandler(),
-            region
-        });
         this.cognitoIdentityClient = new CognitoIdentityClient({
             fetchRequestHandler: new FetchHttpHandler(),
             region
@@ -33,7 +27,7 @@ export class Authentication {
      * re-authenticate every time the client loads, which (1) improves the performance of the RUM web client and (2)
      * reduces the load on AWS services Cognito and STS.
      *
-     * While storing credentials in localStorage puts the cookie at greater risk of being leaked through an
+     * While storing credentials in localStorage puts the credential at greater risk of being leaked through an
      * XSS attack, there is no impact if the credentials were to be leaked. This is because (1) the identity pool ID
      * and role ARN are public and (2) the credentials are for an anonymous (guest) user.
      *
@@ -51,10 +45,10 @@ export class Authentication {
      * Taken together, (1) and (2) mean that if these temporary credentials were to be leaked, the leaked credentials
      * would not allow a bad actor to gain access to anything which they did not already have public access to.
      *
-     * Implements CredentialsProvider = Provider<Credentials>
+     * Implements AwsCredentialIdentityProvider = Provider<AwsCredentialIdentity>
      */
     public ChainAnonymousCredentialsProvider =
-        async (): Promise<Credentials> => {
+        async (): Promise<AwsCredentialIdentity> => {
             return this.AnonymousCredentialsProvider()
                 .catch(this.AnonymousStorageCredentialsProvider)
                 .catch(this.AnonymousCognitoCredentialsProvider);
@@ -63,27 +57,28 @@ export class Authentication {
     /**
      * Provides credentials for an anonymous (guest) user. These credentials are read from a member variable.
      *
-     * Implements CredentialsProvider = Provider<Credentials>
+     * Implements AwsCredentialIdentityProvider = Provider<AwsCredentialIdentity>
      */
-    private AnonymousCredentialsProvider = async (): Promise<Credentials> => {
-        return new Promise<Credentials>((resolve, reject) => {
-            if (this.renewCredentials()) {
-                // The credentials have expired.
-                return reject();
-            }
-            resolve(this.credentials!);
-        });
-    };
+    private AnonymousCredentialsProvider =
+        async (): Promise<AwsCredentialIdentity> => {
+            return new Promise<AwsCredentialIdentity>((resolve, reject) => {
+                if (this.renewCredentials()) {
+                    // The credentials have expired.
+                    return reject();
+                }
+                resolve(this.credentials!);
+            });
+        };
 
     /**
      * Provides credentials for an anonymous (guest) user. These credentials are read from localStorage.
      *
-     * Implements CredentialsProvider = Provider<Credentials>
+     * Implements AwsCredentialIdentityProvider = Provider<AwsCredentialIdentity>
      */
     private AnonymousStorageCredentialsProvider =
-        async (): Promise<Credentials> => {
-            return new Promise<Credentials>((resolve, reject) => {
-                let credentials: Credentials;
+        async (): Promise<AwsCredentialIdentity> => {
+            return new Promise<AwsCredentialIdentity>((resolve, reject) => {
+                let credentials: AwsCredentialIdentity;
                 try {
                     credentials = JSON.parse(localStorage.getItem(CRED_KEY)!);
                 } catch (e) {
@@ -106,44 +101,18 @@ export class Authentication {
         };
 
     /**
-     * Provides credentials for an anonymous (guest) user. These credentials are retrieved from Cognito's basic
-     * (classic) authflow.
+     * Provides credentials for an anonymous (guest) user. These credentials are retrieved from Cognito's enhanced
+     * authflow.
      *
      * See https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
      *
-     * Implements CredentialsProvider = Provider<Credentials>
+     * Implements AwsCredentialIdentityProvider = Provider<AwsCredentialIdentity>
      */
-    private AnonymousCognitoCredentialsProvider =
-        async (): Promise<Credentials> => {
-            return this.cognitoIdentityClient
-                .getId({
-                    IdentityPoolId: this.config.identityPoolId as string
-                })
-                .then((getIdResponse) =>
-                    this.cognitoIdentityClient.getOpenIdToken(getIdResponse)
-                )
-                .then((getOpenIdTokenResponse) =>
-                    this.stsClient.assumeRoleWithWebIdentity({
-                        RoleArn: this.config.guestRoleArn as string,
-                        RoleSessionName: 'cwr',
-                        WebIdentityToken: getOpenIdTokenResponse.Token
-                    })
-                )
-                .then((credentials: Credentials) => {
-                    this.credentials = credentials;
-                    try {
-                        localStorage.setItem(
-                            CRED_KEY,
-                            JSON.stringify(credentials)
-                        );
-                    } catch (e) {
-                        // Ignore
-                    }
-
-                    return credentials;
-                });
-        };
+    protected abstract AnonymousCognitoCredentialsProvider: () => Promise<AwsCredentialIdentity>;
 
+    /**
+     * Returns {@code true} when the credentials need to be renewed.
+     */
     private renewCredentials(): boolean {
         if (!this.credentials || !this.credentials.expiration) {
             return true;
 
@@ -0,0 +1,57 @@
+import { Config } from '../orchestration/Orchestration';
+import { AwsCredentialIdentity } from '@aws-sdk/types';
+import { FetchHttpHandler } from '@aws-sdk/fetch-http-handler';
+import { StsClient } from './StsClient';
+import { CRED_KEY } from '../utils/constants';
+import { Authentication } from './Authentication';
+
+export class BasicAuthentication extends Authentication {
+    private stsClient: StsClient;
+
+    constructor(config: Config) {
+        super(config);
+        const region: string = config.identityPoolId!.split(':')[0];
+        this.stsClient = new StsClient({
+            fetchRequestHandler: new FetchHttpHandler(),
+            region
+        });
+    }
+
+    /**
+     * Provides credentials for an anonymous (guest) user. These credentials are retrieved from Cognito's basic
+     * (classic) authflow.
+     *
+     * See https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
+     *
+     * Implements AwsCredentialIdentityProvider = Provider<AwsCredentialIdentity>
+     */
+    protected AnonymousCognitoCredentialsProvider =
+        async (): Promise<AwsCredentialIdentity> => {
+            return this.cognitoIdentityClient
+                .getId({
+                    IdentityPoolId: this.config.identityPoolId as string
+                })
+                .then((getIdResponse) =>
+                    this.cognitoIdentityClient.getOpenIdToken(getIdResponse)
+                )
+                .then((getOpenIdTokenResponse) =>
+                    this.stsClient.assumeRoleWithWebIdentity({
+                        RoleArn: this.config.guestRoleArn as string,
+                        RoleSessionName: 'cwr',
+                        WebIdentityToken: getOpenIdTokenResponse.Token
+                    })
+                )
+                .then((credentials: AwsCredentialIdentity) => {
+                    this.credentials = credentials;
+                    try {
+                        localStorage.setItem(
+                            CRED_KEY,
+                            JSON.stringify(credentials)
+                        );
+                    } catch (e) {
+                        // Ignore
+                    }
+                    return credentials;
+                });
+        };
+}
@@ -1,6 +1,6 @@
 /* eslint-disable no-underscore-dangle */
 import { HttpHandler, HttpRequest } from '@aws-sdk/protocol-http';
-import { Credentials } from '@aws-sdk/types';
+import { AwsCredentialIdentity } from '@aws-sdk/types';
 import { responseToJson } from './utils';
 import { IDENTITY_KEY } from '../utils/constants';
 
@@ -14,19 +14,6 @@ const GET_TOKEN_TARGET = 'AWSCognitoIdentityService.GetOpenIdToken';
 const GET_CREDENTIALS_TARGET =
     'AWSCognitoIdentityService.GetCredentialsForIdentity';
 
-interface CognitoProviderParameters {
-    /**
-     * The unique identifier for the identity pool from which an identity should
-     * be retrieved or generated.
-     */
-    identityPoolId: string;
-    /**
-     * The SDK client with which the credential provider will contact the Amazon
-     * Cognito service.
-     */
-    client: CognitoIdentityClient;
-}
-
 interface CognitoCredentials {
     AccessKeyId: string;
     Expiration: number;
@@ -123,7 +110,7 @@ export class CognitoIdentityClient {
 
     public getCredentialsForIdentity = async (
         identityId: string
-    ): Promise<Credentials> => {
+    ): Promise<AwsCredentialIdentity> => {
         try {
             const requestPayload = JSON.stringify({ IdentityId: identityId });
             const credentialRequest = this.getHttpRequest(
 
@@ -1,4 +1,8 @@
-import { CredentialProvider, Credentials, HttpResponse } from '@aws-sdk/types';
+import {
+    AwsCredentialIdentityProvider,
+    AwsCredentialIdentity,
+    HttpResponse
+} from '@aws-sdk/types';
 import { EventCache } from '../event-cache/EventCache';
 import { DataPlaneClient } from './DataPlaneClient';
 import { BeaconHttpHandler } from './BeaconHttpHandler';
@@ -22,7 +26,7 @@ const NO_CRED_MSG = 'CWR: Cannot dispatch; no AWS credentials.';
 export type ClientBuilder = (
     endpoint: URL,
     region: string,
-    credentials: CredentialProvider | Credentials | undefined
+    credentials?: AwsCredentialIdentity | AwsCredentialIdentityProvider
 ) => DataPlaneClient;
 
 export class Dispatch {
@@ -85,7 +89,9 @@ export class Dispatch {
      * @param credentials A set of AWS credentials from the application's authflow.
      */
     public setAwsCredentials(
-        credentialProvider: Credentials | CredentialProvider
+        credentialProvider:
+            | AwsCredentialIdentity
+            | AwsCredentialIdentityProvider
     ): void {
         this.rum = this.buildClient(
             this.endpoint,
@@ -95,7 +101,7 @@ export class Dispatch {
         if (typeof credentialProvider === 'function') {
             // In case a beacon in the first dispatch, we must pre-fetch credentials into a cookie so there is no delay
             // to fetch credentials while the page is closing.
-            (credentialProvider as () => Promise<Credentials>)();
+            (credentialProvider as () => Promise<AwsCredentialIdentity>)();
         }
     }