Stale RAB retry now has its own flag. RAB refresh now triggered at the requestAsync level. RAB urls now have googleapis as universe domain.

Author: vverman

packages/google-auth-library-nodejs/src/auth/authclient.ts

@@ -444,13 +444,28 @@ export abstract class AuthClient
       headers.set('x-goog-user-project', this.quotaProjectId);
     }
 
+    return headers;
+  }
+
+  /**
+   * Applies regional access boundary rules to the provided headers.
+   * This includes adding the x-allowed-locations header and triggering
+   * a background refresh if needed.
+   * @param headers The headers to update.
+   * @param url Optional destination URL of the request. If missing, assumed global.
+   */
+  protected applyRegionalAccessBoundary(
+    headers: Headers,
+    url?: string | URL,
+  ): void {
     const rabHeader =
-      this.regionalAccessBoundaryManager.getRegionalAccessBoundaryHeader();
+      this.regionalAccessBoundaryManager.getRegionalAccessBoundaryHeader(
+        url,
+        headers,
+      );
     if (rabHeader) {
       headers.set('x-allowed-locations', rabHeader);
     }
-
-    return headers;
   }
 
   /**
@@ -478,7 +493,7 @@ export abstract class AuthClient
       target.set('authorization', authorizationHeader);
     }
 
-    if (xGoogAllowedLocs || xGoogAllowedLocs === '') {
+    if (xGoogAllowedLocs) {
       target.set('x-allowed-locations', xGoogAllowedLocs);
     }
 
@@ -620,21 +635,6 @@ export abstract class AuthClient
     };
   }
 
-  /**
-   * Triggers an asynchronous regional access boundary refresh if needed.
-   * @param url The endpoint URL being accessed.
-   * @param accessToken The access token to use for the lookup.
-   */
-  protected maybeTriggerRegionalAccessBoundaryRefresh(
-    url: string | URL | undefined,
-    accessToken: string,
-  ) {
-    this.regionalAccessBoundaryManager.maybeTriggerRegionalAccessBoundaryRefresh(
-      url,
-      accessToken,
-    );
-  }
-
   /**
    * Returns whether the provided credentials are expired or will expire within
    * eagerRefreshThresholdMillismilliseconds.

packages/google-auth-library-nodejs/src/auth/baseexternalclient.ts

@@ -429,10 +429,7 @@ export abstract class BaseExternalAccountClient extends AuthClient {
     const headers = new Headers({
       authorization: `Bearer ${accessTokenResponse.token}`,
     });
-    this.maybeTriggerRegionalAccessBoundaryRefresh(
-      url,
-      accessTokenResponse.token!,
-    );
+    this.applyRegionalAccessBoundary(headers, url);
     return this.addSharedMetadataHeaders(headers);
   }
 
@@ -504,28 +501,32 @@ export abstract class BaseExternalAccountClient extends AuthClient {
    * returned response.
    * @param opts The HTTP request options.
    * @param reAuthRetried Whether the current attempt is a retry after a failed attempt due to an auth failure.
+   * @param retryWithoutRAB Whether the current attempt is a retry after a failed attempt due to a stale regional access boundary.
    * @return A promise that resolves with the successful response.
    */
   protected async requestAsync<T>(
     opts: GaxiosOptions,
     reAuthRetried = false,
+    retryWithoutRAB = false,
   ): Promise<GaxiosResponse<T>> {
     let response: GaxiosResponse;
     const requestOpts = {...opts};
     try {
-      const requestHeaders = await this.getRequestHeaders();
+      const requestHeaders = await this.getRequestHeaders(opts.url);
       requestOpts.headers = Gaxios.mergeHeaders(requestOpts.headers);
 
       this.applyHeadersFromSource(requestOpts.headers, requestHeaders);
 
+      this.applyRegionalAccessBoundary(requestOpts.headers, opts.url);
+
       response = await this.transporter.request<T>(requestOpts);
     } catch (e) {
       if (
         this.isStaleRegionalAccessBoundaryError(e as GaxiosError) &&
-        !reAuthRetried
+        !retryWithoutRAB
       ) {
         this.clearRegionalAccessBoundaryCache();
-        return await this.requestAsync<T>(opts, true);
+        return await this.requestAsync<T>(opts, reAuthRetried, true);
       }
       const res = (e as GaxiosError).response;
       if (res) {
@@ -544,7 +545,7 @@ export abstract class BaseExternalAccountClient extends AuthClient {
           this.forceRefreshOnFailure
         ) {
           await this.refreshAccessTokenAsync();
-          return await this.requestAsync<T>(opts, true);
+          return await this.requestAsync<T>(opts, true, retryWithoutRAB);
         }
       }
       throw e;
@@ -740,27 +741,28 @@ export abstract class BaseExternalAccountClient extends AuthClient {
         );
       }
       return SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
-        '{universe_domain}',
-        this.universeDomain,
-      ).replace('{service_account_email}', encodeURIComponent(email));
+        '{service_account_email}',
+        encodeURIComponent(email),
+      );
     }
 
     // Check if the audience corresponds to a workload identity pool.
     const wfPoolId = getWorkforcePoolIdFromAudience(this.audience);
     if (wfPoolId) {
       return WORKFORCE_LOOKUP_ENDPOINT.replace(
-        '{universe_domain}',
-        this.universeDomain,
-      ).replace('{pool_id}', encodeURIComponent(wfPoolId));
+        '{pool_id}',
+        encodeURIComponent(wfPoolId),
+      );
     }
 
     // Check if the audience corresponds to a workforce identity pool.
     const wlPoolId = getWorkloadPoolIdFromAudience(this.audience);
     const projectNumber = this.getProjectNumber(this.audience);
     if (wlPoolId && projectNumber) {
-      return WORKLOAD_LOOKUP_ENDPOINT.replace('{project_id}', projectNumber)
-        .replace('{pool_id}', wlPoolId)
-        .replace('{universe_domain}', this.universeDomain);
+      return WORKLOAD_LOOKUP_ENDPOINT.replace(
+        '{project_id}',
+        projectNumber,
+      ).replace('{pool_id}', wlPoolId);
     }
 
     throw new RangeError(

packages/google-auth-library-nodejs/src/auth/externalAccountAuthorizedUserClient.ts

@@ -221,15 +221,20 @@ export class ExternalAccountAuthorizedUserClient extends AuthClient {
     };
   }
 
+  /**
+   * The main authentication interface. It takes an optional url which when
+   * present is the endpoint being accessed, and returns a Promise which
+   * resolves with authorization header fields.
+   *
+   * @param url The URI being authorized.
+   * @returns A promise that resolves with authorization header fields.
+   */
   async getRequestHeaders(url?: string | URL): Promise<Headers> {
     const accessTokenResponse = await this.getAccessToken();
     const headers = new Headers({
       authorization: `Bearer ${accessTokenResponse.token}`,
     });
-    this.maybeTriggerRegionalAccessBoundaryRefresh(
-      url,
-      accessTokenResponse.token!,
-    );
+    this.applyRegionalAccessBoundary(headers, url);
     return this.addSharedMetadataHeaders(headers);
   }
 
@@ -256,28 +261,32 @@ export class ExternalAccountAuthorizedUserClient extends AuthClient {
    * returned response.
    * @param opts The HTTP request options.
    * @param reAuthRetried Whether the current attempt is a retry after a failed attempt due to an auth failure.
+   * @param retryWithoutRAB Whether the current attempt is a retry after a failed attempt due to a stale regional access boundary.
    * @return A promise that resolves with the successful response.
    */
   protected async requestAsync<T>(
     opts: GaxiosOptions,
     reAuthRetried = false,
+    retryWithoutRAB = false,
   ): Promise<GaxiosResponse<T>> {
     let response: GaxiosResponse;
     const requestOpts = {...opts};
     try {
-      const requestHeaders = await this.getRequestHeaders();
+      const requestHeaders = await this.getRequestHeaders(opts.url);
       requestOpts.headers = Gaxios.mergeHeaders(requestOpts.headers);
 
       this.applyHeadersFromSource(requestOpts.headers, requestHeaders);
 
+      this.applyRegionalAccessBoundary(requestOpts.headers, opts.url);
+
       response = await this.transporter.request<T>(requestOpts);
     } catch (e) {
       if (
         this.isStaleRegionalAccessBoundaryError(e as GaxiosError) &&
-        !reAuthRetried
+        !retryWithoutRAB
       ) {
         this.clearRegionalAccessBoundaryCache();
-        return await this.requestAsync<T>(opts, true);
+        return await this.requestAsync<T>(opts, reAuthRetried, true);
       }
       const res = (e as GaxiosError).response;
       if (res) {
@@ -296,7 +305,7 @@ export class ExternalAccountAuthorizedUserClient extends AuthClient {
           this.forceRefreshOnFailure
         ) {
           await this.refreshAccessTokenAsync();
-          return await this.requestAsync<T>(opts, true);
+          return await this.requestAsync<T>(opts, true, retryWithoutRAB);
         }
       }
       throw e;
@@ -347,8 +356,8 @@ export class ExternalAccountAuthorizedUserClient extends AuthClient {
       );
     }
     return WORKFORCE_LOOKUP_ENDPOINT.replace(
-      '{universe_domain}',
-      this.universeDomain,
-    ).replace('{pool_id}', encodeURIComponent(poolId));
+      '{pool_id}',
+      encodeURIComponent(poolId),
+    );
   }
 }

packages/google-auth-library-nodejs/src/auth/impersonated.ts

@@ -271,9 +271,9 @@ export class Impersonated extends OAuth2Client implements IdTokenProvider {
       );
     }
     const regionalAccessBoundaryUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
-      '{universe_domain}',
-      this.universeDomain,
-    ).replace('{service_account_email}', encodeURIComponent(targetPrincipal));
+      '{service_account_email}',
+      encodeURIComponent(targetPrincipal),
+    );
     return regionalAccessBoundaryUrl;
   }
 }

packages/google-auth-library-nodejs/src/auth/jwtclient.ts

@@ -141,10 +141,6 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
         ).target_audience
       ) {
         const {tokens} = await this.refreshToken();
-        this.maybeTriggerRegionalAccessBoundaryRefresh(
-          url ?? undefined,
-          (tokens.access_token ?? tokens.id_token)!,
-        );
         return {
           headers: this.addSharedMetadataHeaders(
             new Headers({
@@ -184,13 +180,6 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
           useScopes ? scopes : undefined,
         );
 
-        const authHeader = headers.get('authorization');
-        if (authHeader && authHeader.startsWith('Bearer ')) {
-          this.maybeTriggerRegionalAccessBoundaryRefresh(
-            url ?? undefined,
-            authHeader.substring(7),
-          );
-        }
         return {headers: this.addSharedMetadataHeaders(headers)};
       }
     } else if (this.hasAnyScopes() || this.apiKey) {
@@ -427,9 +416,9 @@ export class JWT extends OAuth2Client implements IdTokenProvider {
       );
     }
     const regionalAccessBoundaryUrl = SERVICE_ACCOUNT_LOOKUP_ENDPOINT.replace(
-      '{universe_domain}',
-      this.universeDomain,
-    ).replace('{service_account_email}', encodeURIComponent(this.email));
+      '{service_account_email}',
+      encodeURIComponent(this.email),
+    );
     return regionalAccessBoundaryUrl;
   }
 }

packages/google-auth-library-nodejs/src/auth/oauth2client.ts

@@ -938,6 +938,7 @@ export class OAuth2Client extends AuthClient {
    */
   async getRequestHeaders(url?: string | URL): Promise<Headers> {
     const headers = (await this.getRequestMetadataAsync(url)).headers;
+    this.applyRegionalAccessBoundary(headers, url);
     return headers;
   }
 
@@ -962,10 +963,6 @@ export class OAuth2Client extends AuthClient {
       const headers = new Headers({
         authorization: thisCreds.token_type + ' ' + thisCreds.access_token,
       });
-      this.maybeTriggerRegionalAccessBoundaryRefresh(
-        url ?? undefined,
-        thisCreds.access_token,
-      );
       return {headers: this.addSharedMetadataHeaders(headers)};
     }
 
@@ -978,10 +975,6 @@ export class OAuth2Client extends AuthClient {
         const headers = new Headers({
           authorization: 'Bearer ' + this.credentials.access_token,
         });
-        this.maybeTriggerRegionalAccessBoundaryRefresh(
-          url ?? undefined,
-          this.credentials.access_token!,
-        );
         return {headers: this.addSharedMetadataHeaders(headers)};
       }
     }
@@ -1012,10 +1005,6 @@ export class OAuth2Client extends AuthClient {
     const headers = new Headers({
       authorization: credentials.token_type + ' ' + tokens.access_token,
     });
-    this.maybeTriggerRegionalAccessBoundaryRefresh(
-      url ?? undefined,
-      tokens.access_token!,
-    );
     return {headers: this.addSharedMetadataHeaders(headers), res: r.res};
   }
 
@@ -1128,6 +1117,7 @@ export class OAuth2Client extends AuthClient {
   protected async requestAsync<T>(
     opts: GaxiosOptions,
     reAuthRetried = false,
+    retryWithoutRAB = false,
   ): Promise<GaxiosResponse<T>> {
     const requestOpts = {...opts};
     try {
@@ -1140,15 +1130,17 @@ export class OAuth2Client extends AuthClient {
         requestOpts.headers.set('X-Goog-Api-Key', this.apiKey);
       }
 
+      this.applyRegionalAccessBoundary(requestOpts.headers, opts.url);
+
       return await this.transporter.request<T>(requestOpts);
     } catch (e) {
       if (
         this.isStaleRegionalAccessBoundaryError(e as GaxiosError) &&
-        !reAuthRetried
+        !retryWithoutRAB
       ) {
         this.clearRegionalAccessBoundaryCache();
         // Background refresh is triggered by getRequestMetadataAsync in the retry
-        return await this.requestAsync<T>(opts, true);
+        return await this.requestAsync<T>(opts, reAuthRetried, true);
       }
       const res = (e as GaxiosError).response;
       if (res) {
@@ -1194,7 +1186,7 @@ export class OAuth2Client extends AuthClient {
           mayRequireRefresh
         ) {
           await this.refreshAccessTokenAsync();
-          return this.requestAsync<T>(opts, true);
+          return this.requestAsync<T>(opts, true, retryWithoutRAB);
         } else if (
           !reAuthRetried &&
           isAuthErr &&
@@ -1206,7 +1198,7 @@ export class OAuth2Client extends AuthClient {
           if (refreshedAccessToken?.access_token) {
             this.setCredentials(refreshedAccessToken);
           }
-          return this.requestAsync<T>(opts, true);
+          return this.requestAsync<T>(opts, true, retryWithoutRAB);
         }
       }
       throw e;