Merge branch 'zhiyuanliang/secret-refresh' of https://github.com/Azure/AppConfiguration-JavaScriptProvider into zhiyuanliang/secret-refresh

Author: zhiyuanliang-ms

src/AzureAppConfigurationImpl.ts

@@ -176,7 +176,7 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
             const { secretRefreshIntervalInMs } = options.keyVaultOptions;
             if (secretRefreshIntervalInMs !== undefined) {
                 if (secretRefreshIntervalInMs < MIN_SECRET_REFRESH_INTERVAL_IN_MS) {
-                    throw new RangeError(`The key vault secret refresh interval cannot be less than ${MIN_SECRET_REFRESH_INTERVAL_IN_MS} milliseconds.`);
+                    throw new RangeError(`The Key Vault secret refresh interval cannot be less than ${MIN_SECRET_REFRESH_INTERVAL_IN_MS} milliseconds.`);
                 }
                 this.#secretRefreshEnabled = true;
                 this.#secretRefreshTimer = new RefreshTimer(secretRefreshIntervalInMs);

src/keyvault/AzureKeyVaultSecretProvider.ts

@@ -31,21 +31,22 @@ export class AzureKeyVaultSecretProvider {
     }
 
     async getSecretValue(secretIdentifier: KeyVaultSecretIdentifier): Promise<unknown> {
-        // The map key is a combination of sourceId and version: "{sourceId}\n{version}"
+        // The map key is a combination of sourceId and version: "{sourceId}\n{version}".
         const identifierKey = `${secretIdentifier.sourceId}\n${secretIdentifier.version ?? ""}`;
+
+        // If the secret has a version, always use the cached value if available.
+        if (secretIdentifier.version && this.#cachedSecretValue.has(identifierKey)) {
+            return this.#cachedSecretValue.get(identifierKey);
+        }
+
         if (this.#refreshTimer && !this.#refreshTimer.canRefresh()) {
-            // return the cached secret value if it exists
+            // If the refresh interval is not expired, return the cached value if available.
             if (this.#cachedSecretValue.has(identifierKey)) {
-                const cachedValue = this.#cachedSecretValue.get(identifierKey);
-                return cachedValue;
+                return this.#cachedSecretValue.get(identifierKey);
             }
-            // not found in cache, get the secret value from key vault
-            const secretValue = await this.#getSecretValueFromKeyVault(secretIdentifier);
-            this.#cachedSecretValue.set(identifierKey, secretValue);
-            return secretValue;
         }
 
-        // Always reload the secret value from key vault when the refresh timer expires.
+        // Fallback to fetching the secret value from Key Vault.
         const secretValue = await this.#getSecretValueFromKeyVault(secretIdentifier);
         this.#cachedSecretValue.set(identifierKey, secretValue);
         return secretValue;
@@ -85,7 +86,7 @@ export class AzureKeyVaultSecretProvider {
             return client;
         }
         if (this.#keyVaultOptions?.credential) {
-            client = new SecretClient(vaultUrl.toString(), this.#keyVaultOptions.credential);
+            client = new SecretClient(vaultUrl.toString(), this.#keyVaultOptions.credential, this.#keyVaultOptions.clientOptions);
             this.#secretClients.set(vaultUrl.host, client);
             return client;
         }

src/keyvault/KeyVaultOptions.ts

@@ -2,7 +2,7 @@
 // Licensed under the MIT license.
 
 import { TokenCredential } from "@azure/identity";
-import { SecretClient } from "@azure/keyvault-secrets";
+import { SecretClient, SecretClientOptions } from "@azure/keyvault-secrets";
 
 export const MIN_SECRET_REFRESH_INTERVAL_IN_MS = 60_000;
 
@@ -21,16 +21,25 @@ export interface KeyVaultOptions {
     credential?: TokenCredential;
 
     /**
-     * Specifies the refresh interval in milliseconds for periodically reloading secret from Key Vault.
+     * * Configures the client options used when connecting to key vaults that have no registered SecretClient.
+     *
      * @remarks
-     * If specified, the value must be greater than 60 seconds.
+     * The client options will not affect the registered SecretClient instances.
      */
-    secretRefreshIntervalInMs?: number;
+    clientOptions?: SecretClientOptions;
 
     /**
      * Specifies the callback used to resolve key vault references that have no applied SecretClient.
      * @param keyVaultReference The Key Vault reference to resolve.
      * @returns The secret value.
      */
     secretResolver?: (keyVaultReference: URL) => string | Promise<string>;
+
+    /**
+     * Specifies the refresh interval in milliseconds for periodically reloading secret from Key Vault.
+     *
+     * @remarks
+     * If specified, the value must be greater than 60 seconds.
+     */
+    secretRefreshIntervalInMs?: number;
 }

test/keyvault.test.ts

@@ -155,7 +155,7 @@ describe("key vault secret refresh", function () {
                 secretRefreshIntervalInMs: 59999 // less than 60_000 milliseconds
             }
         });
-        return expect(loadWithInvalidSecretRefreshInterval).eventually.rejectedWith("The key vault secret refresh interval cannot be less than 60000 milliseconds.");
+        return expect(loadWithInvalidSecretRefreshInterval).eventually.rejectedWith("The Key Vault secret refresh interval cannot be less than 60000 milliseconds.");
     });
 
     it("should reload key vault secret when there is no change to key-values", async () => {