OS-154 Type https

ARSN-108 Fix test suites
ARSN-108 Type auth/auth
2022-04-14 14:13:30 +02:00 · 2022-03-29 16:19:11 +02:00 · 2022-03-29 16:19:11 +02:00 · 2022-03-29 16:19:11 +02:00 · 2022-03-29 16:19:11 +02:00 · 2022-03-29 16:19:11 +02:00
52 changed files with 1487 additions and 1761 deletions
--- a/index.ts
+++ b/index.ts
@ -1,18 +1,14 @@
-export const auth = require('./lib/auth/auth');
-export const constants = require('./lib/constants');
+export * as auth from './lib/auth/auth'
+export * as constants from './lib/constants';
+export * as https from './lib/https'
 export const db = require('./lib/db');
-export const errors = require('./lib/errors.js');
+export const errors = require('./lib/errors.js')
 export const shuffle = require('./lib/shuffle');
 export const stringHash = require('./lib/stringHash');
 export const ipCheck = require('./lib/ipCheck');
 export const jsutil = require('./lib/jsutil');
 export const Clustering = require('./lib/Clustering');

-export const https = {
-    ciphers: require('./lib/https/ciphers.js'),
-    dhparam: require('./lib/https/dh2048.js'),
-};
-
 export const algorithms = {
    list: {
        Basic: require('./lib/algos/list/basic').List,
--- a/lib/auth/AuthInfo.ts
+++ b/lib/auth/AuthInfo.ts
@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
-
-const constants = require('../constants');
+import * as constants from '../constants';

 /**
 * Class containing requester's information received from Vault
@ -8,9 +6,15 @@ const constants = require('../constants');
 * shortid, email, accountDisplayName and IAMdisplayName (if applicable)
 * @return {AuthInfo} an AuthInfo instance
 */
+export default class AuthInfo {
+    arn: string;
+    canonicalID: string;
+    shortid: string;
+    email: string;
+    accountDisplayName: string;
+    IAMdisplayName: string;

-class AuthInfo {
-    constructor(objectFromVault) {
+    constructor(objectFromVault: any) {
        // amazon resource name for IAM user (if applicable)
        this.arn = objectFromVault.arn;
        // account canonicalID
@ -53,10 +57,8 @@ class AuthInfo {
        return this.canonicalID.startsWith(
            `${constants.zenkoServiceAccount}/`);
    }
-    isRequesterThisServiceAccount(serviceName) {
-        return this.canonicalID ===
-            `${constants.zenkoServiceAccount}/${serviceName}`;
+    isRequesterThisServiceAccount(serviceName: string) {
+        const computedCanonicalID = `${constants.zenkoServiceAccount}/${serviceName}`;
+        return this.canonicalID === computedCanonicalID;
    }
 }
-
-module.exports = AuthInfo;
--- a/lib/auth/Vault.ts
+++ b/lib/auth/Vault.ts
@ -1,16 +1,22 @@
-const errors = require('../errors');
-const AuthInfo = require('./AuthInfo');
+import { Logger } from 'werelogs';
+import errors from '../errors';
+import AuthInfo from './AuthInfo';

 /** vaultSignatureCb parses message from Vault and instantiates
- * @param {object} err - error from vault
- * @param {object} authInfo - info from vault
- * @param {object} log - log for request
- * @param {function} callback - callback to authCheck functions
- * @param {object} [streamingV4Params] - present if v4 signature;
+ * @param err - error from vault
+ * @param authInfo - info from vault
+ * @param log - log for request
+ * @param callback - callback to authCheck functions
+ * @param [streamingV4Params] - present if v4 signature;
 * items used to calculate signature on chunks if streaming auth
- * @return {undefined}
 */
-function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
+function vaultSignatureCb(
+    err: Error | null,
+    authInfo: { message: { body: any } },
+    log: Logger,
+    callback: (err: Error | null, data?: any, results?: any, params?: any) => void,
+    streamingV4Params?: any
+) {
    // vaultclient API guarantees that it returns:
    // - either `err`, an Error object with `code` and `message` properties set
    // - or `err == null` and `info` is an object with `message.code` and
@ -24,11 +30,13 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
    const info = authInfo.message.body;
    const userInfo = new AuthInfo(info.userInfo);
    const authorizationResults = info.authorizationResults;
-    const auditLog = { accountDisplayName: userInfo.getAccountDisplayName() };
+    const auditLog: { accountDisplayName: string, IAMdisplayName?: string } =
+        { accountDisplayName: userInfo.getAccountDisplayName() };
    const iamDisplayName = userInfo.getIAMdisplayName();
    if (iamDisplayName) {
        auditLog.IAMdisplayName = iamDisplayName;
    }
+    // @ts-ignore
    log.addDefaultFields(auditLog);
    return callback(null, userInfo, authorizationResults, streamingV4Params);
 }
@ -39,43 +47,63 @@ function vaultSignatureCb(err, authInfo, log, callback, streamingV4Params) {
 * authentication backends.
 * @class Vault
 */
-class Vault {
+export default class Vault {
+    client: any;
+    implName: string;
+
    /**
     * @constructor
     * @param {object} client - authentication backend or vault client
     * @param {string} implName - implementation name for auth backend
     */
-    constructor(client, implName) {
+    constructor(client: any, implName: string) {
        this.client = client;
        this.implName = implName;
    }
    /**
     * authenticateV2Request
     *
-     * @param {string} params - the authentication parameters as returned by
+     * @param params - the authentication parameters as returned by
     *                          auth.extractParams
-     * @param {number} params.version - shall equal 2
-     * @param {string} params.data.accessKey - the user's accessKey
-     * @param {string} params.data.signatureFromRequest - the signature read
+     * @param params.version - shall equal 2
+     * @param params.data.accessKey - the user's accessKey
+     * @param params.data.signatureFromRequest - the signature read
     *                                                    from the request
-     * @param {string} params.data.stringToSign - the stringToSign
-     * @param {string} params.data.algo - the hashing algorithm used for the
+     * @param params.data.stringToSign - the stringToSign
+     * @param params.data.algo - the hashing algorithm used for the
     *                                    signature
-     * @param {string} params.data.authType - the type of authentication (query
+     * @param params.data.authType - the type of authentication (query
     *                                        or header)
-     * @param {string} params.data.signatureVersion - the version of the
+     * @param params.data.signatureVersion - the version of the
     *                                                signature (AWS or AWS4)
-     * @param {number} [params.data.signatureAge] - the age of the signature in
+     * @param [params.data.signatureAge] - the age of the signature in
     *                                              ms
-     * @param {string} params.data.log - the logger object
+     * @param params.data.log - the logger object
     * @param {RequestContext []} requestContexts - an array of RequestContext
     * instances which contain information for policy authorization check
-     * @param {function} callback - callback with either error or user info
-     * @returns {undefined}
+     * @param callback - callback with either error or user info
     */
-    authenticateV2Request(params, requestContexts, callback) {
+    authenticateV2Request(
+        params: {
+            version: 2;
+            log: Logger;
+            data: {
+                securityToken: string;
+                accessKey: string;
+                signatureFromRequest: string;
+                stringToSign: string;
+                algo: string;
+                authType: 'query' | 'header';
+                signatureVersion: string;
+                signatureAge?: number;
+                log: Logger;
+            };
+        },
+        requestContexts: any[],
+        callback: (err: Error | null, data?: any) => void
+    ) {
        params.log.debug('authenticating V2 request');
-        let serializedRCsArr;
+        let serializedRCsArr: any;
        if (requestContexts) {
            serializedRCsArr = requestContexts.map(rc => rc.serialize());
        }
@ -85,44 +113,66 @@ class Vault {
            params.data.accessKey,
            {
                algo: params.data.algo,
+                // @ts-ignore
                reqUid: params.log.getSerializedUids(),
                logger: params.log,
                securityToken: params.data.securityToken,
                requestContext: serializedRCsArr,
            },
-            (err, userInfo) => vaultSignatureCb(err, userInfo,
-                                                params.log, callback)
+            (err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
+                params.log, callback),
        );
    }

    /** authenticateV4Request
-     * @param {object} params - the authentication parameters as returned by
+     * @param params - the authentication parameters as returned by
     *                          auth.extractParams
-     * @param {number} params.version - shall equal 4
-     * @param {string} params.data.log - the logger object
-     * @param {string} params.data.accessKey - the user's accessKey
-     * @param {string} params.data.signatureFromRequest - the signature read
+     * @param params.version - shall equal 4
+     * @param params.data.log - the logger object
+     * @param params.data.accessKey - the user's accessKey
+     * @param params.data.signatureFromRequest - the signature read
     *                                                    from the request
-     * @param {string} params.data.region - the AWS region
-     * @param {string} params.data.stringToSign - the stringToSign
-     * @param {string} params.data.scopeDate - the timespan to allow the request
-     * @param {string} params.data.authType - the type of authentication (query
+     * @param params.data.region - the AWS region
+     * @param params.data.stringToSign - the stringToSign
+     * @param params.data.scopeDate - the timespan to allow the request
+     * @param params.data.authType - the type of authentication (query
     *                                        or header)
-     * @param {string} params.data.signatureVersion - the version of the
+     * @param params.data.signatureVersion - the version of the
     *                                                signature (AWS or AWS4)
-     * @param {number} params.data.signatureAge - the age of the signature in ms
-     * @param {number} params.data.timestamp - signaure timestamp
-     * @param {string} params.credentialScope - credentialScope for signature
+     * @param params.data.signatureAge - the age of the signature in ms
+     * @param params.data.timestamp - signaure timestamp
+     * @param params.credentialScope - credentialScope for signature
     * @param {RequestContext [] | null} requestContexts -
     * an array of RequestContext or null if authenticaiton of a chunk
     * in streamingv4 auth
     * instances which contain information for policy authorization check
-     * @param {function} callback - callback with either error or user info
-     * @return {undefined}
+     * @param callback - callback with either error or user info
    */
-    authenticateV4Request(params, requestContexts, callback) {
+    authenticateV4Request(
+        params: {
+            version: 4;
+            log: Logger;
+            data: {
+                accessKey: string;
+                signatureFromRequest: string;
+                region: string;
+                stringToSign: string;
+                scopeDate: string;
+                authType: 'query' | 'header';
+                signatureVersion: string;
+                signatureAge?: number;
+                timestamp: number;
+                credentialScope: string;
+                securityToken: string;
+                algo: string;
+                log: Logger;
+            };
+        },
+        requestContexts: any[],
+        callback: (err: Error | null, data?: any) => void
+    ) {
        params.log.debug('authenticating V4 request');
-        let serializedRCs;
+        let serializedRCs: any;
        if (requestContexts) {
            serializedRCs = requestContexts.map(rc => rc.serialize());
        }
@ -140,31 +190,39 @@ class Vault {
            params.data.region,
            params.data.scopeDate,
            {
+                // @ts-ignore
                reqUid: params.log.getSerializedUids(),
                logger: params.log,
                securityToken: params.data.securityToken,
                requestContext: serializedRCs,
            },
-            (err, userInfo) => vaultSignatureCb(err, userInfo,
-                params.log, callback, streamingV4Params)
+            (err: Error | null, userInfo?: any) => vaultSignatureCb(err, userInfo,
+                params.log, callback, streamingV4Params),
        );
    }

    /** getCanonicalIds -- call Vault to get canonicalIDs based on email
     * addresses
-     * @param {array} emailAddresses - list of emailAddresses
-     * @param {object} log - log object
-     * @param {function} callback - callback with either error or an array
+     * @param emailAddresses - list of emailAddresses
+     * @param log - log object
+     * @param callback - callback with either error or an array
     * of objects with each object containing the canonicalID and emailAddress
     * of an account as properties
-     * @return {undefined}
    */
-    getCanonicalIds(emailAddresses, log, callback) {
+    getCanonicalIds(
+        emailAddresses: string[],
+        log: Logger,
+        callback: (
+            err: Error | null,
+            data?: { canonicalID: string; email: string }[]
+        ) => void
+    ) {
        log.trace('getting canonicalIDs from Vault based on emailAddresses',
            { emailAddresses });
        this.client.getCanonicalIds(emailAddresses,
+            // @ts-ignore
            { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                if (err) {
                    log.debug('received error message from auth provider',
                        { errorMessage: err });
@ -172,17 +230,17 @@ class Vault {
                }
                const infoFromVault = info.message.body;
                log.trace('info received from vault', { infoFromVault });
-                const foundIds = [];
+                const foundIds: { canonicalID: string; email: string }[] = [];
                for (let i = 0; i < Object.keys(infoFromVault).length; i++) {
                    const key = Object.keys(infoFromVault)[i];
                    if (infoFromVault[key] === 'WrongFormat'
                    || infoFromVault[key] === 'NotFound') {
                        return callback(errors.UnresolvableGrantByEmailAddress);
                    }
-                    const obj = {};
-                    obj.email = key;
-                    obj.canonicalID = infoFromVault[key];
-                    foundIds.push(obj);
+                    foundIds.push({
+                        email: key,
+                        canonicalID: infoFromVault[key],
+                    })
                }
                return callback(null, foundIds);
            });
@ -190,18 +248,22 @@ class Vault {

    /** getEmailAddresses -- call Vault to get email addresses based on
     * canonicalIDs
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} log - log object
-     * @param {function} callback - callback with either error or an object
+     * @param canonicalIDs - list of canonicalIDs
+     * @param log - log object
+     * @param callback - callback with either error or an object
     * with canonicalID keys and email address values
-     * @return {undefined}
    */
-    getEmailAddresses(canonicalIDs, log, callback) {
+    getEmailAddresses(
+        canonicalIDs: string[],
+        log: Logger,
+        callback: (err: Error | null, data?: { [key: string]: any }) => void
+    ) {
        log.trace('getting emailAddresses from Vault based on canonicalIDs',
            { canonicalIDs });
        this.client.getEmailAddresses(canonicalIDs,
+            // @ts-ignore
            { reqUid: log.getSerializedUids() },
-            (err, info) => {
+            (err: Error | null, info?: any) => {
                if (err) {
                    log.debug('received error message from vault',
                        { errorMessage: err });
@ -224,27 +286,31 @@ class Vault {

    /** getAccountIds -- call Vault to get accountIds based on
     * canonicalIDs
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} log - log object
-     * @param {function} callback - callback with either error or an object
+     * @param canonicalIDs - list of canonicalIDs
+     * @param log - log object
+     * @param callback - callback with either error or an object
     * with canonicalID keys and accountId values
-     * @return {undefined}
    */
-    getAccountIds(canonicalIDs, log, callback) {
+    getAccountIds(
+        canonicalIDs: string[],
+        log: Logger,
+        callback: (err: Error | null, data?: { [key: string]: string }) => void
+    ) {
        log.trace('getting accountIds from Vault based on canonicalIDs',
        { canonicalIDs });
        this.client.getAccountIds(canonicalIDs,
-        { reqUid: log.getSerializedUids() },
-        (err, info) => {
-            if (err) {
-                log.debug('received error message from vault',
-                    { errorMessage: err });
-                return callback(err);
-            }
-            const infoFromVault = info.message.body;
-            log.trace('info received from vault', { infoFromVault });
-            const result = {};
-            /* If the accountId was not found in Vault, do not
+            // @ts-expect-error
+            { reqUid: log.getSerializedUids() },
+            (err: Error | null, info?: any) => {
+                if (err) {
+                    log.debug('received error message from vault',
+                        { errorMessage: err });
+                    return callback(err);
+                }
+                const infoFromVault = info.message.body;
+                log.trace('info received from vault', { infoFromVault });
+                const result = {};
+                /* If the accountId was not found in Vault, do not
            send the canonicalID back to the API */
            Object.keys(infoFromVault).forEach(key => {
                if (infoFromVault[key] !== 'NotFound' &&
@ -268,14 +334,19 @@ class Vault {
     * @param {object} log - log object
     * @param {function} callback - callback with either error or an array
     * of authorization results
-     * @return {undefined}
    */
-    checkPolicies(requestContextParams, userArn, log, callback) {
+    checkPolicies(
+        requestContextParams: any[],
+        userArn: string,
+        log: Logger,
+        callback: (err: Error | null, data?: any[]) => void
+    ) {
        log.trace('sending request context params to vault to evaluate' +
        'policies');
        this.client.checkPolicies(requestContextParams, userArn, {
+            // @ts-ignore
            reqUid: log.getSerializedUids(),
-        }, (err, info) => {
+        }, (err: Error | null, info?: any) => {
            if (err) {
                log.debug('received error message from auth provider',
                    { error: err });
@ -286,13 +357,14 @@ class Vault {
        });
    }

-    checkHealth(log, callback) {
+    checkHealth(log: Logger, callback: (err: Error | null, data?: any) => void) {
        if (!this.client.healthcheck) {
            const defResp = {};
            defResp[this.implName] = { code: 200, message: 'OK' };
            return callback(null, defResp);
        }
-        return this.client.healthcheck(log.getSerializedUids(), (err, obj) => {
+        // @ts-ignore
+        return this.client.healthcheck(log.getSerializedUids(), (err: Error | null, obj?: any) => {
            const respBody = {};
            if (err) {
                log.debug(`error from ${this.implName}`, { error: err });
@ -312,5 +384,3 @@ class Vault {
        });
    }
 }
-
-module.exports = Vault;
--- a/lib/auth/auth.ts
+++ b/lib/auth/auth.ts
@ -1,22 +1,21 @@
-'use strict'; // eslint-disable-line strict
+import * as crypto from 'crypto';
+import { Logger } from 'werelogs';
+import errors from '../errors';
+import * as queryString from 'querystring';
+import AuthInfo from './AuthInfo';
+import * as v2 from './v2/authV2';
+import * as v4 from './v4/authV4';
+import * as constants from '../constants';
+import constructStringToSignV2 from './v2/constructStringToSign';
+import constructStringToSignV4 from './v4/constructStringToSign';
+import { convertUTCtoISO8601 } from './v4/timeUtils';
+import * as vaultUtilities from './in_memory/vaultUtilities';
+import * as backend from './in_memory/Backend';
+import validateAuthConfig from './in_memory/validateAuthConfig';
+import AuthLoader from './in_memory/AuthLoader';
+import Vault from './Vault';

-const crypto = require('crypto');
-const errors = require('../errors');
-const queryString = require('querystring');
-const AuthInfo = require('./AuthInfo');
-const v2 = require('./v2/authV2');
-const v4 = require('./v4/authV4');
-const constants = require('../constants');
-const constructStringToSignV2 = require('./v2/constructStringToSign');
-const constructStringToSignV4 = require('./v4/constructStringToSign');
-const convertUTCtoISO8601 = require('./v4/timeUtils').convertUTCtoISO8601;
-const vaultUtilities = require('./in_memory/vaultUtilities');
-const backend = require('./in_memory/Backend');
-const validateAuthConfig = require('./in_memory/validateAuthConfig');
-const AuthLoader = require('./in_memory/AuthLoader');
-const Vault = require('./Vault');
-
-let vault = null;
+let vault: Vault | null = null;
 const auth = {};
 const checkFunctions = {
    v2: {
@ -33,7 +32,7 @@ const checkFunctions = {
 // 'All Users Group' so use this group as the canonicalID for the publicUser
 const publicUserInfo = new AuthInfo({ canonicalID: constants.publicId });

-function setAuthHandler(handler) {
+function setAuthHandler(handler: Vault) {
    vault = handler;
    return auth;
 }
@ -41,25 +40,30 @@ function setAuthHandler(handler) {
 /**
 * This function will check validity of request parameters to authenticate
 *
- * @param {Http.Request} request - Http request object
- * @param {object} log - Logger object
- * @param {string} awsService - Aws service related
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param request - Http request object
+ * @param log - Logger object
+ * @param awsService - Aws service related
+ * @param data - Parameters from queryString parsing or body of
 *      POST request
 *
- * @return {object} ret
- * @return {object} ret.err - arsenal.errors object if any error was found
- * @return {object} ret.params - auth parameters to use later on for signature
+ * @return ret
+ * @return ret.err - arsenal.errors object if any error was found
+ * @return ret.params - auth parameters to use later on for signature
 *                               computation and check
- * @return {object} ret.params.version - the auth scheme version
+ * @return ret.params.version - the auth scheme version
 *                                       (undefined, 2, 4)
- * @return {object} ret.params.data - the auth scheme's specific data
+ * @return ret.params.data - the auth scheme's specific data
 */
-function extractParams(request, log, awsService, data) {
+function extractParams(
+    request: any,
+    log: Logger,
+    awsService: string,
+    data: { [key: string]: string }
+) {
    log.trace('entered', { method: 'Arsenal.auth.server.extractParams' });
    const authHeader = request.headers.authorization;
-    let version = null;
-    let method = null;
+    let version: 'v2' |'v4' | null = null;
+    let method: 'query' | 'headers' | null = null;

    // Identify auth version and method to dispatch to the right check function
    if (authHeader) {
@ -102,16 +106,21 @@ function extractParams(request, log, awsService, data) {
 /**
 * This function will check validity of request parameters to authenticate
 *
- * @param {Http.Request} request - Http request object
- * @param {object} log - Logger object
- * @param {function} cb - the callback
- * @param {string} awsService - Aws service related
+ * @param request - Http request object
+ * @param log - Logger object
+ * @param cb - the callback
+ * @param awsService - Aws service related
 * @param {RequestContext[] | null} requestContexts - array of RequestContext
 * or null if no requestContexts to be sent to Vault (for instance,
 * in multi-object delete request)
- * @return {undefined}
 */
-function doAuth(request, log, cb, awsService, requestContexts) {
+function doAuth(
+    request: any,
+    log: Logger,
+    cb: (err: Error | null, data?: any) => void,
+    awsService: string,
+    requestContexts: any[] | null
+) {
    const res = extractParams(request, log, awsService, request.query);
    if (res.err) {
        return cb(res.err);
@ -119,23 +128,31 @@ function doAuth(request, log, cb, awsService, requestContexts) {
        return cb(null, res.params);
    }
    if (requestContexts) {
-        requestContexts.forEach(requestContext => {
-            requestContext.setAuthType(res.params.data.authType);
-            requestContext.setSignatureVersion(res.params
-                .data.signatureVersion);
-            requestContext.setSignatureAge(res.params.data.signatureAge);
-            requestContext.setSecurityToken(res.params.data.securityToken);
+        requestContexts.forEach((requestContext) => {
+            const { params } = res
+            if ('data' in params) {
+                const { data } = params
+                requestContext.setAuthType(data.authType);
+                requestContext.setSignatureVersion(data.signatureVersion);
+                requestContext.setSecurityToken(data.securityToken);
+                if ('signatureAge' in data) {
+                    requestContext.setSignatureAge(data.signatureAge);
+                }
+            }
        });
    }

    // Corner cases managed, we're left with normal auth
+    // TODO What's happening here?
+    // @ts-ignore
    res.params.log = log;
    if (res.params.version === 2) {
-        return vault.authenticateV2Request(res.params, requestContexts, cb);
+        // @ts-ignore
+        return vault!.authenticateV2Request(res.params, requestContexts, cb);
    }
    if (res.params.version === 4) {
-        return vault.authenticateV4Request(res.params, requestContexts, cb,
-            awsService);
+        // @ts-ignore
+        return vault!.authenticateV4Request(res.params, requestContexts, cb);
    }

    log.error('authentication method not found', {
@ -147,19 +164,25 @@ function doAuth(request, log, cb, awsService, requestContexts) {
 /**
 * This function will generate a version 4 header
 *
- * @param {Http.Request} request - Http request object
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param request - Http request object
+ * @param data - Parameters from queryString parsing or body of
 *                        POST request
- * @param {string} accessKey - the accessKey
- * @param {string} secretKeyValue - the secretKey
- * @param {string} awsService - Aws service related
- * @param {sting} [proxyPath] - path that gets proxied by reverse proxy
- * @param {string} [sessionToken] - security token if the access/secret keys
+ * @param accessKey - the accessKey
+ * @param secretKeyValue - the secretKey
+ * @param awsService - Aws service related
+ * @param [proxyPath] - path that gets proxied by reverse proxy
+ * @param [sessionToken] - security token if the access/secret keys
 *                                are temporary credentials from STS
- * @return {undefined}
 */
-function generateV4Headers(request, data, accessKey, secretKeyValue,
-                           awsService, proxyPath, sessionToken) {
+function generateV4Headers(
+    request: any,
+    data: { [key: string]: string },
+    accessKey: string,
+    secretKeyValue: string,
+    awsService: string,
+    proxyPath: string,
+    sessionToken: string
+) {
    Object.assign(request, { headers: {} });
    const amzDate = convertUTCtoISO8601(Date.now());
    // get date without time
@ -173,7 +196,7 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,

    let payload = '';
    if (request.method === 'POST') {
-        payload = queryString.stringify(data, null, null, {
+        payload = queryString.stringify(data, undefined, undefined, {
            encodeURIComponent,
        });
    }
@ -203,7 +226,7 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
                                                          scopeDate,
                                                          service);
    const signature = crypto.createHmac('sha256', signingKey)
-        .update(stringToSign, 'binary').digest('hex');
+        .update(stringToSign as string, 'binary').digest('hex');
    const authorizationHeader = `${algorithm} Credential=${accessKey}` +
        `/${credentialScope}, SignedHeaders=${signedHeaders}, ` +
        `Signature=${signature}`;
@ -211,21 +234,11 @@ function generateV4Headers(request, data, accessKey, secretKeyValue,
    Object.assign(request, { headers: {} });
 }

-module.exports = {
-    setHandler: setAuthHandler,
-    server: {
-        extractParams,
-        doAuth,
-    },
-    client: {
-        generateV4Headers,
-        constructStringToSignV2,
-    },
-    inMemory: {
-        backend,
-        validateAuthConfig,
-        AuthLoader,
-    },
+export const server = { extractParams, doAuth }
+export const client = { generateV4Headers, constructStringToSignV2 }
+export const inMemory = { backend, validateAuthConfig, AuthLoader }
+export {
+    setAuthHandler as setHandler,
    AuthInfo,
-    Vault,
-};
+    Vault
+}
--- a/lib/auth/in_memory/AuthLoader.js
+++ b/lib/auth/in_memory/AuthLoader.js
@ -1,223 +0,0 @@
-const fs = require('fs');
-const glob = require('simple-glob');
-const joi = require('@hapi/joi');
-const werelogs = require('werelogs');
-
-const ARN = require('../../models/ARN');
-
-/**
- * Load authentication information from files or pre-loaded account
- * objects
- *
- * @class AuthLoader
- */
-class AuthLoader {
-    constructor(logApi) {
-        this._log = new (logApi || werelogs).Logger('S3');
-        this._authData = { accounts: [] };
-        // null: unknown validity, true/false: valid or invalid
-        this._isValid = null;
-
-        this._joiKeysValidator = joi.array()
-            .items({
-                access: joi.string().required(),
-                secret: joi.string().required(),
-            })
-            .required();
-
-        const accountsJoi = joi.array()
-                .items({
-                    name: joi.string().required(),
-                    email: joi.string().email().required(),
-                    arn: joi.string().required(),
-                    canonicalID: joi.string().required(),
-                    shortid: joi.string().regex(/^[0-9]{12}$/).required(),
-                    keys: this._joiKeysValidator,
-                    // backward-compat
-                    users: joi.array(),
-                })
-                .required()
-                .unique('arn')
-                .unique('email')
-                .unique('canonicalID');
-        this._joiValidator = joi.object({ accounts: accountsJoi });
-    }
-
-    /**
-     * add one or more accounts to the authentication info
-     *
-     * @param {object} authData - authentication data
-     * @param {object[]} authData.accounts - array of account data
-     * @param {string} authData.accounts[].name - account name
-     * @param {string} authData.accounts[].email: email address
-     * @param {string} authData.accounts[].arn: account ARN,
-     *   e.g. 'arn:aws:iam::123456789012:root'
-     * @param {string} authData.accounts[].canonicalID account
-     *   canonical ID
-     * @param {string} authData.accounts[].shortid account ID number,
-     *   e.g. '123456789012'
-     * @param {object[]} authData.accounts[].keys array of
-     *   access/secret keys
-     * @param {object[]} authData.accounts[].keys[].access access key
-     * @param {object[]} authData.accounts[].keys[].secret secret key
-     * @param {string} [filePath] - optional file path info for
-     *   logging purpose
-     * @return {undefined}
-     */
-    addAccounts(authData, filePath) {
-        const isValid = this._validateData(authData, filePath);
-        if (isValid) {
-            this._authData.accounts =
-                this._authData.accounts.concat(authData.accounts);
-            // defer validity checking when getting data to avoid
-            // logging multiple times the errors (we need to validate
-            // all accounts at once to detect duplicate values)
-            if (this._isValid) {
-                this._isValid = null;
-            }
-        } else {
-            this._isValid = false;
-        }
-    }
-
-    /**
-     * add account information from a file
-     *
-     * @param {string} filePath - file path containing JSON
-     *   authentication info (see {@link addAccounts()} for format)
-     * @return {undefined}
-     */
-    addFile(filePath) {
-        const authData = JSON.parse(fs.readFileSync(filePath));
-        this.addAccounts(authData, filePath);
-    }
-
-    /**
-     * add account information from a filesystem path
-     *
-     * @param {string|string[]} globPattern - filesystem glob pattern,
-     *   can be a single string or an array of glob patterns. Globs
-     *   can be simple file paths or can contain glob matching
-     *   characters, like '/a/b/*.json'. The matching files are
-     *   individually loaded as JSON and accounts are added. See
-     *   {@link addAccounts()} for JSON format.
-     * @return {undefined}
-     */
-    addFilesByGlob(globPattern) {
-        const files = glob(globPattern);
-        files.forEach(filePath => this.addFile(filePath));
-    }
-
-    /**
-     * perform validation on authentication info previously
-     * loaded. Note that it has to be done on the entire set after an
-     * update to catch duplicate account IDs or access keys.
-     *
-     * @return {boolean} true if authentication info is valid
-     *                   false otherwise
-     */
-    validate() {
-        if (this._isValid === null) {
-            this._isValid = this._validateData(this._authData);
-        }
-        return this._isValid;
-    }
-
-    /**
-     * get authentication info as a plain JS object containing all accounts
-     * under the "accounts" attribute, with validation.
-     *
-     * @return {object|null} the validated authentication data
-     *                       null if invalid
-     */
-    getData() {
-        return this.validate() ? this._authData : null;
-    }
-
-    _validateData(authData, filePath) {
-        const res = joi.validate(authData, this._joiValidator,
-                                 { abortEarly: false });
-        if (res.error) {
-            this._dumpJoiErrors(res.error.details, filePath);
-            return false;
-        }
-        let allKeys = [];
-        let arnError = false;
-        const validatedAuth = res.value;
-        validatedAuth.accounts.forEach(account => {
-            // backward-compat: ignore arn if starts with 'aws:' and log a
-            // warning
-            if (account.arn.startsWith('aws:')) {
-                this._log.error(
-                    'account must have a valid AWS ARN, legacy examples ' +
-                        'starting with \'aws:\' are not supported anymore. ' +
-                        'Please convert to a proper account entry (see ' +
-                        'examples at https://github.com/scality/S3/blob/' +
-                        'master/conf/authdata.json). Also note that support ' +
-                        'for account users has been dropped.',
-                    { accountName: account.name, accountArn: account.arn,
-                      filePath });
-                arnError = true;
-                return;
-            }
-            if (account.users) {
-                this._log.error(
-                    'support for account users has been dropped, consider ' +
-                        'turning users into account entries (see examples at ' +
-                        'https://github.com/scality/S3/blob/master/conf/' +
-                        'authdata.json)',
-                    { accountName: account.name, accountArn: account.arn,
-                      filePath });
-                arnError = true;
-                return;
-            }
-            const arnObj = ARN.createFromString(account.arn);
-            if (arnObj.error) {
-                this._log.error(
-                    'authentication config validation error',
-                    { reason: arnObj.error.description,
-                      accountName: account.name, accountArn: account.arn,
-                      filePath });
-                arnError = true;
-                return;
-            }
-            if (!arnObj.isIAMAccount()) {
-                this._log.error(
-                    'authentication config validation error',
-                    { reason: 'not an IAM account ARN',
-                      accountName: account.name, accountArn: account.arn,
-                      filePath });
-                arnError = true;
-                return;
-            }
-            allKeys = allKeys.concat(account.keys);
-        });
-        if (arnError) {
-            return false;
-        }
-        const uniqueKeysRes = joi.validate(
-            allKeys, this._joiKeysValidator.unique('access'));
-        if (uniqueKeysRes.error) {
-            this._dumpJoiErrors(uniqueKeysRes.error.details, filePath);
-            return false;
-        }
-        return true;
-    }
-
-    _dumpJoiErrors(errors, filePath) {
-        errors.forEach(err => {
-            const logInfo = { item: err.path, filePath };
-            if (err.type === 'array.unique') {
-                logInfo.reason = `duplicate value '${err.context.path}'`;
-                logInfo.dupValue = err.context.value[err.context.path];
-            } else {
-                logInfo.reason = err.message;
-                logInfo.context = err.context;
-            }
-            this._log.error('authentication config validation error',
-                            logInfo);
-        });
-    }
-}
-
-module.exports = AuthLoader;
--- a/lib/auth/in_memory/AuthLoader.ts
+++ b/lib/auth/in_memory/AuthLoader.ts
@ -0,0 +1,205 @@
+import * as fs from 'fs';
+import glob from 'simple-glob';
+import joi from 'joi';
+import werelogs from 'werelogs';
+import * as types from './types';
+import { Account, Accounts } from './types';
+
+const ARN = require('../../models/ARN');
+
+/** Load authentication information from files or pre-loaded account objects */
+export default class AuthLoader {
+    #log: werelogs.Logger;
+    #authData: Accounts;
+    #isValid: 'waiting-for-validation' | 'valid' | 'invalid';
+
+    constructor(logApi: { Logger: typeof werelogs.Logger } = werelogs) {
+        this.#log = new logApi.Logger('S3');
+        this.#authData = { accounts: [] };
+        this.#isValid = 'waiting-for-validation';
+    }
+
+    /** Add one or more accounts to the authentication info */
+    addAccounts(authData: Accounts, filePath?: string) {
+        const isValid = this.#isAuthDataValid(authData, filePath);
+        if (isValid) {
+            this.#authData.accounts = [
+                ...this.#authData.accounts,
+                ...authData.accounts,
+            ];
+            // defer validity checking when getting data to avoid
+            // logging multiple times the errors (we need to validate
+            // all accounts at once to detect duplicate values)
+            if (this.#isValid === 'valid') {
+                this.#isValid = 'waiting-for-validation';
+            }
+        } else {
+            this.#isValid = 'invalid';
+        }
+    }
+
+    /**
+     * Add account information from a file. Use { legacy: false } as an option
+     *  to use the new, Promise-based version.
+     *
+     * @param filePath - file path containing JSON
+     *   authentication info (see {@link addAccounts()} for format)
+     */
+    addFile(filePath: string, options: { legacy: false }): Promise<void>;
+    /** @deprecated Please use Promise-version instead. */
+    addFile(filePath: string, options?: { legacy: true }): void;
+    addFile(filePath: string, options = { legacy: true }) {
+        // On deprecation, remove the legacy part and keep the promises.
+        const fn: any = options.legacy ? fs.readFileSync : fs.promises.readFile;
+        const temp = fn(filePath, 'utf8') as Promise<string> | string;
+        const prom = Promise.resolve(temp).then((data) => {
+            const authData = JSON.parse(data);
+            this.addAccounts(authData, filePath);
+        });
+        return options.legacy ? undefined : prom;
+    }
+
+    /**
+     * Add account information from a filesystem path
+     *
+     * @param globPattern - filesystem glob pattern,
+     *   can be a single string or an array of glob patterns. Globs
+     *   can be simple file paths or can contain glob matching
+     *   characters, like '/a/b/*.json'. The matching files are
+     *   individually loaded as JSON and accounts are added. See
+     *   {@link addAccounts()} for JSON format.
+     */
+    addFilesByGlob(globPattern: string | string[]) {
+        // FIXME switch glob to async version
+        const files = glob(globPattern);
+        files.forEach((filePath) => this.addFile(filePath));
+    }
+
+    /**
+     * Perform validation on authentication info previously
+     * loaded. Note that it has to be done on the entire set after an
+     * update to catch duplicate account IDs or access keys.
+     */
+    validate() {
+        if (this.#isValid === 'waiting-for-validation') {
+            const isValid = this.#isAuthDataValid(this.#authData);
+            this.#isValid = isValid ? 'valid' : 'invalid';
+        }
+        return this.#isValid === 'valid';
+    }
+
+    /**
+     * Get authentication info as a plain JS object containing all accounts
+     * under the "accounts" attribute, with validation.
+     */
+    get data() {
+        return this.validate() ? this.#authData : null;
+    }
+
+    /** backward-compat: ignore arn if starts with 'aws:' and log a warning */
+    #isNotLegacyAWSARN(account: Account, filePath?: string) {
+        if (account.arn.startsWith('aws:')) {
+            const { name: accountName, arn: accountArn } = account;
+            this.#log.error(
+                'account must have a valid AWS ARN, legacy examples ' +
+                    "starting with 'aws:' are not supported anymore. " +
+                    'Please convert to a proper account entry (see ' +
+                    'examples at https://github.com/scality/S3/blob/' +
+                    'master/conf/authdata.json). Also note that support ' +
+                    'for account users has been dropped.',
+                { accountName, accountArn, filePath }
+            );
+            return false;
+        }
+        return true;
+    }
+
+    #isValidUsers(account: Account, filePath?: string) {
+        if (account.users) {
+            const { name: accountName, arn: accountArn } = account;
+            this.#log.error(
+                'support for account users has been dropped, consider ' +
+                    'turning users into account entries (see examples at ' +
+                    'https://github.com/scality/S3/blob/master/conf/' +
+                    'authdata.json)',
+                { accountName, accountArn, filePath }
+            );
+            return false;
+        }
+        return true;
+    }
+
+    #isValidARN(account: Account, filePath?: string) {
+        const arnObj = ARN.createFromString(account.arn);
+        const { name: accountName, arn: accountArn } = account;
+        if (arnObj instanceof ARN) {
+            if (!arnObj.isIAMAccount()) {
+                this.#log.error('authentication config validation error', {
+                    reason: 'not an IAM account ARN',
+                    accountName,
+                    accountArn,
+                    filePath,
+                });
+                return false;
+            }
+        } else {
+            this.#log.error('authentication config validation error', {
+                reason: arnObj.error.description,
+                accountName,
+                accountArn,
+                filePath,
+            });
+            return false;
+        }
+        return true;
+    }
+
+    #isAuthDataValid(authData: any, filePath?: string) {
+        const options = { abortEarly: true };
+        const response = types.validators.accounts.validate(authData, options);
+        if (response.error) {
+            this.#dumpJoiErrors(response.error.details, filePath);
+            return false;
+        }
+        const validAccounts = response.value.accounts.filter(
+            (account: Account) =>
+                this.#isNotLegacyAWSARN(account, filePath) &&
+                this.#isValidUsers(account, filePath) &&
+                this.#isValidARN(account, filePath)
+        );
+        const areSomeInvalidAccounts =
+            validAccounts.length !== response.value.accounts.length;
+        if (areSomeInvalidAccounts) {
+            return false;
+        }
+        const keys = validAccounts.flatMap((account) => account.keys);
+        const uniqueKeysValidator = types.validators.keys.unique('access');
+        const areKeysUnique = uniqueKeysValidator.validate(keys);
+        if (areKeysUnique.error) {
+            this.#dumpJoiErrors(areKeysUnique.error.details, filePath);
+            return false;
+        }
+        return true;
+    }
+
+    #dumpJoiErrors(errors: joi.ValidationErrorItem[], filePath?: string) {
+        errors.forEach((err) => {
+            const baseLogInfo = { item: err.path, filePath };
+            const logInfo = () => {
+                if (err.type === 'array.unique') {
+                    const reason = `duplicate value '${err.context?.path}'`;
+                    const dupValue = err.context?.value[err.context.path];
+                    return { ...baseLogInfo, reason, dupValue };
+                } else {
+                    const reason = err.message;
+                    const context = err.context;
+                    return { ...baseLogInfo, reason, context };
+                }
+            };
+            this.#log.error(
+                'authentication config validation error',
+                logInfo()
+            );
+        });
+    }
+}
--- a/lib/auth/in_memory/Backend.js
+++ b/lib/auth/in_memory/Backend.js
@ -1,217 +0,0 @@
-'use strict'; // eslint-disable-line strict
-
-const crypto = require('crypto');
-
-const errors = require('../../errors');
-const calculateSigningKey = require('./vaultUtilities').calculateSigningKey;
-const hashSignature = require('./vaultUtilities').hashSignature;
-const Indexer = require('./Indexer');
-
-function _formatResponse(userInfoToSend) {
-    return {
-        message: {
-            body: { userInfo: userInfoToSend },
-        },
-    };
-}
-
-/**
- * Class that provides a memory backend for verifying signatures and getting
- * emails and canonical ids associated with an account.
- *
- * @class Backend
- */
-class Backend {
-    /**
-     * @constructor
-     * @param {string} service - service identifer for construction arn
-     * @param {Indexer} indexer - indexer instance for retrieving account info
-     * @param {function} formatter - function which accepts user info to send
-     * back and returns it in an object
-     */
-    constructor(service, indexer, formatter) {
-        this.service = service;
-        this.indexer = indexer;
-        this.formatResponse = formatter;
-    }
-
-    /** verifySignatureV2
-    * @param {string} stringToSign - string to sign built per AWS rules
-    * @param {string} signatureFromRequest - signature sent with request
-    * @param {string} accessKey - account accessKey
-    * @param {object} options - contains algorithm (SHA1 or SHA256)
-    * @param {function} callback - callback with either error or user info
-    * @return {function} calls callback
-    */
-    verifySignatureV2(stringToSign, signatureFromRequest,
-        accessKey, options, callback) {
-        const entity = this.indexer.getEntityByKey(accessKey);
-        if (!entity) {
-            return callback(errors.InvalidAccessKeyId);
-        }
-        const secretKey = this.indexer.getSecretKey(entity, accessKey);
-        const reconstructedSig =
-            hashSignature(stringToSign, secretKey, options.algo);
-        if (signatureFromRequest !== reconstructedSig) {
-            return callback(errors.SignatureDoesNotMatch);
-        }
-        const userInfoToSend = {
-            accountDisplayName: this.indexer.getAcctDisplayName(entity),
-            canonicalID: entity.canonicalID,
-            arn: entity.arn,
-            IAMdisplayName: entity.IAMdisplayName,
-        };
-        const vaultReturnObject = this.formatResponse(userInfoToSend);
-        return callback(null, vaultReturnObject);
-    }
-
-
-    /** verifySignatureV4
-     * @param {string} stringToSign - string to sign built per AWS rules
-     * @param {string} signatureFromRequest - signature sent with request
-     * @param {string} accessKey - account accessKey
-     * @param {string} region - region specified in request credential
-     * @param {string} scopeDate - date specified in request credential
-     * @param {object} options - options to send to Vault
-     * (just contains reqUid for logging in Vault)
-     * @param {function} callback - callback with either error or user info
-     * @return {function} calls callback
-     */
-    verifySignatureV4(stringToSign, signatureFromRequest, accessKey,
-        region, scopeDate, options, callback) {
-        const entity = this.indexer.getEntityByKey(accessKey);
-        if (!entity) {
-            return callback(errors.InvalidAccessKeyId);
-        }
-        const secretKey = this.indexer.getSecretKey(entity, accessKey);
-        const signingKey = calculateSigningKey(secretKey, region, scopeDate);
-        const reconstructedSig = crypto.createHmac('sha256', signingKey)
-            .update(stringToSign, 'binary').digest('hex');
-        if (signatureFromRequest !== reconstructedSig) {
-            return callback(errors.SignatureDoesNotMatch);
-        }
-        const userInfoToSend = {
-            accountDisplayName: this.indexer.getAcctDisplayName(entity),
-            canonicalID: entity.canonicalID,
-            arn: entity.arn,
-            IAMdisplayName: entity.IAMdisplayName,
-        };
-        const vaultReturnObject = this.formatResponse(userInfoToSend);
-        return callback(null, vaultReturnObject);
-    }
-
-    /**
-     * Gets canonical ID's for a list of accounts
-     * based on email associated with account
-     * @param {array} emails - list of email addresses
-     * @param {object} log - log object
-     * @param {function} cb - callback to calling function
-     * @returns {function} callback with either error or
-     * object with email addresses as keys and canonical IDs
-     * as values
-     */
-    getCanonicalIds(emails, log, cb) {
-        const results = {};
-        emails.forEach(email => {
-            const lowercasedEmail = email.toLowerCase();
-            const entity = this.indexer.getEntityByEmail(lowercasedEmail);
-            if (!entity) {
-                results[email] = 'NotFound';
-            } else {
-                results[email] =
-                    entity.canonicalID;
-            }
-        });
-        const vaultReturnObject = {
-            message: {
-                body: results,
-            },
-        };
-        return cb(null, vaultReturnObject);
-    }
-
-    /**
-     * Gets email addresses (referred to as diplay names for getACL's)
-     * for a list of accounts based on canonical IDs associated with account
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} options - to send log id to vault
-     * @param {function} cb - callback to calling function
-     * @returns {function} callback with either error or
-     * an object from Vault containing account canonicalID
-     * as each object key and an email address as the value (or "NotFound")
-     */
-    getEmailAddresses(canonicalIDs, options, cb) {
-        const results = {};
-        canonicalIDs.forEach(canonicalId => {
-            const foundEntity = this.indexer.getEntityByCanId(canonicalId);
-            if (!foundEntity || !foundEntity.email) {
-                results[canonicalId] = 'NotFound';
-            } else {
-                results[canonicalId] = foundEntity.email;
-            }
-        });
-        const vaultReturnObject = {
-            message: {
-                body: results,
-            },
-        };
-        return cb(null, vaultReturnObject);
-    }
-
-    /**
-     * Gets accountIds for a list of accounts based on
-     * the canonical IDs associated with the account
-     * @param {array} canonicalIDs - list of canonicalIDs
-     * @param {object} options - to send log id to vault
-     * @param {function} cb - callback to calling function
-     * @returns {function} callback with either error or
-     * an object from Vault containing account canonicalID
-     * as each object key and an accountId as the value (or "NotFound")
-     */
-    getAccountIds(canonicalIDs, options, cb) {
-        const results = {};
-        canonicalIDs.forEach(canonicalID => {
-            const foundEntity = this.indexer.getEntityByCanId(canonicalID);
-            if (!foundEntity || !foundEntity.shortid) {
-                results[canonicalID] = 'Not Found';
-            } else {
-                results[canonicalID] = foundEntity.shortid;
-            }
-        });
-        const vaultReturnObject = {
-            message: {
-                body: results,
-            },
-        };
-        return cb(null, vaultReturnObject);
-    }
-}
-
-
-class S3AuthBackend extends Backend {
-    /**
-     * @constructor
-     * @param {object} authdata - the authentication config file's data
-     * @param {object[]} authdata.accounts - array of account objects
-     * @param {string=} authdata.accounts[].name - account name
-     * @param {string} authdata.accounts[].email - account email
-     * @param {string} authdata.accounts[].arn - IAM resource name
-     * @param {string} authdata.accounts[].canonicalID - account canonical ID
-     * @param {string} authdata.accounts[].shortid - short account ID
-     * @param {object[]=} authdata.accounts[].keys - array of key objects
-     * @param {string} authdata.accounts[].keys[].access - access key
-     * @param {string} authdata.accounts[].keys[].secret - secret key
-     * @return {undefined}
-     */
-    constructor(authdata) {
-        super('s3', new Indexer(authdata), _formatResponse);
-    }
-
-    refreshAuthData(authData) {
-        this.indexer = new Indexer(authData);
-    }
-}
-
-module.exports = {
-    s3: S3AuthBackend,
-};
--- a/lib/auth/in_memory/Backend.ts
+++ b/lib/auth/in_memory/Backend.ts
@ -0,0 +1,194 @@
+import * as crypto from 'crypto';
+import errors from '../../errors';
+import { calculateSigningKey, hashSignature } from './vaultUtilities';
+import Indexer from './Indexer';
+import { Accounts } from './types';
+
+function _formatResponse(userInfoToSend: any) {
+    return {
+        message: {
+            body: { userInfo: userInfoToSend },
+        },
+    };
+}
+
+/**
+ * Class that provides a memory backend for verifying signatures and getting
+ * emails and canonical ids associated with an account.
+ */
+class Backend {
+    indexer: Indexer;
+    service: string;
+
+    constructor(service: string, indexer: Indexer) {
+        this.service = service;
+        this.indexer = indexer;
+    }
+
+    // CODEQUALITY-TODO-SYNC Should be synchronous
+    verifySignatureV2(
+        stringToSign: string,
+        signatureFromRequest: string,
+        accessKey: string,
+        options: { algo: 'SHA256' | 'SHA1' },
+        callback: (
+            error: Error | null,
+            data?: ReturnType<typeof _formatResponse>
+        ) => void
+    ) {
+        const entity = this.indexer.getEntityByKey(accessKey);
+        if (!entity) {
+            return callback(errors.InvalidAccessKeyId);
+        }
+        const secretKey = this.indexer.getSecretKey(entity, accessKey);
+        const reconstructedSig =
+            hashSignature(stringToSign, secretKey, options.algo);
+        if (signatureFromRequest !== reconstructedSig) {
+            return callback(errors.SignatureDoesNotMatch);
+        }
+        const userInfoToSend = {
+            accountDisplayName: this.indexer.getAcctDisplayName(entity),
+            canonicalID: entity.canonicalID,
+            arn: entity.arn,
+            // TODO Why?
+            // @ts-ignore
+            IAMdisplayName: entity.IAMdisplayName,
+        };
+        const vaultReturnObject = _formatResponse(userInfoToSend);
+        return callback(null, vaultReturnObject);
+    }
+
+    // TODO Options not used. Why ?
+    // CODEQUALITY-TODO-SYNC Should be synchronous
+    verifySignatureV4(
+        stringToSign: string,
+        signatureFromRequest: string,
+        accessKey: string,
+        region: string,
+        scopeDate: string,
+        _options: { algo: 'SHA256' | 'SHA1' },
+        callback: (
+            err: Error | null,
+            data?: ReturnType<typeof _formatResponse>
+        ) => void
+    ) {
+        const entity = this.indexer.getEntityByKey(accessKey);
+        if (!entity) {
+            return callback(errors.InvalidAccessKeyId);
+        }
+        const secretKey = this.indexer.getSecretKey(entity, accessKey);
+        const signingKey = calculateSigningKey(secretKey, region, scopeDate);
+        const reconstructedSig = crypto.createHmac('sha256', signingKey)
+            .update(stringToSign, 'binary').digest('hex');
+        if (signatureFromRequest !== reconstructedSig) {
+            return callback(errors.SignatureDoesNotMatch);
+        }
+        const userInfoToSend = {
+            accountDisplayName: this.indexer.getAcctDisplayName(entity),
+            canonicalID: entity.canonicalID,
+            arn: entity.arn,
+            // TODO Why?
+            // @ts-ignore
+            IAMdisplayName: entity.IAMdisplayName,
+        };
+        const vaultReturnObject = _formatResponse(userInfoToSend);
+        return callback(null, vaultReturnObject);
+    }
+
+    // TODO log not used. Why ?
+    // CODEQUALITY-TODO-SYNC Should be synchronous
+    getCanonicalIds(
+        emails: string[],
+        _log: any,
+        cb: (err: null, data: { message: { body: any } }) => void
+    ) {
+        const results = {};
+        emails.forEach(email => {
+            const lowercasedEmail = email.toLowerCase();
+            const entity = this.indexer.getEntityByEmail(lowercasedEmail);
+            if (!entity) {
+                results[email] = 'NotFound';
+            } else {
+                results[email] =
+                    entity.canonicalID;
+            }
+        });
+        const vaultReturnObject = {
+            message: {
+                body: results,
+            },
+        };
+        return cb(null, vaultReturnObject);
+    }
+
+    // TODO options not used. Why ?
+    // CODEQUALITY-TODO-SYNC Should be synchronous
+    getEmailAddresses(
+        canonicalIDs: string[],
+        _options: any,
+        cb: (err: null, data: { message: { body: any } }) => void
+    ) {
+        const results = {};
+        canonicalIDs.forEach(canonicalId => {
+            const foundEntity = this.indexer.getEntityByCanId(canonicalId);
+            if (!foundEntity || !foundEntity.email) {
+                results[canonicalId] = 'NotFound';
+            } else {
+                results[canonicalId] = foundEntity.email;
+            }
+        });
+        const vaultReturnObject = {
+            message: {
+                body: results,
+            },
+        };
+        return cb(null, vaultReturnObject);
+    }
+
+    // TODO options not used. Why ?
+    // CODEQUALITY-TODO-SYNC Should be synchronous
+    /**
+     * Gets accountIds for a list of accounts based on
+     * the canonical IDs associated with the account
+     * @param canonicalIDs - list of canonicalIDs
+     * @param _options - to send log id to vault
+     * @param cb - callback to calling function
+     * @returns The next is wrong. Here to keep archives.
+     * callback with either error or
+     * an object from Vault containing account canonicalID
+     * as each object key and an accountId as the value (or "NotFound")
+     */
+    getAccountIds(
+        canonicalIDs: string[],
+        _options: any,
+        cb: (err: null, data: { message: { body: any } }) => void
+    ) {
+        const results = {};
+        canonicalIDs.forEach(canonicalID => {
+            const foundEntity = this.indexer.getEntityByCanId(canonicalID);
+            if (!foundEntity || !foundEntity.shortid) {
+                results[canonicalID] = 'Not Found';
+            } else {
+                results[canonicalID] = foundEntity.shortid;
+            }
+        });
+        const vaultReturnObject = {
+            message: {
+                body: results,
+            },
+        };
+        return cb(null, vaultReturnObject);
+    }
+}
+
+class S3AuthBackend extends Backend {
+    constructor(authdata: Accounts) {
+        super('s3', new Indexer(authdata));
+    }
+
+    refreshAuthData(authData: Accounts) {
+        this.indexer = new Indexer(authData);
+    }
+}
+
+export { S3AuthBackend as s3 };
--- a/lib/auth/in_memory/Indexer.js
+++ b/lib/auth/in_memory/Indexer.js
@ -1,145 +0,0 @@
-/**
- * Class that provides an internal indexing over the simple data provided by
- * the authentication configuration file for the memory backend. This allows
- * accessing the different authentication entities through various types of
- * keys.
- *
- * @class Indexer
- */
-class Indexer {
-    /**
-     * @constructor
-     * @param {object} authdata - the authentication config file's data
-     * @param {object[]} authdata.accounts - array of account objects
-     * @param {string=} authdata.accounts[].name - account name
-     * @param {string} authdata.accounts[].email - account email
-     * @param {string} authdata.accounts[].arn - IAM resource name
-     * @param {string} authdata.accounts[].canonicalID - account canonical ID
-     * @param {string} authdata.accounts[].shortid - short account ID
-     * @param {object[]=} authdata.accounts[].keys - array of key objects
-     * @param {string} authdata.accounts[].keys[].access - access key
-     * @param {string} authdata.accounts[].keys[].secret - secret key
-     * @return {undefined}
-     */
-    constructor(authdata) {
-        this.accountsBy = {
-            canId: {},
-            accessKey: {},
-            email: {},
-        };
-
-        /*
-         * This may happen if the application is configured to use another
-         * authentication backend than in-memory.
-         * As such, we're managing the error here to avoid screwing up there.
-         */
-        if (!authdata) {
-            return;
-        }
-
-        this._build(authdata);
-    }
-
-    _indexAccount(account) {
-        const accountData = {
-            arn: account.arn,
-            canonicalID: account.canonicalID,
-            shortid: account.shortid,
-            accountDisplayName: account.name,
-            email: account.email.toLowerCase(),
-            keys: [],
-        };
-        this.accountsBy.canId[accountData.canonicalID] = accountData;
-        this.accountsBy.email[accountData.email] = accountData;
-        if (account.keys !== undefined) {
-            account.keys.forEach(key => {
-                accountData.keys.push(key);
-                this.accountsBy.accessKey[key.access] = accountData;
-            });
-        }
-    }
-
-    _build(authdata) {
-        authdata.accounts.forEach(account => {
-            this._indexAccount(account);
-        });
-    }
-
-    /**
-     * This method returns the account associated to a canonical ID.
-     *
-     * @param {string} canId - The canonicalId of the account
-     * @return {Object} account - The account object
-     * @return {Object} account.arn - The account's ARN
-     * @return {Object} account.canonicalID - The account's canonical ID
-     * @return {Object} account.shortid - The account's internal shortid
-     * @return {Object} account.accountDisplayName - The account's display name
-     * @return {Object} account.email - The account's lowercased email
-     */
-    getEntityByCanId(canId) {
-        return this.accountsBy.canId[canId];
-    }
-
-    /**
-     * This method returns the entity (either an account or a user) associated
-     * to a canonical ID.
-     *
-     * @param {string} key - The accessKey of the entity
-     * @return {Object} entity - The entity object
-     * @return {Object} entity.arn - The entity's ARN
-     * @return {Object} entity.canonicalID - The canonical ID for the entity's
-     *                                       account
-     * @return {Object} entity.shortid - The entity's internal shortid
-     * @return {Object} entity.accountDisplayName - The entity's account
-     *                                              display name
-     * @return {Object} entity.IAMDisplayName - The user's display name
-     *                                          (if the entity is an user)
-     * @return {Object} entity.email - The entity's lowercased email
-     */
-    getEntityByKey(key) {
-        return this.accountsBy.accessKey[key];
-    }
-
-    /**
-     * This method returns the entity (either an account or a user) associated
-     * to an email address.
-     *
-     * @param {string} email - The email address
-     * @return {Object} entity - The entity object
-     * @return {Object} entity.arn - The entity's ARN
-     * @return {Object} entity.canonicalID - The canonical ID for the entity's
-     *                                       account
-     * @return {Object} entity.shortid - The entity's internal shortid
-     * @return {Object} entity.accountDisplayName - The entity's account
-     *                                              display name
-     * @return {Object} entity.IAMDisplayName - The user's display name
-     *                                          (if the entity is an user)
-     * @return {Object} entity.email - The entity's lowercased email
-     */
-    getEntityByEmail(email) {
-        const lowerCasedEmail = email.toLowerCase();
-        return this.accountsBy.email[lowerCasedEmail];
-    }
-
-    /**
-    * This method returns the secret key associated with the entity.
-    * @param {Object} entity - the entity object
-    * @param {string} accessKey - access key
-    * @returns {string} secret key
-    */
-    getSecretKey(entity, accessKey) {
-        return entity.keys
-            .filter(kv => kv.access === accessKey)[0].secret;
-    }
-
-    /**
-    * This method returns the account display name associated with the entity.
-    * @param {Object} entity - the entity object
-    * @returns {string} account display name
-    */
-    getAcctDisplayName(entity) {
-        return entity.accountDisplayName;
-    }
-}
-
-module.exports = Indexer;
--- a/lib/auth/in_memory/Indexer.ts
+++ b/lib/auth/in_memory/Indexer.ts
@ -0,0 +1,93 @@
+import { Accounts, Account, Entity } from './types';
+
+/**
+ * Class that provides an internal indexing over the simple data provided by
+ * the authentication configuration file for the memory backend. This allows
+ * accessing the different authentication entities through various types of
+ * keys.
+ */
+export default class Indexer {
+    accountsBy: {
+        canId: { [id: string]: Entity | undefined },
+        accessKey: { [id: string]: Entity | undefined },
+        email: { [id: string]: Entity | undefined },
+    }
+
+    constructor(authdata?: Accounts) {
+        this.accountsBy = {
+            canId: {},
+            accessKey: {},
+            email: {},
+        };
+
+        /*
+         * This may happen if the application is configured to use another
+         * authentication backend than in-memory.
+         * As such, we're managing the error here to avoid screwing up there.
+         */
+        if (!authdata) {
+            return;
+        }
+
+        this.#build(authdata);
+    }
+
+    #indexAccount(account: Account) {
+        const accountData: Entity = {
+            arn: account.arn,
+            canonicalID: account.canonicalID,
+            shortid: account.shortid,
+            accountDisplayName: account.name,
+            email: account.email.toLowerCase(),
+            keys: [],
+        };
+        this.accountsBy.canId[accountData.canonicalID] = accountData;
+        this.accountsBy.email[accountData.email] = accountData;
+        if (account.keys !== undefined) {
+            account.keys.forEach(key => {
+                accountData.keys.push(key);
+                this.accountsBy.accessKey[key.access] = accountData;
+            });
+        }
+    }
+
+    #build(authdata: Accounts) {
+        authdata.accounts.forEach(account => {
+            this.#indexAccount(account);
+        });
+    }
+
+    /** This method returns the account associated to a canonical ID. */
+    getEntityByCanId(canId: string): Entity | undefined {
+        return this.accountsBy.canId[canId];
+    }
+
+    /**
+     * This method returns the entity (either an account or a user) associated
+     * to a canonical ID.
+     * @param {string} key - The accessKey of the entity
+     */
+    getEntityByKey(key: string): Entity | undefined {
+        return this.accountsBy.accessKey[key];
+    }
+
+    /**
+     * This method returns the entity (either an account or a user) associated
+     * to an email address.
+     */
+    getEntityByEmail(email: string): Entity | undefined {
+        const lowerCasedEmail = email.toLowerCase();
+        return this.accountsBy.email[lowerCasedEmail];
+    }
+
+    /** This method returns the secret key associated with the entity. */
+    getSecretKey(entity: Entity, accessKey: string) {
+        const keys = entity.keys.filter(kv => kv.access === accessKey);
+        return keys[0].secret;
+    }
+
+    /** This method returns the account display name associated with the entity. */
+    getAcctDisplayName(entity: Entity) {
+        return entity.accountDisplayName;
+    }
+}
--- a/lib/auth/in_memory/types.ts
+++ b/lib/auth/in_memory/types.ts
@ -0,0 +1,51 @@
+import joi from 'joi';
+
+export type Callback<Data = any> = (err: Error | null | undefined, data?: Data) => void;
+
+export type Key = { access: string; secret: string };
+export type Base = {
+    arn: string;
+    canonicalID: string;
+    shortid: string;
+    email: string;
+    keys: Key[];
+};
+export type Account = Base & { name: string; users: any[] };
+export type Accounts = { accounts: Account[] };
+export type Entity = Base & { accountDisplayName: string };
+
+const keys = ((): joi.ArraySchema => {
+    const str = joi.string().required();
+    const items = { access: str, secret: str };
+    return joi.array().items(items).required();
+})();
+
+const account = (() => {
+    return joi.object<Account>({
+        name: joi.string().required(),
+        email: joi.string().email().required(),
+        arn: joi.string().required(),
+        canonicalID: joi.string().required(),
+        shortid: joi
+            .string()
+            .regex(/^[0-9]{12}$/)
+            .required(),
+        keys: keys,
+        // backward-compat
+        users: joi.array(),
+    });
+})();
+
+const accounts = (() => {
+    return joi.object<Accounts>({
+        accounts: joi
+            .array()
+            .items(account)
+            .required()
+            .unique('arn')
+            .unique('email')
+            .unique('canonicalID'),
+    });
+})();
+
+export const validators = { keys, account, accounts };
--- a/lib/auth/in_memory/validateAuthConfig.js
+++ b/lib/auth/in_memory/validateAuthConfig.js
@ -1,18 +0,0 @@
-const AuthLoader = require('./AuthLoader');
-
-/**
- * @deprecated please use {@link AuthLoader} class instead
- *
- * @param {object} authdata - the authentication config file's data
- * @param {werelogs.API} logApi - object providing a constructor function
- *                                for the Logger object
- * @return {boolean} true on erroneous data
- *                   false on success
- */
-function validateAuthConfig(authdata, logApi) {
-    const authLoader = new AuthLoader(logApi);
-    authLoader.addAccounts(authdata);
-    return !authLoader.validate();
-}
-
-module.exports = validateAuthConfig;
--- a/lib/auth/in_memory/validateAuthConfig.ts
+++ b/lib/auth/in_memory/validateAuthConfig.ts
@ -0,0 +1,16 @@
+import { Logger } from 'werelogs';
+import AuthLoader from './AuthLoader';
+import { Accounts } from './types';
+
+/**
+ * @deprecated please use {@link AuthLoader} class instead
+ * @return true on erroneous data false on success
+ */
+export default function validateAuthConfig(
+    authdata: Accounts,
+    logApi?: { Logger: typeof Logger }
+) {
+    const authLoader = new AuthLoader(logApi);
+    authLoader.addAccounts(authdata);
+    return !authLoader.validate();
+}
--- a/lib/auth/in_memory/vaultUtilities.ts
+++ b/lib/auth/in_memory/vaultUtilities.ts
@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
-
-const crypto = require('crypto');
+import * as crypto from 'crypto';

 /** hashSignature for v2 Auth
 * @param {string} stringToSign - built string to sign per AWS rules
@ -8,11 +6,19 @@ const crypto = require('crypto');
 * @param {string} algorithm - either SHA256 or SHA1
 * @return {string} reconstructed signature
 */
-function hashSignature(stringToSign, secretKey, algorithm) {
+export function hashSignature(
+    stringToSign: string,
+    secretKey: string,
+    algorithm: 'SHA256' | 'SHA1'
+): string {
    const hmacObject = crypto.createHmac(algorithm, secretKey);
    return hmacObject.update(stringToSign, 'binary').digest('base64');
 }

+const sha256 = (key: string | Buffer, data: string) => {
+    return crypto.createHmac('sha256', key).update(data, 'binary').digest();
+};
+
 /** calculateSigningKey for v4 Auth
 * @param {string} secretKey - requester's secretKey
 * @param {string} region - region included in request
@ -20,16 +26,15 @@ function hashSignature(stringToSign, secretKey, algorithm) {
 * @param {string} [service] - To specify another service than s3
 * @return {string} signingKey - signingKey to calculate signature
 */
-function calculateSigningKey(secretKey, region, scopeDate, service) {
-    const dateKey = crypto.createHmac('sha256', `AWS4${secretKey}`)
-        .update(scopeDate, 'binary').digest();
-    const dateRegionKey = crypto.createHmac('sha256', dateKey)
-        .update(region, 'binary').digest();
-    const dateRegionServiceKey = crypto.createHmac('sha256', dateRegionKey)
-        .update(service || 's3', 'binary').digest();
-    const signingKey = crypto.createHmac('sha256', dateRegionServiceKey)
-        .update('aws4_request', 'binary').digest();
+export function calculateSigningKey(
+    secretKey: string,
+    region: string,
+    scopeDate: string,
+    service?: string
+): Buffer {
+    const dateKey = sha256(`AWS4${secretKey}`, scopeDate);
+    const dateRegionKey = sha256(dateKey, region);
+    const dateRegionServiceKey = sha256(dateRegionKey, service || 's3');
+    const signingKey = sha256(dateRegionServiceKey, 'aws4_request');
    return signingKey;
 }
-
-module.exports = { hashSignature, calculateSigningKey };
--- a/lib/auth/v2/algoCheck.ts
+++ b/lib/auth/v2/algoCheck.ts
@ -1,7 +1,5 @@
-'use strict'; // eslint-disable-line strict
-
-function algoCheck(signatureLength) {
-    let algo;
+export default function algoCheck(signatureLength: number) {
+    let algo: 'sha256' | 'sha1';
    // If the signature sent is 44 characters,
    // this means that sha256 was used:
    // 44 characters in base64
@ -13,7 +11,6 @@ function algoCheck(signatureLength) {
    if (signatureLength === SHA1LEN) {
        algo = 'sha1';
    }
+    // @ts-ignore
    return algo;
 }
-
-module.exports = algoCheck;
--- a/lib/auth/v2/authV2.js
+++ b/lib/auth/v2/authV2.js
@ -1,11 +0,0 @@
-'use strict'; // eslint-disable-line strict
-
-const headerAuthCheck = require('./headerAuthCheck');
-const queryAuthCheck = require('./queryAuthCheck');
-
-const authV2 = {
-    header: headerAuthCheck,
-    query: queryAuthCheck,
-};
-
-module.exports = authV2;
--- a/lib/auth/v2/authV2.ts
+++ b/lib/auth/v2/authV2.ts
@ -0,0 +1,2 @@
+export * as header from './headerAuthCheck';
+export * as query from './queryAuthCheck';
--- a/lib/auth/v2/checkRequestExpiry.ts
+++ b/lib/auth/v2/checkRequestExpiry.ts
@ -1,9 +1,9 @@
-'use strict'; // eslint-disable-line strict
-const errors = require('../../errors');
+import { Logger } from 'werelogs';
+import errors from '../../errors';

 const epochTime = new Date('1970-01-01').getTime();

-function checkRequestExpiry(timestamp, log) {
+export default function checkRequestExpiry(timestamp: number, log: Logger) {
    // If timestamp is before epochTime, the request is invalid and return
    // errors.AccessDenied
    if (timestamp < epochTime) {
@ -32,5 +32,3 @@ function checkRequestExpiry(timestamp, log) {

    return undefined;
 }
-
-module.exports = checkRequestExpiry;
--- a/lib/auth/v2/constructStringToSign.ts
+++ b/lib/auth/v2/constructStringToSign.ts
@ -1,11 +1,14 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
+import utf8 from 'utf8';
+import getCanonicalizedAmzHeaders from './getCanonicalizedAmzHeaders';
+import getCanonicalizedResource from './getCanonicalizedResource';

-const utf8 = require('utf8');
-
-const getCanonicalizedAmzHeaders = require('./getCanonicalizedAmzHeaders');
-const getCanonicalizedResource = require('./getCanonicalizedResource');
-
-function constructStringToSign(request, data, log, clientType) {
+export default function constructStringToSign(
+    request: any,
+    data: { [key: string]: string },
+    log: Logger,
+    clientType?: any
+) {
    /*
    Build signature per AWS requirements:
    StringToSign = HTTP-Verb + '\n' +
@ -42,5 +45,3 @@ function constructStringToSign(request, data, log, clientType) {
        + getCanonicalizedResource(request, clientType);
    return utf8.encode(stringToSign);
 }
-
-module.exports = constructStringToSign;
--- a/lib/auth/v2/getCanonicalizedAmzHeaders.ts
+++ b/lib/auth/v2/getCanonicalizedAmzHeaders.ts
@ -1,14 +1,12 @@
-'use strict'; // eslint-disable-line strict
-
-function getCanonicalizedAmzHeaders(headers, clientType) {
+export default function getCanonicalizedAmzHeaders(headers: Headers, clientType: string) {
    /*
    Iterate through headers and pull any headers that are x-amz headers.
    Need to include 'x-amz-date' here even though AWS docs
    ambiguous on this.
    */
    const filterFn = clientType === 'GCP' ?
-        val => val.substr(0, 7) === 'x-goog-' :
-        val => val.substr(0, 6) === 'x-amz-';
+        (val: string) => val.substr(0, 7) === 'x-goog-' :
+        (val: string) => val.substr(0, 6) === 'x-amz-';
    const amzHeaders = Object.keys(headers)
        .filter(filterFn)
        .map(val => [val.trim(), headers[val].trim()]);
@ -43,5 +41,3 @@ function getCanonicalizedAmzHeaders(headers, clientType) {
        `${headerStr}${current[0]}:${current[1]}\n`,
        '');
 }
-
-module.exports = getCanonicalizedAmzHeaders;
--- a/lib/auth/v2/getCanonicalizedResource.ts
+++ b/lib/auth/v2/getCanonicalizedResource.ts
@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
-
-const url = require('url');
+import * as url from 'url';

 const gcpSubresources = [
    'acl',
@ -41,7 +39,7 @@ const awsSubresources = [
    'website',
 ];

-function getCanonicalizedResource(request, clientType) {
+export default function getCanonicalizedResource(request: any, clientType: string) {
    /*
    This variable is used to determine whether to insert
    a '?' or '&'.  Once a query parameter is added to the resourceString,
@ -117,5 +115,3 @@ function getCanonicalizedResource(request, clientType) {
    }
    return resourceString;
 }
-
-module.exports = getCanonicalizedResource;
--- a/lib/auth/v2/headerAuthCheck.ts
+++ b/lib/auth/v2/headerAuthCheck.ts
@ -1,12 +1,11 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
+import errors from '../../errors';
+import * as constants from '../../constants';
+import constructStringToSign from './constructStringToSign';
+import checkRequestExpiry from './checkRequestExpiry';
+import algoCheck from './algoCheck';

-const errors = require('../../errors');
-const constants = require('../../constants');
-const constructStringToSign = require('./constructStringToSign');
-const checkRequestExpiry = require('./checkRequestExpiry');
-const algoCheck = require('./algoCheck');
-
-function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
    log.trace('running header auth check');
    const headers = request.headers;

@ -52,6 +51,7 @@ function check(request, log, data) {
        log.trace('invalid authorization header', { authInfo });
        return { err: errors.MissingSecurityHeader };
    }
+    // @ts-ignore
    log.addDefaultFields({ accessKey });

    const signatureFromRequest = authInfo.substring(semicolonIndex + 1).trim();
@ -80,5 +80,3 @@ function check(request, log, data) {
        },
    };
 }
-
-module.exports = { check };
--- a/lib/auth/v2/queryAuthCheck.ts
+++ b/lib/auth/v2/queryAuthCheck.ts
@ -1,11 +1,10 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';
+import errors from '../../errors';
+import * as constants from '../../constants';
+import algoCheck from './algoCheck';
+import constructStringToSign from './constructStringToSign';

-const errors = require('../../errors');
-const constants = require('../../constants');
-const algoCheck = require('./algoCheck');
-const constructStringToSign = require('./constructStringToSign');
-
-function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
    log.trace('running query auth check');
    if (request.method === 'POST') {
        log.debug('query string auth not supported for post requests');
@ -51,6 +50,7 @@ function check(request, log, data) {
        return { err: errors.RequestTimeTooSkewed };
    }
    const accessKey = data.AWSAccessKeyId;
+    // @ts-ignore
    log.addDefaultFields({ accessKey });

    const signatureFromRequest = decodeURIComponent(data.Signature);
@ -82,5 +82,3 @@ function check(request, log, data) {
        },
    };
 }
-
-module.exports = { check };
--- a/lib/auth/v4/authV4.js
+++ b/lib/auth/v4/authV4.js
@ -1,11 +0,0 @@
-'use strict'; // eslint-disable-line strict
-
-const headerAuthCheck = require('./headerAuthCheck');
-const queryAuthCheck = require('./queryAuthCheck');
-
-const authV4 = {
-    header: headerAuthCheck,
-    query: queryAuthCheck,
-};
-
-module.exports = authV4;
--- a/lib/auth/v4/authV4.ts
+++ b/lib/auth/v4/authV4.ts
@ -0,0 +1,2 @@
+export * as header from './headerAuthCheck';
+export * as query from './queryAuthCheck';
--- a/lib/auth/v4/awsURIencode.ts
+++ b/lib/auth/v4/awsURIencode.ts
@ -1,5 +1,3 @@
-'use strict'; // eslint-disable-line strict
-
 /*
 AWS's URI encoding rules:
 URI encode every byte. Uri-Encode() must enforce the following rules:
@ -19,7 +17,7 @@ See http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
 */

 // converts utf8 character to hex and pads "%" before every two hex digits
-function _toHexUTF8(char) {
+function _toHexUTF8(char: string) {
    const hexRep = Buffer.from(char, 'utf8').toString('hex').toUpperCase();
    let res = '';
    hexRep.split('').forEach((v, n) => {
@ -32,7 +30,11 @@ function _toHexUTF8(char) {
    return res;
 }

-function awsURIencode(input, encodeSlash, noEncodeStar) {
+export default function awsURIencode(
+    input: string,
+    encodeSlash?: boolean,
+    noEncodeStar?: boolean
+) {
    const encSlash = encodeSlash === undefined ? true : encodeSlash;
    let encoded = '';
    /**
@ -62,5 +64,3 @@ function awsURIencode(input, encodeSlash, noEncodeStar) {
    }
    return encoded;
 }
-
-module.exports = awsURIencode;
--- a/lib/auth/v4/constructStringToSign.ts
+++ b/lib/auth/v4/constructStringToSign.ts
@ -1,17 +1,33 @@
-'use strict'; // eslint-disable-line strict
-
-const crypto = require('crypto');
-
-const createCanonicalRequest = require('./createCanonicalRequest');
+import * as crypto from 'crypto';
+import { Logger } from 'werelogs';
+import createCanonicalRequest from './createCanonicalRequest';

 /**
 * constructStringToSign - creates V4 stringToSign
 * @param {object} params - params object
 * @returns {string} - stringToSign
 */
-function constructStringToSign(params) {
-    const { request, signedHeaders, payloadChecksum, credentialScope, timestamp,
-        query, log, proxyPath } = params;
+export default function constructStringToSign(params: {
+    request: any;
+    signedHeaders: any;
+    payloadChecksum: any;
+    credentialScope: string;
+    timestamp: string;
+    query: { [key: string]: string };
+    log?: Logger;
+    proxyPath?: string;
+    awsService: string;
+}): string | Error {
+    const {
+        request,
+        signedHeaders,
+        payloadChecksum,
+        credentialScope,
+        timestamp,
+        query,
+        log,
+        proxyPath,
+    } = params;
    const path = proxyPath || request.path;

    const canonicalReqResult = createCanonicalRequest({
@ -24,6 +40,8 @@ function constructStringToSign(params) {
        service: params.awsService,
    });

+    // TODO Why that line?
+    // @ts-ignore
    if (canonicalReqResult instanceof Error) {
        if (log) {
            log.error('error creating canonicalRequest');
@ -40,5 +58,3 @@ function constructStringToSign(params) {
    `${credentialScope}\n${canonicalHex}`;
    return stringToSign;
 }
-
-module.exports = constructStringToSign;
--- a/lib/auth/v4/createCanonicalRequest.ts
+++ b/lib/auth/v4/createCanonicalRequest.ts
@ -1,27 +1,33 @@
-'use strict'; // eslint-disable-line strict
-
-const awsURIencode = require('./awsURIencode');
-const crypto = require('crypto');
-const queryString = require('querystring');
+import * as crypto from 'crypto';
+import * as queryString from 'querystring';
+import awsURIencode from './awsURIencode';

 /**
 * createCanonicalRequest - creates V4 canonical request
- * @param {object} params - contains pHttpVerb (request type),
+ * @param params - contains pHttpVerb (request type),
 * pResource (parsed from URL), pQuery (request query),
 * pHeaders (request headers), pSignedHeaders (signed headers from request),
 * payloadChecksum (from request)
- * @returns {string} - canonicalRequest
+ * @returns - canonicalRequest
 */
-function createCanonicalRequest(params) {
+export default function createCanonicalRequest(
+    params: {
+        pHttpVerb: string;
+        pResource: string;
+        pQuery: { [key: string]: string };
+        pHeaders: any;
+        pSignedHeaders: any;
+        service: string;
+        payloadChecksum: string;
+    }
+) {
    const pHttpVerb = params.pHttpVerb;
    const pResource = params.pResource;
    const pQuery = params.pQuery;
    const pHeaders = params.pHeaders;
    const pSignedHeaders = params.pSignedHeaders;
    const service = params.service;
-
    let payloadChecksum = params.payloadChecksum;
-
    if (!payloadChecksum) {
        if (pHttpVerb === 'GET') {
            payloadChecksum = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b' +
@ -34,7 +40,7 @@ function createCanonicalRequest(params) {
            if (/aws-sdk-java\/[0-9.]+/.test(pHeaders['user-agent'])) {
                notEncodeStar = true;
            }
-            let payload = queryString.stringify(pQuery, null, null, {
+            let payload = queryString.stringify(pQuery, undefined, undefined, {
                encodeURIComponent: input => awsURIencode(input, true,
                    notEncodeStar),
            });
@ -61,11 +67,11 @@ function createCanonicalRequest(params) {

    // signed headers
    const signedHeadersList = pSignedHeaders.split(';');
-    signedHeadersList.sort((a, b) => a.localeCompare(b));
+    signedHeadersList.sort((a: any, b: any) => a.localeCompare(b));
    const signedHeaders = signedHeadersList.join(';');

    // canonical headers
-    const canonicalHeadersList = signedHeadersList.map(signedHeader => {
+    const canonicalHeadersList = signedHeadersList.map((signedHeader: any) => {
        if (pHeaders[signedHeader] !== undefined) {
            const trimmedHeader = pHeaders[signedHeader]
                .trim().replace(/\s+/g, ' ');
@ -87,5 +93,3 @@ function createCanonicalRequest(params) {
        `${signedHeaders}\n${payloadChecksum}`;
    return canonicalRequest;
 }
-
-module.exports = createCanonicalRequest;
--- a/lib/auth/v4/headerAuthCheck.ts
+++ b/lib/auth/v4/headerAuthCheck.ts
@ -1,27 +1,32 @@
-'use strict'; // eslint-disable-line strict
-
-const errors = require('../../../lib/errors');
-const constants = require('../../constants');
-
-const constructStringToSign = require('./constructStringToSign');
-const checkTimeSkew = require('./timeUtils').checkTimeSkew;
-const convertUTCtoISO8601 = require('./timeUtils').convertUTCtoISO8601;
-const convertAmzTimeToMs = require('./timeUtils').convertAmzTimeToMs;
-const extractAuthItems = require('./validateInputs').extractAuthItems;
-const validateCredentials = require('./validateInputs').validateCredentials;
-const areSignedHeadersComplete =
-    require('./validateInputs').areSignedHeadersComplete;
+import { Logger } from 'werelogs';
+import errors from '../../../lib/errors';
+import * as constants from '../../constants';
+import constructStringToSign from './constructStringToSign';
+import {
+    checkTimeSkew,
+    convertUTCtoISO8601,
+    convertAmzTimeToMs,
+} from './timeUtils';
+import {
+    extractAuthItems,
+    validateCredentials,
+    areSignedHeadersComplete,
+} from './validateInputs';

 /**
 * V4 header auth check
- * @param {object} request - HTTP request object
- * @param {object} log - logging object
- * @param {object} data - Parameters from queryString parsing or body of
+ * @param request - HTTP request object
+ * @param log - logging object
+ * @param data - Parameters from queryString parsing or body of
 *      POST request
- * @param {string} awsService - Aws service ('iam' or 's3')
- * @return {callback} calls callback
+ * @param awsService - Aws service ('iam' or 's3')
 */
-function check(request, log, data, awsService) {
+export function check(
+    request: any,
+    log: Logger,
+    data: { [key: string]: string },
+    awsService: string
+) {
    log.trace('running header auth check');

    const token = request.headers['x-amz-security-token'];
@ -62,16 +67,16 @@ function check(request, log, data, awsService) {

    log.trace('authorization header from request', { authHeader });

-    const signatureFromRequest = authHeaderItems.signatureFromRequest;
-    const credentialsArr = authHeaderItems.credentialsArr;
-    const signedHeaders = authHeaderItems.signedHeaders;
+    const signatureFromRequest = authHeaderItems.signatureFromRequest!;
+    const credentialsArr = authHeaderItems.credentialsArr!;
+    const signedHeaders = authHeaderItems.signedHeaders!;

    if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
        log.debug('signedHeaders are incomplete', { signedHeaders });
        return { err: errors.AccessDenied };
    }

-    let timestamp;
+    let timestamp: string | undefined;
    // check request timestamp
    const xAmzDate = request.headers['x-amz-date'];
    if (xAmzDate) {
@ -166,5 +171,3 @@ function check(request, log, data, awsService) {
        },
    };
 }
-
-module.exports = { check };
--- a/lib/auth/v4/queryAuthCheck.ts
+++ b/lib/auth/v4/queryAuthCheck.ts
@ -1,24 +1,18 @@
-'use strict'; // eslint-disable-line strict
-
-const constants = require('../../constants');
-const errors = require('../../errors');
-
-const constructStringToSign = require('./constructStringToSign');
-const checkTimeSkew = require('./timeUtils').checkTimeSkew;
-const convertAmzTimeToMs = require('./timeUtils').convertAmzTimeToMs;
-const validateCredentials = require('./validateInputs').validateCredentials;
-const extractQueryParams = require('./validateInputs').extractQueryParams;
-const areSignedHeadersComplete =
-    require('./validateInputs').areSignedHeadersComplete;
+import { Logger } from 'werelogs';
+import * as constants from '../../constants';
+import errors from '../../errors';
+import constructStringToSign from './constructStringToSign';
+import { checkTimeSkew, convertAmzTimeToMs } from './timeUtils';
+import { validateCredentials, extractQueryParams } from './validateInputs';
+import { areSignedHeadersComplete } from './validateInputs';

 /**
 * V4 query auth check
- * @param {object} request - HTTP request object
- * @param {object} log - logging object
- * @param {object} data - Contain authentification params (GET or POST data)
- * @return {callback} calls callback
+ * @param request - HTTP request object
+ * @param log - logging object
+ * @param data - Contain authentification params (GET or POST data)
 */
-function check(request, log, data) {
+export function check(request: any, log: Logger, data: { [key: string]: string }) {
    const authParams = extractQueryParams(data, log);

    if (Object.keys(authParams).length !== 5) {
@ -33,11 +27,11 @@ function check(request, log, data) {
        return { err: errors.InvalidToken };
    }

-    const signedHeaders = authParams.signedHeaders;
-    const signatureFromRequest = authParams.signatureFromRequest;
-    const timestamp = authParams.timestamp;
-    const expiry = authParams.expiry;
-    const credential = authParams.credential;
+    const signedHeaders = authParams.signedHeaders!;
+    const signatureFromRequest = authParams.signatureFromRequest!;
+    const timestamp = authParams.timestamp!;
+    const expiry = authParams.expiry!;
+    const credential = authParams.credential!;

    if (!areSignedHeadersComplete(signedHeaders, request.headers)) {
        log.debug('signedHeaders are incomplete', { signedHeaders });
@ -110,5 +104,3 @@ function check(request, log, data) {
        },
    };
 }
-
-module.exports = { check };
--- a/lib/auth/v4/timeUtils.ts
+++ b/lib/auth/v4/timeUtils.ts
@ -1,12 +1,11 @@
-'use strict'; // eslint-disable-line strict
+import { Logger } from 'werelogs';

 /**
 * Convert timestamp to milliseconds since Unix Epoch
- * @param  {string} timestamp of ISO8601Timestamp format without
+ * @param timestamp of ISO8601Timestamp format without
 * dashes or colons, e.g. 20160202T220410Z
- * @return {number} number of milliseconds since Unix Epoch
 */
-function convertAmzTimeToMs(timestamp) {
+export function convertAmzTimeToMs(timestamp: string) {
    const arr = timestamp.split('');
    // Convert to YYYY-MM-DDTHH:mm:ss.sssZ
    const ISO8601time = `${arr.slice(0, 4).join('')}-${arr[4]}${arr[5]}` +
@ -15,13 +14,12 @@ function convertAmzTimeToMs(timestamp) {
    return Date.parse(ISO8601time);
 }

-
 /**
 * Convert UTC timestamp to ISO 8601 timestamp
- * @param  {string} timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
- * @return {string} ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
+ * @param timestamp of UTC form: Fri, 10 Feb 2012 21:34:55 GMT
+ * @return ISO8601 timestamp of form: YYYYMMDDTHHMMSSZ
 */
-function convertUTCtoISO8601(timestamp) {
+export function convertUTCtoISO8601(timestamp: string | number) {
    // convert to ISO string: YYYY-MM-DDTHH:mm:ss.sssZ.
    const converted = new Date(timestamp).toISOString();
    // Remove "-"s and "."s and milliseconds
@ -30,13 +28,13 @@ function convertUTCtoISO8601(timestamp) {

 /**
 * Check whether timestamp predates request or is too old
- * @param  {string} timestamp of ISO8601Timestamp format without
+ * @param timestamp of ISO8601Timestamp format without
 * dashes or colons, e.g. 20160202T220410Z
- * @param {number} expiry - number of seconds signature should be valid
- * @param {object} log - log for request
- * @return {boolean} true if there is a time problem
+ * @param expiry - number of seconds signature should be valid
+ * @param log - log for request
+ * @return true if there is a time problem
 */
-function checkTimeSkew(timestamp, expiry, log) {
+export function checkTimeSkew(timestamp: string, expiry: number, log: Logger) {
    const currentTime = Date.now();
    const fifteenMinutes = (15 * 60 * 1000);
    const parsedTimestamp = convertAmzTimeToMs(timestamp);
@ -56,5 +54,3 @@ function checkTimeSkew(timestamp, expiry, log) {
    }
    return false;
 }
-
-module.exports = { convertAmzTimeToMs, convertUTCtoISO8601, checkTimeSkew };
--- a/lib/auth/v4/validateInputs.ts
+++ b/lib/auth/v4/validateInputs.ts
@ -1,17 +1,19 @@
-'use strict'; // eslint-disable-line strict
-
-const errors = require('../../../lib/errors');
+import { Logger } from 'werelogs';
+import errors from '../../../lib/errors';

 /**
 * Validate Credentials
- * @param  {array} credentials - contains accessKey, scopeDate,
+ * @param credentials - contains accessKey, scopeDate,
 * region, service, requestType
- * @param {string} timestamp - timestamp from request in
+ * @param timestamp - timestamp from request in
 * the format of ISO 8601: YYYYMMDDTHHMMSSZ
- * @param {object} log - logging object
- * @return {boolean} true if credentials are correct format, false if not
+ * @param log - logging object
 */
-function validateCredentials(credentials, timestamp, log) {
+export function validateCredentials(
+    credentials: [string, string, string, string, string],
+    timestamp: string,
+    log: Logger
+): Error | {} {
    if (!Array.isArray(credentials) || credentials.length !== 5) {
        log.warn('credentials in improper format', { credentials });
        return errors.InvalidArgument;
@ -58,12 +60,21 @@ function validateCredentials(credentials, timestamp, log) {

 /**
 * Extract and validate components from query object
- * @param  {object} queryObj - query object from request
- * @param {object} log - logging object
- * @return {object} object containing extracted query params for authV4
+ * @param  queryObj - query object from request
+ * @param log - logging object
+ * @return object containing extracted query params for authV4
 */
-function extractQueryParams(queryObj, log) {
-    const authParams = {};
+export function extractQueryParams(
+    queryObj: { [key: string]: string | undefined },
+    log: Logger
+) {
+    const authParams: {
+        signedHeaders?: string;
+        signatureFromRequest?: string;
+        timestamp?: string;
+        expiry?: number;
+        credential?: [string, string, string, string, string];
+    } = {};

    // Do not need the algorithm sent back
    if (queryObj['X-Amz-Algorithm'] !== 'AWS4-HMAC-SHA256') {
@ -99,7 +110,7 @@ function extractQueryParams(queryObj, log) {
        return authParams;
    }

-    const expiry = Number.parseInt(queryObj['X-Amz-Expires'], 10);
+    const expiry = Number.parseInt(queryObj['X-Amz-Expires'] ?? 'nope', 10);
    const sevenDays = 604800;
    if (expiry && (expiry > 0 && expiry <= sevenDays)) {
        authParams.expiry = expiry;
@ -110,6 +121,7 @@ function extractQueryParams(queryObj, log) {

    const credential = queryObj['X-Amz-Credential'];
    if (credential && credential.length > 28 && credential.indexOf('/') > -1) {
+        // @ts-ignore
        authParams.credential = credential.split('/');
    } else {
        log.warn('invalid credential param', { credential });
@ -121,14 +133,17 @@ function extractQueryParams(queryObj, log) {

 /**
 * Extract and validate components from auth header
- * @param  {string} authHeader - authorization header from request
- * @param {object} log - logging object
- * @return {object} object containing extracted auth header items for authV4
+ * @param authHeader - authorization header from request
+ * @param log - logging object
+ * @return object containing extracted auth header items for authV4
 */
-function extractAuthItems(authHeader, log) {
-    const authItems = {};
-    const authArray = authHeader
-        .replace('AWS4-HMAC-SHA256 ', '').split(',');
+export function extractAuthItems(authHeader: string, log: Logger) {
+    const authItems: {
+        credentialsArr?: [string, string, string, string, string];
+        signedHeaders?: string;
+        signatureFromRequest?: string;
+    } = {};
+    const authArray = authHeader.replace('AWS4-HMAC-SHA256 ', '').split(',');

    if (authArray.length < 3) {
        return authItems;
@ -138,8 +153,12 @@ function extractAuthItems(authHeader, log) {
    const signedHeadersStr = authArray[1];
    const signatureStr = authArray[2];
    log.trace('credentials from request', { credentialStr });
-    if (credentialStr && credentialStr.trim().startsWith('Credential=')
-        && credentialStr.indexOf('/') > -1) {
+    if (
+        credentialStr &&
+        credentialStr.trim().startsWith('Credential=') &&
+        credentialStr.indexOf('/') > -1
+    ) {
+        // @ts-ignore
        authItems.credentialsArr = credentialStr
            .trim().replace('Credential=', '').split('/');
    } else {
@ -166,11 +185,11 @@ function extractAuthItems(authHeader, log) {
 /**
 * Checks whether the signed headers include the host header
 * and all x-amz- and x-scal- headers in request
- * @param {string} signedHeaders - signed headers sent with request
- * @param {object} allHeaders - request.headers
- * @return {boolean} true if all x-amz-headers included and false if not
+ * @param signedHeaders - signed headers sent with request
+ * @param allHeaders - request.headers
+ * @return true if all x-amz-headers included and false if not
 */
-function areSignedHeadersComplete(signedHeaders, allHeaders) {
+export function areSignedHeadersComplete(signedHeaders: string, allHeaders: Headers) {
    const signedHeadersList = signedHeaders.split(';');
    if (signedHeadersList.indexOf('host') === -1) {
        return false;
@ -185,6 +204,3 @@ function areSignedHeadersComplete(signedHeaders, allHeaders) {
    }
    return true;
 }
-
-module.exports = { validateCredentials, extractQueryParams,
-    areSignedHeadersComplete, extractAuthItems };
--- a/lib/constants.js
+++ b/lib/constants.js
@ -1,108 +0,0 @@
-'use strict'; // eslint-disable-line strict
-
-// The min value here is to manage further backward compat if we
-// need it
-const iamSecurityTokenSizeMin = 128;
-const iamSecurityTokenSizeMax = 128;
-// Security token is an hex string (no real format from amazon)
-const iamSecurityTokenPattern =
-    new RegExp(`^[a-f0-9]{${iamSecurityTokenSizeMin},` +
-        `${iamSecurityTokenSizeMax}}$`);
-
-module.exports = {
-    // info about the iam security token
-    iamSecurityToken: {
-        min: iamSecurityTokenSizeMin,
-        max: iamSecurityTokenSizeMax,
-        pattern: iamSecurityTokenPattern,
-    },
-    // PublicId is used as the canonicalID for a request that contains
-    // no authentication information.  Requestor can access
-    // only public resources
-    publicId: 'http://acs.amazonaws.com/groups/global/AllUsers',
-    zenkoServiceAccount: 'http://acs.zenko.io/accounts/service',
-    metadataFileNamespace: '/MDFile',
-    dataFileURL: '/DataFile',
-    // AWS states max size for user-defined metadata
-    // (x-amz-meta- headers) is 2 KB:
-    // http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html
-    // In testing, AWS seems to allow up to 88 more bytes,
-    // so we do the same.
-    maximumMetaHeadersSize: 2136,
-    emptyFileMd5: 'd41d8cd98f00b204e9800998ecf8427e',
-    // Version 2 changes the format of the data location property
-    // Version 3 adds the dataStoreName attribute
-    mdModelVersion: 3,
-    /*
-     * Splitter is used to build the object name for the overview of a
-     * multipart upload and to build the object names for each part of a
-     * multipart upload.  These objects with large names are then stored in
-     * metadata in a "shadow bucket" to a real bucket.  The shadow bucket
-     * contains all ongoing multipart uploads.  We include in the object
-     * name some of the info we might need to pull about an open multipart
-     * upload or about an individual part with each piece of info separated
-     * by the splitter.  We can then extract each piece of info by splitting
-     * the object name string with this splitter.
-     * For instance, assuming a splitter of '...!*!',
-     * the name of the upload overview would be:
-     *   overview...!*!objectKey...!*!uploadId
-     * For instance, the name of a part would be:
-     *   uploadId...!*!partNumber
-     *
-     * The sequence of characters used in the splitter should not occur
-     * elsewhere in the pieces of info to avoid splitting where not
-     * intended.
-     *
-     * Splitter is also used in adding bucketnames to the
-     * namespacerusersbucket.  The object names added to the
-     * namespaceusersbucket are of the form:
-     * canonicalID...!*!bucketname
-     */
-
-    splitter: '..|..',
-    usersBucket: 'users..bucket',
-    // MPU Bucket Prefix is used to create the name of the shadow
-    // bucket used for multipart uploads.  There is one shadow mpu
-    // bucket per bucket and its name is the mpuBucketPrefix followed
-    // by the name of the final destination bucket for the object
-    // once the multipart upload is complete.
-    mpuBucketPrefix: 'mpuShadowBucket',
-    // since aws s3 does not allow capitalized buckets, these may be
-    // used for special internal purposes
-    permittedCapitalizedBuckets: {
-        METADATA: true,
-    },
-    // Default expiration value of the S3 pre-signed URL duration
-    // 604800 seconds (seven days).
-    defaultPreSignedURLExpiry: 7 * 24 * 60 * 60,
-    // Regex for ISO-8601 formatted date
-    shortIso8601Regex: /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z/,
-    longIso8601Regex: /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/,
-    supportedNotificationEvents: new Set([
-        's3:ObjectCreated:*',
-        's3:ObjectCreated:Put',
-        's3:ObjectCreated:Copy',
-        's3:ObjectCreated:CompleteMultipartUpload',
-        's3:ObjectRemoved:*',
-        's3:ObjectRemoved:Delete',
-        's3:ObjectRemoved:DeleteMarkerCreated',
-    ]),
-    notificationArnPrefix: 'arn:scality:bucketnotif',
-    // HTTP server keep-alive timeout is set to a higher value than
-    // client's free sockets timeout to avoid the risk of triggering
-    // ECONNRESET errors if the server closes the connection at the
-    // exact moment clients attempt to reuse an established connection
-    // for a new request.
-    //
-    // Note: the ability to close inactive connections on the client
-    // after httpClientFreeSocketsTimeout milliseconds requires the
-    // use of "agentkeepalive" module instead of the regular node.js
-    // http.Agent.
-    httpServerKeepAliveTimeout: 60000,
-    httpClientFreeSocketTimeout: 55000,
-    supportedLifecycleRules: [
-        'expiration',
-        'noncurrentVersionExpiration',
-        'abortIncompleteMultipartUpload',
-    ],
-};
--- a/lib/constants.ts
+++ b/lib/constants.ts
@ -0,0 +1,104 @@
+// The min value here is to manage further backward compat if we
+// need it
+const iamSecurityTokenSizeMin = 128;
+const iamSecurityTokenSizeMax = 128;
+// Security token is an hex string (no real format from amazon)
+const iamSecurityTokenPattern = new RegExp(
+    `^[a-f0-9]{${iamSecurityTokenSizeMin},${iamSecurityTokenSizeMax}}$`,
+);
+
+// info about the iam security token
+export const iamSecurityToken = {
+    min: iamSecurityTokenSizeMin,
+    max: iamSecurityTokenSizeMax,
+    pattern: iamSecurityTokenPattern,
+};
+// PublicId is used as the canonicalID for a request that contains
+// no authentication information.  Requestor can access
+// only public resources
+export const publicId = 'http://acs.amazonaws.com/groups/global/AllUsers';
+export const zenkoServiceAccount = 'http://acs.zenko.io/accounts/service';
+export const metadataFileNamespace = '/MDFile';
+export const dataFileURL = '/DataFile';
+// AWS states max size for user-defined metadata
+// (x-amz-meta- headers) is 2 KB:
+// http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html
+// In testing, AWS seems to allow up to 88 more bytes,
+// so we do the same.
+export const maximumMetaHeadersSize = 2136;
+export const emptyFileMd5 = 'd41d8cd98f00b204e9800998ecf8427e';
+// Version 2 changes the format of the data location property
+// Version 3 adds the dataStoreName attribute
+export const mdModelVersion = 3;
+/*
+ * Splitter is used to build the object name for the overview of a
+ * multipart upload and to build the object names for each part of a
+ * multipart upload.  These objects with large names are then stored in
+ * metadata in a "shadow bucket" to a real bucket.  The shadow bucket
+ * contains all ongoing multipart uploads.  We include in the object
+ * name some of the info we might need to pull about an open multipart
+ * upload or about an individual part with each piece of info separated
+ * by the splitter.  We can then extract each piece of info by splitting
+ * the object name string with this splitter.
+ * For instance, assuming a splitter of '...!*!',
+ * the name of the upload overview would be:
+ *   overview...!*!objectKey...!*!uploadId
+ * For instance, the name of a part would be:
+ *   uploadId...!*!partNumber
+ *
+ * The sequence of characters used in the splitter should not occur
+ * elsewhere in the pieces of info to avoid splitting where not
+ * intended.
+ *
+ * Splitter is also used in adding bucketnames to the
+ * namespacerusersbucket.  The object names added to the
+ * namespaceusersbucket are of the form:
+ * canonicalID...!*!bucketname
+ */
+
+export const splitter = '..|..';
+export const usersBucket = 'users..bucket';
+// MPU Bucket Prefix is used to create the name of the shadow
+// bucket used for multipart uploads.  There is one shadow mpu
+// bucket per bucket and its name is the mpuBucketPrefix followed
+// by the name of the final destination bucket for the object
+// once the multipart upload is complete.
+export const mpuBucketPrefix = 'mpuShadowBucket';
+// since aws s3 does not allow capitalized buckets, these may be
+// used for special internal purposes
+export const permittedCapitalizedBuckets = {
+    METADATA: true,
+};
+// Default expiration value of the S3 pre-signed URL duration
+// 604800 seconds (seven days).
+export const defaultPreSignedURLExpiry = 7 * 24 * 60 * 60;
+// Regex for ISO-8601 formatted date
+export const shortIso8601Regex = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z/;
+export const longIso8601Regex = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z/;
+export const supportedNotificationEvents = new Set([
+    's3:ObjectCreated:*',
+    's3:ObjectCreated:Put',
+    's3:ObjectCreated:Copy',
+    's3:ObjectCreated:CompleteMultipartUpload',
+    's3:ObjectRemoved:*',
+    's3:ObjectRemoved:Delete',
+    's3:ObjectRemoved:DeleteMarkerCreated',
+]);
+export const notificationArnPrefix = 'arn:scality:bucketnotif';
+// HTTP server keep-alive timeout is set to a higher value than
+// client's free sockets timeout to avoid the risk of triggering
+// ECONNRESET errors if the server closes the connection at the
+// exact moment clients attempt to reuse an established connection
+// for a new request.
+//
+// Note: the ability to close inactive connections on the client
+// after httpClientFreeSocketsTimeout milliseconds requires the
+// use of "agentkeepalive" module instead of the regular node.js
+// http.Agent.
+export const httpServerKeepAliveTimeout = 60000;
+export const httpClientFreeSocketTimeout = 55000;
+export const supportedLifecycleRules = [
+    'expiration',
+    'noncurrentVersionExpiration',
+    'abortIncompleteMultipartUpload',
+];
--- a/lib/https/ciphers.ts
+++ b/lib/https/ciphers.ts
@ -1,6 +1,4 @@
-'use strict'; // eslint-disable-line strict
-
-const ciphers = [
+export const ciphers = [
    'DHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES256-GCM-SHA384',
@ -28,7 +26,3 @@ const ciphers = [
    '!EDH-RSA-DES-CBC3-SHA',
    '!KRB5-DES-CBC3-SHA',
 ].join(':');
-
-module.exports = {
-    ciphers,
-};
--- a/lib/https/dh2048.ts
+++ b/lib/https/dh2048.ts
@ -29,16 +29,11 @@ c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe
 bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==
 -----END DH PARAMETERS-----
 */
-'use strict'; // eslint-disable-line strict

-const dhparam =
+export const dhparam =
    'MIIBCAKCAQEAh99T77KGNuiY9N6xrCJ3QNv4SFADTa3CD+1VMTAdRJLHUNpglB+i' +
    'AoTYiLDFZgtTCpx0ZZUD+JM3qiCZy0OK5/ZGlVD7sZmxjRtdpVK4qIPtwav8t0J7' +
    'c2CNfUEqyRbJF4pE9ZcdQReT5p/llmyhQdvq6cHH+cKJk63C6DHRVoStsnsUcvKe' +
    '23PLGZulKg8H3eRBxHamHkmyuEVDtoNhMIoJONsdXSpo5GgcD4EQMM8xb/qsnCxn' +
    '6QIGTBvcHskxtlTZOfUPk4XQ6Yb3tQi2TurzkQHLln4U7p/GZs+D+6D3SgSPqr6P' +
    'bLxKsygK77ttjr61cxLoDJeGd5L5h1CPmwIBAg==';
-
-module.exports = {
-    dhparam,
-};
--- a/lib/https/index.ts
+++ b/lib/https/index.ts
@ -0,0 +1,2 @@
+export * as ciphers from './ciphers'
+export * as dhparam from './dh2048'
--- a/lib/simple-glob.d.ts
+++ b/lib/simple-glob.d.ts
@ -0,0 +1,8 @@
+// This module declare the interface for simple-glob.
+//   simple-glob should probably be discarded in favor of node-glob.
+//   node-glob is an up to date glob implementation, with support for sync and
+//   async, and well maintained by the community.
+//   node-glob is performance oriented and is a little lighter than simple-glob.
+declare module 'simple-glob' {
+    export default function (pattern: string | string[]): string[];
+}
--- a/lib/stream/readJSONStreamObject.js
+++ b/lib/stream/readJSONStreamObject.js
@ -5,7 +5,7 @@ const errors = require('../errors');
 * handle errors.
 *
 * @param {stream.Readable} s - Readable stream
- * @param {@hapi/joi} [joiSchema] - optional validation schema for the JSON object
+ * @param {joi} [joiSchema] - optional validation schema for the JSON object
 * @return {Promise} a Promise resolved with the parsed JSON object as a result
 */
 async function readJSONStreamObject(s, joiSchema) {
--- a/package.json
+++ b/package.json
@ -17,7 +17,8 @@
  },
  "homepage": "https://github.com/scality/Arsenal#readme",
  "dependencies": {
-    "@hapi/joi": "^15.1.0",
+    "@types/async": "^3.2.12",
+    "@types/utf8": "^3.0.1",
    "JSONStream": "^1.0.0",
    "agentkeepalive": "^4.1.3",
    "ajv": "6.12.2",
@ -28,6 +29,7 @@
    "diskusage": "^1.1.1",
    "ioredis": "^4.28.5",
    "ipaddr.js": "1.9.1",
+    "joi": "^17.6.0",
    "level": "~5.0.1",
    "level-sublevel": "~6.6.5",
    "node-forge": "^0.7.1",
@ -49,7 +51,7 @@
    "@sinonjs/fake-timers": "^6.0.1",
    "@types/jest": "^27.4.1",
    "@types/node": "^17.0.21",
-    "eslint": "2.13.1",
+    "eslint": "^8.12.0",
    "eslint-config-airbnb": "6.2.0",
    "eslint-config-scality": "scality/Guidelines#7.10.2",
    "eslint-plugin-react": "^4.3.0",
--- a/tests/unit/auth/AuthInfo.spec.js
+++ b/tests/unit/auth/AuthInfo.spec.js
@ -2,7 +2,7 @@

 const assert = require('assert');

-const AuthInfo = require('../../../lib/auth/AuthInfo');
+const AuthInfo = require('../../../lib/auth/AuthInfo').default;
 const constants = require('../../../lib/constants');

 const arn = 'arn:aws:iam::123456789012:user/Fred';
--- a/tests/unit/auth/in_memory/indexer.spec.js
+++ b/tests/unit/auth/in_memory/indexer.spec.js
@ -1,6 +1,6 @@
 const assert = require('assert');

-const Indexer = require('../../../../lib/auth/in_memory/Indexer');
+const Indexer = require('../../../../lib/auth/in_memory/Indexer').default;
 const ref = require('./sample_authdata.json');
 const { should } = require('./AuthLoader.spec');

--- a/tests/unit/auth/v2/canonicalization.spec.js
+++ b/tests/unit/auth/v2/canonicalization.spec.js
@ -3,9 +3,9 @@
 const assert = require('assert');

 const getCanonicalizedAmzHeaders =
-    require('../../../../lib/auth/v2/getCanonicalizedAmzHeaders');
+    require('../../../../lib/auth/v2/getCanonicalizedAmzHeaders').default;
 const getCanonicalizedResource =
-    require('../../../../lib/auth/v2/getCanonicalizedResource');
+    require('../../../../lib/auth/v2/getCanonicalizedResource').default;

 const getCanonicalizedGcpHeaders = headers =>
    getCanonicalizedAmzHeaders(headers, 'GCP');
--- a/tests/unit/auth/v2/checkRequestExpiry.spec.js
+++ b/tests/unit/auth/v2/checkRequestExpiry.spec.js
@ -3,7 +3,7 @@
 const assert = require('assert');

 const checkRequestExpiry =
-    require('../../../../lib/auth/v2/checkRequestExpiry');
+    require('../../../../lib/auth/v2/checkRequestExpiry').default;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
 const errors = require('../../../../index').errors;

--- a/tests/unit/auth/v2/constructStringToSign.spec.js
+++ b/tests/unit/auth/v2/constructStringToSign.spec.js
@ -3,7 +3,7 @@
 const assert = require('assert');

 const constructStringToSign =
-    require('../../../../lib/auth/v2/constructStringToSign');
+    require('../../../../lib/auth/v2/constructStringToSign').default;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;

 const log = new DummyRequestLogger();
--- a/tests/unit/auth/v2/publicAccess.spec.js
+++ b/tests/unit/auth/v2/publicAccess.spec.js
@ -4,7 +4,7 @@ const assert = require('assert');

 const errors = require('../../../../lib/errors');
 const auth = require('../../../../lib/auth/auth').server.doAuth;
-const AuthInfo = require('../../../../lib/auth/AuthInfo');
+const AuthInfo = require('../../../../lib/auth/AuthInfo').default;
 const constants = require('../../../../lib/constants');
 const DummyRequestLogger = require('../../helpers.js').DummyRequestLogger;
 const RequestContext =
--- a/tests/unit/auth/v2/signature.spec.js
+++ b/tests/unit/auth/v2/signature.spec.js
@ -3,7 +3,7 @@
 const assert = require('assert');

 const constructStringToSign =
-    require('../../../../lib/auth/v2/constructStringToSign');
+    require('../../../../lib/auth/v2/constructStringToSign').default;
 const hashSignature =
    require('../../../../lib/auth/in_memory/vaultUtilities').hashSignature;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;
--- a/tests/unit/auth/v4/awsURIencode.spec.js
+++ b/tests/unit/auth/v4/awsURIencode.spec.js
@ -2,7 +2,7 @@

 const assert = require('assert');

-const awsURIencode = require('../../../../lib/auth/v4/awsURIencode');
+const awsURIencode = require('../../../../lib/auth/v4/awsURIencode').default;

 // Note that expected outputs came from running node aws-sdk's
 // AWS.util.uriEscapePath and AWS.util.uriEscape functions
--- a/tests/unit/auth/v4/constructStringToSign.spec.js
+++ b/tests/unit/auth/v4/constructStringToSign.spec.js
@ -3,7 +3,7 @@
 const assert = require('assert');

 const constructStringToSign =
-    require('../../../../lib/auth/v4/constructStringToSign');
+    require('../../../../lib/auth/v4/constructStringToSign').default;
 const DummyRequestLogger = require('../../helpers').DummyRequestLogger;

 const log = new DummyRequestLogger();
--- a/tests/unit/auth/v4/createCanonicalRequest.spec.js
+++ b/tests/unit/auth/v4/createCanonicalRequest.spec.js
@ -2,9 +2,9 @@

 const assert = require('assert');
 const awsURIencode =
-    require('../../../../lib/auth/v4/awsURIencode');
+    require('../../../../lib/auth/v4/awsURIencode').default;
 const createCanonicalRequest =
-    require('../../../../lib/auth/v4/createCanonicalRequest');
+    require('../../../../lib/auth/v4/createCanonicalRequest').default;

 describe('createCanonicalRequest function', () => {
    // Example taken from: http://docs.aws.amazon.com/AmazonS3/
--- a/tests/unit/stream/readJSONStreamObject.spec.js
+++ b/tests/unit/stream/readJSONStreamObject.spec.js
@ -1,6 +1,6 @@
 const assert = require('assert');
 const stream = require('stream');
-const joi = require('@hapi/joi');
+const joi = require('joi');
 const readJSONStreamObject = require('../../../lib/stream/readJSONStreamObject');

 class ReqStream extends stream.Readable {
--- a/yarn.lock
+++ b/yarn.lock
Author	SHA1	Message	Date
Guillaume Hivert	321e449a12	OS-154 Type https	2022-04-14 14:13:30 +02:00
Guillaume Hivert	e5f5718db5	ARSN-108 Fix test suites	2022-03-29 16:19:11 +02:00
Guillaume Hivert	30dab925a4	ARSN-108 Type auth/auth	2022-03-29 16:19:11 +02:00
Guillaume Hivert	a857389a75	ARSN-108 Type auth/v4	2022-03-29 16:19:11 +02:00
Guillaume Hivert	bca41ab86d	ARSN-103 Type auth/v2	2022-03-29 16:19:11 +02:00
Guillaume Hivert	0a5dd348ef	ARSN-108 Type auth/Vault	2022-03-29 16:19:11 +02:00
Guillaume Hivert	542930f033	ARSN-108 Type auth/AuthInfo	2022-03-29 16:19:11 +02:00
Guillaume Hivert	49b43d30fa	ARSN-108 Type auth/in_memory/Indexer	2022-03-29 16:19:11 +02:00
Guillaume Hivert	e8b6932f00	ARSN-108 Type auth/in_memory/validateAuthConfig	2022-03-29 16:19:11 +02:00
Guillaume Hivert	8944c1f83b	ARSN-108 Type auth/in_memory/Backend	2022-03-29 16:19:11 +02:00
Guillaume Hivert	fe656e511d	ARSN-108 Type for auth/in_memory/vaultUtilities	2022-03-29 16:19:05 +02:00
Guillaume Hivert	5cdbe18634	ARSN-98 Type auth/in_memory/AuthLoader	2022-03-29 16:17:51 +02:00
Guillaume Hivert	48b4f49df9	ARSN-108 Type constants	2022-03-29 16:17:51 +02:00
Guillaume Hivert	09a5e8e503	ARSN-98 ARSN-108 ARSN-103 Add joi, eslint, simple-glob interface, @types/async and @types/utf8 to make TS compiler happy	2022-03-29 16:16:54 +02:00
Guillaume Hivert	0eb93cded3	ARSN-108 Rename auth js files to ts files, and constants.js to constants.ts	2022-03-29 16:16:19 +02:00