Merge branch 'main' into feature/protos

.github/workflows/build.yaml

@@ -1,6 +1,5 @@
 name: Build, Test, and Deliver Client
 
-
 env:
   do_sonarscan: ${{ github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository }}
 
@@ -37,7 +36,7 @@ jobs:
           textReportPath: './lib/coverage/coverage.txt'
       - run: echo "${MARKDOWN_REPORT}" >> $GITHUB_STEP_SUMMARY
         env:
-          MARKDOWN_REPORT: "${{ steps.coverage-md.outputs.markdownReport }}"
+          MARKDOWN_REPORT: '${{ steps.coverage-md.outputs.markdownReport }}'
       - run: npm audit --omit dev && npm audit --audit-level high
       - run: npm run license-check
       - run: npm run lint
@@ -208,7 +207,8 @@ jobs:
           echo "DIST_TAG=$(.github/workflows/guess-dist-tag.sh)" >> $GITHUB_OUTPUT
       - run: make test
       - run: make doc
-      - run: echo "::notice file=lib/package.json::Will be published to [GitHub Packages](https://github.com/opentdf/client-web/pkgs/npm/client) as ${{ steps.guess-build-metadata.outputs.DIST_TAG }} with version=[${{ steps.guess-build-metadata.outputs.FULL_VERSION }}]"
+      - run: >-
+          echo "::notice file=lib/package.json::Will be published to [GitHub Packages](https://github.com/opentdf/client-web/pkgs/npm/client)as ${{ steps.guess-build-metadata.outputs.DIST_TAG }} with version=[${{ steps.guess-build-metadata.outputs.FULL_VERSION }}]"
       - run: >-
           .github/workflows/publish-to.sh
           ${{ steps.guess-build-metadata.outputs.FULL_VERSION }}

.github/workflows/large-tests.yaml

@@ -2,7 +2,7 @@ name: Build, Test, and Deliver Client
 
 on:
   schedule:
-    - cron: "0 4 * * 2,4"
+    - cron: '0 4 * * 2,4'
 jobs:
   lib:
     runs-on: ubuntu-latest
@@ -106,8 +106,8 @@ jobs:
         env:
           #path relative to the quickstart Tiltfile
           TEST_SCRIPT: ../../wait-and-test.sh
-          OPENTDF_INGRESS_HOST_PORT: "5432"
-          OPENTDF_LOAD_FRONTEND: "false"
+          OPENTDF_INGRESS_HOST_PORT: '5432'
+          OPENTDF_LOAD_FRONTEND: 'false'
           PLAYWRIGHT_TESTS_TO_RUN: huge roundtrip
         run: |-
           tilt ci --file opentdf/quickstart/Tiltfile

.github/workflows/roundtrip/mocks/mock-secrets.yaml

@@ -1,62 +1,61 @@
 KAS_CERTIFICATE: |
-    -----BEGIN CERTIFICATE-----
-    MIICmDCCAYACCQC3BCaSANRhYzANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANr
-    YXMwHhcNMjEwOTE1MTQxMTQ4WhcNMjIwOTE1MTQxMTQ4WjAOMQwwCgYDVQQDDANr
-    YXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOpiotrvV2i5h6clHM
-    zDGgh3h/kMa0LoGx2OkDPd8jogycUh7pgE5GNiN2lpSmFkjxwYMXnyrwr9ExyczB
-    WJ7sRGDCDaQg5fjVUIloZ8FJVbn+sEcfQ9iX6vmI9/S++oGK79QM3V8M8cp41r/T
-    1YVmuzUHE1say/TLHGhjtGkxHDF8qFy6Z2rYFTCVJQHNqGmwNVGd0qG7gim86Haw
-    u/CMYj4jG9oITlj8rJtQOaJ6ZqemQVoNmb3j1LkyeUKzRIt+86aoBiz+T3TfOEvX
-    F6xgBj3XoiOhPYK+abFPYcrArvb6oubT8NjjQoj3j0sXWUnIIMg+e4f+XNVU54Zz
-    DaLZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABewfZOJ4/KNRE8IQ5TsW/AVn7C1
-    l5ty6tUUBSVi8/df7WYts0bHEdQh9yl9agEU5i4rj43y8vMVZNzSeHcurtV/+C0j
-    fbkHQHeiQ1xn7cq3Sbh4UVRyuu4C5PklEH4AN6gxmgXC3kT15uWw8I4nm/plzYLs
-    I099IoRfC5djHUYYLMU/VkOIHuPC3sb7J65pSN26eR8bTMVNagk187V/xNwUuvkf
-    +NUxDO615/5BwQKnAu5xiIVagYnDZqKCOtYS5qhxF33Nlnwlm7hH8iVZ1RI+n52l
-    wVyElqp317Ksz+GtTIc+DE6oryxK3tZd4hrj9fXT4KiJvQ4pcRjpePgH7B8=
-    -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIICmDCCAYACCQC3BCaSANRhYzANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANr
+  YXMwHhcNMjEwOTE1MTQxMTQ4WhcNMjIwOTE1MTQxMTQ4WjAOMQwwCgYDVQQDDANr
+  YXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOpiotrvV2i5h6clHM
+  zDGgh3h/kMa0LoGx2OkDPd8jogycUh7pgE5GNiN2lpSmFkjxwYMXnyrwr9ExyczB
+  WJ7sRGDCDaQg5fjVUIloZ8FJVbn+sEcfQ9iX6vmI9/S++oGK79QM3V8M8cp41r/T
+  1YVmuzUHE1say/TLHGhjtGkxHDF8qFy6Z2rYFTCVJQHNqGmwNVGd0qG7gim86Haw
+  u/CMYj4jG9oITlj8rJtQOaJ6ZqemQVoNmb3j1LkyeUKzRIt+86aoBiz+T3TfOEvX
+  F6xgBj3XoiOhPYK+abFPYcrArvb6oubT8NjjQoj3j0sXWUnIIMg+e4f+XNVU54Zz
+  DaLZAgMBAAEwDQYJKoZIhvcNAQELBQADggEBABewfZOJ4/KNRE8IQ5TsW/AVn7C1
+  l5ty6tUUBSVi8/df7WYts0bHEdQh9yl9agEU5i4rj43y8vMVZNzSeHcurtV/+C0j
+  fbkHQHeiQ1xn7cq3Sbh4UVRyuu4C5PklEH4AN6gxmgXC3kT15uWw8I4nm/plzYLs
+  I099IoRfC5djHUYYLMU/VkOIHuPC3sb7J65pSN26eR8bTMVNagk187V/xNwUuvkf
+  +NUxDO615/5BwQKnAu5xiIVagYnDZqKCOtYS5qhxF33Nlnwlm7hH8iVZ1RI+n52l
+  wVyElqp317Ksz+GtTIc+DE6oryxK3tZd4hrj9fXT4KiJvQ4pcRjpePgH7B8=
+  -----END CERTIFICATE-----
 KAS_EC_SECP256R1_CERTIFICATE: |
-    -----BEGIN CERTIFICATE-----
-    MIIBCzCBsgIJAL1qc/lWpG3HMAoGCCqGSM49BAMCMA4xDDAKBgNVBAMMA2thczAe
-    Fw0yMTA5MTUxNDExNDlaFw0yMjA5MTUxNDExNDlaMA4xDDAKBgNVBAMMA2thczBZ
-    MBMGByqGSM49AgEGCCqGSM49AwEHA0IABH2VM7Ws9SVr19rywr/o3fewDBj+170/
-    6y8zo4leVaJqCl76Nd9QfDNy4KjNCtmmjo6ftTS+iFAhnPCeugAJOWUwCgYIKoZI
-    zj0EAwIDSAAwRQIhAIFdrqhwvgL8ctPjUtmULXmg2ii0PFKg/Mox2GiCVXQdAiAW
-    UDdeafEoprE+qc4paMmbWoEpRXLlo+3S7rnc5T12Kw==
-    -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIBCzCBsgIJAL1qc/lWpG3HMAoGCCqGSM49BAMCMA4xDDAKBgNVBAMMA2thczAe
+  Fw0yMTA5MTUxNDExNDlaFw0yMjA5MTUxNDExNDlaMA4xDDAKBgNVBAMMA2thczBZ
+  MBMGByqGSM49AgEGCCqGSM49AwEHA0IABH2VM7Ws9SVr19rywr/o3fewDBj+170/
+  6y8zo4leVaJqCl76Nd9QfDNy4KjNCtmmjo6ftTS+iFAhnPCeugAJOWUwCgYIKoZI
+  zj0EAwIDSAAwRQIhAIFdrqhwvgL8ctPjUtmULXmg2ii0PFKg/Mox2GiCVXQdAiAW
+  UDdeafEoprE+qc4paMmbWoEpRXLlo+3S7rnc5T12Kw==
+  -----END CERTIFICATE-----
 KAS_EC_SECP256R1_PRIVATE_KEY: |
-    -----BEGIN PRIVATE KEY-----
-    MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOK47RufwyqeWbDdC
-    ojHYxzkZ+VphXbNzZOt2seMavk2hRANCAAR9lTO1rPUla9fa8sK/6N33sAwY/te9
-    P+svM6OJXlWiagpe+jXfUHwzcuCozQrZpo6On7U0vohQIZzwnroACTll
-    -----END PRIVATE KEY-----
+  -----BEGIN PRIVATE KEY-----
+  MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOK47RufwyqeWbDdC
+  ojHYxzkZ+VphXbNzZOt2seMavk2hRANCAAR9lTO1rPUla9fa8sK/6N33sAwY/te9
+  P+svM6OJXlWiagpe+jXfUHwzcuCozQrZpo6On7U0vohQIZzwnroACTll
+  -----END PRIVATE KEY-----
 KAS_PRIVATE_KEY: |
-    -----BEGIN PRIVATE KEY-----
-    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOpiotrvV2i5h6
-    clHMzDGgh3h/kMa0LoGx2OkDPd8jogycUh7pgE5GNiN2lpSmFkjxwYMXnyrwr9Ex
-    yczBWJ7sRGDCDaQg5fjVUIloZ8FJVbn+sEcfQ9iX6vmI9/S++oGK79QM3V8M8cp4
-    1r/T1YVmuzUHE1say/TLHGhjtGkxHDF8qFy6Z2rYFTCVJQHNqGmwNVGd0qG7gim8
-    6Hawu/CMYj4jG9oITlj8rJtQOaJ6ZqemQVoNmb3j1LkyeUKzRIt+86aoBiz+T3Tf
-    OEvXF6xgBj3XoiOhPYK+abFPYcrArvb6oubT8NjjQoj3j0sXWUnIIMg+e4f+XNVU
-    54ZzDaLZAgMBAAECggEBALb0yK0PlMUyzHnEUwXV1y5AIoAWhsYp0qvJ1msHUVKz
-    +yQ/VJz4+tQQxI8OvGbbnhNkd5LnWdYkYzsIZl7b/kBCPcQw3Zo+4XLCzhUAn1E1
-    M+n42c8le1LtN6Z7mVWoZh7DPONy7t+ABvm7b7S1+1i78DPmgCeWYZGeAhIcPXG6
-    5AxWIV3jigxksE6kYY9Y7DmtsZgMRrdV7SU8VtgPtT7tua8z5/U3Av0WINyKBSoM
-    0yDHsAg57KnM8znx2JWLtHd0Mk5bBuu2DLbtyKNrVUAUuMPzrLGBh9S9QRd934KU
-    uFAi1TEfgEachnGgSHJpzVzr2ur1tifABnQ7GNXObe0CgYEA6KowK0subdDY+uGW
-    ciP2XDAMerbJJeL0/UIGPb/LUmskniio2493UBGgY2FsRyvbzJ+/UAOjIPyIxhj7
-    78ZyVG8BmIzKan1RRVh//O+5yvks/eTOYjWeQ1Lcgqs3q4YAO13CEBZgKWKTUomg
-    mskFJq04tndeSIyhDaW+BuWaXA8CgYEA42ABz3pql+DH7oL5C4KYBymK6wFBBOqk
-    dVk+ftyJQ6PzuZKpfsu4aPIjKm71lkTgK6O9o08s3SckAdu6vLukq2TZFF+a+9OI
-    lu5ww7GvfdMTgLAaFchD4bPlOInh1KVjBc1MwGXpl0ROde5pi8+WUrv9QJuoQfB/
-    4rhYdbJLSpcCgYA41mqSCPm8pgp7r2RbWeGzP6Gs0L5u3PTQcbKonxQCfF4jrPcj
-    O/b/vm6aGJClClfVsyi/WUQeqNKY4j2Zo7cGXV/cbnh8b0TNVgNePQn8Rcbx91Vb
-    tJGHDNUFruIYqtGfrxXbbDvtoEExJqHvbjAt9J8oJB0KSCCH/vdfI/QDjQKBgQCD
-    xLPH5Y24js/O7aAeh4RLQkv7fTKNAt5kE2AgbPYveOhZ9yC7Fpy8VPcENGGmwCuZ
-    nr7b0ZqSX4iCezBxB92aZktXf0B2CFT0AyLehi7JoHWA8o1rai/MsVB5v45ciawl
-    RKDiLy18OF2wAoawO5FGSSOvOYX9EL9MSMEbFESF6QKBgCVlZ9pPC+55rGT6AcEL
-    tUpDs+/wZvcmfsFd8xC5mMUN0DatAVzVAUI95+tQaWU3Uj+bqHq0lC6Wy2VceG0D
-    D+7EicjdGFN/2WVPXiYX1fblkxasZY+wChYBrPLjA9g0qOzzmXbRBph5QxDuQjJ6
-    qcddVKB624a93ZBssn7OivnR
-    -----END PRIVATE KEY-----
-
+  -----BEGIN PRIVATE KEY-----
+  MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOpiotrvV2i5h6
+  clHMzDGgh3h/kMa0LoGx2OkDPd8jogycUh7pgE5GNiN2lpSmFkjxwYMXnyrwr9Ex
+  yczBWJ7sRGDCDaQg5fjVUIloZ8FJVbn+sEcfQ9iX6vmI9/S++oGK79QM3V8M8cp4
+  1r/T1YVmuzUHE1say/TLHGhjtGkxHDF8qFy6Z2rYFTCVJQHNqGmwNVGd0qG7gim8
+  6Hawu/CMYj4jG9oITlj8rJtQOaJ6ZqemQVoNmb3j1LkyeUKzRIt+86aoBiz+T3Tf
+  OEvXF6xgBj3XoiOhPYK+abFPYcrArvb6oubT8NjjQoj3j0sXWUnIIMg+e4f+XNVU
+  54ZzDaLZAgMBAAECggEBALb0yK0PlMUyzHnEUwXV1y5AIoAWhsYp0qvJ1msHUVKz
+  +yQ/VJz4+tQQxI8OvGbbnhNkd5LnWdYkYzsIZl7b/kBCPcQw3Zo+4XLCzhUAn1E1
+  M+n42c8le1LtN6Z7mVWoZh7DPONy7t+ABvm7b7S1+1i78DPmgCeWYZGeAhIcPXG6
+  5AxWIV3jigxksE6kYY9Y7DmtsZgMRrdV7SU8VtgPtT7tua8z5/U3Av0WINyKBSoM
+  0yDHsAg57KnM8znx2JWLtHd0Mk5bBuu2DLbtyKNrVUAUuMPzrLGBh9S9QRd934KU
+  uFAi1TEfgEachnGgSHJpzVzr2ur1tifABnQ7GNXObe0CgYEA6KowK0subdDY+uGW
+  ciP2XDAMerbJJeL0/UIGPb/LUmskniio2493UBGgY2FsRyvbzJ+/UAOjIPyIxhj7
+  78ZyVG8BmIzKan1RRVh//O+5yvks/eTOYjWeQ1Lcgqs3q4YAO13CEBZgKWKTUomg
+  mskFJq04tndeSIyhDaW+BuWaXA8CgYEA42ABz3pql+DH7oL5C4KYBymK6wFBBOqk
+  dVk+ftyJQ6PzuZKpfsu4aPIjKm71lkTgK6O9o08s3SckAdu6vLukq2TZFF+a+9OI
+  lu5ww7GvfdMTgLAaFchD4bPlOInh1KVjBc1MwGXpl0ROde5pi8+WUrv9QJuoQfB/
+  4rhYdbJLSpcCgYA41mqSCPm8pgp7r2RbWeGzP6Gs0L5u3PTQcbKonxQCfF4jrPcj
+  O/b/vm6aGJClClfVsyi/WUQeqNKY4j2Zo7cGXV/cbnh8b0TNVgNePQn8Rcbx91Vb
+  tJGHDNUFruIYqtGfrxXbbDvtoEExJqHvbjAt9J8oJB0KSCCH/vdfI/QDjQKBgQCD
+  xLPH5Y24js/O7aAeh4RLQkv7fTKNAt5kE2AgbPYveOhZ9yC7Fpy8VPcENGGmwCuZ
+  nr7b0ZqSX4iCezBxB92aZktXf0B2CFT0AyLehi7JoHWA8o1rai/MsVB5v45ciawl
+  RKDiLy18OF2wAoawO5FGSSOvOYX9EL9MSMEbFESF6QKBgCVlZ9pPC+55rGT6AcEL
+  tUpDs+/wZvcmfsFd8xC5mMUN0DatAVzVAUI95+tQaWU3Uj+bqHq0lC6Wy2VceG0D
+  D+7EicjdGFN/2WVPXiYX1fblkxasZY+wChYBrPLjA9g0qOzzmXbRBph5QxDuQjJ6
+  qcddVKB624a93ZBssn7OivnR
+  -----END PRIVATE KEY-----

.github/workflows/roundtrip/mocks/values.yaml

@@ -17,7 +17,7 @@ keycloak:
     password: bXlQb3N0Z3Jlc1Bhc3N3b3Jk
 kas:
   auth:
-    "http://localhost:65432/auth/realms/tdf":
-      discoveryBaseUrl: "http://keycloak-http/auth/realms/tdf"
+    'http://localhost:65432/auth/realms/tdf':
+      discoveryBaseUrl: 'http://keycloak-http/auth/realms/tdf'
 entitlementpdp:
   opaPolicyPullSecret: my-pat

.gitignore

@@ -109,3 +109,5 @@ dist
 
 # temporary folders
 **/temp/
+/web-app/tests/smallfiles
+.DS_Store

Makefile

@@ -27,7 +27,7 @@ remote-store/opentdf-remote-store-$(version).tgz: lib/opentdf-client-$(version).
 	(cd remote-store && npm ci ../lib/opentdf-client-$(version).tgz && npm pack)
 
 web-app/opentdf-web-app-$(version).tgz: lib/opentdf-client-$(version).tgz $(shell find web-app -not -path '*/dist*' -and -not -path '*/coverage*' -and -not -path '*/node_modules*')
-	(cd web-app && npm ci ../lib/opentdf-client-$(version).tgz && npm pack)
+	(cd web-app && npm ci ../lib/opentdf-client-$(version).tgz && npm pack && npm run build)
 
 lib/opentdf-client-$(version).tgz: $(shell find lib -not -path '*/dist*' -and -not -path '*/coverage*' -and -not -path '*/node_modules*')
 	(cd lib && npm ci --including=dev && npm pack)

lib/README.md

@@ -15,7 +15,7 @@ TDF3 with JSON envelopes.
     oidcOrigin: keycloakUrl,
   }
   const authProvider = await AuthProviders.refreshAuthProvider(oidcCredentials);
-  const client = new NanoTDFClient(authProvider, access);
+  const client = new NanoTDFClient({authProvider, kasEndpoint});
   const cipherText = await client.encrypt(plainText);
   const clearText = await client.decrypt(cipherText);
 ```

lib/src/auth/auth.ts

@@ -103,6 +103,13 @@ export type AuthProvider = {
   withCreds(httpReq: HttpRequest): Promise<HttpRequest>;
 };
 
+export function isAuthProvider(a?: unknown): a is AuthProvider {
+  if (!a || typeof a != 'object') {
+    return false;
+  }
+  return 'withCreds' in a;
+}
+
 /**
  * An AuthProvider encapsulates all logic necessary to authenticate to a backend service, in the
  * vein of <a href="https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Credentials.html">AWS.Credentials</a>.

lib/src/index.ts

@@ -10,7 +10,7 @@ import {
 } from './nanotdf/index.js';
 import { keyAgreement, extractPublicFromCertToCrypto } from './nanotdf-crypto/index.js';
 import { TypedArray, createAttribute, Policy } from './tdf/index.js';
-import { type AuthProvider } from './auth/auth.js';
+import { ClientConfig } from './nanotdf/Client.js';
 
 async function fetchKasPubKey(kasUrl: string): Promise<string> {
   const kasPubKeyResponse = await fetch(`${kasUrl}/kas_public_key?algorithm=ec:secp256r1`);
@@ -33,13 +33,14 @@ async function fetchKasPubKey(kasUrl: string): Promise<string> {
  * const KAS_URL = 'http://localhost:65432/api/kas/';
  *
  * const ciphertext = '...';
- * const client = new NanoTDFClient(
- *   await clientSecretAuthProvider({
+ * const client = new NanoTDFClient({
+ *   authProvider: await clientSecretAuthProvider({
  *     clientId: 'tdf-client',
  *     clientSecret: '123-456',
  *     oidcOrigin: OIDC_ENDPOINT,
  *   }),
- *   KAS_URL
+ *   kasEndpoint: KAS_URL
+ *  }
  * );
  * client.decrypt(ciphertext)
  *   .then(plaintext => {
@@ -120,9 +121,9 @@ export class NanoTDFClient extends Client {
    */
   async encrypt(data: string | TypedArray | ArrayBuffer): Promise<ArrayBuffer> {
     // For encrypt always generate the client ephemeralKeyPair
-    const ephemeralKeyPair = await this.generateEphemeralKeyPair();
-
+    const ephemeralKeyPair = await this.ephemeralKeyPair;
     const initializationVector = this.iv;
+
     if (typeof initializationVector !== 'number') {
       throw new Error('NanoTDF clients are single use. Please generate a new client and keypair.');
     }
@@ -174,6 +175,10 @@ export class NanoTDFClient extends Client {
   }
 }
 
+export type DatasetConfig = ClientConfig & {
+  maxKeyIterations?: number;
+};
+
 /**
  * NanoTDF Dataset SDK Client
  *
@@ -186,15 +191,15 @@ export class NanoTDFClient extends Client {
  * const KAS_URL = 'http://localhost:65432/api/kas/';
  *
  * const ciphertext = '...';
- * const client = new NanoTDFDatasetClient.default(
- *   await clientSecretAuthProvider({
+ * const client = new NanoTDFDatasetClient({
+ *   authProvider: await clientSecretAuthProvider({
  *     clientId: 'tdf-client',
  *     clientSecret: '123-456',
  *     exchange: 'client',
  *     oidcOrigin: OIDC_ENDPOINT,
  *   }),
- *   KAS_URL
- * );
+ *   kasEndpoint: KAS_URL,
+ * });
  * const plaintext = client.decrypt(ciphertext);
  * console.log('Plaintext', plaintext);
  * ```
@@ -223,19 +228,18 @@ export class NanoTDFDatasetClient extends Client {
    * @param ephemeralKeyPair (optional) ephemeral key pair to use
    * @param maxKeyIterations Max iteration to performe without a key rotation
    */
-  constructor(
-    authProvider: AuthProvider,
-    kasUrl: string,
-    maxKeyIterations: number = NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS,
-    ephemeralKeyPair?: Required<Readonly<CryptoKeyPair>>
-  ) {
-    if (maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS) {
-      throw new Error('Key iteration exceeds max iterations(8388606)');
+  constructor(opts: DatasetConfig) {
+    if (
+      opts.maxKeyIterations &&
+      opts.maxKeyIterations > NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS
+    ) {
+      throw new Error(
+        `Key iteration exceeds max iterations(${NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS})`
+      );
     }
+    super(opts);
 
-    super(authProvider, kasUrl, ephemeralKeyPair);
-
-    this.maxKeyIteration = maxKeyIterations;
+    this.maxKeyIteration = opts.maxKeyIterations || NanoTDFDatasetClient.NTDF_MAX_KEY_ITERATIONS;
     this.keyIterationCount = 0;
   }
 
@@ -250,7 +254,7 @@ export class NanoTDFDatasetClient extends Client {
     // Intial encrypt
     if (this.keyIterationCount == 0) {
       // For encrypt always generate the client ephemeralKeyPair
-      const ephemeralKeyPair = await this.generateEphemeralKeyPair();
+      const ephemeralKeyPair = await this.ephemeralKeyPair;
 
       if (!this.kasPubKey) {
         this.kasPubKey = await fetchKasPubKey(this.kasUrl);