npm - @edirect/mongo - Versions diffs - 11.0.41 → 11.0.42 - Mend

@edirect/mongo 11.0.41 → 11.0.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/package.json +6 -2
package/dist/src/aws.d.ts +3 -3
package/dist/src/aws.d.ts.map +1 -1
package/dist/src/aws.js +22 -32
package/dist/src/mongo.providers.d.ts.map +1 -1
package/dist/src/mongo.providers.js +25 -11
package/package.json +6 -2

package/dist/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@edirect/mongo",
-  "version": "11.0.40",
+  "version": "11.0.41",
   "main": "./dist/src/index.js",
   "types": "./dist/src/index.d.ts",
   "exports": {
@@ -17,11 +17,15 @@
   ],
   "dependencies": {
     "@aws-sdk/credential-providers": "^3.975.0",
-    "@edirect/config": "^11.0.40",
+    "@edirect/config": "^11.0.41",
     "@nestjs/common": "^11.1.12",
+    "aws4": "^1.13.2",
     "mongodb": "^7.0.0",
     "mongoose": "^9.1.5",
     "tslib": "^2.8.1"
   },
+  "devDependencies": {
+    "@types/aws4": "^1.11.6"
+  },
   "type": "commonjs"
 }

package/dist/src/aws.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { AWSCredentials } from 'mongodb';
-export declare const shouldAssumeRole: string | undefined;
-export declare const generateAwsCredentials: () => Promise<AWSCredentials | undefined>;
-export declare const generateConnectionString: (cnn: string | undefined) => Promise<string>;
+export declare const MONGODB_AWS_ROLE_ARN: string | undefined;
+export declare const AWS_WEB_IDENTITY_TOKEN_FILE: string | undefined;
+export declare function getMongoAwsCredentialProvider(): () => Promise<AWSCredentials>;
 //# sourceMappingURL=aws.d.ts.map

package/dist/src/aws.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/aws.ts"],"names":[],"mappings":"~~AACA~~,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;~~AAKzC~~,eAAO,MAAM,~~gBAAgB~~,~~oBACwB~~,CAAC;~~AAEtD~~,eAAO,MAAM,~~sBAAsB~~,~~QAAa~~,~~OAAO,CACrD,cAAc,GAAG,SAAS,CAQ3B,~~CAAC;~~AAEF~~,~~eAAO~~,~~MAAM~~,~~wBAAwB~~,~~GACnC,KAAK,~~MAAM,~~GAAG,SAAS,KACtB,~~OAAO,CAAC,~~MAAM~~,~~CAqBhB~~,~~CAAC~~"}
1	+ {"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/aws.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAOzC,eAAO,MAAM,oBAAoB,oBAAmC,CAAC;AACrE,eAAO,MAAM,2BAA2B,oBACC,CAAC;AAI1C,wBAAgB,6BAA6B,IAAI,MAAM,OAAO,CAAC,cAAc,CAAC,CAY7E"}

package/dist/src/aws.js CHANGED Viewed

@@ -1,36 +1,26 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateConnectionString = exports.generateAwsCredentials = exports.shouldAssumeRole = void 0;
+exports.AWS_WEB_IDENTITY_TOKEN_FILE = exports.MONGODB_AWS_ROLE_ARN = void 0;
+exports.getMongoAwsCredentialProvider = getMongoAwsCredentialProvider;
+const tslib_1 = require("tslib");
 const credential_providers_1 = require("@aws-sdk/credential-providers");
-const MONGODB_AWS_ROLE_ARN = process.env.MONGODB_AWS_ROLE_ARN;
-const AWS_WEB_IDENTITY_TOKEN_FILE = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
-exports.shouldAssumeRole = MONGODB_AWS_ROLE_ARN && AWS_WEB_IDENTITY_TOKEN_FILE;
-const generateAwsCredentials = async () => {
-    if (exports.shouldAssumeRole) {
-        return (0, credential_providers_1.fromNodeProviderChain)({
-            roleArn: MONGODB_AWS_ROLE_ARN,
-        });
+const aws4_1 = tslib_1.__importDefault(require("aws4"));
+aws4_1.default.RequestSigner; // ensure types are loaded
+// Environment variables required for IRSA/EKS role assumption authentication:
+//   MONGODB_AWS_ROLE_ARN: the AWS IAM Role ARN to assume
+//   AWS_WEB_IDENTITY_TOKEN_FILE: path to serviceAccount token (set by kubelet when IRSA is enabled)
+exports.MONGODB_AWS_ROLE_ARN = process.env.MONGODB_AWS_ROLE_ARN;
+exports.AWS_WEB_IDENTITY_TOKEN_FILE = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
+// A dynamic credentials provider for the MongoDB driver that will always fetch fresh AWS credentials (using IRSA+STS)
+// ALWAYS use this as the value of AWS_CREDENTIAL_PROVIDER in authMechanismProperties. Never embed static keys/tokens in the URI.
+function getMongoAwsCredentialProvider() {
+    if (!exports.MONGODB_AWS_ROLE_ARN || !exports.AWS_WEB_IDENTITY_TOKEN_FILE) {
+        throw new Error('[mongo] MONGODB_AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE are not set. ' +
+            'These are required for AWS IAM auth (IRSA, STS assume role), and must be set in the environment!');
     }
-    return (0, credential_providers_1.fromNodeProviderChain)();
-};
-exports.generateAwsCredentials = generateAwsCredentials;
-const generateConnectionString = async (cnn) => {
-    if (!cnn) {
-        throw new Error('MongoDB connection string is not defined');
-    }
-    if (exports.shouldAssumeRole) {
-        const credentials = await (0, exports.generateAwsCredentials)();
-        if (credentials) {
-            const url = new URL(cnn);
-            url.username = credentials.accessKeyId || '';
-            url.password = credentials.secretAccessKey || '';
-            if (credentials.sessionToken) {
-                url.searchParams.set('authMechanismProperties', `AWS_SESSION_TOKEN:${credentials.sessionToken}`);
-            }
-            return url.toString();
-        }
-        throw new Error('Failed to assume role with web identity');
-    }
-    return cnn;
-};
-exports.generateConnectionString = generateConnectionString;
+    // This permanently produces a rotating credentials chain using the specified roleArn, IRSA, and web identity token
+    const credentialChain = (0, credential_providers_1.fromNodeProviderChain)({
+        roleArn: exports.MONGODB_AWS_ROLE_ARN,
+    });
+    return () => credentialChain();
+}

package/dist/src/mongo.providers.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mongo.providers.d.ts","sourceRoot":"","sources":["../../src/mongo.providers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAU1C,eAAO,MAAM,cAAc,EAAE,QAAQ,~~EAiBpC~~,CAAC"}
1	+ {"version":3,"file":"mongo.providers.d.ts","sourceRoot":"","sources":["../../src/mongo.providers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAU1C,eAAO,MAAM,cAAc,EAAE,QAAQ,EA8BpC,CAAC"}

package/dist/src/mongo.providers.js CHANGED Viewed

@@ -9,17 +9,31 @@ const mongoUrl = (configService) => configService.get('MONGO_URL') ?? configServ
 exports.MongoProviders = [
     {
         provide: 'MONGO_CONNECTION',
-        useFactory: async (configService) => (0, mongoose_1.connect)(await (0, aws_1.generateConnectionString)(mongoUrl(configService)), {
-            ...(isNotProductionOrLive(configService.get('NODE_ENV')) && {
-                minPoolSize: 0,
-                maxPoolSize: 10,
-                ...((mongoUrl(configService) ?? '').includes('MONGODB-AWS') && {
-                    authMechanismProperties: {
-                        AWS_CREDENTIAL_PROVIDER: aws_1.generateAwsCredentials,
-                    },
-                }),
-            }),
-        }),
+        useFactory: async (configService) => {
+            const connectionString = mongoUrl(configService);
+            if (!connectionString)
+                throw new Error('MongoDB connection string is not defined');
+            const options = {};
+            // Always use dynamic AWS credential provider for MongoDB-AWS mechanism
+            if ((connectionString ?? '').includes('MONGODB-AWS')) {
+                options.authMechanismProperties = {
+                    // This will provide rotating, always-fresh AWS credentials via IRSA
+                    AWS_CREDENTIAL_PROVIDER: (0, aws_1.getMongoAwsCredentialProvider)(),
+                };
+            }
+            // Pool sizing for dev/test only
+            if (isNotProductionOrLive(configService.get('NODE_ENV'))) {
+                options.minPoolSize = 0;
+                options.maxPoolSize = 10;
+            }
+            try {
+                return await (0, mongoose_1.connect)(connectionString, options);
+            }
+            catch (err) {
+                console.error('[mongo] Failed to connect to MongoDB:', err);
+                throw err;
+            }
+        },
         inject: [config_1.ConfigService],
     },
 ];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@edirect/mongo",
-  "version": "11.0.41",
+  "version": "11.0.42",
   "packageScope": "@edirect",
   "main": "./dist/src/index.js",
   "types": "./dist/src/index.d.ts",
@@ -19,10 +19,11 @@
   "dependencies": {
     "@aws-sdk/credential-providers": "^3.975.0",
     "@nestjs/common": "^11.1.12",
+    "aws4": "^1.13.2",
     "mongodb": "^7.0.0",
     "mongoose": "^9.1.5",
     "tslib": "^2.8.1",
-    "@edirect/config": "11.0.41"
+    "@edirect/config": "11.0.42"
   },
   "nx": {
     "name": "@edirect/mongo",
@@ -40,5 +41,8 @@
         }
       }
     }
+  },
+  "devDependencies": {
+    "@types/aws4": "^1.11.6"
   }
 }