@edirect/mongo 11.0.41 → 11.0.43

package/dist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@edirect/mongo",
-  "version": "11.0.40",
+  "version": "11.0.43",
   "main": "./dist/src/index.js",
   "types": "./dist/src/index.d.ts",
   "exports": {
@@ -17,8 +17,9 @@
   ],
   "dependencies": {
     "@aws-sdk/credential-providers": "^3.975.0",
-    "@edirect/config": "^11.0.40",
+    "@edirect/config": "^11.0.43",
     "@nestjs/common": "^11.1.12",
+    "aws4": "^1.13.2",
     "mongodb": "^7.0.0",
     "mongoose": "^9.1.5",
     "tslib": "^2.8.1"

package/dist/src/aws.d.ts

@@ -1,5 +1,5 @@
 import { AWSCredentials } from 'mongodb';
-export declare const shouldAssumeRole: string | undefined;
-export declare const generateAwsCredentials: () => Promise<AWSCredentials | undefined>;
-export declare const generateConnectionString: (cnn: string | undefined) => Promise<string>;
+export declare const MONGODB_AWS_ROLE_ARN: string | undefined;
+export declare const AWS_WEB_IDENTITY_TOKEN_FILE: string | undefined;
+export declare function getMongoAwsCredentialProvider(): () => Promise<AWSCredentials>;
 //# sourceMappingURL=aws.d.ts.map

package/dist/src/aws.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/aws.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAKzC,eAAO,MAAM,gBAAgB,oBACwB,CAAC;AAEtD,eAAO,MAAM,sBAAsB,QAAa,OAAO,CACrD,cAAc,GAAG,SAAS,CAQ3B,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,KAAK,MAAM,GAAG,SAAS,KACtB,OAAO,CAAC,MAAM,CAqBhB,CAAC"}
+{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/aws.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAKzC,eAAO,MAAM,oBAAoB,oBAAmC,CAAC;AACrE,eAAO,MAAM,2BAA2B,oBACC,CAAC;AAI1C,wBAAgB,6BAA6B,IAAI,MAAM,OAAO,CAAC,cAAc,CAAC,CAY7E"}

package/dist/src/aws.js

@@ -1,36 +1,23 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateConnectionString = exports.generateAwsCredentials = exports.shouldAssumeRole = void 0;
+exports.AWS_WEB_IDENTITY_TOKEN_FILE = exports.MONGODB_AWS_ROLE_ARN = void 0;
+exports.getMongoAwsCredentialProvider = getMongoAwsCredentialProvider;
 const credential_providers_1 = require("@aws-sdk/credential-providers");
-const MONGODB_AWS_ROLE_ARN = process.env.MONGODB_AWS_ROLE_ARN;
-const AWS_WEB_IDENTITY_TOKEN_FILE = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
-exports.shouldAssumeRole = MONGODB_AWS_ROLE_ARN && AWS_WEB_IDENTITY_TOKEN_FILE;
-const generateAwsCredentials = async () => {
-    if (exports.shouldAssumeRole) {
-        return (0, credential_providers_1.fromNodeProviderChain)({
-            roleArn: MONGODB_AWS_ROLE_ARN,
-        });
+// Environment variables required for IRSA/EKS role assumption authentication:
+//   MONGODB_AWS_ROLE_ARN: the AWS IAM Role ARN to assume
+//   AWS_WEB_IDENTITY_TOKEN_FILE: path to serviceAccount token (set by kubelet when IRSA is enabled)
+exports.MONGODB_AWS_ROLE_ARN = process.env.MONGODB_AWS_ROLE_ARN;
+exports.AWS_WEB_IDENTITY_TOKEN_FILE = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
+// A dynamic credentials provider for the MongoDB driver that will always fetch fresh AWS credentials (using IRSA+STS)
+// ALWAYS use this as the value of AWS_CREDENTIAL_PROVIDER in authMechanismProperties. Never embed static keys/tokens in the URI.
+function getMongoAwsCredentialProvider() {
+    if (!exports.MONGODB_AWS_ROLE_ARN || !exports.AWS_WEB_IDENTITY_TOKEN_FILE) {
+        throw new Error('[mongo] MONGODB_AWS_ROLE_ARN or AWS_WEB_IDENTITY_TOKEN_FILE are not set. ' +
+            'These are required for AWS IAM auth (IRSA, STS assume role), and must be set in the environment!');
     }
-    return (0, credential_providers_1.fromNodeProviderChain)();
-};
-exports.generateAwsCredentials = generateAwsCredentials;
-const generateConnectionString = async (cnn) => {
-    if (!cnn) {
-        throw new Error('MongoDB connection string is not defined');
-    }
-    if (exports.shouldAssumeRole) {
-        const credentials = await (0, exports.generateAwsCredentials)();
-        if (credentials) {
-            const url = new URL(cnn);
-            url.username = credentials.accessKeyId || '';
-            url.password = credentials.secretAccessKey || '';
-            if (credentials.sessionToken) {
-                url.searchParams.set('authMechanismProperties', `AWS_SESSION_TOKEN:${credentials.sessionToken}`);
-            }
-            return url.toString();
-        }
-        throw new Error('Failed to assume role with web identity');
-    }
-    return cnn;
-};
-exports.generateConnectionString = generateConnectionString;
+    // This permanently produces a rotating credentials chain using the specified roleArn, IRSA, and web identity token
+    const credentialChain = (0, credential_providers_1.fromNodeProviderChain)({
+        roleArn: exports.MONGODB_AWS_ROLE_ARN,
+    });
+    return () => credentialChain();
+}

package/dist/src/mongo.providers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mongo.providers.d.ts","sourceRoot":"","sources":["../../src/mongo.providers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAU1C,eAAO,MAAM,cAAc,EAAE,QAAQ,EAiBpC,CAAC"}
+{"version":3,"file":"mongo.providers.d.ts","sourceRoot":"","sources":["../../src/mongo.providers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAU1C,eAAO,MAAM,cAAc,EAAE,QAAQ,EA8BpC,CAAC"}

package/dist/src/mongo.providers.js

@@ -9,17 +9,31 @@ const mongoUrl = (configService) => configService.get('MONGO_URL') ?? configServ
 exports.MongoProviders = [
     {
         provide: 'MONGO_CONNECTION',
-        useFactory: async (configService) => (0, mongoose_1.connect)(await (0, aws_1.generateConnectionString)(mongoUrl(configService)), {
-            ...(isNotProductionOrLive(configService.get('NODE_ENV')) && {
-                minPoolSize: 0,
-                maxPoolSize: 10,
-                ...((mongoUrl(configService) ?? '').includes('MONGODB-AWS') && {
-                    authMechanismProperties: {
-                        AWS_CREDENTIAL_PROVIDER: aws_1.generateAwsCredentials,
-                    },
-                }),
-            }),
-        }),
+        useFactory: async (configService) => {
+            const connectionString = mongoUrl(configService);
+            if (!connectionString)
+                throw new Error('MongoDB connection string is not defined');
+            const options = {};
+            // Always use dynamic AWS credential provider for MongoDB-AWS mechanism
+            if ((connectionString ?? '').includes('MONGODB-AWS')) {
+                options.authMechanismProperties = {
+                    // This will provide rotating, always-fresh AWS credentials via IRSA
+                    AWS_CREDENTIAL_PROVIDER: (0, aws_1.getMongoAwsCredentialProvider)(),
+                };
+            }
+            // Pool sizing for dev/test only
+            if (isNotProductionOrLive(configService.get('NODE_ENV'))) {
+                options.minPoolSize = 0;
+                options.maxPoolSize = 10;
+            }
+            try {
+                return await (0, mongoose_1.connect)(connectionString, options);
+            }
+            catch (err) {
+                console.error('[mongo] Failed to connect to MongoDB:', err);
+                throw err;
+            }
+        },
         inject: [config_1.ConfigService],
     },
 ];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@edirect/mongo",
-  "version": "11.0.41",
+  "version": "11.0.43",
   "packageScope": "@edirect",
   "main": "./dist/src/index.js",
   "types": "./dist/src/index.d.ts",
@@ -19,10 +19,11 @@
   "dependencies": {
     "@aws-sdk/credential-providers": "^3.975.0",
     "@nestjs/common": "^11.1.12",
+    "aws4": "^1.13.2",
     "mongodb": "^7.0.0",
     "mongoose": "^9.1.5",
     "tslib": "^2.8.1",
-    "@edirect/config": "11.0.41"
+    "@edirect/config": "11.0.43"
   },
   "nx": {
     "name": "@edirect/mongo",