mongodb 5.0.1 → 5.2.0

package/lib/cmap/auth/mongodb_oidc/callback_workflow.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CallbackWorkflow = void 0;
+const bson_1 = require("bson");
+const error_1 = require("../../../error");
+const utils_1 = require("../../../utils");
+const providers_1 = require("../providers");
+const token_entry_cache_1 = require("./token_entry_cache");
+/* 5 minutes in milliseconds */
+const TIMEOUT_MS = 300000;
+/**
+ * OIDC implementation of a callback based workflow.
+ * @internal
+ */
+class CallbackWorkflow {
+    /**
+     * Instantiate the workflow
+     */
+    constructor() {
+        this.cache = new token_entry_cache_1.TokenEntryCache();
+    }
+    /**
+     * Get the document to add for speculative authentication. Is empty when
+     * callbacks are in play.
+     */
+    speculativeAuth() {
+        return Promise.resolve({});
+    }
+    /**
+     * Execute the workflow.
+     *
+     * Steps:
+     * - If an entry is in the cache
+     *   - If it is not expired
+     *     - Skip step one and use the entry to execute step two.
+     *   - If it is expired
+     *     - If the refresh callback exists
+     *       - remove expired entry from cache
+     *       - call the refresh callback.
+     *       - put the new entry in the cache.
+     *       - execute step two.
+     *     - If the refresh callback does not exist.
+     *       - remove expired entry from cache
+     *       - call the request callback.
+     *       - put the new entry in the cache.
+     *       - execute step two.
+     * - If no entry is in the cache.
+     *   - execute step one.
+     *   - call the refresh callback.
+     *   - put the new entry in the cache.
+     *   - execute step two.
+     */
+    async execute(connection, credentials, reauthenticate = false) {
+        const request = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK;
+        const refresh = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK;
+        const entry = this.cache.getEntry(connection.address, credentials.username, request || null, refresh || null);
+        if (entry) {
+            // Check if the entry is not expired and if we are reauthenticating.
+            if (!reauthenticate && entry.isValid()) {
+                // Skip step one and execute the step two saslContinue.
+                try {
+                    const result = await finishAuth(entry.tokenResult, undefined, connection, credentials);
+                    return result;
+                }
+                catch (error) {
+                    // If authentication errors when using a cached token we remove it from
+                    // the cache.
+                    this.cache.deleteEntry(connection.address, credentials.username || '', request || null, refresh || null);
+                    throw error;
+                }
+            }
+            else {
+                // Remove the expired entry from the cache.
+                this.cache.deleteEntry(connection.address, credentials.username || '', request || null, refresh || null);
+                // Execute a refresh of the token and finish auth.
+                return this.refreshAndFinish(connection, credentials, entry.serverResult, entry.tokenResult);
+            }
+        }
+        else {
+            // No entry means to start with the step one saslStart.
+            const result = await connection.commandAsync((0, utils_1.ns)(credentials.source), startCommandDocument(credentials), undefined);
+            const stepOne = bson_1.BSON.deserialize(result.payload.buffer);
+            // Call the request callback and finish auth.
+            return this.requestAndFinish(connection, credentials, stepOne, result.conversationId);
+        }
+    }
+    /**
+     * Execute the refresh callback if it exists, otherwise the request callback, then
+     * finish the authentication.
+     */
+    async refreshAndFinish(connection, credentials, stepOneResult, tokenResult, conversationId) {
+        const request = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK;
+        const refresh = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK;
+        // If a refresh callback exists, use it. Otherwise use the request callback.
+        if (refresh) {
+            const result = await refresh(credentials.username, stepOneResult, tokenResult, TIMEOUT_MS);
+            // Validate the result.
+            if (!result || !result.accessToken) {
+                throw new error_1.MongoMissingCredentialsError('REFRESH_TOKEN_CALLBACK must return a valid object with an accessToken');
+            }
+            // Cache a new entry and continue with the saslContinue.
+            this.cache.addEntry(connection.address, credentials.username || '', request || null, refresh, result, stepOneResult);
+            return finishAuth(result, conversationId, connection, credentials);
+        }
+        else {
+            // Fallback to using the request callback.
+            return this.requestAndFinish(connection, credentials, stepOneResult, conversationId);
+        }
+    }
+    /**
+     * Execute the request callback and finish authentication.
+     */
+    async requestAndFinish(connection, credentials, stepOneResult, conversationId) {
+        // Call the request callback.
+        const request = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK;
+        const refresh = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK;
+        // Always clear expired entries from the cache on each finish as cleanup.
+        this.cache.deleteExpiredEntries();
+        if (!request) {
+            // Request callback must be present.
+            throw new error_1.MongoInvalidArgumentError('Auth mechanism property REQUEST_TOKEN_CALLBACK is required.');
+        }
+        const tokenResult = await request(credentials.username, stepOneResult, TIMEOUT_MS);
+        // Validate the result.
+        if (!tokenResult || !tokenResult.accessToken) {
+            throw new error_1.MongoMissingCredentialsError('REQUEST_TOKEN_CALLBACK must return a valid object with an accessToken');
+        }
+        // Cache a new entry and continue with the saslContinue.
+        this.cache.addEntry(connection.address, credentials.username || '', request, refresh || null, tokenResult, stepOneResult);
+        return finishAuth(tokenResult, conversationId, connection, credentials);
+    }
+}
+exports.CallbackWorkflow = CallbackWorkflow;
+/**
+ * Cache the result of the user supplied callback and execute the
+ * step two saslContinue.
+ */
+async function finishAuth(result, conversationId, connection, credentials) {
+    // Execute the step two saslContinue.
+    return connection.commandAsync((0, utils_1.ns)(credentials.source), continueCommandDocument(result.accessToken, conversationId), undefined);
+}
+/**
+ * Generate the saslStart command document.
+ */
+function startCommandDocument(credentials) {
+    const payload = {};
+    if (credentials.username) {
+        payload.n = credentials.username;
+    }
+    return {
+        saslStart: 1,
+        autoAuthorize: 1,
+        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
+        payload: new bson_1.Binary(bson_1.BSON.serialize(payload))
+    };
+}
+/**
+ * Generate the saslContinue command document.
+ */
+function continueCommandDocument(token, conversationId) {
+    if (conversationId) {
+        return {
+            saslContinue: 1,
+            conversationId: conversationId,
+            payload: new bson_1.Binary(bson_1.BSON.serialize({ jwt: token }))
+        };
+    }
+    // saslContinue requires a conversationId in the command to be valid so in this
+    // case the server allows "step two" to actually be a saslStart with the token
+    // as the jwt since the use of the cached value has no correlating conversating
+    // on the particular connection.
+    return {
+        saslStart: 1,
+        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
+        payload: new bson_1.Binary(bson_1.BSON.serialize({ jwt: token }))
+    };
+}
+//# sourceMappingURL=callback_workflow.js.map

package/lib/cmap/auth/mongodb_oidc/callback_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/callback_workflow.ts"],"names":[],"mappings":";;;AAAA,+BAAmD;AAEnD,0CAAyF;AACzF,0CAAoC;AAIpC,4CAA6C;AAC7C,2DAAsD;AAGtD,+BAA+B;AAC/B,MAAM,UAAU,GAAG,MAAM,CAAC;AAE1B;;;GAGG;AACH,MAAa,gBAAgB;IAG3B;;OAEG;IACH;QACE,IAAI,CAAC,KAAK,GAAG,IAAI,mCAAe,EAAE,CAAC;IACrC,CAAC;IAED;;;OAGG;IACH,eAAe;QACb,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC7B,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,KAAK,CAAC,OAAO,CACX,UAAsB,EACtB,WAA6B,EAC7B,cAAc,GAAG,KAAK;QAEtB,MAAM,OAAO,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QACvE,MAAM,OAAO,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QAEvE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAC/B,UAAU,CAAC,OAAO,EAClB,WAAW,CAAC,QAAQ,EACpB,OAAO,IAAI,IAAI,EACf,OAAO,IAAI,IAAI,CAChB,CAAC;QACF,IAAI,KAAK,EAAE;YACT,oEAAoE;YACpE,IAAI,CAAC,cAAc,IAAI,KAAK,CAAC,OAAO,EAAE,EAAE;gBACtC,uDAAuD;gBACvD,IAAI;oBACF,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,KAAK,CAAC,WAAW,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;oBACvF,OAAO,MAAM,CAAC;iBACf;gBAAC,OAAO,KAAK,EAAE;oBACd,uEAAuE;oBACvE,aAAa;oBACb,IAAI,CAAC,KAAK,CAAC,WAAW,CACpB,UAAU,CAAC,OAAO,EAClB,WAAW,CAAC,QAAQ,IAAI,EAAE,EAC1B,OAAO,IAAI,IAAI,EACf,OAAO,IAAI,IAAI,CAChB,CAAC;oBACF,MAAM,KAAK,CAAC;iBACb;aACF;iBAAM;gBACL,2CAA2C;gBAC3C,IAAI,CAAC,KAAK,CAAC,WAAW,CACpB,UAAU,CAAC,OAAO,EAClB,WAAW,CAAC,QAAQ,IAAI,EAAE,EAC1B,OAAO,IAAI,IAAI,EACf,OAAO,IAAI,IAAI,CAChB,CAAC;gBACF,kDAAkD;gBAClD,OAAO,IAAI,CAAC,gBAAgB,CAC1B,UAAU,EACV,WAAW,EACX,KAAK,CAAC,YAAY,EAClB,KAAK,CAAC,WAAW,CAClB,CAAC;aACH;SACF;aAAM;YACL,uDAAuD;YACvD,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,YAAY,CAC1C,IAAA,UAAE,EAAC,WAAW,CAAC,MAAM,CAAC,EACtB,oBAAoB,CAAC,WAAW,CAAC,EACjC,SAAS,CACV,CAAC;YACF,MAAM,OAAO,GAAG,WAAI,CAAC,WAAW,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAA6B,CAAC;YACpF,6CAA6C;YAC7C,OAAO,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;SACvF;IACH,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,gBAAgB,CAC5B,UAAsB,EACtB,WAA6B,EAC7B,aAAuC,EACvC,WAAmC,EACnC,cAAuB;QAEvB,MAAM,OAAO,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QACvE,MAAM,OAAO,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QACvE,4EAA4E;QAC5E,IAAI,OAAO,EAAE;YACX,MAAM,MAAM,GAA2B,MAAM,OAAO,CAClD,WAAW,CAAC,QAAQ,EACpB,aAAa,EACb,WAAW,EACX,UAAU,CACX,CAAC;YACF,uBAAuB;YACvB,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE;gBAClC,MAAM,IAAI,oCAA4B,CACpC,uEAAuE,CACxE,CAAC;aACH;YACD,wDAAwD;YACxD,IAAI,CAAC,KAAK,CAAC,QAAQ,CACjB,UAAU,CAAC,OAAO,EAClB,WAAW,CAAC,QAAQ,IAAI,EAAE,EAC1B,OAAO,IAAI,IAAI,EACf,OAAO,EACP,MAAM,EACN,aAAa,CACd,CAAC;YACF,OAAO,UAAU,CAAC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;SACpE;aAAM;YACL,0CAA0C;YAC1C,OAAO,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,CAAC,CAAC;SACtF;IACH,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,UAAsB,EACtB,WAA6B,EAC7B,aAAuC,EACvC,cAAuB;QAEvB,6BAA6B;QAC7B,MAAM,OAAO,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QACvE,MAAM,OAAO,GAAG,WAAW,CAAC,mBAAmB,CAAC,sBAAsB,CAAC;QACvE,yEAAyE;QACzE,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO,EAAE;YACZ,oCAAoC;YACpC,MAAM,IAAI,iCAAyB,CACjC,6DAA6D,CAC9D,CAAC;SACH;QACD,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,EAAE,aAAa,EAAE,UAAU,CAAC,CAAC;QACnF,uBAAuB;QACvB,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE;YAC5C,MAAM,IAAI,oCAA4B,CACpC,uEAAuE,CACxE,CAAC;SACH;QACD,wDAAwD;QACxD,IAAI,CAAC,KAAK,CAAC,QAAQ,CACjB,UAAU,CAAC,OAAO,EAClB,WAAW,CAAC,QAAQ,IAAI,EAAE,EAC1B,OAAO,EACP,OAAO,IAAI,IAAI,EACf,WAAW,EACX,aAAa,CACd,CAAC;QACF,OAAO,UAAU,CAAC,WAAW,EAAE,cAAc,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;IAC1E,CAAC;CACF;AAxLD,4CAwLC;AAED;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,MAA8B,EAC9B,cAAkC,EAClC,UAAsB,EACtB,WAA6B;IAE7B,qCAAqC;IACrC,OAAO,UAAU,CAAC,YAAY,CAC5B,IAAA,UAAE,EAAC,WAAW,CAAC,MAAM,CAAC,EACtB,uBAAuB,CAAC,MAAM,CAAC,WAAW,EAAE,cAAc,CAAC,EAC3D,SAAS,CACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,WAA6B;IACzD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,WAAW,CAAC,QAAQ,EAAE;QACxB,OAAO,CAAC,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC;KAClC;IACD,OAAO;QACL,SAAS,EAAE,CAAC;QACZ,aAAa,EAAE,CAAC;QAChB,SAAS,EAAE,yBAAa,CAAC,YAAY;QACrC,OAAO,EAAE,IAAI,aAAM,CAAC,WAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,KAAa,EAAE,cAAuB;IACrE,IAAI,cAAc,EAAE;QAClB,OAAO;YACL,YAAY,EAAE,CAAC;YACf,cAAc,EAAE,cAAc;YAC9B,OAAO,EAAE,IAAI,aAAM,CAAC,WAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;SACpD,CAAC;KACH;IACD,+EAA+E;IAC/E,8EAA8E;IAC9E,+EAA+E;IAC/E,gCAAgC;IAChC,OAAO;QACL,SAAS,EAAE,CAAC;QACZ,SAAS,EAAE,yBAAa,CAAC,YAAY;QACrC,OAAO,EAAE,IAAI,aAAM,CAAC,WAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;KACpD,CAAC;AACJ,CAAC"}

package/lib/cmap/auth/mongodb_oidc/service_workflow.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.commandDocument = exports.ServiceWorkflow = void 0;
+const bson_1 = require("bson");
+const utils_1 = require("../../../utils");
+const providers_1 = require("../providers");
+/**
+ * Common behaviour for OIDC device workflows.
+ * @internal
+ */
+class ServiceWorkflow {
+    /**
+     * Execute the workflow. Looks for AWS_WEB_IDENTITY_TOKEN_FILE in the environment
+     * and then attempts to read the token from that path.
+     */
+    async execute(connection, credentials) {
+        const token = await this.getToken();
+        const command = commandDocument(token);
+        return connection.commandAsync((0, utils_1.ns)(credentials.source), command, undefined);
+    }
+    /**
+     * Get the document to add for speculative authentication.
+     */
+    async speculativeAuth() {
+        const token = await this.getToken();
+        return { speculativeAuthenticate: commandDocument(token) };
+    }
+}
+exports.ServiceWorkflow = ServiceWorkflow;
+/**
+ * Create the saslStart command document.
+ */
+function commandDocument(token) {
+    return {
+        saslStart: 1,
+        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
+        payload: bson_1.BSON.serialize({ jwt: token })
+    };
+}
+exports.commandDocument = commandDocument;
+//# sourceMappingURL=service_workflow.js.map

package/lib/cmap/auth/mongodb_oidc/service_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/service_workflow.ts"],"names":[],"mappings":";;;AAAA,+BAA2C;AAE3C,0CAAoC;AAGpC,4CAA6C;AAG7C;;;GAGG;AACH,MAAsB,eAAe;IACnC;;;OAGG;IACH,KAAK,CAAC,OAAO,CAAC,UAAsB,EAAE,WAA6B;QACjE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,YAAY,CAAC,IAAA,UAAE,EAAC,WAAW,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe;QACnB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,uBAAuB,EAAE,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;IAC7D,CAAC;CAMF;AAvBD,0CAuBC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,KAAa;IAC3C,OAAO;QACL,SAAS,EAAE,CAAC;QACZ,SAAS,EAAE,yBAAa,CAAC,YAAY;QACrC,OAAO,EAAE,WAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC;AAND,0CAMC"}

package/lib/cmap/auth/mongodb_oidc/token_entry_cache.js

@@ -0,0 +1,115 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenEntryCache = exports.TokenEntry = void 0;
+/* 5 minutes in milliseonds */
+const EXPIRATION_BUFFER_MS = 300000;
+/* Default expiration is now for when no expiration provided */
+const DEFAULT_EXPIRATION_SECS = 0;
+/* Counter for function "hashes".*/
+let FN_HASH_COUNTER = 0;
+/* No function present function */
+const NO_FUNCTION = () => {
+    return Promise.resolve({ accessToken: 'test' });
+};
+/* The map of function hashes */
+const FN_HASHES = new WeakMap();
+/* Put the no function hash in the map. */
+FN_HASHES.set(NO_FUNCTION, FN_HASH_COUNTER);
+/** @internal */
+class TokenEntry {
+    /**
+     * Instantiate the entry.
+     */
+    constructor(tokenResult, serverResult, expiration) {
+        this.tokenResult = tokenResult;
+        this.serverResult = serverResult;
+        this.expiration = expiration;
+    }
+    /**
+     * The entry is still valid if the expiration is more than
+     * 5 minutes from the expiration time.
+     */
+    isValid() {
+        return this.expiration - Date.now() > EXPIRATION_BUFFER_MS;
+    }
+}
+exports.TokenEntry = TokenEntry;
+/**
+ * Cache of OIDC token entries.
+ * @internal
+ */
+class TokenEntryCache {
+    constructor() {
+        this.entries = new Map();
+    }
+    /**
+     * Set an entry in the token cache.
+     */
+    addEntry(address, username, requestFn, refreshFn, tokenResult, serverResult) {
+        const entry = new TokenEntry(tokenResult, serverResult, expirationTime(tokenResult.expiresInSeconds));
+        this.entries.set(cacheKey(address, username, requestFn, refreshFn), entry);
+        return entry;
+    }
+    /**
+     * Clear the cache.
+     */
+    clear() {
+        this.entries.clear();
+    }
+    /**
+     * Delete an entry from the cache.
+     */
+    deleteEntry(address, username, requestFn, refreshFn) {
+        this.entries.delete(cacheKey(address, username, requestFn, refreshFn));
+    }
+    /**
+     * Get an entry from the cache.
+     */
+    getEntry(address, username, requestFn, refreshFn) {
+        return this.entries.get(cacheKey(address, username, requestFn, refreshFn));
+    }
+    /**
+     * Delete all expired entries from the cache.
+     */
+    deleteExpiredEntries() {
+        for (const [key, entry] of this.entries) {
+            if (!entry.isValid()) {
+                this.entries.delete(key);
+            }
+        }
+    }
+}
+exports.TokenEntryCache = TokenEntryCache;
+/**
+ * Get an expiration time in milliseconds past epoch. Defaults to immediate.
+ */
+function expirationTime(expiresInSeconds) {
+    return Date.now() + (expiresInSeconds ?? DEFAULT_EXPIRATION_SECS) * 1000;
+}
+/**
+ * Create a cache key from the address and username.
+ */
+function cacheKey(address, username, requestFn, refreshFn) {
+    return `${address}-${username}-${hashFunctions(requestFn, refreshFn)}`;
+}
+/**
+ * Get the hash string for the request and refresh functions.
+ */
+function hashFunctions(requestFn, refreshFn) {
+    let requestHash = FN_HASHES.get(requestFn || NO_FUNCTION);
+    let refreshHash = FN_HASHES.get(refreshFn || NO_FUNCTION);
+    if (!requestHash && requestFn) {
+        // Create a new one for the function and put it in the map.
+        FN_HASH_COUNTER++;
+        requestHash = FN_HASH_COUNTER;
+        FN_HASHES.set(requestFn, FN_HASH_COUNTER);
+    }
+    if (!refreshHash && refreshFn) {
+        // Create a new one for the function and put it in the map.
+        FN_HASH_COUNTER++;
+        refreshHash = FN_HASH_COUNTER;
+        FN_HASHES.set(refreshFn, FN_HASH_COUNTER);
+    }
+    return `${requestHash}-${refreshHash}`;
+}
+//# sourceMappingURL=token_entry_cache.js.map

package/lib/cmap/auth/mongodb_oidc/token_entry_cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token_entry_cache.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/token_entry_cache.ts"],"names":[],"mappings":";;;AAOA,8BAA8B;AAC9B,MAAM,oBAAoB,GAAG,MAAM,CAAC;AACpC,+DAA+D;AAC/D,MAAM,uBAAuB,GAAG,CAAC,CAAC;AAClC,mCAAmC;AACnC,IAAI,eAAe,GAAG,CAAC,CAAC;AACxB,kCAAkC;AAClC,MAAM,WAAW,GAAwB,GAAG,EAAE;IAC5C,OAAO,OAAO,CAAC,OAAO,CAAC,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;AAClD,CAAC,CAAC;AACF,gCAAgC;AAChC,MAAM,SAAS,GAAG,IAAI,OAAO,EAAqD,CAAC;AACnF,0CAA0C;AAC1C,SAAS,CAAC,GAAG,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;AAE5C,gBAAgB;AAChB,MAAa,UAAU;IAKrB;;OAEG;IACH,YACE,WAAmC,EACnC,YAAsC,EACtC,UAAkB;QAElB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QACjC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,oBAAoB,CAAC;IAC7D,CAAC;CACF;AAzBD,gCAyBC;AAED;;;GAGG;AACH,MAAa,eAAe;IAG1B;QACE,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,QAAQ,CACN,OAAe,EACf,QAAgB,EAChB,SAAqC,EACrC,SAAqC,EACrC,WAAmC,EACnC,YAAsC;QAEtC,MAAM,KAAK,GAAG,IAAI,UAAU,CAC1B,WAAW,EACX,YAAY,EACZ,cAAc,CAAC,WAAW,CAAC,gBAAgB,CAAC,CAC7C,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,EAAE,KAAK,CAAC,CAAC;QAC3E,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,WAAW,CACT,OAAe,EACf,QAAgB,EAChB,SAAqC,EACrC,SAAqC;QAErC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;IACzE,CAAC;IAED;;OAEG;IACH,QAAQ,CACN,OAAe,EACf,QAAgB,EAChB,SAAqC,EACrC,SAAqC;QAErC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;IAC7E,CAAC;IAED;;OAEG;IACH,oBAAoB;QAClB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE;YACvC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE;gBACpB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;aAC1B;SACF;IACH,CAAC;CACF;AApED,0CAoEC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,gBAAyB;IAC/C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,gBAAgB,IAAI,uBAAuB,CAAC,GAAG,IAAI,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,QAAQ,CACf,OAAe,EACf,QAAgB,EAChB,SAAqC,EACrC,SAAqC;IAErC,OAAO,GAAG,OAAO,IAAI,QAAQ,IAAI,aAAa,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,CAAC;AACzE,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,SAAqC,EACrC,SAAqC;IAErC,IAAI,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,IAAI,WAAW,CAAC,CAAC;IAC1D,IAAI,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,IAAI,WAAW,CAAC,CAAC;IAC1D,IAAI,CAAC,WAAW,IAAI,SAAS,EAAE;QAC7B,2DAA2D;QAC3D,eAAe,EAAE,CAAC;QAClB,WAAW,GAAG,eAAe,CAAC;QAC9B,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;KAC3C;IACD,IAAI,CAAC,WAAW,IAAI,SAAS,EAAE;QAC7B,2DAA2D;QAC3D,eAAe,EAAE,CAAC;QAClB,WAAW,GAAG,eAAe,CAAC;QAC9B,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;KAC3C;IACD,OAAO,GAAG,WAAW,IAAI,WAAW,EAAE,CAAC;AACzC,CAAC"}

package/lib/cmap/auth/mongodb_oidc/workflow.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=workflow.js.map

package/lib/cmap/auth/mongodb_oidc/workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/workflow.ts"],"names":[],"mappings":""}

package/lib/cmap/auth/mongodb_oidc.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MongoDBOIDC = exports.OIDC_WORKFLOWS = void 0;
+const error_1 = require("../../error");
+const auth_provider_1 = require("./auth_provider");
+const aws_service_workflow_1 = require("./mongodb_oidc/aws_service_workflow");
+const callback_workflow_1 = require("./mongodb_oidc/callback_workflow");
+/** @internal */
+exports.OIDC_WORKFLOWS = new Map();
+exports.OIDC_WORKFLOWS.set('callback', new callback_workflow_1.CallbackWorkflow());
+exports.OIDC_WORKFLOWS.set('aws', new aws_service_workflow_1.AwsServiceWorkflow());
+/**
+ * OIDC auth provider.
+ * @experimental
+ */
+class MongoDBOIDC extends auth_provider_1.AuthProvider {
+    /**
+     * Instantiate the auth provider.
+     */
+    constructor() {
+        super();
+    }
+    /**
+     * Authenticate using OIDC
+     */
+    async auth(authContext) {
+        const { connection, credentials, response, reauthenticating } = authContext;
+        if (response?.speculativeAuthenticate) {
+            return;
+        }
+        if (!credentials) {
+            throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
+        }
+        const workflow = getWorkflow(credentials);
+        await workflow.execute(connection, credentials, reauthenticating);
+    }
+    /**
+     * Add the speculative auth for the initial handshake.
+     */
+    async prepare(handshakeDoc, authContext) {
+        const { credentials } = authContext;
+        if (!credentials) {
+            throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
+        }
+        const workflow = getWorkflow(credentials);
+        const result = await workflow.speculativeAuth();
+        return { ...handshakeDoc, ...result };
+    }
+}
+exports.MongoDBOIDC = MongoDBOIDC;
+/**
+ * Gets either a device workflow or callback workflow.
+ */
+function getWorkflow(credentials) {
+    const providerName = credentials.mechanismProperties.PROVIDER_NAME;
+    const workflow = exports.OIDC_WORKFLOWS.get(providerName || 'callback');
+    if (!workflow) {
+        throw new error_1.MongoInvalidArgumentError(`Could not load workflow for provider ${credentials.mechanismProperties.PROVIDER_NAME}`);
+    }
+    return workflow;
+}
+//# sourceMappingURL=mongodb_oidc.js.map

package/lib/cmap/auth/mongodb_oidc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mongodb_oidc.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongodb_oidc.ts"],"names":[],"mappings":";;;AAAA,uCAAsF;AAEtF,mDAAiE;AAEjE,8EAAyE;AACzE,wEAAoE;AAiDpE,gBAAgB;AACH,QAAA,cAAc,GAAgC,IAAI,GAAG,EAAE,CAAC;AACrE,sBAAc,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,oCAAgB,EAAE,CAAC,CAAC;AACvD,sBAAc,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,yCAAkB,EAAE,CAAC,CAAC;AAEpD;;;GAGG;AACH,MAAa,WAAY,SAAQ,4BAAY;IAC3C;;OAEG;IACH;QACE,KAAK,EAAE,CAAC;IACV,CAAC;IAED;;OAEG;IACM,KAAK,CAAC,IAAI,CAAC,WAAwB;QAC1C,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,gBAAgB,EAAE,GAAG,WAAW,CAAC;QAE5E,IAAI,QAAQ,EAAE,uBAAuB,EAAE;YACrC,OAAO;SACR;QAED,IAAI,CAAC,WAAW,EAAE;YAChB,MAAM,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC;SACjF;QAED,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;QAE1C,MAAM,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAC;IACpE,CAAC;IAED;;OAEG;IACM,KAAK,CAAC,OAAO,CACpB,YAA+B,EAC/B,WAAwB;QAExB,MAAM,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;QAEpC,IAAI,CAAC,WAAW,EAAE;YAChB,MAAM,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC;SACjF;QAED,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;QAE1C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,eAAe,EAAE,CAAC;QAChD,OAAO,EAAE,GAAG,YAAY,EAAE,GAAG,MAAM,EAAE,CAAC;IACxC,CAAC;CACF;AA7CD,kCA6CC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,WAA6B;IAChD,MAAM,YAAY,GAAG,WAAW,CAAC,mBAAmB,CAAC,aAAa,CAAC;IACnE,MAAM,QAAQ,GAAG,sBAAc,CAAC,GAAG,CAAC,YAAY,IAAI,UAAU,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,iCAAyB,CACjC,wCAAwC,WAAW,CAAC,mBAAmB,CAAC,aAAa,EAAE,CACxF,CAAC;KACH;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/lib/cmap/auth/plain.js

@@ -6,13 +6,12 @@ const error_1 = require("../../error");
 const utils_1 = require("../../utils");
 const auth_provider_1 = require("./auth_provider");
 class Plain extends auth_provider_1.AuthProvider {
-    auth(authContext, callback) {
+    async auth(authContext) {
         const { connection, credentials } = authContext;
         if (!credentials) {
-            return callback(new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.'));
+            throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
         }
-        const username = credentials.username;
-        const password = credentials.password;
+        const { username, password } = credentials;
         const payload = new bson_1.Binary(Buffer.from(`\x00${username}\x00${password}`));
         const command = {
             saslStart: 1,
@@ -20,7 +19,7 @@ class Plain extends auth_provider_1.AuthProvider {
             payload: payload,
             autoAuthorize: 1
         };
-        connection.command((0, utils_1.ns)('$external.$cmd'), command, undefined, callback);
+        await connection.commandAsync((0, utils_1.ns)('$external.$cmd'), command, undefined);
     }
 }
 exports.Plain = Plain;

package/lib/cmap/auth/plain.js.map

@@ -1 +1 @@
-{"version":3,"file":"plain.js","sourceRoot":"","sources":["../../../src/cmap/auth/plain.ts"],"names":[],"mappings":";;;AAAA,qCAAoC;AACpC,uCAA2D;AAC3D,uCAA2C;AAC3C,mDAA4D;AAE5D,MAAa,KAAM,SAAQ,4BAAY;IAC5B,IAAI,CAAC,WAAwB,EAAE,QAAkB;QACxD,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;QAChD,IAAI,CAAC,WAAW,EAAE;YAChB,OAAO,QAAQ,CAAC,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC,CAAC;SAC5F;QACD,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC;QACtC,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC;QAEtC,MAAM,OAAO,GAAG,IAAI,aAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,QAAQ,OAAO,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG;YACd,SAAS,EAAE,CAAC;YACZ,SAAS,EAAE,OAAO;YAClB,OAAO,EAAE,OAAO;YAChB,aAAa,EAAE,CAAC;SACjB,CAAC;QAEF,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC,CAAC;IACzE,CAAC;CACF;AAnBD,sBAmBC"}
+{"version":3,"file":"plain.js","sourceRoot":"","sources":["../../../src/cmap/auth/plain.ts"],"names":[],"mappings":";;;AAAA,qCAAoC;AACpC,uCAA2D;AAC3D,uCAAiC;AACjC,mDAA4D;AAE5D,MAAa,KAAM,SAAQ,4BAAY;IAC5B,KAAK,CAAC,IAAI,CAAC,WAAwB;QAC1C,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;QAChD,IAAI,CAAC,WAAW,EAAE;YAChB,MAAM,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC;SACjF;QAED,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,WAAW,CAAC;QAE3C,MAAM,OAAO,GAAG,IAAI,aAAM,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,QAAQ,OAAO,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,OAAO,GAAG;YACd,SAAS,EAAE,CAAC;YACZ,SAAS,EAAE,OAAO;YAClB,OAAO,EAAE,OAAO;YAChB,aAAa,EAAE,CAAC;SACjB,CAAC;QAEF,MAAM,UAAU,CAAC,YAAY,CAAC,IAAA,UAAE,EAAC,gBAAgB,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAC1E,CAAC;CACF;AAnBD,sBAmBC"}

package/lib/cmap/auth/providers.js

@@ -10,12 +10,15 @@ exports.AuthMechanism = Object.freeze({
     MONGODB_PLAIN: 'PLAIN',
     MONGODB_SCRAM_SHA1: 'SCRAM-SHA-1',
     MONGODB_SCRAM_SHA256: 'SCRAM-SHA-256',
-    MONGODB_X509: 'MONGODB-X509'
+    MONGODB_X509: 'MONGODB-X509',
+    /** @experimental */
+    MONGODB_OIDC: 'MONGODB-OIDC'
 });
 /** @internal */
 exports.AUTH_MECHS_AUTH_SRC_EXTERNAL = new Set([
     exports.AuthMechanism.MONGODB_GSSAPI,
     exports.AuthMechanism.MONGODB_AWS,
+    exports.AuthMechanism.MONGODB_OIDC,
     exports.AuthMechanism.MONGODB_X509
 ]);
 //# sourceMappingURL=providers.js.map

package/lib/cmap/auth/providers.js.map

@@ -1 +1 @@
-{"version":3,"file":"providers.js","sourceRoot":"","sources":["../../../src/cmap/auth/providers.ts"],"names":[],"mappings":";;;AAAA,cAAc;AACD,QAAA,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;IACzC,WAAW,EAAE,aAAa;IAC1B,UAAU,EAAE,YAAY;IACxB,eAAe,EAAE,SAAS;IAC1B,cAAc,EAAE,QAAQ;IACxB,aAAa,EAAE,OAAO;IACtB,kBAAkB,EAAE,aAAa;IACjC,oBAAoB,EAAE,eAAe;IACrC,YAAY,EAAE,cAAc;CACpB,CAAC,CAAC;AAKZ,gBAAgB;AACH,QAAA,4BAA4B,GAAG,IAAI,GAAG,CAAgB;IACjE,qBAAa,CAAC,cAAc;IAC5B,qBAAa,CAAC,WAAW;IACzB,qBAAa,CAAC,YAAY;CAC3B,CAAC,CAAC"}
+{"version":3,"file":"providers.js","sourceRoot":"","sources":["../../../src/cmap/auth/providers.ts"],"names":[],"mappings":";;;AAAA,cAAc;AACD,QAAA,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;IACzC,WAAW,EAAE,aAAa;IAC1B,UAAU,EAAE,YAAY;IACxB,eAAe,EAAE,SAAS;IAC1B,cAAc,EAAE,QAAQ;IACxB,aAAa,EAAE,OAAO;IACtB,kBAAkB,EAAE,aAAa;IACjC,oBAAoB,EAAE,eAAe;IACrC,YAAY,EAAE,cAAc;IAC5B,oBAAoB;IACpB,YAAY,EAAE,cAAc;CACpB,CAAC,CAAC;AAKZ,gBAAgB;AACH,QAAA,4BAA4B,GAAG,IAAI,GAAG,CAAgB;IACjE,qBAAa,CAAC,cAAc;IAC5B,qBAAa,CAAC,WAAW;IACzB,qBAAa,CAAC,YAAY;IAC1B,qBAAa,CAAC,YAAY;CAC3B,CAAC,CAAC"}