mongodb 5.2.0 → 5.4.0

package/src/bulk/common.ts

@@ -212,37 +212,58 @@ export class BulkWriteResult {
     return this.result.ok;
   }
 
-  /** The number of inserted documents */
+  /**
+   * The number of inserted documents
+   * @deprecated Use insertedCount instead.
+   */
   get nInserted(): number {
     return this.result.nInserted;
   }
 
-  /** Number of upserted documents */
+  /**
+   * Number of upserted documents
+   * @deprecated User upsertedCount instead.
+   */
   get nUpserted(): number {
     return this.result.nUpserted;
   }
 
-  /** Number of matched documents */
+  /**
+   * Number of matched documents
+   * @deprecated Use matchedCount instead.
+   */
   get nMatched(): number {
     return this.result.nMatched;
   }
 
-  /** Number of documents updated physically on disk */
+  /**
+   * Number of documents updated physically on disk
+   * @deprecated Use modifiedCount instead.
+   */
   get nModified(): number {
     return this.result.nModified;
   }
 
-  /** Number of removed documents */
+  /**
+   * Number of removed documents
+   * @deprecated Use deletedCount instead.
+   */
   get nRemoved(): number {
     return this.result.nRemoved;
   }
 
-  /** Returns an array of all inserted ids */
+  /**
+   * Returns an array of all inserted ids
+   * @deprecated Use insertedIds instead.
+   */
   getInsertedIds(): Document[] {
     return this.result.insertedIds;
   }
 
-  /** Returns an array of all upserted ids */
+  /**
+   * Returns an array of all upserted ids
+   * @deprecated Use upsertedIds instead.
+   */
   getUpsertedIds(): Document[] {
     return this.result.upserted;
   }

package/src/change_stream.ts

@@ -700,7 +700,7 @@ export class ChangeStream<
   /**
    * Try to get the next available document from the Change Stream's cursor or `null` if an empty batch is returned
    */
-  async tryNext(): Promise<Document | null> {
+  async tryNext(): Promise<TChange | null> {
     this._setIsIterator();
     // Change streams must resume indefinitely while each resume event succeeds.
     // This loop continues until either a change event is received or until a resume attempt

package/src/cmap/auth/mongo_credentials.ts

@@ -30,6 +30,18 @@ function getDefaultAuthMechanism(hello?: Document): AuthMechanism {
   return AuthMechanism.MONGODB_CR;
 }
 
+const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.';
+
+/** @internal */
+export const DEFAULT_ALLOWED_HOSTS = [
+  '*.mongodb.net',
+  '*.mongodb-dev.net',
+  '*.mongodbgov.net',
+  'localhost',
+  '127.0.0.1',
+  '::1'
+];
+
 /** @public */
 export interface AuthMechanismProperties extends Document {
   SERVICE_HOST?: string;
@@ -43,11 +55,13 @@ export interface AuthMechanismProperties extends Document {
   REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
   /** @experimental */
   PROVIDER_NAME?: 'aws';
+  /** @experimental */
+  ALLOWED_HOSTS?: string[];
 }
 
 /** @public */
 export interface MongoCredentialsOptions {
-  username: string;
+  username?: string;
   password: string;
   source: string;
   db?: string;
@@ -72,7 +86,7 @@ export class MongoCredentials {
   readonly mechanismProperties: AuthMechanismProperties;
 
   constructor(options: MongoCredentialsOptions) {
-    this.username = options.username;
+    this.username = options.username ?? '';
     this.password = options.password;
     this.source = options.source;
     if (!this.source && options.db) {
@@ -101,6 +115,13 @@ export class MongoCredentials {
       }
     }
 
+    if (this.mechanism === AuthMechanism.MONGODB_OIDC && !this.mechanismProperties.ALLOWED_HOSTS) {
+      this.mechanismProperties = {
+        ...this.mechanismProperties,
+        ALLOWED_HOSTS: DEFAULT_ALLOWED_HOSTS
+      };
+    }
+
     Object.freeze(this.mechanismProperties);
     Object.freeze(this);
   }
@@ -181,6 +202,18 @@ export class MongoCredentials {
           `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
         );
       }
+
+      if (this.mechanismProperties.ALLOWED_HOSTS) {
+        const hosts = this.mechanismProperties.ALLOWED_HOSTS;
+        if (!Array.isArray(hosts)) {
+          throw new MongoInvalidArgumentError(ALLOWED_HOSTS_ERROR);
+        }
+        for (const host of hosts) {
+          if (typeof host !== 'string') {
+            throw new MongoInvalidArgumentError(ALLOWED_HOSTS_ERROR);
+          }
+        }
+      }
     }
 
     if (AUTH_MECHS_AUTH_SRC_EXTERNAL.has(this.mechanism)) {

package/src/cmap/auth/mongodb_oidc/aws_service_workflow.ts

@@ -1,8 +1,11 @@
-import { readFile } from 'fs/promises';
+import * as fs from 'fs';
 
 import { MongoAWSError } from '../../../error';
 import { ServiceWorkflow } from './service_workflow';
 
+/** Error for when the token is missing in the environment. */
+const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.';
+
 /**
  * Device workflow implementation for AWS.
  *
@@ -19,8 +22,8 @@ export class AwsServiceWorkflow extends ServiceWorkflow {
   async getToken(): Promise<string> {
     const tokenFile = process.env.AWS_WEB_IDENTITY_TOKEN_FILE;
     if (!tokenFile) {
-      throw new MongoAWSError('AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.');
+      throw new MongoAWSError(TOKEN_MISSING_ERROR);
     }
-    return readFile(tokenFile, 'utf8');
+    return fs.promises.readFile(tokenFile, 'utf8');
   }
 }

package/src/cmap/auth/mongodb_oidc/cache.ts

@@ -0,0 +1,27 @@
+/**
+ * Base class for OIDC caches.
+ */
+export abstract class Cache<T> {
+  entries: Map<string, T>;
+
+  /**
+   * Create a new cache.
+   */
+  constructor() {
+    this.entries = new Map<string, T>();
+  }
+
+  /**
+   * Clear the cache.
+   */
+  clear() {
+    this.entries.clear();
+  }
+
+  /**
+   * Create a cache key from the address and username.
+   */
+  cacheKey(address: string, username: string, callbackHash: string): string {
+    return JSON.stringify([address, username, callbackHash]);
+  }
+}

package/src/cmap/auth/mongodb_oidc/callback_lock_cache.ts

@@ -0,0 +1,107 @@
+import { MongoInvalidArgumentError } from '../../../error';
+import type { Connection } from '../../connection';
+import type { MongoCredentials } from '../mongo_credentials';
+import type {
+  IdPServerInfo,
+  IdPServerResponse,
+  OIDCCallbackContext,
+  OIDCRefreshFunction,
+  OIDCRequestFunction
+} from '../mongodb_oidc';
+import { Cache } from './cache';
+
+/** Error message for when request callback is missing. */
+const REQUEST_CALLBACK_REQUIRED_ERROR =
+  'Auth mechanism property REQUEST_TOKEN_CALLBACK is required.';
+/* Counter for function "hashes".*/
+let FN_HASH_COUNTER = 0;
+/* No function present function */
+const NO_FUNCTION: OIDCRequestFunction = async () => ({ accessToken: 'test' });
+/* The map of function hashes */
+const FN_HASHES = new WeakMap<OIDCRequestFunction | OIDCRefreshFunction, number>();
+/* Put the no function hash in the map. */
+FN_HASHES.set(NO_FUNCTION, FN_HASH_COUNTER);
+
+/**
+ * An entry of callbacks in the cache.
+ */
+interface CallbacksEntry {
+  requestCallback: OIDCRequestFunction;
+  refreshCallback?: OIDCRefreshFunction;
+  callbackHash: string;
+}
+
+/**
+ * A cache of request and refresh callbacks per server/user.
+ */
+export class CallbackLockCache extends Cache<CallbacksEntry> {
+  /**
+   * Get the callbacks for the connection and credentials. If an entry does not
+   * exist a new one will get set.
+   */
+  getCallbacks(connection: Connection, credentials: MongoCredentials): CallbacksEntry {
+    const requestCallback = credentials.mechanismProperties.REQUEST_TOKEN_CALLBACK;
+    const refreshCallback = credentials.mechanismProperties.REFRESH_TOKEN_CALLBACK;
+    if (!requestCallback) {
+      throw new MongoInvalidArgumentError(REQUEST_CALLBACK_REQUIRED_ERROR);
+    }
+    const callbackHash = hashFunctions(requestCallback, refreshCallback);
+    const key = this.cacheKey(connection.address, credentials.username, callbackHash);
+    const entry = this.entries.get(key);
+    if (entry) {
+      return entry;
+    }
+    return this.setCallbacks(key, callbackHash, requestCallback, refreshCallback);
+  }
+
+  /**
+   * Set locked callbacks on for connection and credentials.
+   */
+  private setCallbacks(
+    key: string,
+    callbackHash: string,
+    requestCallback: OIDCRequestFunction,
+    refreshCallback?: OIDCRefreshFunction
+  ): CallbacksEntry {
+    const entry = {
+      requestCallback: withLock(requestCallback),
+      refreshCallback: refreshCallback ? withLock(refreshCallback) : undefined,
+      callbackHash: callbackHash
+    };
+    this.entries.set(key, entry);
+    return entry;
+  }
+}
+
+/**
+ * Ensure the callback is only executed one at a time.
+ */
+function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) {
+  let lock: Promise<any> = Promise.resolve();
+  return async (info: IdPServerInfo, context: OIDCCallbackContext): Promise<IdPServerResponse> => {
+    await lock;
+    lock = lock.then(() => callback(info, context));
+    return lock;
+  };
+}
+
+/**
+ * Get the hash string for the request and refresh functions.
+ */
+function hashFunctions(requestFn: OIDCRequestFunction, refreshFn?: OIDCRefreshFunction): string {
+  let requestHash = FN_HASHES.get(requestFn);
+  let refreshHash = FN_HASHES.get(refreshFn ?? NO_FUNCTION);
+  if (requestHash == null) {
+    // Create a new one for the function and put it in the map.
+    FN_HASH_COUNTER++;
+    requestHash = FN_HASH_COUNTER;
+    FN_HASHES.set(requestFn, FN_HASH_COUNTER);
+  }
+  if (refreshHash == null && refreshFn) {
+    // Create a new one for the function and put it in the map.
+    FN_HASH_COUNTER++;
+    refreshHash = FN_HASH_COUNTER;
+    FN_HASHES.set(refreshFn, FN_HASH_COUNTER);
+  }
+  return `${requestHash}-${refreshHash}`;
+}