mongodb 6.16.0 → 6.17.0-dev.20250605.sha.57ef31be

package/src/bulk/common.ts

@@ -19,6 +19,7 @@ import { makeUpdateStatement, UpdateOperation, type UpdateStatement } from '../o
 import type { Server } from '../sdam/server';
 import type { Topology } from '../sdam/topology';
 import type { ClientSession } from '../sessions';
+import { type Sort } from '../sort';
 import { type TimeoutContext } from '../timeout';
 import {
   applyRetryableWrites,
@@ -68,7 +69,7 @@ export interface DeleteManyModel<TSchema extends Document = Document> {
 
 /** @public */
 export interface ReplaceOneModel<TSchema extends Document = Document> {
-  /** The filter to limit the replaced document. */
+  /** The filter that specifies which document to replace. In the case of multiple matches, the first document matched is replaced. */
   filter: Filter<TSchema>;
   /** The document with which to replace the matched document. */
   replacement: WithoutId<TSchema>;
@@ -78,11 +79,13 @@ export interface ReplaceOneModel<TSchema extends Document = Document> {
   hint?: Hint;
   /** When true, creates a new document if no document matches the query. */
   upsert?: boolean;
+  /** Specifies the sort order for the documents matched by the filter. */
+  sort?: Sort;
 }
 
 /** @public */
 export interface UpdateOneModel<TSchema extends Document = Document> {
-  /** The filter to limit the updated documents. */
+  /** The filter that specifies which document to update. In the case of multiple matches, the first document matched is updated. */
   filter: Filter<TSchema>;
   /**
    * The modifications to apply. The value can be either:
@@ -98,6 +101,8 @@ export interface UpdateOneModel<TSchema extends Document = Document> {
   hint?: Hint;
   /** When true, creates a new document if no document matches the query. */
   upsert?: boolean;
+  /** Specifies the sort order for the documents matched by the filter. */
+  sort?: Sort;
 }
 
 /** @public */
@@ -252,7 +257,7 @@ export class BulkWriteResult {
     return this.result.writeErrors.length > 0;
   }
 
-  /** Returns the number of write errors off the bulk operation */
+  /** Returns the number of write errors from the bulk operation */
   getWriteErrorCount(): number {
     return this.result.writeErrors.length;
   }
@@ -700,7 +705,7 @@ export class FindOperators {
 
   /** Add a single update operation to the bulk operation */
   updateOne(updateDocument: Document | Document[]): BulkOperationBase {
-    if (!hasAtomicOperators(updateDocument)) {
+    if (!hasAtomicOperators(updateDocument, this.bulkOperation.bsonOptions)) {
       throw new MongoInvalidArgumentError('Update document requires atomic operators');
     }
 
@@ -889,16 +894,14 @@ export abstract class BulkOperationBase {
   /** @internal */
   s: BulkOperationPrivate;
   operationId?: number;
+  private collection: Collection;
 
   /**
    * Create a new OrderedBulkOperation or UnorderedBulkOperation instance
    * @internal
    */
-  constructor(
-    private collection: Collection,
-    options: BulkWriteOptions,
-    isOrdered: boolean
-  ) {
+  constructor(collection: Collection, options: BulkWriteOptions, isOrdered: boolean) {
+    this.collection = collection;
     // determine whether bulkOperation is ordered or unordered
     this.isOrdered = isOrdered;
 
@@ -1110,7 +1113,7 @@ export abstract class BulkOperationBase {
           ...op.updateOne,
           multi: false
         });
-        if (!hasAtomicOperators(updateStatement.u)) {
+        if (!hasAtomicOperators(updateStatement.u, this.bsonOptions)) {
           throw new MongoInvalidArgumentError('Update document requires atomic operators');
         }
         return this.addToOperationsList(BatchType.UPDATE, updateStatement);
@@ -1124,7 +1127,7 @@ export abstract class BulkOperationBase {
           ...op.updateMany,
           multi: true
         });
-        if (!hasAtomicOperators(updateStatement.u)) {
+        if (!hasAtomicOperators(updateStatement.u, this.bsonOptions)) {
           throw new MongoInvalidArgumentError('Update document requires atomic operators');
         }
         return this.addToOperationsList(BatchType.UPDATE, updateStatement);

package/src/change_stream.ts

@@ -205,6 +205,16 @@ export interface ChangeStreamDocumentCommon {
   splitEvent?: ChangeStreamSplitEvent;
 }
 
+/** @public */
+export interface ChangeStreamDocumentWallTime {
+  /**
+   * The server date and time of the database operation.
+   * wallTime differs from clusterTime in that clusterTime is a timestamp taken from the oplog entry associated with the database operation event.
+   * @sinceServerVersion 6.0.0
+   */
+  wallTime?: Date;
+}
+
 /** @public */
 export interface ChangeStreamDocumentCollectionUUID {
   /**
@@ -239,7 +249,8 @@ export interface ChangeStreamDocumentOperationDescription {
 export interface ChangeStreamInsertDocument<TSchema extends Document = Document>
   extends ChangeStreamDocumentCommon,
     ChangeStreamDocumentKey<TSchema>,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'insert';
   /** This key will contain the document being inserted */
@@ -255,7 +266,8 @@ export interface ChangeStreamInsertDocument<TSchema extends Document = Document>
 export interface ChangeStreamUpdateDocument<TSchema extends Document = Document>
   extends ChangeStreamDocumentCommon,
     ChangeStreamDocumentKey<TSchema>,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'update';
   /**
@@ -285,7 +297,8 @@ export interface ChangeStreamUpdateDocument<TSchema extends Document = Document>
  */
 export interface ChangeStreamReplaceDocument<TSchema extends Document = Document>
   extends ChangeStreamDocumentCommon,
-    ChangeStreamDocumentKey<TSchema> {
+    ChangeStreamDocumentKey<TSchema>,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'replace';
   /** The fullDocument of a replace event represents the document after the insert of the replacement document */
@@ -309,7 +322,8 @@ export interface ChangeStreamReplaceDocument<TSchema extends Document = Document
 export interface ChangeStreamDeleteDocument<TSchema extends Document = Document>
   extends ChangeStreamDocumentCommon,
     ChangeStreamDocumentKey<TSchema>,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'delete';
   /** Namespace the delete event occurred on */
@@ -330,7 +344,8 @@ export interface ChangeStreamDeleteDocument<TSchema extends Document = Document>
  */
 export interface ChangeStreamDropDocument
   extends ChangeStreamDocumentCommon,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'drop';
   /** Namespace the drop event occurred on */
@@ -343,7 +358,8 @@ export interface ChangeStreamDropDocument
  */
 export interface ChangeStreamRenameDocument
   extends ChangeStreamDocumentCommon,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'rename';
   /** The new name for the `ns.coll` collection */
@@ -356,7 +372,9 @@ export interface ChangeStreamRenameDocument
  * @public
  * @see https://www.mongodb.com/docs/manual/reference/change-events/#dropdatabase-event
  */
-export interface ChangeStreamDropDatabaseDocument extends ChangeStreamDocumentCommon {
+export interface ChangeStreamDropDatabaseDocument
+  extends ChangeStreamDocumentCommon,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'dropDatabase';
   /** The database dropped */
@@ -367,7 +385,9 @@ export interface ChangeStreamDropDatabaseDocument extends ChangeStreamDocumentCo
  * @public
  * @see https://www.mongodb.com/docs/manual/reference/change-events/#invalidate-event
  */
-export interface ChangeStreamInvalidateDocument extends ChangeStreamDocumentCommon {
+export interface ChangeStreamInvalidateDocument
+  extends ChangeStreamDocumentCommon,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'invalidate';
 }
@@ -380,7 +400,8 @@ export interface ChangeStreamInvalidateDocument extends ChangeStreamDocumentComm
 export interface ChangeStreamCreateIndexDocument
   extends ChangeStreamDocumentCommon,
     ChangeStreamDocumentCollectionUUID,
-    ChangeStreamDocumentOperationDescription {
+    ChangeStreamDocumentOperationDescription,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'createIndexes';
 }
@@ -393,7 +414,8 @@ export interface ChangeStreamCreateIndexDocument
 export interface ChangeStreamDropIndexDocument
   extends ChangeStreamDocumentCommon,
     ChangeStreamDocumentCollectionUUID,
-    ChangeStreamDocumentOperationDescription {
+    ChangeStreamDocumentOperationDescription,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'dropIndexes';
 }
@@ -405,7 +427,8 @@ export interface ChangeStreamDropIndexDocument
  */
 export interface ChangeStreamCollModDocument
   extends ChangeStreamDocumentCommon,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'modify';
 }
@@ -416,7 +439,8 @@ export interface ChangeStreamCollModDocument
  */
 export interface ChangeStreamCreateDocument
   extends ChangeStreamDocumentCommon,
-    ChangeStreamDocumentCollectionUUID {
+    ChangeStreamDocumentCollectionUUID,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'create';
 
@@ -435,7 +459,8 @@ export interface ChangeStreamCreateDocument
 export interface ChangeStreamShardCollectionDocument
   extends ChangeStreamDocumentCommon,
     ChangeStreamDocumentCollectionUUID,
-    ChangeStreamDocumentOperationDescription {
+    ChangeStreamDocumentOperationDescription,
+    ChangeStreamDocumentWallTime {
   /** Describes the type of operation represented in this change notification */
   operationType: 'shardCollection';
 }

package/src/client-side-encryption/auto_encrypter.ts

@@ -52,6 +52,10 @@ export interface AutoEncryptionOptions {
   bypassAutoEncryption?: boolean;
   /** Allows users to bypass query analysis */
   bypassQueryAnalysis?: boolean;
+  /**
+   * Sets the expiration time for the DEK in the cache in milliseconds. Defaults to 60000.  0 means no timeout.
+   */
+  keyExpirationMS?: number;
   options?: {
     /** An optional hook to catch logging messages from the underlying encryption engine */
     logger?: (level: AutoEncryptionLoggerLevel, message: string) => void;
@@ -285,6 +289,10 @@ export class AutoEncrypter {
       mongoCryptOptions.bypassQueryAnalysis = options.bypassQueryAnalysis;
     }
 
+    if (options.keyExpirationMS != null) {
+      mongoCryptOptions.keyExpirationMS = options.keyExpirationMS;
+    }
+
     this._bypassMongocryptdAndCryptShared = this._bypassEncryption || !!options.bypassQueryAnalysis;
 
     if (options.extraOptions && options.extraOptions.cryptSharedLibSearchPaths) {
@@ -375,8 +383,8 @@ export class AutoEncrypter {
   /**
    * Cleans up the `_mongocryptdClient`, if present.
    */
-  async teardown(force: boolean): Promise<void> {
-    await this._mongocryptdClient?.close(force);
+  async close(): Promise<void> {
+    await this._mongocryptdClient?.close();
   }
 
   /**

package/src/client-side-encryption/client_encryption.ts

@@ -885,6 +885,11 @@ export interface ClientEncryptionOptions {
    */
   tlsOptions?: CSFLEKMSTlsOptions;
 
+  /**
+   * Sets the expiration time for the DEK in the cache in milliseconds. Defaults to 60000. 0 means no timeout.
+   */
+  keyExpirationMS?: number;
+
   /**
    * @experimental
    *

package/src/client-side-encryption/state_machine.ts

@@ -186,10 +186,13 @@ export type StateMachineOptions = {
  */
 // TODO(DRIVERS-2671): clarify CSOT behavior for FLE APIs
 export class StateMachine {
-  constructor(
-    private options: StateMachineOptions,
-    private bsonOptions = pluckBSONSerializeOptions(options)
-  ) {}
+  private options: StateMachineOptions;
+  private bsonOptions: BSONSerializeOptions;
+
+  constructor(options: StateMachineOptions, bsonOptions = pluckBSONSerializeOptions(options)) {
+    this.options = options;
+    this.bsonOptions = bsonOptions;
+  }
 
   /**
    * Executes the state machine according to the specification
@@ -275,7 +278,7 @@ export class StateMachine {
             // See docs on EMPTY_V
             result = EMPTY_V ??= serialize({ v: [] });
           }
-          for await (const key of keys) {
+          for (const key of keys) {
             context.addMongoOperationResponse(serialize(key));
           }
 

package/src/cmap/auth/mongodb_oidc/automated_callback_workflow.ts

@@ -34,6 +34,9 @@ export class AutomatedCallbackWorkflow extends CallbackWorkflow {
     // If the server fails for any other reason, do not clear the cache.
     if (this.cache.hasAccessToken) {
       const token = this.cache.getAccessToken();
+      if (!connection.accessToken) {
+        connection.accessToken = token;
+      }
       try {
         return await this.finishAuthentication(connection, credentials, token);
       } catch (error) {
@@ -66,6 +69,9 @@ export class AutomatedCallbackWorkflow extends CallbackWorkflow {
     if (credentials.username) {
       params.username = credentials.username;
     }
+    if (credentials.mechanismProperties.TOKEN_RESOURCE) {
+      params.tokenAudience = credentials.mechanismProperties.TOKEN_RESOURCE;
+    }
     const timeout = Timeout.expires(AUTOMATED_TIMEOUT_MS);
     try {
       return await Promise.race([this.executeAndValidateCallback(params), timeout]);

package/src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts

@@ -1,9 +1,7 @@
 import { addAzureParams, AZURE_BASE_URL } from '../../../client-side-encryption/providers/azure';
 import { MongoAzureError } from '../../../error';
 import { get } from '../../../utils';
-import type { MongoCredentials } from '../mongo_credentials';
-import { type AccessToken, MachineWorkflow } from './machine_workflow';
-import { type TokenCache } from './token_cache';
+import type { OIDCCallbackFunction, OIDCCallbackParams, OIDCResponse } from '../mongodb_oidc';
 
 /** Azure request headers. */
 const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
@@ -17,39 +15,29 @@ const TOKEN_RESOURCE_MISSING_ERROR =
   'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure.';
 
 /**
- * Device workflow implementation for Azure.
- *
- * @internal
+ * The callback function to be used in the automated callback workflow.
+ * @param params - The OIDC callback parameters.
+ * @returns The OIDC response.
  */
-export class AzureMachineWorkflow extends MachineWorkflow {
-  /**
-   * Instantiate the machine workflow.
-   */
-  constructor(cache: TokenCache) {
-    super(cache);
+export const callback: OIDCCallbackFunction = async (
+  params: OIDCCallbackParams
+): Promise<OIDCResponse> => {
+  const tokenAudience = params.tokenAudience;
+  const username = params.username;
+  if (!tokenAudience) {
+    throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
   }
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
-    const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
-    const username = credentials?.username;
-    if (!tokenAudience) {
-      throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
-    }
-    const response = await getAzureTokenData(tokenAudience, username);
-    if (!isEndpointResultValid(response)) {
-      throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
-    }
-    return response;
+  const response = await getAzureTokenData(tokenAudience, username);
+  if (!isEndpointResultValid(response)) {
+    throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
   }
-}
+  return response;
+};
 
 /**
  * Hit the Azure endpoint to get the token data.
  */
-async function getAzureTokenData(tokenAudience: string, username?: string): Promise<AccessToken> {
+async function getAzureTokenData(tokenAudience: string, username?: string): Promise<OIDCResponse> {
   const url = new URL(AZURE_BASE_URL);
   addAzureParams(url, tokenAudience, username);
   const response = await get(url, {
@@ -62,8 +50,8 @@ async function getAzureTokenData(tokenAudience: string, username?: string): Prom
   }
   const result = JSON.parse(response.body);
   return {
-    access_token: result.access_token,
-    expires_in: Number(result.expires_in)
+    accessToken: result.access_token,
+    expiresInSeconds: Number(result.expires_in)
   };
 }
 
@@ -77,9 +65,9 @@ function isEndpointResultValid(
 ): token is { access_token: unknown; expires_in: unknown } {
   if (token == null || typeof token !== 'object') return false;
   return (
-    'access_token' in token &&
-    typeof token.access_token === 'string' &&
-    'expires_in' in token &&
-    typeof token.expires_in === 'number'
+    'accessToken' in token &&
+    typeof token.accessToken === 'string' &&
+    'expiresInSeconds' in token &&
+    typeof token.expiresInSeconds === 'number'
   );
 }

package/src/cmap/auth/mongodb_oidc/gcp_machine_workflow.ts

@@ -1,8 +1,6 @@
 import { MongoGCPError } from '../../../error';
 import { get } from '../../../utils';
-import { type MongoCredentials } from '../mongo_credentials';
-import { type AccessToken, MachineWorkflow } from './machine_workflow';
-import { type TokenCache } from './token_cache';
+import type { OIDCCallbackFunction, OIDCCallbackParams, OIDCResponse } from '../mongodb_oidc';
 
 /** GCP base URL. */
 const GCP_BASE_URL =
@@ -15,30 +13,25 @@ const GCP_HEADERS = Object.freeze({ 'Metadata-Flavor': 'Google' });
 const TOKEN_RESOURCE_MISSING_ERROR =
   'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is gcp.';
 
-export class GCPMachineWorkflow extends MachineWorkflow {
-  /**
-   * Instantiate the machine workflow.
-   */
-  constructor(cache: TokenCache) {
-    super(cache);
-  }
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
-    const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
-    if (!tokenAudience) {
-      throw new MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
-    }
-    return await getGcpTokenData(tokenAudience);
+/**
+ * The callback function to be used in the automated callback workflow.
+ * @param params - The OIDC callback parameters.
+ * @returns The OIDC response.
+ */
+export const callback: OIDCCallbackFunction = async (
+  params: OIDCCallbackParams
+): Promise<OIDCResponse> => {
+  const tokenAudience = params.tokenAudience;
+  if (!tokenAudience) {
+    throw new MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
   }
-}
+  return await getGcpTokenData(tokenAudience);
+};
 
 /**
  * Hit the GCP endpoint to get the token data.
  */
-async function getGcpTokenData(tokenAudience: string): Promise<AccessToken> {
+async function getGcpTokenData(tokenAudience: string): Promise<OIDCResponse> {
   const url = new URL(GCP_BASE_URL);
   url.searchParams.append('audience', tokenAudience);
   const response = await get(url, {
@@ -49,5 +42,5 @@ async function getGcpTokenData(tokenAudience: string): Promise<AccessToken> {
       `Status code ${response.status} returned from the GCP endpoint. Response body: ${response.body}`
     );
   }
-  return { access_token: response.body };
+  return { accessToken: response.body };
 }

package/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts

@@ -1,7 +1,6 @@
 import { readFile } from 'fs/promises';
 
-import { type AccessToken, MachineWorkflow } from './machine_workflow';
-import { type TokenCache } from './token_cache';
+import type { OIDCCallbackFunction, OIDCResponse } from '../mongodb_oidc';
 
 /** The fallback file name */
 const FALLBACK_FILENAME = '/var/run/secrets/kubernetes.io/serviceaccount/token';
@@ -12,27 +11,20 @@ const AZURE_FILENAME = 'AZURE_FEDERATED_TOKEN_FILE';
 /** The AWS environment variable for the file name. */
 const AWS_FILENAME = 'AWS_WEB_IDENTITY_TOKEN_FILE';
 
-export class K8SMachineWorkflow extends MachineWorkflow {
-  /**
-   * Instantiate the machine workflow.
-   */
-  constructor(cache: TokenCache) {
-    super(cache);
+/**
+ * The callback function to be used in the automated callback workflow.
+ * @param params - The OIDC callback parameters.
+ * @returns The OIDC response.
+ */
+export const callback: OIDCCallbackFunction = async (): Promise<OIDCResponse> => {
+  let filename: string;
+  if (process.env[AZURE_FILENAME]) {
+    filename = process.env[AZURE_FILENAME];
+  } else if (process.env[AWS_FILENAME]) {
+    filename = process.env[AWS_FILENAME];
+  } else {
+    filename = FALLBACK_FILENAME;
   }
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(): Promise<AccessToken> {
-    let filename: string;
-    if (process.env[AZURE_FILENAME]) {
-      filename = process.env[AZURE_FILENAME];
-    } else if (process.env[AWS_FILENAME]) {
-      filename = process.env[AWS_FILENAME];
-    } else {
-      filename = FALLBACK_FILENAME;
-    }
-    const token = await readFile(filename, 'utf8');
-    return { access_token: token };
-  }
-}
+  const token = await readFile(filename, 'utf8');
+  return { accessToken: token };
+};

package/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts

@@ -1,34 +1,21 @@
 import * as fs from 'fs';
 
 import { MongoAWSError } from '../../../error';
-import { type AccessToken, MachineWorkflow } from './machine_workflow';
-import { type TokenCache } from './token_cache';
+import type { OIDCCallbackFunction, OIDCResponse } from '../mongodb_oidc';
 
 /** Error for when the token is missing in the environment. */
 const TOKEN_MISSING_ERROR = 'OIDC_TOKEN_FILE must be set in the environment.';
 
 /**
- * Device workflow implementation for AWS.
- *
- * @internal
+ * The callback function to be used in the automated callback workflow.
+ * @param params - The OIDC callback parameters.
+ * @returns The OIDC response.
  */
-export class TokenMachineWorkflow extends MachineWorkflow {
-  /**
-   * Instantiate the machine workflow.
-   */
-  constructor(cache: TokenCache) {
-    super(cache);
+export const callback: OIDCCallbackFunction = async (): Promise<OIDCResponse> => {
+  const tokenFile = process.env.OIDC_TOKEN_FILE;
+  if (!tokenFile) {
+    throw new MongoAWSError(TOKEN_MISSING_ERROR);
   }
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(): Promise<AccessToken> {
-    const tokenFile = process.env.OIDC_TOKEN_FILE;
-    if (!tokenFile) {
-      throw new MongoAWSError(TOKEN_MISSING_ERROR);
-    }
-    const token = await fs.promises.readFile(tokenFile, 'utf8');
-    return { access_token: token };
-  }
-}
+  const token = await fs.promises.readFile(tokenFile, 'utf8');
+  return { accessToken: token };
+};

package/src/cmap/auth/mongodb_oidc.ts

@@ -4,11 +4,12 @@ import type { HandshakeDocument } from '../connect';
 import type { Connection } from '../connection';
 import { type AuthContext, AuthProvider } from './auth_provider';
 import type { MongoCredentials } from './mongo_credentials';
-import { AzureMachineWorkflow } from './mongodb_oidc/azure_machine_workflow';
-import { GCPMachineWorkflow } from './mongodb_oidc/gcp_machine_workflow';
-import { K8SMachineWorkflow } from './mongodb_oidc/k8s_machine_workflow';
+import { AutomatedCallbackWorkflow } from './mongodb_oidc/automated_callback_workflow';
+import { callback as azureCallback } from './mongodb_oidc/azure_machine_workflow';
+import { callback as gcpCallback } from './mongodb_oidc/gcp_machine_workflow';
+import { callback as k8sCallback } from './mongodb_oidc/k8s_machine_workflow';
 import { TokenCache } from './mongodb_oidc/token_cache';
-import { TokenMachineWorkflow } from './mongodb_oidc/token_machine_workflow';
+import { callback as testCallback } from './mongodb_oidc/token_machine_workflow';
 
 /** Error when credentials are missing. */
 const MISSING_CREDENTIALS_ERROR = 'AuthContext must provide credentials.';
@@ -78,6 +79,8 @@ export interface OIDCCallbackParams {
   idpInfo?: IdPInfo;
   /** The refresh token, if applicable, to be used by the callback to request a new token from the issuer. */
   refreshToken?: string;
+  /** The token audience for GCP and Azure. */
+  tokenAudience?: string;
 }
 
 /**
@@ -93,6 +96,8 @@ type EnvironmentName = 'test' | 'azure' | 'gcp' | 'k8s' | undefined;
 
 /** @internal */
 export interface Workflow {
+  cache: TokenCache;
+
   /**
    * All device workflows must implement this method in order to get the access
    * token and then call authenticate with it.
@@ -116,10 +121,10 @@ export interface Workflow {
 
 /** @internal */
 export const OIDC_WORKFLOWS: Map<EnvironmentName, () => Workflow> = new Map();
-OIDC_WORKFLOWS.set('test', () => new TokenMachineWorkflow(new TokenCache()));
-OIDC_WORKFLOWS.set('azure', () => new AzureMachineWorkflow(new TokenCache()));
-OIDC_WORKFLOWS.set('gcp', () => new GCPMachineWorkflow(new TokenCache()));
-OIDC_WORKFLOWS.set('k8s', () => new K8SMachineWorkflow(new TokenCache()));
+OIDC_WORKFLOWS.set('test', () => new AutomatedCallbackWorkflow(new TokenCache(), testCallback));
+OIDC_WORKFLOWS.set('azure', () => new AutomatedCallbackWorkflow(new TokenCache(), azureCallback));
+OIDC_WORKFLOWS.set('gcp', () => new AutomatedCallbackWorkflow(new TokenCache(), gcpCallback));
+OIDC_WORKFLOWS.set('k8s', () => new AutomatedCallbackWorkflow(new TokenCache(), k8sCallback));
 
 /**
  * OIDC auth provider.