mongodb 6.16.0 → 6.17.0

package/mongodb.d.ts

@@ -770,6 +770,10 @@ export declare interface AutoEncryptionOptions {
     bypassAutoEncryption?: boolean;
     /** Allows users to bypass query analysis */
     bypassQueryAnalysis?: boolean;
+    /**
+     * Sets the expiration time for the DEK in the cache in milliseconds. Defaults to 60000.  0 means no timeout.
+     */
+    keyExpirationMS?: number;
     options?: {
         /** An optional hook to catch logging messages from the underlying encryption engine */
         logger?: (level: AutoEncryptionLoggerLevel, message: string) => void;
@@ -1142,7 +1146,7 @@ export declare class BulkWriteResult {
     getRawResponse(): Document;
     /** Returns true if the bulk operation contains a write error */
     hasWriteErrors(): boolean;
-    /** Returns the number of write errors off the bulk operation */
+    /** Returns the number of write errors from the bulk operation */
     getWriteErrorCount(): number;
     /** Returns a specific write error object */
     getWriteErrorAt(index: number): WriteError | undefined;
@@ -2164,6 +2168,10 @@ export declare interface ClientEncryptionOptions {
      * TLS options for kms providers to use.
      */
     tlsOptions?: CSFLEKMSTlsOptions;
+    /**
+     * Sets the expiration time for the DEK in the cache in milliseconds. Defaults to 60000. 0 means no timeout.
+     */
+    keyExpirationMS?: number;
     /**
      * @experimental
      *
@@ -2307,6 +2315,8 @@ export declare interface ClientReplaceOneModel<TSchema> extends ClientWriteModel
     hint?: Hint;
     /** When true, creates a new document if no document matches the query. */
     upsert?: boolean;
+    /** Specifies the sort order for the documents matched by the filter. */
+    sort?: Sort;
 }
 
 /**
@@ -2539,6 +2549,8 @@ export declare interface ClientUpdateOneModel<TSchema> extends ClientWriteModel
     hint?: Hint;
     /** When true, creates a new document if no document matches the query. */
     upsert?: boolean;
+    /** Specifies the sort order for the documents matched by the filter. */
+    sort?: Sort;
 }
 
 /** @public */
@@ -2739,7 +2751,9 @@ export declare class Collection<TSchema extends Document = Document> {
      * @param update - The modifications to apply
      * @param options - Optional settings for the command
      */
-    updateOne(filter: Filter<TSchema>, update: UpdateFilter<TSchema> | Document[], options?: UpdateOptions): Promise<UpdateResult<TSchema>>;
+    updateOne(filter: Filter<TSchema>, update: UpdateFilter<TSchema> | Document[], options?: UpdateOptions & {
+        sort?: Sort;
+    }): Promise<UpdateResult<TSchema>>;
     /**
      * Replace a document in a collection with another document
      *
@@ -5364,7 +5378,7 @@ export declare interface KMSProviders {
 /* Excluded from this release type: LegacyTimeoutContextOptions */
 
 /** @public */
-export declare const LEGAL_TCP_SOCKET_OPTIONS: readonly ["autoSelectFamily", "autoSelectFamilyAttemptTimeout", "family", "hints", "localAddress", "localPort", "lookup"];
+export declare const LEGAL_TCP_SOCKET_OPTIONS: readonly ["autoSelectFamily", "autoSelectFamilyAttemptTimeout", "keepAliveInitialDelay", "family", "hints", "localAddress", "localPort", "lookup"];
 
 /** @public */
 export declare const LEGAL_TLS_SOCKET_OPTIONS: readonly ["allowPartialTrustChain", "ALPNProtocols", "ca", "cert", "checkServerIdentity", "ciphers", "crl", "ecdhCurve", "key", "minDHSize", "passphrase", "pfx", "rejectUnauthorized", "secureContext", "secureProtocol", "servername", "session"];
@@ -5674,22 +5688,35 @@ export declare class MongoChangeStreamError extends MongoRuntimeError {
 }
 
 /**
- * The **MongoClient** class is a class that allows for making Connections to MongoDB.
  * @public
  *
+ * The **MongoClient** class is a class that allows for making Connections to MongoDB.
+ *
+ * **NOTE:** The programmatically provided options take precedence over the URI options.
+ *
  * @remarks
- * The programmatically provided options take precedence over the URI options.
+ *
+ * A MongoClient is the entry point to connecting to a MongoDB server.
+ *
+ * It handles a multitude of features on your application's behalf:
+ * - **Server Host Connection Configuration**: A MongoClient is responsible for reading TLS cert, ca, and crl files if provided.
+ * - **SRV Record Polling**: A "`mongodb+srv`" style connection string is used to have the MongoClient resolve DNS SRV records of all server hostnames which the driver periodically monitors for changes and adjusts its current view of hosts correspondingly.
+ * - **Server Monitoring**: The MongoClient automatically keeps monitoring the health of server nodes in your cluster to reach out to the correct and lowest latency one available.
+ * - **Connection Pooling**: To avoid paying the cost of rebuilding a connection to the server on every operation the MongoClient keeps idle connections preserved for reuse.
+ * - **Session Pooling**: The MongoClient creates logical sessions that enable retryable writes, causal consistency, and transactions. It handles pooling these sessions for reuse in subsequent operations.
+ * - **Cursor Operations**: A MongoClient's cursors use the health monitoring system to send the request for more documents to the same server the query began on.
+ * - **Mongocryptd process**: When using auto encryption, a MongoClient will launch a `mongocryptd` instance for handling encryption if the mongocrypt shared library isn't in use.
+ *
+ * There are many more features of a MongoClient that are not listed above.
+ *
+ * In order to enable these features, a number of asynchronous Node.js resources are established by the driver: Timers, FS Requests, Sockets, etc.
+ * For details on cleanup, please refer to the MongoClient `close()` documentation.
  *
  * @example
  * ```ts
  * import { MongoClient } from 'mongodb';
- *
  * // Enable command monitoring for debugging
- * const client = new MongoClient('mongodb://localhost:27017', { monitorCommands: true });
- *
- * client.on('commandStarted', started => console.log(started));
- * client.db().collection('pets');
- * await client.insertOne({ name: 'spot', kind: 'dog' });
+ * const client = new MongoClient('mongodb://localhost:27017?appName=mflix', { monitorCommands: true });
  * ```
  */
 export declare class MongoClient extends TypedEventEmitter<MongoClientEvents> implements AsyncDisposable_2 {
@@ -5741,19 +5768,51 @@ export declare class MongoClient extends TypedEventEmitter<MongoClientEvents> im
     connect(): Promise<this>;
     /* Excluded from this release type: _connect */
     /**
-     * Cleans up client-side resources used by the MongoCLient and .  This includes:
-     *
-     * - Closes all open, unused connections (see note).
-     * - Ends all in-use sessions with {@link ClientSession#endSession|ClientSession.endSession()}.
-     * - Ends all unused sessions server-side.
-     * - Cleans up any resources being used for auto encryption if auto encryption is enabled.
-     *
-     * @remarks Any in-progress operations are not killed and any connections used by in progress operations
-     * will be cleaned up lazily as operations finish.
-     *
-     * @param force - Force close, emitting no events
-     */
-    close(force?: boolean): Promise<void>;
+     * Cleans up resources managed by the MongoClient.
+     *
+     * The close method clears and closes all resources whose lifetimes are managed by the MongoClient.
+     * Please refer to the `MongoClient` class documentation for a high level overview of the client's key features and responsibilities.
+     *
+     * **However,** the close method does not handle the cleanup of resources explicitly created by the user.
+     * Any user-created driver resource with its own `close()` method should be explicitly closed by the user before calling MongoClient.close().
+     * This method is written as a "best effort" attempt to leave behind the least amount of resources server-side when possible.
+     *
+     * The following list defines ideal preconditions and consequent pitfalls if they are not met.
+     * The MongoClient, ClientSession, Cursors and ChangeStreams all support [explicit resource management](https://www.typescriptlang.org/docs/handbook/release-notes/typescript-5-2.html).
+     * By using explicit resource management to manage the lifetime of driver resources instead of manually managing their lifetimes, the pitfalls outlined below can be avoided.
+     *
+     * The close method performs the following in the order listed:
+     * - Client-side:
+     *   - **Close in-use connections**: Any connections that are currently waiting on a response from the server will be closed.
+     *     This is performed _first_ to avoid reaching the next step (server-side clean up) and having no available connections to check out.
+     *     - _Ideal_: All operations have been awaited or cancelled, and the outcomes, regardless of success or failure, have been processed before closing the client servicing the operation.
+     *     - _Pitfall_: When `client.close()` is called and all connections are in use, after closing them, the client must create new connections for cleanup operations, which comes at the cost of new TLS/TCP handshakes and authentication steps.
+     * - Server-side:
+     *   - **Close active cursors**: All cursors that haven't been completed will have a `killCursor` operation sent to the server they were initialized on, freeing the server-side resource.
+     *     - _Ideal_: Cursors are explicitly closed or completed before `client.close()` is called.
+     *     - _Pitfall_: `killCursors` may have to build a new connection if the in-use closure ended all pooled connections.
+     *   - **End active sessions**: In-use sessions created with `client.startSession()` or `client.withSession()` or implicitly by the driver will have their `.endSession()` method called.
+     *     Contrary to the name of the method, `endSession()` returns the session to the client's pool of sessions rather than end them on the server.
+     *     - _Ideal_: Transaction outcomes are awaited and their corresponding explicit sessions are ended before `client.close()` is called.
+     *     - _Pitfall_: **This step aborts in-progress transactions**. It is advisable to observe the outcome of a transaction before closing your client.
+     *   - **End all pooled sessions**: The `endSessions` command with all session IDs the client has pooled is sent to the server to inform the cluster it can clean them up.
+     *     - _Ideal_: No user intervention is expected.
+     *     - _Pitfall_: None.
+     *
+     * The remaining shutdown is of the MongoClient resources that are intended to be entirely internal but is documented here as their existence relates to the JS event loop.
+     *
+     * - Client-side (again):
+     *   - **Stop all server monitoring**: Connections kept live for detecting cluster changes and roundtrip time measurements are shutdown.
+     *   - **Close all pooled connections**: Each server node in the cluster has a corresponding connection pool and all connections in the pool are closed. Any operations waiting to check out a connection will have an error thrown instead of a connection returned.
+     *   - **Clear out server selection queue**: Any operations that are in the process of waiting for a server to be selected will have an error thrown instead of a server returned.
+     *   - **Close encryption-related resources**: An internal MongoClient created for communicating with `mongocryptd` or other encryption purposes is closed. (Using this same method of course!)
+     *
+     * After the close method completes there should be no MongoClient related resources [ref-ed in Node.js' event loop](https://docs.libuv.org/en/v1.x/handle.html#reference-counting).
+     * This should allow Node.js to exit gracefully if MongoClient resources were the only active handles in the event loop.
+     *
+     * @param _force - currently an unused flag that has no effect. Defaults to `false`.
+     */
+    close(_force?: boolean): Promise<void>;
     private _close;
     /**
      * Create a new Db instance sharing the current socket connections.
@@ -5946,6 +6005,29 @@ export declare class MongoClientBulkWriteExecutionError extends MongoRuntimeErro
     get name(): string;
 }
 
+/**
+ * An error generated when the MongoClient is closed and async
+ * operations are interrupted.
+ *
+ * @public
+ * @category Error
+ */
+export declare class MongoClientClosedError extends MongoAPIError {
+    /**
+     * **Do not use this constructor!**
+     *
+     * Meant for internal use only.
+     *
+     * @remarks
+     * This class is only meant to be constructed within the driver. This constructor is
+     * not subject to semantic versioning compatibility guarantees and may change at any time.
+     *
+     * @public
+     **/
+    constructor();
+    get name(): string;
+}
+
 /** @public */
 export declare type MongoClientEvents = Pick<TopologyEvents, (typeof MONGO_CLIENT_EVENTS)[number]> & {
     open(mongoClient: MongoClient): void;
@@ -7345,6 +7427,8 @@ export declare interface OIDCCallbackParams {
     idpInfo?: IdPInfo;
     /** The refresh token, if applicable, to be used by the callback to request a new token from the issuer. */
     refreshToken?: string;
+    /** The token audience for GCP and Azure. */
+    tokenAudience?: string;
 }
 
 /**
@@ -7678,7 +7762,7 @@ export declare interface RenameOptions extends CommandOperationOptions {
 
 /** @public */
 export declare interface ReplaceOneModel<TSchema extends Document = Document> {
-    /** The filter to limit the replaced document. */
+    /** The filter that specifies which document to replace. In the case of multiple matches, the first document matched is replaced. */
     filter: Filter<TSchema>;
     /** The document with which to replace the matched document. */
     replacement: WithoutId<TSchema>;
@@ -7688,6 +7772,8 @@ export declare interface ReplaceOneModel<TSchema extends Document = Document> {
     hint?: Hint;
     /** When true, creates a new document if no document matches the query. */
     upsert?: boolean;
+    /** Specifies the sort order for the documents matched by the filter. */
+    sort?: Sort;
 }
 
 /** @public */
@@ -7702,6 +7788,8 @@ export declare interface ReplaceOptions extends CommandOperationOptions {
     upsert?: boolean;
     /** Map of parameter names and values that can be accessed using $$var (requires MongoDB 5.0). */
     let?: Document;
+    /** Specifies the sort order for the documents matched by the filter. */
+    sort?: Sort;
 }
 
 /**
@@ -8214,19 +8302,24 @@ export declare type SeverityLevel = (typeof SeverityLevel)[keyof typeof Severity
 
 /** @public */
 export declare type Sort = string | Exclude<SortDirection, {
-    $meta: string;
-}> | string[] | {
-    [key: string]: SortDirection;
-} | Map<string, SortDirection> | [string, SortDirection][] | [string, SortDirection];
+    readonly $meta: string;
+}> | ReadonlyArray<string> | {
+    readonly [key: string]: SortDirection;
+} | ReadonlyMap<string, SortDirection> | ReadonlyArray<readonly [string, SortDirection]> | readonly [string, SortDirection];
 
 /** @public */
 export declare type SortDirection = 1 | -1 | 'asc' | 'desc' | 'ascending' | 'descending' | {
-    $meta: string;
+    readonly $meta: string;
 };
 
-/* Excluded from this release type: SortDirectionForCmd */
+/** Below stricter types were created for sort that correspond with type that the cmd takes  */
+/** @public */
+export declare type SortDirectionForCmd = 1 | -1 | {
+    $meta: string;
+};
 
-/* Excluded from this release type: SortForCmd */
+/** @public */
+export declare type SortForCmd = Map<string, SortDirectionForCmd>;
 
 /* Excluded from this release type: SrvPoller */
 
@@ -8327,6 +8420,8 @@ export declare type SupportedNodeConnectionOptions = SupportedTLSConnectionOptio
 export declare type SupportedSocketOptions = Pick<TcpNetConnectOpts & {
     autoSelectFamily?: boolean;
     autoSelectFamilyAttemptTimeout?: number;
+    /** Node.JS socket option to set the time the first keepalive probe is sent on an idle socket. Defaults to 120000ms */
+    keepAliveInitialDelay?: number;
 }, (typeof LEGAL_TCP_SOCKET_OPTIONS)[number]>;
 
 /** @public */
@@ -8694,7 +8789,7 @@ export declare interface UpdateManyModel<TSchema extends Document = Document> {
 
 /** @public */
 export declare interface UpdateOneModel<TSchema extends Document = Document> {
-    /** The filter to limit the updated documents. */
+    /** The filter that specifies which document to update. In the case of multiple matches, the first document matched is updated. */
     filter: Filter<TSchema>;
     /**
      * The modifications to apply. The value can be either:
@@ -8710,6 +8805,8 @@ export declare interface UpdateOneModel<TSchema extends Document = Document> {
     hint?: Hint;
     /** When true, creates a new document if no document matches the query. */
     upsert?: boolean;
+    /** Specifies the sort order for the documents matched by the filter. */
+    sort?: Sort;
 }
 
 /** @public */
@@ -8761,6 +8858,8 @@ export declare interface UpdateStatement {
     arrayFilters?: Document[];
     /** A document or string that specifies the index to use to support the query predicate. */
     hint?: Hint;
+    /** Specifies the sort order for the documents matched by the filter. */
+    sort?: SortForCmd;
 }
 
 export { UUID }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mongodb",
-  "version": "6.16.0",
+  "version": "6.17.0",
   "description": "The official MongoDB driver for Node.js",
   "main": "lib/index.js",
   "files": [
@@ -26,7 +26,7 @@
   },
   "dependencies": {
     "@mongodb-js/saslprep": "^1.1.9",
-    "bson": "^6.10.3",
+    "bson": "^6.10.4",
     "mongodb-connection-string-url": "^3.0.0"
   },
   "peerDependencies": {
@@ -65,43 +65,43 @@
     "@aws-sdk/credential-providers": "^3.632.0",
     "@iarna/toml": "^2.2.5",
     "@istanbuljs/nyc-config-typescript": "^1.0.2",
-    "@microsoft/api-extractor": "^7.49.2",
+    "@microsoft/api-extractor": "^7.52.5",
     "@microsoft/tsdoc-config": "^0.17.1",
-    "@mongodb-js/zstd": "^2.0.0",
+    "@mongodb-js/zstd": "^2.0.1",
     "@types/chai": "^4.3.17",
     "@types/chai-subset": "^1.3.5",
-    "@types/express": "^4.17.21",
+    "@types/express": "^5.0.1",
     "@types/kerberos": "^1.1.5",
     "@types/mocha": "^10.0.9",
-    "@types/node": "^22.13.0",
+    "@types/node": "^22.15.3",
     "@types/saslprep": "^1.0.3",
-    "@types/semver": "^7.5.8",
-    "@types/sinon": "^17.0.3",
-    "@types/sinon-chai": "^3.2.12",
-    "@types/whatwg-url": "^11.0.5",
-    "@typescript-eslint/eslint-plugin": "8.4.0",
-    "@typescript-eslint/parser": "8.4.0",
+    "@types/semver": "^7.7.0",
+    "@types/sinon": "^17.0.4",
+    "@types/sinon-chai": "^4.0.0",
+    "@types/whatwg-url": "^13.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.31.1",
+    "@typescript-eslint/parser": "^8.31.1",
     "chai": "^4.4.1",
     "chai-subset": "^1.6.0",
     "chalk": "^4.1.2",
-    "eslint": "9.9.0",
-    "eslint-config-prettier": "^9.1.0",
+    "eslint": "^9.25.1",
+    "eslint-config-prettier": "^10.1.2",
     "eslint-plugin-mocha": "^10.4.1",
     "eslint-plugin-prettier": "^5.2.3",
     "eslint-plugin-simple-import-sort": "^12.1.1",
     "eslint-plugin-tsdoc": "^0.4.0",
     "eslint-plugin-unused-imports": "^4.1.4",
-    "express": "^4.21.2",
+    "express": "^5.1.0",
     "gcp-metadata": "^5.3.0",
     "js-yaml": "^4.1.0",
     "mocha": "^10.8.2",
     "mocha-sinon": "^2.1.2",
-    "mongodb-client-encryption": "^6.3.0",
+    "mongodb-client-encryption": "^6.4.0",
     "mongodb-legacy": "^6.1.3",
     "nyc": "^15.1.0",
-    "prettier": "^3.4.2",
+    "prettier": "^3.5.3",
     "semver": "^7.7.0",
-    "sinon": "^18.0.0",
+    "sinon": "^18.0.1",
     "sinon-chai": "^3.7.0",
     "snappy": "^7.2.2",
     "socks": "^2.8.1",
@@ -175,4 +175,4 @@
       "moduleResolution": "node"
     }
   }
-}
+}

package/src/bulk/common.ts

@@ -19,6 +19,7 @@ import { makeUpdateStatement, UpdateOperation, type UpdateStatement } from '../o
 import type { Server } from '../sdam/server';
 import type { Topology } from '../sdam/topology';
 import type { ClientSession } from '../sessions';
+import { type Sort } from '../sort';
 import { type TimeoutContext } from '../timeout';
 import {
   applyRetryableWrites,
@@ -68,7 +69,7 @@ export interface DeleteManyModel<TSchema extends Document = Document> {
 
 /** @public */
 export interface ReplaceOneModel<TSchema extends Document = Document> {
-  /** The filter to limit the replaced document. */
+  /** The filter that specifies which document to replace. In the case of multiple matches, the first document matched is replaced. */
   filter: Filter<TSchema>;
   /** The document with which to replace the matched document. */
   replacement: WithoutId<TSchema>;
@@ -78,11 +79,13 @@ export interface ReplaceOneModel<TSchema extends Document = Document> {
   hint?: Hint;
   /** When true, creates a new document if no document matches the query. */
   upsert?: boolean;
+  /** Specifies the sort order for the documents matched by the filter. */
+  sort?: Sort;
 }
 
 /** @public */
 export interface UpdateOneModel<TSchema extends Document = Document> {
-  /** The filter to limit the updated documents. */
+  /** The filter that specifies which document to update. In the case of multiple matches, the first document matched is updated. */
   filter: Filter<TSchema>;
   /**
    * The modifications to apply. The value can be either:
@@ -98,6 +101,8 @@ export interface UpdateOneModel<TSchema extends Document = Document> {
   hint?: Hint;
   /** When true, creates a new document if no document matches the query. */
   upsert?: boolean;
+  /** Specifies the sort order for the documents matched by the filter. */
+  sort?: Sort;
 }
 
 /** @public */
@@ -252,7 +257,7 @@ export class BulkWriteResult {
     return this.result.writeErrors.length > 0;
   }
 
-  /** Returns the number of write errors off the bulk operation */
+  /** Returns the number of write errors from the bulk operation */
   getWriteErrorCount(): number {
     return this.result.writeErrors.length;
   }
@@ -700,7 +705,7 @@ export class FindOperators {
 
   /** Add a single update operation to the bulk operation */
   updateOne(updateDocument: Document | Document[]): BulkOperationBase {
-    if (!hasAtomicOperators(updateDocument)) {
+    if (!hasAtomicOperators(updateDocument, this.bulkOperation.bsonOptions)) {
       throw new MongoInvalidArgumentError('Update document requires atomic operators');
     }
 
@@ -1110,7 +1115,7 @@ export abstract class BulkOperationBase {
           ...op.updateOne,
           multi: false
         });
-        if (!hasAtomicOperators(updateStatement.u)) {
+        if (!hasAtomicOperators(updateStatement.u, this.bsonOptions)) {
           throw new MongoInvalidArgumentError('Update document requires atomic operators');
         }
         return this.addToOperationsList(BatchType.UPDATE, updateStatement);
@@ -1124,7 +1129,7 @@ export abstract class BulkOperationBase {
           ...op.updateMany,
           multi: true
         });
-        if (!hasAtomicOperators(updateStatement.u)) {
+        if (!hasAtomicOperators(updateStatement.u, this.bsonOptions)) {
           throw new MongoInvalidArgumentError('Update document requires atomic operators');
         }
         return this.addToOperationsList(BatchType.UPDATE, updateStatement);

package/src/client-side-encryption/auto_encrypter.ts

@@ -52,6 +52,10 @@ export interface AutoEncryptionOptions {
   bypassAutoEncryption?: boolean;
   /** Allows users to bypass query analysis */
   bypassQueryAnalysis?: boolean;
+  /**
+   * Sets the expiration time for the DEK in the cache in milliseconds. Defaults to 60000.  0 means no timeout.
+   */
+  keyExpirationMS?: number;
   options?: {
     /** An optional hook to catch logging messages from the underlying encryption engine */
     logger?: (level: AutoEncryptionLoggerLevel, message: string) => void;
@@ -285,6 +289,10 @@ export class AutoEncrypter {
       mongoCryptOptions.bypassQueryAnalysis = options.bypassQueryAnalysis;
     }
 
+    if (options.keyExpirationMS != null) {
+      mongoCryptOptions.keyExpirationMS = options.keyExpirationMS;
+    }
+
     this._bypassMongocryptdAndCryptShared = this._bypassEncryption || !!options.bypassQueryAnalysis;
 
     if (options.extraOptions && options.extraOptions.cryptSharedLibSearchPaths) {
@@ -375,8 +383,8 @@ export class AutoEncrypter {
   /**
    * Cleans up the `_mongocryptdClient`, if present.
    */
-  async teardown(force: boolean): Promise<void> {
-    await this._mongocryptdClient?.close(force);
+  async close(): Promise<void> {
+    await this._mongocryptdClient?.close();
   }
 
   /**

package/src/client-side-encryption/client_encryption.ts

@@ -885,6 +885,11 @@ export interface ClientEncryptionOptions {
    */
   tlsOptions?: CSFLEKMSTlsOptions;
 
+  /**
+   * Sets the expiration time for the DEK in the cache in milliseconds. Defaults to 60000. 0 means no timeout.
+   */
+  keyExpirationMS?: number;
+
   /**
    * @experimental
    *

package/src/client-side-encryption/state_machine.ts

@@ -275,7 +275,7 @@ export class StateMachine {
             // See docs on EMPTY_V
             result = EMPTY_V ??= serialize({ v: [] });
           }
-          for await (const key of keys) {
+          for (const key of keys) {
             context.addMongoOperationResponse(serialize(key));
           }
 

package/src/cmap/auth/mongodb_oidc/automated_callback_workflow.ts

@@ -34,6 +34,9 @@ export class AutomatedCallbackWorkflow extends CallbackWorkflow {
     // If the server fails for any other reason, do not clear the cache.
     if (this.cache.hasAccessToken) {
       const token = this.cache.getAccessToken();
+      if (!connection.accessToken) {
+        connection.accessToken = token;
+      }
       try {
         return await this.finishAuthentication(connection, credentials, token);
       } catch (error) {
@@ -66,6 +69,9 @@ export class AutomatedCallbackWorkflow extends CallbackWorkflow {
     if (credentials.username) {
       params.username = credentials.username;
     }
+    if (credentials.mechanismProperties.TOKEN_RESOURCE) {
+      params.tokenAudience = credentials.mechanismProperties.TOKEN_RESOURCE;
+    }
     const timeout = Timeout.expires(AUTOMATED_TIMEOUT_MS);
     try {
       return await Promise.race([this.executeAndValidateCallback(params), timeout]);

package/src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts

@@ -1,9 +1,7 @@
 import { addAzureParams, AZURE_BASE_URL } from '../../../client-side-encryption/providers/azure';
 import { MongoAzureError } from '../../../error';
 import { get } from '../../../utils';
-import type { MongoCredentials } from '../mongo_credentials';
-import { type AccessToken, MachineWorkflow } from './machine_workflow';
-import { type TokenCache } from './token_cache';
+import type { OIDCCallbackFunction, OIDCCallbackParams, OIDCResponse } from '../mongodb_oidc';
 
 /** Azure request headers. */
 const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
@@ -17,39 +15,29 @@ const TOKEN_RESOURCE_MISSING_ERROR =
   'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure.';
 
 /**
- * Device workflow implementation for Azure.
- *
- * @internal
+ * The callback function to be used in the automated callback workflow.
+ * @param params - The OIDC callback parameters.
+ * @returns The OIDC response.
  */
-export class AzureMachineWorkflow extends MachineWorkflow {
-  /**
-   * Instantiate the machine workflow.
-   */
-  constructor(cache: TokenCache) {
-    super(cache);
+export const callback: OIDCCallbackFunction = async (
+  params: OIDCCallbackParams
+): Promise<OIDCResponse> => {
+  const tokenAudience = params.tokenAudience;
+  const username = params.username;
+  if (!tokenAudience) {
+    throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
   }
-
-  /**
-   * Get the token from the environment.
-   */
-  async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
-    const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
-    const username = credentials?.username;
-    if (!tokenAudience) {
-      throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
-    }
-    const response = await getAzureTokenData(tokenAudience, username);
-    if (!isEndpointResultValid(response)) {
-      throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
-    }
-    return response;
+  const response = await getAzureTokenData(tokenAudience, username);
+  if (!isEndpointResultValid(response)) {
+    throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
   }
-}
+  return response;
+};
 
 /**
  * Hit the Azure endpoint to get the token data.
  */
-async function getAzureTokenData(tokenAudience: string, username?: string): Promise<AccessToken> {
+async function getAzureTokenData(tokenAudience: string, username?: string): Promise<OIDCResponse> {
   const url = new URL(AZURE_BASE_URL);
   addAzureParams(url, tokenAudience, username);
   const response = await get(url, {
@@ -62,8 +50,8 @@ async function getAzureTokenData(tokenAudience: string, username?: string): Prom
   }
   const result = JSON.parse(response.body);
   return {
-    access_token: result.access_token,
-    expires_in: Number(result.expires_in)
+    accessToken: result.access_token,
+    expiresInSeconds: Number(result.expires_in)
   };
 }
 
@@ -77,9 +65,9 @@ function isEndpointResultValid(
 ): token is { access_token: unknown; expires_in: unknown } {
   if (token == null || typeof token !== 'object') return false;
   return (
-    'access_token' in token &&
-    typeof token.access_token === 'string' &&
-    'expires_in' in token &&
-    typeof token.expires_in === 'number'
+    'accessToken' in token &&
+    typeof token.accessToken === 'string' &&
+    'expiresInSeconds' in token &&
+    typeof token.expiresInSeconds === 'number'
   );
 }