mongodb 6.20.0-dev.20251106.sha.696664cb → 6.21.0

package/src/cmap/auth/aws_temporary_credentials.ts

@@ -1,5 +1,10 @@
 import { type AWSCredentials, getAwsCredentialProvider } from '../../deps';
 import { MongoAWSError } from '../../error';
+import { request } from '../../utils';
+
+const AWS_RELATIVE_URI = 'http://169.254.170.2';
+const AWS_EC2_URI = 'http://169.254.169.254';
+const AWS_EC2_PATH = '/latest/meta-data/iam/security-credentials';
 
 /**
  * @internal
@@ -19,9 +24,26 @@ export interface AWSTempCredentials {
 /** @public **/
 export type AWSCredentialProvider = () => Promise<AWSCredentials>;
 
-/** @internal */
-export class AWSSDKCredentialProvider {
+/**
+ * @internal
+ *
+ * Fetches temporary AWS credentials.
+ */
+export abstract class AWSTemporaryCredentialProvider {
+  abstract getCredentials(): Promise<AWSTempCredentials>;
   private static _awsSDK: ReturnType<typeof getAwsCredentialProvider>;
+  protected static get awsSDK() {
+    AWSTemporaryCredentialProvider._awsSDK ??= getAwsCredentialProvider();
+    return AWSTemporaryCredentialProvider._awsSDK;
+  }
+
+  static get isAWSSDKInstalled(): boolean {
+    return !('kModuleError' in AWSTemporaryCredentialProvider.awsSDK);
+  }
+}
+
+/** @internal */
+export class AWSSDKCredentialProvider extends AWSTemporaryCredentialProvider {
   private _provider?: AWSCredentialProvider;
 
   /**
@@ -29,23 +51,20 @@ export class AWSSDKCredentialProvider {
    * @param credentialsProvider - The credentials provider.
    */
   constructor(credentialsProvider?: AWSCredentialProvider) {
+    super();
+
     if (credentialsProvider) {
       this._provider = credentialsProvider;
     }
   }
 
-  static get awsSDK() {
-    AWSSDKCredentialProvider._awsSDK ??= getAwsCredentialProvider();
-    return AWSSDKCredentialProvider._awsSDK;
-  }
-
   /**
    * The AWS SDK caches credentials automatically and handles refresh when the credentials have expired.
    * To ensure this occurs, we need to cache the `provider` returned by the AWS sdk and re-use it when fetching credentials.
    */
   private get provider(): () => Promise<AWSCredentials> {
-    if ('kModuleError' in AWSSDKCredentialProvider.awsSDK) {
-      throw AWSSDKCredentialProvider.awsSDK.kModuleError;
+    if ('kModuleError' in AWSTemporaryCredentialProvider.awsSDK) {
+      throw AWSTemporaryCredentialProvider.awsSDK.kModuleError;
     }
     if (this._provider) {
       return this._provider;
@@ -93,15 +112,15 @@ export class AWSSDKCredentialProvider {
 
     this._provider =
       awsRegionSettingsExist && useRegionalSts
-        ? AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain({
+        ? AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain({
             clientConfig: { region: AWS_REGION }
           })
-        : AWSSDKCredentialProvider.awsSDK.fromNodeProviderChain();
+        : AWSTemporaryCredentialProvider.awsSDK.fromNodeProviderChain();
 
     return this._provider;
   }
 
-  async getCredentials(): Promise<AWSTempCredentials> {
+  override async getCredentials(): Promise<AWSTempCredentials> {
     /*
      * Creates a credential provider that will attempt to find credentials from the
      * following sources (listed in order of precedence):
@@ -125,3 +144,42 @@ export class AWSSDKCredentialProvider {
     }
   }
 }
+
+/**
+ * @internal
+ * Fetches credentials manually (without the AWS SDK), as outlined in the [Obtaining Credentials](https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#obtaining-credentials)
+ * section of the Auth spec.
+ */
+export class LegacyAWSTemporaryCredentialProvider extends AWSTemporaryCredentialProvider {
+  override async getCredentials(): Promise<AWSTempCredentials> {
+    // If the environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+    // is set then drivers MUST assume that it was set by an AWS ECS agent
+    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
+      return await request(
+        `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`
+      );
+    }
+
+    // Otherwise assume we are on an EC2 instance
+
+    // get a token
+    const token = await request(`${AWS_EC2_URI}/latest/api/token`, {
+      method: 'PUT',
+      json: false,
+      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': 30 }
+    });
+
+    // get role name
+    const roleName = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}`, {
+      json: false,
+      headers: { 'X-aws-ec2-metadata-token': token }
+    });
+
+    // get temp credentials
+    const creds = await request(`${AWS_EC2_URI}/${AWS_EC2_PATH}/${roleName}`, {
+      headers: { 'X-aws-ec2-metadata-token': token }
+    });
+
+    return creds;
+  }
+}

package/src/cmap/auth/mongo_credentials.ts

@@ -58,7 +58,7 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
-  /** @internal */
+  /** @deprecated Will be removed in the next major version. */
   AWS_SESSION_TOKEN?: string;
   /** A user provided OIDC machine callback function. */
   OIDC_CALLBACK?: OIDCCallbackFunction;
@@ -135,6 +135,26 @@ export class MongoCredentials {
     this.mechanism = options.mechanism || AuthMechanism.MONGODB_DEFAULT;
     this.mechanismProperties = options.mechanismProperties || {};
 
+    if (this.mechanism.match(/MONGODB-AWS/i)) {
+      if (!this.username && process.env.AWS_ACCESS_KEY_ID) {
+        this.username = process.env.AWS_ACCESS_KEY_ID;
+      }
+
+      if (!this.password && process.env.AWS_SECRET_ACCESS_KEY) {
+        this.password = process.env.AWS_SECRET_ACCESS_KEY;
+      }
+
+      if (
+        this.mechanismProperties.AWS_SESSION_TOKEN == null &&
+        process.env.AWS_SESSION_TOKEN != null
+      ) {
+        this.mechanismProperties = {
+          ...this.mechanismProperties,
+          AWS_SESSION_TOKEN: process.env.AWS_SESSION_TOKEN
+        };
+      }
+    }
+
     if (this.mechanism === AuthMechanism.MONGODB_OIDC && !this.mechanismProperties.ALLOWED_HOSTS) {
       this.mechanismProperties = {
         ...this.mechanismProperties,

package/src/cmap/auth/mongodb_aws.ts

@@ -11,7 +11,9 @@ import { type AuthContext, AuthProvider } from './auth_provider';
 import {
   type AWSCredentialProvider,
   AWSSDKCredentialProvider,
-  type AWSTempCredentials
+  type AWSTempCredentials,
+  AWSTemporaryCredentialProvider,
+  LegacyAWSTemporaryCredentialProvider
 } from './aws_temporary_credentials';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
@@ -32,11 +34,16 @@ interface AWSSaslContinuePayload {
 }
 
 export class MongoDBAWS extends AuthProvider {
-  private credentialFetcher: AWSSDKCredentialProvider;
+  private credentialFetcher: AWSTemporaryCredentialProvider;
+  private credentialProvider?: AWSCredentialProvider;
 
   constructor(credentialProvider?: AWSCredentialProvider) {
     super();
-    this.credentialFetcher = new AWSSDKCredentialProvider(credentialProvider);
+
+    this.credentialProvider = credentialProvider;
+    this.credentialFetcher = AWSTemporaryCredentialProvider.isAWSSDKInstalled
+      ? new AWSSDKCredentialProvider(credentialProvider)
+      : new LegacyAWSTemporaryCredentialProvider();
   }
 
   override async auth(authContext: AuthContext): Promise<void> {
@@ -56,10 +63,12 @@ export class MongoDBAWS extends AuthProvider {
       );
     }
 
-    authContext.credentials = await makeTempCredentials(
-      authContext.credentials,
-      this.credentialFetcher
-    );
+    if (!authContext.credentials.username) {
+      authContext.credentials = await makeTempCredentials(
+        authContext.credentials,
+        this.credentialFetcher
+      );
+    }
 
     const { credentials } = authContext;
 
@@ -153,7 +162,7 @@ export class MongoDBAWS extends AuthProvider {
 
 async function makeTempCredentials(
   credentials: MongoCredentials,
-  awsCredentialFetcher: AWSSDKCredentialProvider
+  awsCredentialFetcher: AWSTemporaryCredentialProvider
 ): Promise<MongoCredentials> {
   function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
     // The AWS session token (creds.Token) may or may not be set.

package/src/cmap/auth/providers.ts

@@ -1,6 +1,7 @@
 /** @public */
 export const AuthMechanism = Object.freeze({
   MONGODB_AWS: 'MONGODB-AWS',
+  MONGODB_CR: 'MONGODB-CR',
   MONGODB_DEFAULT: 'DEFAULT',
   MONGODB_GSSAPI: 'GSSAPI',
   MONGODB_PLAIN: 'PLAIN',

package/src/cmap/connect.ts

@@ -222,7 +222,7 @@ export async function prepareHandshakeDocument(
   const options = authContext.options;
   const compressors = options.compressors ? options.compressors : [];
   const { serverApi } = authContext.connection;
-  const clientMetadata: Document = await options.metadata;
+  const clientMetadata: Document = await options.extendedMetadata;
 
   const handshakeDoc: HandshakeDocument = {
     [serverApi?.version || options.loadBalanced === true ? 'hello' : LEGACY_HELLO_COMMAND]: 1,

package/src/cmap/connection.ts

@@ -22,6 +22,7 @@ import {
 import {
   MongoCompatibilityError,
   MONGODB_ERROR_CODES,
+  MongoMissingDependencyError,
   MongoNetworkError,
   MongoNetworkTimeoutError,
   MongoOperationTimeoutError,
@@ -90,6 +91,8 @@ export interface CommandOptions extends BSONSerializeOptions {
   /** Session to use for the operation */
   session?: ClientSession;
   documentsReturnedIn?: string;
+  /** @deprecated Will be removed in the next major version. */
+  noResponse?: boolean;
   omitMaxTimeMS?: boolean;
 
   // TODO(NODE-2802): Currently the CommandOptions take a property willRetryWrite which is a hint
@@ -137,10 +140,11 @@ export interface ConnectionOptions
   tls: boolean;
   noDelay?: boolean;
   socketTimeoutMS?: number;
-  /** @internal */
+  /** @deprecated Will be removed in the next major version */
   cancellationToken?: CancellationToken;
+  metadata: ClientMetadata;
   /** @internal */
-  metadata: Promise<ClientMetadata>;
+  extendedMetadata: Promise<Document>;
   /** @internal */
   mongoLogger?: MongoLogger | undefined;
 }
@@ -466,7 +470,7 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
         signal: options.signal
       });
 
-      if (message.moreToCome) {
+      if (options.noResponse || message.moreToCome) {
         yield MongoDBResponse.empty;
         return;
       }
@@ -566,7 +570,11 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
             new CommandSucceededEvent(
               this,
               message,
-              message.moreToCome ? { ok: 1 } : (object ??= document.toObject(bsonOptions)),
+              options.noResponse
+                ? undefined
+                : message.moreToCome
+                  ? { ok: 1 }
+                  : (object ??= document.toObject(bsonOptions)),
               started,
               this.description.serverConnectionId
             )
@@ -709,15 +717,7 @@ export class Connection extends TypedEventEmitter<ConnectionEvents> {
       }
     }
 
-    try {
-      if (this.socket.write(buffer)) return;
-    } catch (writeError) {
-      const networkError = new MongoNetworkError('unexpected error writing to socket', {
-        cause: writeError
-      });
-      this.onError(networkError);
-      throw networkError;
-    }
+    if (this.socket.write(buffer)) return;
 
     const drainEvent = once<void>(this.socket, 'drain', options);
     const timeout = options?.timeoutContext?.timeoutForSocketWrite;
@@ -870,7 +870,11 @@ export class CryptoConnection extends Connection {
   ): Promise<Document> {
     const { autoEncrypter } = this;
     if (!autoEncrypter) {
-      throw new MongoRuntimeError('No AutoEncrypter available for encryption');
+      // TODO(NODE-6065): throw a MongoRuntimeError in Node V7
+      // @ts-expect-error No cause provided because there is no underlying error.
+      throw new MongoMissingDependencyError('No AutoEncrypter available for encryption', {
+        dependencyName: 'n/a'
+      });
     }
 
     const serverWireVersion = maxWireVersion(this);

package/src/cmap/connection_pool.ts

@@ -97,6 +97,15 @@ export const PoolState = Object.freeze({
 
 type PoolState = (typeof PoolState)[keyof typeof PoolState];
 
+/**
+ * @public
+ * @deprecated This interface is deprecated and will be removed in a future release as it is not used
+ * in the driver
+ */
+export interface CloseOptions {
+  force?: boolean;
+}
+
 /** @public */
 export type ConnectionPoolEvents = {
   connectionPoolCreated(event: ConnectionPoolCreatedEvent): void;
@@ -601,9 +610,9 @@ export class ConnectionPool extends TypedEventEmitter<ConnectionPoolEvents> {
   }
 
   private createConnection(callback: Callback<Connection>) {
-    // Note that metadata may have changed on the client but have
-    // been frozen here, so we pull the metadata promise always from the client
-    // no matter what options were set at the construction of the pool.
+    // Note that metadata and extendedMetadata may have changed on the client but have
+    // been frozen here, so we pull the extendedMetadata promise always from the client
+    // no mattter what options were set at the construction of the pool.
     const connectOptions: ConnectionOptions = {
       ...this.options,
       id: this.connectionCounter.next().value,
@@ -611,7 +620,7 @@ export class ConnectionPool extends TypedEventEmitter<ConnectionPoolEvents> {
       cancellationToken: this.cancellationToken,
       mongoLogger: this.mongoLogger,
       authProviders: this.server.topology.client.s.authProviders,
-      metadata: this.server.topology.client.options.metadata
+      extendedMetadata: this.server.topology.client.options.extendedMetadata
     };
 
     this.pending++;

package/src/cmap/errors.ts

@@ -56,7 +56,7 @@ export class PoolClearedError extends MongoNetworkError {
     super(errorMessage, pool.serverError ? { cause: pool.serverError } : undefined);
     this.address = pool.address;
 
-    this.addErrorLabel(MongoErrorLabel.PoolRequestedRetry);
+    this.addErrorLabel(MongoErrorLabel.PoolRequstedRetry);
   }
 
   override get name(): string {

package/src/cmap/handshake/client_metadata.ts

@@ -27,7 +27,8 @@ export function isDriverInfoEqual(info1: DriverInfo, info2: DriverInfo): boolean
 }
 
 /**
- * @internal
+ * @public
+ * @deprecated This interface will be made internal in the next major release.
  * @see https://github.com/mongodb/specifications/blob/master/source/mongodb-handshake/handshake.md#hello-command
  */
 export interface ClientMetadata {
@@ -47,17 +48,27 @@ export interface ClientMetadata {
   };
   /** FaaS environment information */
   env?: {
-    name?: 'aws.lambda' | 'gcp.func' | 'azure.func' | 'vercel';
+    name: 'aws.lambda' | 'gcp.func' | 'azure.func' | 'vercel';
     timeout_sec?: Int32;
     memory_mb?: Int32;
     region?: string;
-    container?: {
-      runtime?: string;
-      orchestrator?: string;
-    };
+    url?: string;
   };
 }
 
+/**
+ * @public
+ * @deprecated This interface will be made internal in the next major release.
+ */
+export interface ClientMetadataOptions {
+  driverInfo?: {
+    name?: string;
+    version?: string;
+    platform?: string;
+  };
+  appName?: string;
+}
+
 /** @internal */
 export class LimitedSizeDocument {
   private document = new Map();
@@ -105,10 +116,10 @@ type MakeClientMetadataOptions = Pick<MongoOptions, 'appName'>;
  * 3. Omit the `env` document entirely.
  * 4. Truncate `platform`. -- special we do not truncate this field
  */
-export async function makeClientMetadata(
+export function makeClientMetadata(
   driverInfoList: DriverInfo[],
   { appName = '' }: MakeClientMetadataOptions
-): Promise<ClientMetadata> {
+): ClientMetadata {
   const metadataDocument = new LimitedSizeDocument(512);
 
   // Add app name first, it must be sent
@@ -180,21 +191,19 @@ export async function makeClientMetadata(
       }
     }
   }
-  return await addContainerMetadata(metadataDocument.toObject() as ClientMetadata);
+  return metadataDocument.toObject() as ClientMetadata;
 }
 
 let dockerPromise: Promise<boolean>;
-type ContainerMetadata = NonNullable<NonNullable<ClientMetadata['env']>['container']>;
 /** @internal */
-async function getContainerMetadata(): Promise<ContainerMetadata> {
+async function getContainerMetadata() {
+  const containerMetadata: Record<string, any> = {};
   dockerPromise ??= fileIsAccessible('/.dockerenv');
   const isDocker = await dockerPromise;
 
   const { KUBERNETES_SERVICE_HOST = '' } = process.env;
   const isKubernetes = KUBERNETES_SERVICE_HOST.length > 0 ? true : false;
 
-  const containerMetadata: ContainerMetadata = {};
-
   if (isDocker) containerMetadata.runtime = 'docker';
   if (isKubernetes) containerMetadata.orchestrator = 'kubernetes';
 
@@ -206,16 +215,15 @@ async function getContainerMetadata(): Promise<ContainerMetadata> {
  * Re-add each metadata value.
  * Attempt to add new env container metadata, but keep old data if it does not fit.
  */
-async function addContainerMetadata(originalMetadata: ClientMetadata): Promise<ClientMetadata> {
+export async function addContainerMetadata(
+  originalMetadata: ClientMetadata
+): Promise<ClientMetadata> {
   const containerMetadata = await getContainerMetadata();
   if (Object.keys(containerMetadata).length === 0) return originalMetadata;
 
   const extendedMetadata = new LimitedSizeDocument(512);
 
-  const extendedEnvMetadata: NonNullable<ClientMetadata['env']> = {
-    ...originalMetadata?.env,
-    container: containerMetadata
-  };
+  const extendedEnvMetadata = { ...originalMetadata?.env, container: containerMetadata };
 
   for (const [key, val] of Object.entries(originalMetadata)) {
     if (key !== 'env') {

package/src/cmap/wire_protocol/constants.ts

@@ -1,7 +1,5 @@
 export const MIN_SUPPORTED_SERVER_VERSION = '4.2';
 export const MAX_SUPPORTED_SERVER_VERSION = '8.2';
-export const MIN_SUPPORTED_SNAPSHOT_READS_WIRE_VERSION = 13;
-export const MIN_SUPPORTED_SNAPSHOT_READS_SERVER_VERSION = '5.0';
 export const MIN_SUPPORTED_WIRE_VERSION = 8;
 export const MAX_SUPPORTED_WIRE_VERSION = 27;
 export const MIN_SUPPORTED_QE_WIRE_VERSION = 21;

package/src/cmap/wire_protocol/on_data.ts

@@ -49,7 +49,7 @@ export function onData(
   /** Set to true only after event listeners have been removed. */
   let finished = false;
 
-  const iterator: AsyncGenerator<Buffer> & AsyncDisposable = {
+  const iterator: AsyncGenerator<Buffer> = {
     next() {
       // First, we consume all unread events
       const value = unconsumedEvents.shift();
@@ -89,6 +89,7 @@ export function onData(
       return this;
     },
 
+    // Note this should currently not be used, but is required by the AsyncGenerator interface.
     async [Symbol.asyncDispose]() {
       await closeHandler();
     }

package/src/collection.ts

@@ -546,7 +546,7 @@ export class Collection<TSchema extends Document = Document> {
     // Explicitly set the limit to 1 and singleBatch to true for all commands, per the spec.
     // noCursorTimeout must be unset as well as batchSize.
     // See: https://github.com/mongodb/specifications/blob/master/source/crud/crud.md#findone-api-details
-    const { ...opts } = options;
+    const { batchSize: _batchSize, noCursorTimeout: _noCursorTimeout, ...opts } = options;
     opts.singleBatch = true;
     const cursor = this.find(filter, opts).limit(1);
     const result = await cursor.next();

package/src/connection_string.ts

@@ -7,7 +7,12 @@ import { MongoCredentials } from './cmap/auth/mongo_credentials';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './cmap/auth/providers';
 import { Compressor, type CompressorName } from './cmap/wire_protocol/compression';
 import { Encrypter } from './encrypter';
-import { MongoAPIError, MongoInvalidArgumentError, MongoParseError } from './error';
+import {
+  MongoAPIError,
+  MongoInvalidArgumentError,
+  MongoMissingCredentialsError,
+  MongoParseError
+} from './error';
 import {
   MongoClient,
   type MongoClientOptions,
@@ -412,18 +417,10 @@ export function parseOptions(
       });
     }
 
-    if (isAws) {
-      const { username, password } = mongoOptions.credentials;
-      if (username || password) {
-        throw new MongoAPIError(
-          'username and password cannot be provided when using MONGODB-AWS. Credentials must be provided in a manner that can be read by the AWS SDK.'
-        );
-      }
-      if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN) {
-        throw new MongoAPIError(
-          'AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS. Credentials must be provided in a manner that can be read by the AWS SDK.'
-        );
-      }
+    if (isAws && mongoOptions.credentials.username && !mongoOptions.credentials.password) {
+      throw new MongoMissingCredentialsError(
+        `When using ${mongoOptions.credentials.mechanism} password must be set when a username is specified`
+      );
     }
 
     mongoOptions.credentials.validate();
@@ -1286,6 +1283,16 @@ export const OPTIONS = {
   secureProtocol: { type: 'any' },
   index: { type: 'any' },
   // Legacy options from v3 era
+  useNewUrlParser: {
+    type: 'boolean',
+    deprecated:
+      'useNewUrlParser has no effect since Node.js Driver version 4.0.0 and will be removed in the next major version'
+  } as OptionDescriptor,
+  useUnifiedTopology: {
+    type: 'boolean',
+    deprecated:
+      'useUnifiedTopology has no effect since Node.js Driver version 4.0.0 and will be removed in the next major version'
+  } as OptionDescriptor,
   __skipPingOnConnect: { type: 'boolean' }
 } as Record<keyof MongoClientOptions, OptionDescriptor>;