mongodb 6.6.2 → 6.7.0

package/lib/client-side-encryption/providers/azure.js

@@ -1,9 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.loadAzureCredentials = exports.fetchAzureKMSToken = exports.prepareRequest = exports.tokenCache = exports.AzureCredentialCache = void 0;
+exports.loadAzureCredentials = exports.fetchAzureKMSToken = exports.prepareRequest = exports.addAzureParams = exports.tokenCache = exports.AzureCredentialCache = exports.AZURE_BASE_URL = void 0;
+const error_1 = require("../../error");
+const utils_1 = require("../../utils");
 const errors_1 = require("../errors");
-const utils_1 = require("./utils");
 const MINIMUM_TOKEN_REFRESH_IN_MILLISECONDS = 6000;
+/** Base URL for getting Azure tokens. */
+exports.AZURE_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?';
 /**
  * @internal
  */
@@ -66,6 +69,19 @@ async function parseResponse(response) {
         expiresOnTimestamp: Date.now() + expiresInMS
     };
 }
+/**
+ * @internal
+ * Get the Azure endpoint URL.
+ */
+function addAzureParams(url, resource, username) {
+    url.searchParams.append('api-version', '2018-02-01');
+    url.searchParams.append('resource', resource);
+    if (username) {
+        url.searchParams.append('client_id', username);
+    }
+    return url;
+}
+exports.addAzureParams = addAzureParams;
 /**
  * @internal
  *
@@ -73,9 +89,8 @@ async function parseResponse(response) {
  * the default values for headers and the request url.
  */
 function prepareRequest(options) {
-    const url = new URL(options.url?.toString() ?? 'http://169.254.169.254/metadata/identity/oauth2/token');
-    url.searchParams.append('api-version', '2018-02-01');
-    url.searchParams.append('resource', 'https://vault.azure.net');
+    const url = new URL(options.url?.toString() ?? exports.AZURE_BASE_URL);
+    addAzureParams(url, 'https://vault.azure.net');
     const headers = { ...options.headers, 'Content-Type': 'application/json', Metadata: true };
     return { headers, url };
 }
@@ -97,7 +112,7 @@ async function fetchAzureKMSToken(options = {}) {
         return await parseResponse(response);
     }
     catch (error) {
-        if (error instanceof errors_1.MongoCryptKMSRequestNetworkTimeoutError) {
+        if (error instanceof error_1.MongoNetworkTimeoutError) {
             throw new errors_1.MongoCryptAzureKMSRequestError(`[Azure KMS] ${error.message}`);
         }
         throw error;

package/lib/client-side-encryption/providers/azure.js.map

@@ -1 +1 @@
-{"version":3,"file":"azure.js","sourceRoot":"","sources":["../../../src/client-side-encryption/providers/azure.ts"],"names":[],"mappings":";;;AACA,sCAAoG;AAEpG,mCAA8B;AAE9B,MAAM,qCAAqC,GAAG,IAAI,CAAC;AAkBnD;;GAEG;AACH,MAAa,oBAAoB;IAAjC;QACE,gBAAW,GAAgC,IAAI,CAAC;IA4BlD,CAAC;IA1BC,KAAK,CAAC,QAAQ;QACZ,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE;YACnE,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;SAC3C;QAED,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IACvD,CAAC;IAED,YAAY,CAAC,KAA2B;QACtC,MAAM,qBAAqB,GAAG,KAAK,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACpE,OAAO,qBAAqB,IAAI,qCAAqC,CAAC;IACxE,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,kBAAkB,EAAE,CAAC;IAC9B,CAAC;CACF;AA7BD,oDA6BC;AAED,gBAAgB;AACH,QAAA,UAAU,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAErD,gBAAgB;AAChB,KAAK,UAAU,aAAa,CAAC,QAG5B;IACC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;IAE3C,MAAM,IAAI,GAAmD,CAAC,GAAG,EAAE;QACjE,IAAI;YACF,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;SAC5B;QAAC,MAAM;YACN,MAAM,IAAI,uCAA8B,CAAC,qCAAqC,CAAC,CAAC;SACjF;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,MAAM,KAAK,GAAG,EAAE;QAClB,MAAM,IAAI,uCAA8B,CAAC,6BAA6B,EAAE,IAAI,CAAC,CAAC;KAC/E;IAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;QACtB,MAAM,IAAI,uCAA8B,CACtC,yDAAyD,CAC1D,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE;QACpB,MAAM,IAAI,uCAA8B,CACtC,uDAAuD,CACxD,CAAC;KACH;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;IACnD,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;QAC7B,MAAM,IAAI,uCAA8B,CACtC,wEAAwE,CACzE,CAAC;KACH;IAED,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,kBAAkB,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;KAC7C,CAAC;AACJ,CAAC;AAaD;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,OAA+B;IAI5D,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,uDAAuD,CACnF,CAAC;IAEF,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACrD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,EAAE,yBAAyB,CAAC,CAAC;IAE/D,MAAM,OAAO,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3F,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1B,CAAC;AAbD,wCAaC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,kBAAkB,CACtC,UAAkC,EAAE;IAEpC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,IAAA,WAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7C,OAAO,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;KACtC;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,KAAK,YAAY,gDAAuC,EAAE;YAC5D,MAAM,IAAI,uCAA8B,CAAC,eAAe,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;SAC1E;QACD,MAAM,KAAK,CAAC;KACb;AACH,CAAC;AAbD,gDAaC;AAED;;;;GAIG;AACI,KAAK,UAAU,oBAAoB,CAAC,YAA0B;IACnE,MAAM,KAAK,GAAG,MAAM,kBAAU,CAAC,QAAQ,EAAE,CAAC;IAC1C,OAAO,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAHD,oDAGC"}
+{"version":3,"file":"azure.js","sourceRoot":"","sources":["../../../src/client-side-encryption/providers/azure.ts"],"names":[],"mappings":";;;AACA,uCAAuD;AACvD,uCAAkC;AAClC,sCAA2D;AAG3D,MAAM,qCAAqC,GAAG,IAAI,CAAC;AACnD,yCAAyC;AAC5B,QAAA,cAAc,GAAG,wDAAwD,CAAC;AAkBvF;;GAEG;AACH,MAAa,oBAAoB;IAAjC;QACE,gBAAW,GAAgC,IAAI,CAAC;IA4BlD,CAAC;IA1BC,KAAK,CAAC,QAAQ;QACZ,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE;YACnE,IAAI,CAAC,WAAW,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;SAC3C;QAED,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;IACvD,CAAC;IAED,YAAY,CAAC,KAA2B;QACtC,MAAM,qBAAqB,GAAG,KAAK,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACpE,OAAO,qBAAqB,IAAI,qCAAqC,CAAC;IACxE,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,kBAAkB,EAAE,CAAC;IAC9B,CAAC;CACF;AA7BD,oDA6BC;AAED,gBAAgB;AACH,QAAA,UAAU,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAErD,gBAAgB;AAChB,KAAK,UAAU,aAAa,CAAC,QAG5B;IACC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,QAAQ,CAAC;IAE3C,MAAM,IAAI,GAAmD,CAAC,GAAG,EAAE;QACjE,IAAI;YACF,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;SAC5B;QAAC,MAAM;YACN,MAAM,IAAI,uCAA8B,CAAC,qCAAqC,CAAC,CAAC;SACjF;IACH,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,MAAM,KAAK,GAAG,EAAE;QAClB,MAAM,IAAI,uCAA8B,CAAC,6BAA6B,EAAE,IAAI,CAAC,CAAC;KAC/E;IAED,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;QACtB,MAAM,IAAI,uCAA8B,CACtC,yDAAyD,CAC1D,CAAC;KACH;IAED,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE;QACpB,MAAM,IAAI,uCAA8B,CACtC,uDAAuD,CACxD,CAAC;KACH;IAED,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;IACnD,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE;QAC7B,MAAM,IAAI,uCAA8B,CACtC,wEAAwE,CACzE,CAAC;KACH;IAED,OAAO;QACL,WAAW,EAAE,IAAI,CAAC,YAAY;QAC9B,kBAAkB,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW;KAC7C,CAAC;AACJ,CAAC;AAaD;;;GAGG;AACH,SAAgB,cAAc,CAAC,GAAQ,EAAE,QAAgB,EAAE,QAAiB;IAC1E,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IACrD,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC9C,IAAI,QAAQ,EAAE;QACZ,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;KAChD;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAPD,wCAOC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,OAA+B;IAI5D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,sBAAc,CAAC,CAAC;IAC/D,cAAc,CAAC,GAAG,EAAE,yBAAyB,CAAC,CAAC;IAC/C,MAAM,OAAO,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3F,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;AAC1B,CAAC;AARD,wCAQC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,kBAAkB,CACtC,UAAkC,EAAE;IAEpC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,IAAA,WAAG,EAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAC7C,OAAO,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;KACtC;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,KAAK,YAAY,gCAAwB,EAAE;YAC7C,MAAM,IAAI,uCAA8B,CAAC,eAAe,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;SAC1E;QACD,MAAM,KAAK,CAAC;KACb;AACH,CAAC;AAbD,gDAaC;AAED;;;;GAIG;AACI,KAAK,UAAU,oBAAoB,CAAC,YAA0B;IACnE,MAAM,KAAK,GAAG,MAAM,kBAAU,CAAC,QAAQ,EAAE,CAAC;IAC1C,OAAO,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAHD,oDAGC"}

package/lib/cmap/auth/mongo_credentials.js

@@ -22,11 +22,16 @@ function getDefaultAuthMechanism(hello) {
     // Default for wireprotocol < 3
     return providers_1.AuthMechanism.MONGODB_CR;
 }
-const ALLOWED_PROVIDER_NAMES = ['aws', 'azure'];
+const ALLOWED_ENVIRONMENT_NAMES = [
+    'test',
+    'azure',
+    'gcp'
+];
 const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.';
 /** @internal */
 exports.DEFAULT_ALLOWED_HOSTS = [
     '*.mongodb.net',
+    '*.mongodb-qa.net',
     '*.mongodb-dev.net',
     '*.mongodbgov.net',
     'localhost',
@@ -34,7 +39,7 @@ exports.DEFAULT_ALLOWED_HOSTS = [
     '::1'
 ];
 /** Error for when the token audience is missing in the environment. */
-const TOKEN_AUDIENCE_MISSING_ERROR = 'TOKEN_AUDIENCE must be set in the auth mechanism properties when PROVIDER_NAME is azure.';
+const TOKEN_RESOURCE_MISSING_ERROR = 'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure or gcp.';
 /**
  * A representation of the credentials used by MongoDB
  * @public
@@ -109,24 +114,27 @@ class MongoCredentials {
             throw new error_1.MongoMissingCredentialsError(`Username required for mechanism '${this.mechanism}'`);
         }
         if (this.mechanism === providers_1.AuthMechanism.MONGODB_OIDC) {
-            if (this.username && this.mechanismProperties.PROVIDER_NAME) {
-                throw new error_1.MongoInvalidArgumentError(`username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`);
+            if (this.username &&
+                this.mechanismProperties.ENVIRONMENT &&
+                this.mechanismProperties.ENVIRONMENT !== 'azure') {
+                throw new error_1.MongoInvalidArgumentError(`username and ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' may not be used together for mechanism '${this.mechanism}'.`);
             }
-            if (this.mechanismProperties.PROVIDER_NAME === 'azure' &&
-                !this.mechanismProperties.TOKEN_AUDIENCE) {
-                throw new error_1.MongoAzureError(TOKEN_AUDIENCE_MISSING_ERROR);
+            if (this.username && this.password) {
+                throw new error_1.MongoInvalidArgumentError(`No password is allowed in ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' for '${this.mechanism}'.`);
             }
-            if (this.mechanismProperties.PROVIDER_NAME &&
-                !ALLOWED_PROVIDER_NAMES.includes(this.mechanismProperties.PROVIDER_NAME)) {
-                throw new error_1.MongoInvalidArgumentError(`Currently only a PROVIDER_NAME in ${ALLOWED_PROVIDER_NAMES.join(',')} is supported for mechanism '${this.mechanism}'.`);
+            if ((this.mechanismProperties.ENVIRONMENT === 'azure' ||
+                this.mechanismProperties.ENVIRONMENT === 'gcp') &&
+                !this.mechanismProperties.TOKEN_RESOURCE) {
+                throw new error_1.MongoInvalidArgumentError(TOKEN_RESOURCE_MISSING_ERROR);
             }
-            if (this.mechanismProperties.REFRESH_TOKEN_CALLBACK &&
-                !this.mechanismProperties.REQUEST_TOKEN_CALLBACK) {
-                throw new error_1.MongoInvalidArgumentError(`A REQUEST_TOKEN_CALLBACK must be provided when using a REFRESH_TOKEN_CALLBACK for mechanism '${this.mechanism}'`);
+            if (this.mechanismProperties.ENVIRONMENT &&
+                !ALLOWED_ENVIRONMENT_NAMES.includes(this.mechanismProperties.ENVIRONMENT)) {
+                throw new error_1.MongoInvalidArgumentError(`Currently only a ENVIRONMENT in ${ALLOWED_ENVIRONMENT_NAMES.join(',')} is supported for mechanism '${this.mechanism}'.`);
             }
-            if (!this.mechanismProperties.PROVIDER_NAME &&
-                !this.mechanismProperties.REQUEST_TOKEN_CALLBACK) {
-                throw new error_1.MongoInvalidArgumentError(`Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`);
+            if (!this.mechanismProperties.ENVIRONMENT &&
+                !this.mechanismProperties.OIDC_CALLBACK &&
+                !this.mechanismProperties.OIDC_HUMAN_CALLBACK) {
+                throw new error_1.MongoInvalidArgumentError(`Either a ENVIRONMENT, OIDC_CALLBACK, or OIDC_HUMAN_CALLBACK must be specified for mechanism '${this.mechanism}'.`);
             }
             if (this.mechanismProperties.ALLOWED_HOSTS) {
                 const hosts = this.mechanismProperties.ALLOWED_HOSTS;

package/lib/cmap/auth/mongo_credentials.js.map

@@ -1 +1 @@
-{"version":3,"file":"mongo_credentials.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongo_credentials.ts"],"names":[],"mappings":";;;AAGA,uCAKqB;AACrB,qCAAuD;AAEvD,2CAA0E;AAE1E,6EAA6E;AAC7E,SAAS,uBAAuB,CAAC,KAAsB;IACrD,IAAI,KAAK,EAAE;QACT,0DAA0D;QAC1D,uCAAuC;QACvC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE;YAC3C,OAAO,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,yBAAa,CAAC,oBAAoB,CAAC;gBAC1E,CAAC,CAAC,yBAAa,CAAC,oBAAoB;gBACpC,CAAC,CAAC,yBAAa,CAAC,kBAAkB,CAAC;SACtC;QAED,6EAA6E;QAC7E,IAAI,KAAK,CAAC,cAAc,IAAI,CAAC,EAAE;YAC7B,OAAO,yBAAa,CAAC,kBAAkB,CAAC;SACzC;KACF;IAED,+BAA+B;IAC/B,OAAO,yBAAa,CAAC,UAAU,CAAC;AAClC,CAAC;AAED,MAAM,sBAAsB,GAA+C,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;AAC5F,MAAM,mBAAmB,GAAG,oEAAoE,CAAC;AAEjG,gBAAgB;AACH,QAAA,qBAAqB,GAAG;IACnC,eAAe;IACf,mBAAmB;IACnB,kBAAkB;IAClB,WAAW;IACX,WAAW;IACX,KAAK;CACN,CAAC;AAEF,uEAAuE;AACvE,MAAM,4BAA4B,GAChC,0FAA0F,CAAC;AA+B7F;;;GAGG;AACH,MAAa,gBAAgB;IAY3B,YAAY,OAAgC;QAC1C,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,EAAE;YAC9B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;SAC1B;QACD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,yBAAa,CAAC,eAAe,CAAC;QACpE,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,EAAE,CAAC;QAE7D,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE;YACxC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE;gBACnD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;aAC/C;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE;gBACvD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;aACnD;YAED,IACE,IAAI,CAAC,mBAAmB,CAAC,iBAAiB,IAAI,IAAI;gBAClD,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,EACrC;gBACA,IAAI,CAAC,mBAAmB,GAAG;oBACzB,GAAG,IAAI,CAAC,mBAAmB;oBAC3B,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;iBACjD,CAAC;aACH;SACF;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;YAC5F,IAAI,CAAC,mBAAmB,GAAG;gBACzB,GAAG,IAAI,CAAC,mBAAmB;gBAC3B,aAAa,EAAE,6BAAqB;aACrC,CAAC;SACH;QAED,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IAED,gEAAgE;IAChE,MAAM,CAAC,KAAuB;QAC5B,OAAO,CACL,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS;YAClC,IAAI,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ;YAChC,IAAI,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ;YAChC,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,CAC7B,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,oBAAoB,CAAC,KAAsB;QACzC,0EAA0E;QAC1E,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE;YACpC,OAAO,IAAI,gBAAgB,CAAC;gBAC1B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,SAAS,EAAE,uBAAuB,CAAC,KAAK,CAAC;gBACzC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;aAC9C,CAAC,CAAC;SACJ;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ;QACN,IACE,CAAC,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,cAAc;YAC9C,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,UAAU;YAC3C,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,aAAa;YAC9C,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,kBAAkB;YACnD,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,oBAAoB,CAAC;YACxD,CAAC,IAAI,CAAC,QAAQ,EACd;YACA,MAAM,IAAI,oCAA4B,CAAC,oCAAoC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;SAC/F;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,YAAY,EAAE;YACjD,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;gBAC3D,MAAM,IAAI,iCAAyB,CACjC,sEAAsE,IAAI,CAAC,SAAS,IAAI,CACzF,CAAC;aACH;YAED,IACE,IAAI,CAAC,mBAAmB,CAAC,aAAa,KAAK,OAAO;gBAClD,CAAC,IAAI,CAAC,mBAAmB,CAAC,cAAc,EACxC;gBACA,MAAM,IAAI,uBAAe,CAAC,4BAA4B,CAAC,CAAC;aACzD;YAED,IACE,IAAI,CAAC,mBAAmB,CAAC,aAAa;gBACtC,CAAC,sBAAsB,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,EACxE;gBACA,MAAM,IAAI,iCAAyB,CACjC,qCAAqC,sBAAsB,CAAC,IAAI,CAC9D,GAAG,CACJ,gCAAgC,IAAI,CAAC,SAAS,IAAI,CACpD,CAAC;aACH;YAED,IACE,IAAI,CAAC,mBAAmB,CAAC,sBAAsB;gBAC/C,CAAC,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,EAChD;gBACA,MAAM,IAAI,iCAAyB,CACjC,gGAAgG,IAAI,CAAC,SAAS,GAAG,CAClH,CAAC;aACH;YAED,IACE,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa;gBACvC,CAAC,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,EAChD;gBACA,MAAM,IAAI,iCAAyB,CACjC,uFAAuF,IAAI,CAAC,SAAS,IAAI,CAC1G,CAAC;aACH;YAED,IAAI,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;gBAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC;gBACrD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;oBACzB,MAAM,IAAI,iCAAyB,CAAC,mBAAmB,CAAC,CAAC;iBAC1D;gBACD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;oBACxB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;wBAC5B,MAAM,IAAI,iCAAyB,CAAC,mBAAmB,CAAC,CAAC;qBAC1D;iBACF;aACF;SACF;QAED,IAAI,wCAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;YACpD,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE;gBACtD,gEAAgE;gBAChE,MAAM,IAAI,qBAAa,CACrB,mBAAmB,IAAI,CAAC,MAAM,oBAAoB,IAAI,CAAC,SAAS,cAAc,CAC/E,CAAC;aACH;SACF;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,EAAE;YACzE,gEAAgE;YAChE,MAAM,IAAI,qBAAa,CAAC,qDAAqD,CAAC,CAAC;SAChF;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,YAAY,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,EAAE;YAC1E,IAAI,IAAI,CAAC,QAAQ,KAAK,EAAE,EAAE;gBACxB,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;gBACzC,OAAO;aACR;YACD,gEAAgE;YAChE,MAAM,IAAI,qBAAa,CAAC,iDAAiD,CAAC,CAAC;SAC5E;QAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,IAAI,KAAK,CAAC;QAClF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAA2B,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;YAC1E,MAAM,IAAI,qBAAa,CAAC,yCAAyC,gBAAgB,EAAE,CAAC,CAAC;SACtF;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CACV,KAAmC,EACnC,OAAyC;QAEzC,OAAO,IAAI,gBAAgB,CAAC;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,KAAK,EAAE,QAAQ,IAAI,EAAE;YACnD,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,KAAK,EAAE,QAAQ,IAAI,EAAE;YACnD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,KAAK,EAAE,SAAS,IAAI,yBAAa,CAAC,eAAe;YACjF,mBAAmB,EAAE,OAAO,CAAC,mBAAmB,IAAI,KAAK,EAAE,mBAAmB,IAAI,EAAE;YACpF,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,IAAI,KAAK,EAAE,MAAM,IAAI,OAAO;SACjE,CAAC,CAAC;IACL,CAAC;CACF;AAjMD,4CAiMC"}
+{"version":3,"file":"mongo_credentials.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongo_credentials.ts"],"names":[],"mappings":";;;AAGA,uCAIqB;AACrB,qCAAuD;AAEvD,2CAA0E;AAE1E,6EAA6E;AAC7E,SAAS,uBAAuB,CAAC,KAAsB;IACrD,IAAI,KAAK,EAAE;QACT,0DAA0D;QAC1D,uCAAuC;QACvC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE;YAC3C,OAAO,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,yBAAa,CAAC,oBAAoB,CAAC;gBAC1E,CAAC,CAAC,yBAAa,CAAC,oBAAoB;gBACpC,CAAC,CAAC,yBAAa,CAAC,kBAAkB,CAAC;SACtC;QAED,6EAA6E;QAC7E,IAAI,KAAK,CAAC,cAAc,IAAI,CAAC,EAAE;YAC7B,OAAO,yBAAa,CAAC,kBAAkB,CAAC;SACzC;KACF;IAED,+BAA+B;IAC/B,OAAO,yBAAa,CAAC,UAAU,CAAC;AAClC,CAAC;AAED,MAAM,yBAAyB,GAA6C;IAC1E,MAAM;IACN,OAAO;IACP,KAAK;CACN,CAAC;AACF,MAAM,mBAAmB,GAAG,oEAAoE,CAAC;AAEjG,gBAAgB;AACH,QAAA,qBAAqB,GAAG;IACnC,eAAe;IACf,kBAAkB;IAClB,mBAAmB;IACnB,kBAAkB;IAClB,WAAW;IACX,WAAW;IACX,KAAK;CACN,CAAC;AAEF,uEAAuE;AACvE,MAAM,4BAA4B,GAChC,+FAA+F,CAAC;AA+BlG;;;GAGG;AACH,MAAa,gBAAgB;IAY3B,YAAY,OAAgC;QAC1C,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,EAAE;YAC9B,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,EAAE,CAAC;SAC1B;QACD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,yBAAa,CAAC,eAAe,CAAC;QACpE,IAAI,CAAC,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,IAAI,EAAE,CAAC;QAE7D,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE;YACxC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE;gBACnD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;aAC/C;YAED,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE;gBACvD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC;aACnD;YAED,IACE,IAAI,CAAC,mBAAmB,CAAC,iBAAiB,IAAI,IAAI;gBAClD,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,IAAI,EACrC;gBACA,IAAI,CAAC,mBAAmB,GAAG;oBACzB,GAAG,IAAI,CAAC,mBAAmB;oBAC3B,iBAAiB,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;iBACjD,CAAC;aACH;SACF;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;YAC5F,IAAI,CAAC,mBAAmB,GAAG;gBACzB,GAAG,IAAI,CAAC,mBAAmB;gBAC3B,aAAa,EAAE,6BAAqB;aACrC,CAAC;SACH;QAED,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACxC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACtB,CAAC;IAED,gEAAgE;IAChE,MAAM,CAAC,KAAuB;QAC5B,OAAO,CACL,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS;YAClC,IAAI,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ;YAChC,IAAI,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ;YAChC,IAAI,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,CAC7B,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,oBAAoB,CAAC,KAAsB;QACzC,0EAA0E;QAC1E,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE;YACpC,OAAO,IAAI,gBAAgB,CAAC;gBAC1B,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,SAAS,EAAE,uBAAuB,CAAC,KAAK,CAAC;gBACzC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;aAC9C,CAAC,CAAC;SACJ;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ;QACN,IACE,CAAC,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,cAAc;YAC9C,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,UAAU;YAC3C,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,aAAa;YAC9C,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,kBAAkB;YACnD,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,oBAAoB,CAAC;YACxD,CAAC,IAAI,CAAC,QAAQ,EACd;YACA,MAAM,IAAI,oCAA4B,CAAC,oCAAoC,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;SAC/F;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,YAAY,EAAE;YACjD,IACE,IAAI,CAAC,QAAQ;gBACb,IAAI,CAAC,mBAAmB,CAAC,WAAW;gBACpC,IAAI,CAAC,mBAAmB,CAAC,WAAW,KAAK,OAAO,EAChD;gBACA,MAAM,IAAI,iCAAyB,CACjC,6BAA6B,IAAI,CAAC,mBAAmB,CAAC,WAAW,6CAA6C,IAAI,CAAC,SAAS,IAAI,CACjI,CAAC;aACH;YAED,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,EAAE;gBAClC,MAAM,IAAI,iCAAyB,CACjC,0CAA0C,IAAI,CAAC,mBAAmB,CAAC,WAAW,UAAU,IAAI,CAAC,SAAS,IAAI,CAC3G,CAAC;aACH;YAED,IACE,CAAC,IAAI,CAAC,mBAAmB,CAAC,WAAW,KAAK,OAAO;gBAC/C,IAAI,CAAC,mBAAmB,CAAC,WAAW,KAAK,KAAK,CAAC;gBACjD,CAAC,IAAI,CAAC,mBAAmB,CAAC,cAAc,EACxC;gBACA,MAAM,IAAI,iCAAyB,CAAC,4BAA4B,CAAC,CAAC;aACnE;YAED,IACE,IAAI,CAAC,mBAAmB,CAAC,WAAW;gBACpC,CAAC,yBAAyB,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,EACzE;gBACA,MAAM,IAAI,iCAAyB,CACjC,mCAAmC,yBAAyB,CAAC,IAAI,CAC/D,GAAG,CACJ,gCAAgC,IAAI,CAAC,SAAS,IAAI,CACpD,CAAC;aACH;YAED,IACE,CAAC,IAAI,CAAC,mBAAmB,CAAC,WAAW;gBACrC,CAAC,IAAI,CAAC,mBAAmB,CAAC,aAAa;gBACvC,CAAC,IAAI,CAAC,mBAAmB,CAAC,mBAAmB,EAC7C;gBACA,MAAM,IAAI,iCAAyB,CACjC,gGAAgG,IAAI,CAAC,SAAS,IAAI,CACnH,CAAC;aACH;YAED,IAAI,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE;gBAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC;gBACrD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;oBACzB,MAAM,IAAI,iCAAyB,CAAC,mBAAmB,CAAC,CAAC;iBAC1D;gBACD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE;oBACxB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;wBAC5B,MAAM,IAAI,iCAAyB,CAAC,mBAAmB,CAAC,CAAC;qBAC1D;iBACF;aACF;SACF;QAED,IAAI,wCAA4B,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;YACpD,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,WAAW,EAAE;gBACtD,gEAAgE;gBAChE,MAAM,IAAI,qBAAa,CACrB,mBAAmB,IAAI,CAAC,MAAM,oBAAoB,IAAI,CAAC,SAAS,cAAc,CAC/E,CAAC;aACH;SACF;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,aAAa,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,EAAE;YACzE,gEAAgE;YAChE,MAAM,IAAI,qBAAa,CAAC,qDAAqD,CAAC,CAAC;SAChF;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,yBAAa,CAAC,YAAY,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,EAAE;YAC1E,IAAI,IAAI,CAAC,QAAQ,KAAK,EAAE,EAAE;gBACxB,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;gBACzC,OAAO;aACR;YACD,gEAAgE;YAChE,MAAM,IAAI,qBAAa,CAAC,iDAAiD,CAAC,CAAC;SAC5E;QAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,mBAAmB,CAAC,sBAAsB,IAAI,KAAK,CAAC;QAClF,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,oCAA2B,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE;YAC1E,MAAM,IAAI,qBAAa,CAAC,yCAAyC,gBAAgB,EAAE,CAAC,CAAC;SACtF;IACH,CAAC;IAED,MAAM,CAAC,KAAK,CACV,KAAmC,EACnC,OAAyC;QAEzC,OAAO,IAAI,gBAAgB,CAAC;YAC1B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,KAAK,EAAE,QAAQ,IAAI,EAAE;YACnD,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,KAAK,EAAE,QAAQ,IAAI,EAAE;YACnD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,KAAK,EAAE,SAAS,IAAI,yBAAa,CAAC,eAAe;YACjF,mBAAmB,EAAE,OAAO,CAAC,mBAAmB,IAAI,KAAK,EAAE,mBAAmB,IAAI,EAAE;YACpF,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,EAAE,IAAI,KAAK,EAAE,MAAM,IAAI,OAAO;SACjE,CAAC,CAAC;IACL,CAAC;CACF;AApMD,4CAoMC"}

package/lib/cmap/auth/mongodb_oidc/automated_callback_workflow.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AutomatedCallbackWorkflow = void 0;
+const error_1 = require("../../../error");
+const timeout_1 = require("../../../timeout");
+const mongodb_oidc_1 = require("../mongodb_oidc");
+const callback_workflow_1 = require("./callback_workflow");
+/**
+ * Class implementing behaviour for the non human callback workflow.
+ * @internal
+ */
+class AutomatedCallbackWorkflow extends callback_workflow_1.CallbackWorkflow {
+    /**
+     * Instantiate the human callback workflow.
+     */
+    constructor(cache, callback) {
+        super(cache, callback);
+    }
+    /**
+     * Execute the OIDC callback workflow.
+     */
+    async execute(connection, credentials) {
+        // If there is a cached access token, try to authenticate with it. If
+        // authentication fails with an Authentication error (18),
+        // invalidate the access token, fetch a new access token, and try
+        // to authenticate again.
+        // If the server fails for any other reason, do not clear the cache.
+        if (this.cache.hasAccessToken) {
+            const token = this.cache.getAccessToken();
+            try {
+                return await this.finishAuthentication(connection, credentials, token);
+            }
+            catch (error) {
+                if (error instanceof error_1.MongoError &&
+                    error.code === error_1.MONGODB_ERROR_CODES.AuthenticationFailed) {
+                    this.cache.removeAccessToken();
+                    return await this.execute(connection, credentials);
+                }
+                else {
+                    throw error;
+                }
+            }
+        }
+        const response = await this.fetchAccessToken(credentials);
+        this.cache.put(response);
+        connection.accessToken = response.accessToken;
+        await this.finishAuthentication(connection, credentials, response.accessToken);
+    }
+    /**
+     * Fetches the access token using the callback.
+     */
+    async fetchAccessToken(credentials) {
+        const controller = new AbortController();
+        const params = {
+            timeoutContext: controller.signal,
+            version: mongodb_oidc_1.OIDC_VERSION
+        };
+        if (credentials.username) {
+            params.username = credentials.username;
+        }
+        const timeout = timeout_1.Timeout.expires(callback_workflow_1.AUTOMATED_TIMEOUT_MS);
+        try {
+            return await Promise.race([this.executeAndValidateCallback(params), timeout]);
+        }
+        catch (error) {
+            if (timeout_1.TimeoutError.is(error)) {
+                controller.abort();
+                throw new error_1.MongoOIDCError(`OIDC callback timed out after ${callback_workflow_1.AUTOMATED_TIMEOUT_MS}ms.`);
+            }
+            throw error;
+        }
+        finally {
+            timeout.clear();
+        }
+    }
+}
+exports.AutomatedCallbackWorkflow = AutomatedCallbackWorkflow;
+//# sourceMappingURL=automated_callback_workflow.js.map

package/lib/cmap/auth/mongodb_oidc/automated_callback_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"automated_callback_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/automated_callback_workflow.ts"],"names":[],"mappings":";;;AAAA,0CAAiF;AACjF,8CAAyD;AAGzD,kDAKyB;AACzB,2DAA6E;AAG7E;;;GAGG;AACH,MAAa,yBAA0B,SAAQ,oCAAgB;IAC7D;;OAEG;IACH,YAAY,KAAiB,EAAE,QAA8B;QAC3D,KAAK,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,UAAsB,EAAE,WAA6B;QACjE,qEAAqE;QACrE,0DAA0D;QAC1D,iEAAiE;QACjE,yBAAyB;QACzB,oEAAoE;QACpE,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE;YAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1C,IAAI;gBACF,OAAO,MAAM,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,WAAW,EAAE,KAAK,CAAC,CAAC;aACxE;YAAC,OAAO,KAAK,EAAE;gBACd,IACE,KAAK,YAAY,kBAAU;oBAC3B,KAAK,CAAC,IAAI,KAAK,2BAAmB,CAAC,oBAAoB,EACvD;oBACA,IAAI,CAAC,KAAK,CAAC,iBAAiB,EAAE,CAAC;oBAC/B,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;iBACpD;qBAAM;oBACL,MAAM,KAAK,CAAC;iBACb;aACF;SACF;QACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAC1D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACzB,UAAU,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;QAC9C,MAAM,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,WAAW,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjF,CAAC;IAED;;OAEG;IACO,KAAK,CAAC,gBAAgB,CAAC,WAA6B;QAC5D,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,MAAM,GAAuB;YACjC,cAAc,EAAE,UAAU,CAAC,MAAM;YACjC,OAAO,EAAE,2BAAY;SACtB,CAAC;QACF,IAAI,WAAW,CAAC,QAAQ,EAAE;YACxB,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC;SACxC;QACD,MAAM,OAAO,GAAG,iBAAO,CAAC,OAAO,CAAC,wCAAoB,CAAC,CAAC;QACtD,IAAI;YACF,OAAO,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;SAC/E;QAAC,OAAO,KAAK,EAAE;YACd,IAAI,sBAAY,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE;gBAC1B,UAAU,CAAC,KAAK,EAAE,CAAC;gBACnB,MAAM,IAAI,sBAAc,CAAC,iCAAiC,wCAAoB,KAAK,CAAC,CAAC;aACtF;YACD,MAAM,KAAK,CAAC;SACb;gBAAS;YACR,OAAO,CAAC,KAAK,EAAE,CAAC;SACjB;IACH,CAAC;CACF;AAhED,8DAgEC"}

package/lib/cmap/auth/mongodb_oidc/azure_machine_workflow.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureMachineWorkflow = void 0;
+const azure_1 = require("../../../client-side-encryption/providers/azure");
+const error_1 = require("../../../error");
+const utils_1 = require("../../../utils");
+const machine_workflow_1 = require("./machine_workflow");
+/** Azure request headers. */
+const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
+/** Invalid endpoint result error. */
+const ENDPOINT_RESULT_ERROR = 'Azure endpoint did not return a value with only access_token and expires_in properties';
+/** Error for when the token audience is missing in the environment. */
+const TOKEN_RESOURCE_MISSING_ERROR = 'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure.';
+/**
+ * Device workflow implementation for Azure.
+ *
+ * @internal
+ */
+class AzureMachineWorkflow extends machine_workflow_1.MachineWorkflow {
+    /**
+     * Instantiate the machine workflow.
+     */
+    constructor(cache) {
+        super(cache);
+    }
+    /**
+     * Get the token from the environment.
+     */
+    async getToken(credentials) {
+        const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
+        const username = credentials?.username;
+        if (!tokenAudience) {
+            throw new error_1.MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
+        }
+        const response = await getAzureTokenData(tokenAudience, username);
+        if (!isEndpointResultValid(response)) {
+            throw new error_1.MongoAzureError(ENDPOINT_RESULT_ERROR);
+        }
+        return response;
+    }
+}
+exports.AzureMachineWorkflow = AzureMachineWorkflow;
+/**
+ * Hit the Azure endpoint to get the token data.
+ */
+async function getAzureTokenData(tokenAudience, username) {
+    const url = new URL(azure_1.AZURE_BASE_URL);
+    (0, azure_1.addAzureParams)(url, tokenAudience, username);
+    const response = await (0, utils_1.get)(url, {
+        headers: AZURE_HEADERS
+    });
+    if (response.status !== 200) {
+        throw new error_1.MongoAzureError(`Status code ${response.status} returned from the Azure endpoint. Response body: ${response.body}`);
+    }
+    const result = JSON.parse(response.body);
+    return {
+        access_token: result.access_token,
+        expires_in: Number(result.expires_in)
+    };
+}
+/**
+ * Determines if a result returned from the endpoint is valid.
+ * This means the result is not nullish, contains the access_token required field
+ * and the expires_in required field.
+ */
+function isEndpointResultValid(token) {
+    if (token == null || typeof token !== 'object')
+        return false;
+    return ('access_token' in token &&
+        typeof token.access_token === 'string' &&
+        'expires_in' in token &&
+        typeof token.expires_in === 'number');
+}
+//# sourceMappingURL=azure_machine_workflow.js.map

package/lib/cmap/auth/mongodb_oidc/azure_machine_workflow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure_machine_workflow.js","sourceRoot":"","sources":["../../../../src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts"],"names":[],"mappings":";;;AAAA,2EAAiG;AACjG,0CAAiD;AACjD,0CAAqC;AAErC,yDAAuE;AAGvE,6BAA6B;AAC7B,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAEtF,qCAAqC;AACrC,MAAM,qBAAqB,GACzB,wFAAwF,CAAC;AAE3F,uEAAuE;AACvE,MAAM,4BAA4B,GAChC,wFAAwF,CAAC;AAE3F;;;;GAIG;AACH,MAAa,oBAAqB,SAAQ,kCAAe;IACvD;;OAEG;IACH,YAAY,KAAiB;QAC3B,KAAK,CAAC,KAAK,CAAC,CAAC;IACf,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,WAA8B;QAC3C,MAAM,aAAa,GAAG,WAAW,EAAE,mBAAmB,CAAC,cAAc,CAAC;QACtE,MAAM,QAAQ,GAAG,WAAW,EAAE,QAAQ,CAAC;QACvC,IAAI,CAAC,aAAa,EAAE;YAClB,MAAM,IAAI,uBAAe,CAAC,4BAA4B,CAAC,CAAC;SACzD;QACD,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAClE,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,EAAE;YACpC,MAAM,IAAI,uBAAe,CAAC,qBAAqB,CAAC,CAAC;SAClD;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAvBD,oDAuBC;AAED;;GAEG;AACH,KAAK,UAAU,iBAAiB,CAAC,aAAqB,EAAE,QAAiB;IACvE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,sBAAc,CAAC,CAAC;IACpC,IAAA,sBAAc,EAAC,GAAG,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,MAAM,IAAA,WAAG,EAAC,GAAG,EAAE;QAC9B,OAAO,EAAE,aAAa;KACvB,CAAC,CAAC;IACH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;QAC3B,MAAM,IAAI,uBAAe,CACvB,eAAe,QAAQ,CAAC,MAAM,qDAAqD,QAAQ,CAAC,IAAI,EAAE,CACnG,CAAC;KACH;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO;QACL,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC;KACtC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAC5B,KAAc;IAEd,IAAI,KAAK,IAAI,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAC7D,OAAO,CACL,cAAc,IAAI,KAAK;QACvB,OAAO,KAAK,CAAC,YAAY,KAAK,QAAQ;QACtC,YAAY,IAAI,KAAK;QACrB,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,CACrC,CAAC;AACJ,CAAC"}

package/lib/cmap/auth/mongodb_oidc/callback_workflow.js

@@ -1,179 +1,133 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CallbackWorkflow = void 0;
-const bson_1 = require("bson");
+exports.CallbackWorkflow = exports.AUTOMATED_TIMEOUT_MS = exports.HUMAN_TIMEOUT_MS = void 0;
+const promises_1 = require("timers/promises");
 const error_1 = require("../../../error");
 const utils_1 = require("../../../utils");
-const providers_1 = require("../providers");
-const callback_lock_cache_1 = require("./callback_lock_cache");
-const token_entry_cache_1 = require("./token_entry_cache");
-/** The current version of OIDC implementation. */
-const OIDC_VERSION = 0;
-/** 5 minutes in seconds */
-const TIMEOUT_S = 300;
+const command_builders_1 = require("./command_builders");
+/** 5 minutes in milliseconds */
+exports.HUMAN_TIMEOUT_MS = 300000;
+/** 1 minute in milliseconds */
+exports.AUTOMATED_TIMEOUT_MS = 60000;
 /** Properties allowed on results of callbacks. */
 const RESULT_PROPERTIES = ['accessToken', 'expiresInSeconds', 'refreshToken'];
 /** Error message when the callback result is invalid. */
 const CALLBACK_RESULT_ERROR = 'User provided OIDC callbacks must return a valid object with an accessToken.';
+/** The time to throttle callback calls. */
+const THROTTLE_MS = 100;
 /**
  * OIDC implementation of a callback based workflow.
  * @internal
  */
 class CallbackWorkflow {
     /**
-     * Instantiate the workflow
+     * Instantiate the callback workflow.
      */
-    constructor() {
-        this.cache = new token_entry_cache_1.TokenEntryCache();
-        this.callbackCache = new callback_lock_cache_1.CallbackLockCache();
+    constructor(cache, callback) {
+        this.cache = cache;
+        this.callback = this.withLock(callback);
+        this.lastExecutionTime = Date.now() - THROTTLE_MS;
     }
     /**
      * Get the document to add for speculative authentication. This also needs
      * to add a db field from the credentials source.
      */
-    async speculativeAuth(credentials) {
-        const document = startCommandDocument(credentials);
-        document.db = credentials.source;
-        return { speculativeAuthenticate: document };
+    async speculativeAuth(connection, credentials) {
+        // Check if the Client Cache has an access token.
+        // If it does, cache the access token in the Connection Cache and send a JwtStepRequest
+        // with the cached access token in the speculative authentication SASL payload.
+        if (this.cache.hasAccessToken) {
+            const accessToken = this.cache.getAccessToken();
+            connection.accessToken = accessToken;
+            const document = (0, command_builders_1.finishCommandDocument)(accessToken);
+            document.db = credentials.source;
+            return { speculativeAuthenticate: document };
+        }
+        return {};
     }
     /**
-     * Execute the OIDC callback workflow.
+     * Reauthenticate the callback workflow. For this we invalidated the access token
+     * in the cache and run the authentication steps again. No initial handshake needs
+     * to be sent.
      */
-    async execute(connection, credentials, reauthenticating, response) {
-        // Get the callbacks with locks from the callback lock cache.
-        const { requestCallback, refreshCallback, callbackHash } = this.callbackCache.getEntry(connection, credentials);
-        // Look for an existing entry in the cache.
-        const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash);
-        let result;
-        if (entry) {
-            // Reauthentication cannot use a token from the cache since the server has
-            // stated it is invalid by the request for reauthentication.
-            if (entry.isValid() && !reauthenticating) {
-                // Presence of a valid cache entry means we can skip to the finishing step.
-                result = await this.finishAuthentication(connection, credentials, entry.tokenResult, response?.speculativeAuthenticate?.conversationId);
+    async reauthenticate(connection, credentials) {
+        if (this.cache.hasAccessToken) {
+            // Reauthentication implies the token has expired.
+            if (connection.accessToken === this.cache.getAccessToken()) {
+                // If connection's access token is the same as the cache's, remove
+                // the token from the cache and connection.
+                this.cache.removeAccessToken();
+                delete connection.accessToken;
             }
             else {
-                // Presence of an expired cache entry means we must fetch a new one and
-                // then execute the final step.
-                const tokenResult = await this.fetchAccessToken(connection, credentials, entry.serverInfo, reauthenticating, callbackHash, requestCallback, refreshCallback);
-                try {
-                    result = await this.finishAuthentication(connection, credentials, tokenResult, reauthenticating ? undefined : response?.speculativeAuthenticate?.conversationId);
-                }
-                catch (error) {
-                    // If we are reauthenticating and this errors with reauthentication
-                    // required, we need to do the entire process over again and clear
-                    // the cache entry.
-                    if (reauthenticating &&
-                        error instanceof error_1.MongoError &&
-                        error.code === error_1.MONGODB_ERROR_CODES.Reauthenticate) {
-                        this.cache.deleteEntry(connection.address, credentials.username, callbackHash);
-                        result = await this.execute(connection, credentials, reauthenticating);
-                    }
-                    else {
-                        throw error;
-                    }
-                }
+                // If the connection's access token is different from the cache's, set
+                // the cache's token on the connection and do not remove from the
+                // cache.
+                connection.accessToken = this.cache.getAccessToken();
             }
         }
-        else {
-            // No entry in the cache requires us to do all authentication steps
-            // from start to finish, including getting a fresh token for the cache.
-            const startDocument = await this.startAuthentication(connection, credentials, reauthenticating, response);
-            const conversationId = startDocument.conversationId;
-            const serverResult = bson_1.BSON.deserialize(startDocument.payload.buffer);
-            const tokenResult = await this.fetchAccessToken(connection, credentials, serverResult, reauthenticating, callbackHash, requestCallback, refreshCallback);
-            result = await this.finishAuthentication(connection, credentials, tokenResult, conversationId);
-        }
-        return result;
+        await this.execute(connection, credentials);
     }
     /**
      * Starts the callback authentication process. If there is a speculative
      * authentication document from the initial handshake, then we will use that
      * value to get the issuer, otherwise we will send the saslStart command.
      */
-    async startAuthentication(connection, credentials, reauthenticating, response) {
+    async startAuthentication(connection, credentials, response) {
         let result;
-        if (!reauthenticating && response?.speculativeAuthenticate) {
+        if (response?.speculativeAuthenticate) {
             result = response.speculativeAuthenticate;
         }
         else {
-            result = await connection.command((0, utils_1.ns)(credentials.source), startCommandDocument(credentials), undefined);
+            result = await connection.command((0, utils_1.ns)(credentials.source), (0, command_builders_1.startCommandDocument)(credentials), undefined);
         }
         return result;
     }
     /**
      * Finishes the callback authentication process.
      */
-    async finishAuthentication(connection, credentials, tokenResult, conversationId) {
-        const result = await connection.command((0, utils_1.ns)(credentials.source), finishCommandDocument(tokenResult.accessToken, conversationId), undefined);
-        return result;
+    async finishAuthentication(connection, credentials, token, conversationId) {
+        await connection.command((0, utils_1.ns)(credentials.source), (0, command_builders_1.finishCommandDocument)(token, conversationId), undefined);
     }
     /**
-     * Fetches an access token using either the request or refresh callbacks and
-     * puts it in the cache.
+     * Executes the callback and validates the output.
      */
-    async fetchAccessToken(connection, credentials, serverInfo, reauthenticating, callbackHash, requestCallback, refreshCallback) {
-        // Get the token from the cache.
-        const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash);
-        let result;
-        const context = { timeoutSeconds: TIMEOUT_S, version: OIDC_VERSION };
-        // Check if there's a token in the cache.
-        if (entry) {
-            // If the cache entry is valid, return the token result.
-            if (entry.isValid() && !reauthenticating) {
-                return entry.tokenResult;
-            }
-            // If the cache entry is not valid, remove it from the cache and first attempt
-            // to use the refresh callback to get a new token. If no refresh callback
-            // exists, then fallback to the request callback.
-            if (refreshCallback) {
-                context.refreshToken = entry.tokenResult.refreshToken;
-                result = await refreshCallback(serverInfo, context);
-            }
-            else {
-                result = await requestCallback(serverInfo, context);
-            }
-        }
-        else {
-            // With no token in the cache we use the request callback.
-            result = await requestCallback(serverInfo, context);
-        }
+    async executeAndValidateCallback(params) {
+        const result = await this.callback(params);
         // Validate that the result returned by the callback is acceptable. If it is not
         // we must clear the token result from the cache.
         if (isCallbackResultInvalid(result)) {
-            this.cache.deleteEntry(connection.address, credentials.username, callbackHash);
             throw new error_1.MongoMissingCredentialsError(CALLBACK_RESULT_ERROR);
         }
-        // Cleanup the cache.
-        this.cache.deleteExpiredEntries();
-        // Put the new entry into the cache.
-        this.cache.addEntry(connection.address, credentials.username || '', callbackHash, result, serverInfo);
         return result;
     }
-}
-exports.CallbackWorkflow = CallbackWorkflow;
-/**
- * Generate the finishing command document for authentication. Will be a
- * saslStart or saslContinue depending on the presence of a conversation id.
- */
-function finishCommandDocument(token, conversationId) {
-    if (conversationId != null && typeof conversationId === 'number') {
-        return {
-            saslContinue: 1,
-            conversationId: conversationId,
-            payload: new bson_1.Binary(bson_1.BSON.serialize({ jwt: token }))
+    /**
+     * Ensure the callback is only executed one at a time and throttles the calls
+     * to every 100ms.
+     */
+    withLock(callback) {
+        let lock = Promise.resolve();
+        return async (params) => {
+            // We do this to ensure that we would never return the result of the
+            // previous lock, only the current callback's value would get returned.
+            await lock;
+            lock = lock
+                // eslint-disable-next-line github/no-then
+                .catch(() => null)
+                // eslint-disable-next-line github/no-then
+                .then(async () => {
+                const difference = Date.now() - this.lastExecutionTime;
+                if (difference <= THROTTLE_MS) {
+                    await (0, promises_1.setTimeout)(THROTTLE_MS - difference, { signal: params.timeoutContext });
+                }
+                this.lastExecutionTime = Date.now();
+                return await callback(params);
+            });
+            return await lock;
         };
     }
-    // saslContinue requires a conversationId in the command to be valid so in this
-    // case the server allows "step two" to actually be a saslStart with the token
-    // as the jwt since the use of the cached value has no correlating conversating
-    // on the particular connection.
-    return {
-        saslStart: 1,
-        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
-        payload: new bson_1.Binary(bson_1.BSON.serialize({ jwt: token }))
-    };
 }
+exports.CallbackWorkflow = CallbackWorkflow;
 /**
  * Determines if a result returned from a request or refresh callback
  * function is invalid. This means the result is nullish, doesn't contain
@@ -186,19 +140,4 @@ function isCallbackResultInvalid(tokenResult) {
         return true;
     return !Object.getOwnPropertyNames(tokenResult).every(prop => RESULT_PROPERTIES.includes(prop));
 }
-/**
- * Generate the saslStart command document.
- */
-function startCommandDocument(credentials) {
-    const payload = {};
-    if (credentials.username) {
-        payload.n = credentials.username;
-    }
-    return {
-        saslStart: 1,
-        autoAuthorize: 1,
-        mechanism: providers_1.AuthMechanism.MONGODB_OIDC,
-        payload: new bson_1.Binary(bson_1.BSON.serialize(payload))
-    };
-}
 //# sourceMappingURL=callback_workflow.js.map