mongodb 7.0.0-dev.20260109.sha.cc503cb9 → 7.0.0-dev.20260113.sha.0f46db8a

package/lib/cmap/auth/aws4.js

@@ -0,0 +1,161 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.aws4Sign = aws4Sign;
+const bson_1 = require("../../bson");
+/**
+ * Calculates the SHA-256 hash of a string.
+ *
+ * @param str - String to hash.
+ * @returns Hexadecimal representation of the hash.
+ */
+const getHexSha256 = async (str) => {
+    const data = stringToBuffer(str);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    const hashHex = bson_1.BSON.onDemand.ByteUtils.toHex(new Uint8Array(hashBuffer));
+    return hashHex;
+};
+/**
+ * Calculates the HMAC-SHA256 of a string using the provided key.
+ * @param key - Key to use for HMAC calculation. Can be a string or Uint8Array.
+ * @param str - String to calculate HMAC for.
+ * @returns Uint8Array containing the HMAC-SHA256 digest.
+ */
+const getHmacSha256 = async (key, str) => {
+    let keyData;
+    if (typeof key === 'string') {
+        keyData = stringToBuffer(key);
+    }
+    else {
+        keyData = key;
+    }
+    const importedKey = await crypto.subtle.importKey('raw', keyData, { name: 'HMAC', hash: { name: 'SHA-256' } }, false, ['sign']);
+    const strData = stringToBuffer(str);
+    const signature = await crypto.subtle.sign('HMAC', importedKey, strData);
+    const digest = new Uint8Array(signature);
+    return digest;
+};
+/**
+ * Converts header values according to AWS requirements,
+ * From https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html#create-canonical-request
+ * For values, you must:
+    - trim any leading or trailing spaces.
+    - convert sequential spaces to a single space.
+ * @param value - Header value to convert.
+ * @returns - Converted header value.
+ */
+const convertHeaderValue = (value) => {
+    return value.toString().trim().replace(/\s+/g, ' ');
+};
+/**
+ * Returns a Uint8Array representation of a string, encoded in UTF-8.
+ * @param str - String to convert.
+ * @returns Uint8Array containing the UTF-8 encoded string.
+ */
+function stringToBuffer(str) {
+    const data = new Uint8Array(bson_1.BSON.onDemand.ByteUtils.utf8ByteLength(str));
+    bson_1.BSON.onDemand.ByteUtils.encodeUTF8Into(data, str, 0);
+    return data;
+}
+/**
+ * This method implements AWS Signature 4 logic for a very specific request format.
+ * The signing logic is described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+ */
+async function aws4Sign(options, credentials) {
+    /**
+     * From the spec: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+     *
+     * Summary of signing steps
+     * 1. Create a canonical request
+     *    Arrange the contents of your request (host, action, headers, etc.) into a standard canonical format. The canonical request is one of the inputs used to create the string to sign.
+     * 2. Create a hash of the canonical request
+     *    Hash the canonical request using the same algorithm that you used to create the hash of the payload. The hash of the canonical request is a string of lowercase hexadecimal characters.
+     * 3. Create a string to sign
+     *    Create a string to sign with the canonical request and extra information such as the algorithm, request date, credential scope, and the hash of the canonical request.
+     * 4. Derive a signing key
+     *    Use the secret access key to derive the key used to sign the request.
+     * 5. Calculate the signature
+     *    Perform a keyed hash operation on the string to sign using the derived signing key as the hash key.
+     * 6. Add the signature to the request
+     *    Add the calculated signature to an HTTP header or to the query string of the request.
+     */
+    // 1: Create a canonical request
+    // Date – The date and time used to sign the request.
+    const date = options.date;
+    // RequestDateTime – The date and time used in the credential scope. This value is the current UTC time in ISO 8601 format (for example, 20130524T000000Z).
+    const requestDateTime = date.toISOString().replace(/[:-]|\.\d{3}/g, '');
+    // RequestDate – The date used in the credential scope. This value is the current UTC date in YYYYMMDD format (for example, 20130524).
+    const requestDate = requestDateTime.substring(0, 8);
+    // Method – The HTTP request method. For us, this is always 'POST'.
+    const method = options.method;
+    // CanonicalUri – The URI-encoded version of the absolute path component URI, starting with the / that follows the domain name and up to the end of the string
+    // For our requests, this is always '/'
+    const canonicalUri = options.path;
+    // CanonicalQueryString – The URI-encoded query string parameters. For our requests, there are no query string parameters, so this is always an empty string.
+    const canonicalQuerystring = '';
+    // CanonicalHeaders – A list of request headers with their values. Individual header name and value pairs are separated by the newline character ("\n").
+    // All of our known/expected headers are included here, there are no extra headers.
+    const headers = new Headers({
+        'content-length': convertHeaderValue(options.headers['Content-Length']),
+        'content-type': convertHeaderValue(options.headers['Content-Type']),
+        host: convertHeaderValue(options.host),
+        'x-amz-date': convertHeaderValue(requestDateTime),
+        'x-mongodb-gs2-cb-flag': convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag']),
+        'x-mongodb-server-nonce': convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])
+    });
+    // If session token is provided, include it in the headers
+    if ('sessionToken' in credentials && credentials.sessionToken) {
+        headers.append('x-amz-security-token', convertHeaderValue(credentials.sessionToken));
+    }
+    // Canonical headers are lowercased and sorted.
+    const canonicalHeaders = Array.from(headers.entries())
+        .map(([key, value]) => `${key.toLowerCase()}:${value}`)
+        .sort()
+        .join('\n');
+    const canonicalHeaderNames = Array.from(headers.keys()).map(header => header.toLowerCase());
+    // SignedHeaders – An alphabetically sorted, semicolon-separated list of lowercase request header names.
+    const signedHeaders = canonicalHeaderNames.sort().join(';');
+    // HashedPayload – A string created using the payload in the body of the HTTP request as input to a hash function. This string uses lowercase hexadecimal characters.
+    const hashedPayload = await getHexSha256(options.body);
+    // CanonicalRequest – A string that includes the above elements, separated by newline characters.
+    const canonicalRequest = [
+        method,
+        canonicalUri,
+        canonicalQuerystring,
+        canonicalHeaders + '\n',
+        signedHeaders,
+        hashedPayload
+    ].join('\n');
+    // 2. Create a hash of the canonical request
+    // HashedCanonicalRequest – A string created by using the canonical request as input to a hash function.
+    const hashedCanonicalRequest = await getHexSha256(canonicalRequest);
+    // 3. Create a string to sign
+    // Algorithm – The algorithm used to create the hash of the canonical request. For SigV4, use AWS4-HMAC-SHA256.
+    const algorithm = 'AWS4-HMAC-SHA256';
+    // CredentialScope – The credential scope, which restricts the resulting signature to the specified Region and service.
+    // Has the following format: YYYYMMDD/region/service/aws4_request.
+    const credentialScope = `${requestDate}/${options.region}/${options.service}/aws4_request`;
+    // StringToSign – A string that includes the above elements, separated by newline characters.
+    const stringToSign = [algorithm, requestDateTime, credentialScope, hashedCanonicalRequest].join('\n');
+    // 4. Derive a signing key
+    // To derive a signing key for SigV4, perform a succession of keyed hash operations (HMAC) on the request date, Region, and service, with your AWS secret access key as the key for the initial hashing operation.
+    const dateKey = await getHmacSha256('AWS4' + credentials.secretAccessKey, requestDate);
+    const dateRegionKey = await getHmacSha256(dateKey, options.region);
+    const dateRegionServiceKey = await getHmacSha256(dateRegionKey, options.service);
+    const signingKey = await getHmacSha256(dateRegionServiceKey, 'aws4_request');
+    // 5. Calculate the signature
+    const signatureBuffer = await getHmacSha256(signingKey, stringToSign);
+    const signature = bson_1.BSON.onDemand.ByteUtils.toHex(signatureBuffer);
+    // 6. Add the signature to the request
+    // Calculate the Authorization header
+    const authorizationHeader = [
+        'AWS4-HMAC-SHA256 Credential=' + credentials.accessKeyId + '/' + credentialScope,
+        'SignedHeaders=' + signedHeaders,
+        'Signature=' + signature
+    ].join(', ');
+    // Return the calculated headers
+    return {
+        Authorization: authorizationHeader,
+        'X-Amz-Date': requestDateTime
+    };
+}
+//# sourceMappingURL=aws4.js.map

package/lib/cmap/auth/aws4.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws4.js","sourceRoot":"","sources":["../../../src/cmap/auth/aws4.ts"],"names":[],"mappings":";;AA4FA,4BAkHC;AA9MD,qCAAkC;AAwBlC;;;;;GAKG;AACH,MAAM,YAAY,GAAG,KAAK,EAAE,GAAW,EAAmB,EAAE;IAC1D,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,WAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IAC1E,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,aAAa,GAAG,KAAK,EAAE,GAAwB,EAAE,GAAW,EAAuB,EAAE;IACzF,IAAI,OAAmB,CAAC;IACxB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,GAAG,CAAC;IAChB,CAAC;IAED,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAC3C,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;IACF,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IACzE,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,kBAAkB,GAAG,CAAC,KAAsB,EAAE,EAAE;IACpD,OAAO,KAAK,CAAC,QAAQ,EAAE,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AACtD,CAAC,CAAC;AAEF;;;;GAIG;AACH,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,WAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC;IACzE,WAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;IACrD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,QAAQ,CAC5B,OAAwB,EACxB,WAA2B;IAE3B;;;;;;;;;;;;;;;;OAgBG;IAEH,gCAAgC;IAEhC,qDAAqD;IACrD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,2JAA2J;IAC3J,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC;IACxE,sIAAsI;IACtI,MAAM,WAAW,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACpD,mEAAmE;IACnE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,8JAA8J;IAC9J,uCAAuC;IACvC,MAAM,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC;IAClC,6JAA6J;IAC7J,MAAM,oBAAoB,GAAG,EAAE,CAAC;IAEhC,wJAAwJ;IACxJ,mFAAmF;IACnF,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;QAC1B,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACvE,cAAc,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACnE,IAAI,EAAE,kBAAkB,CAAC,OAAO,CAAC,IAAI,CAAC;QACtC,YAAY,EAAE,kBAAkB,CAAC,eAAe,CAAC;QACjD,uBAAuB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;QACrF,wBAAwB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;KACxF,CAAC,CAAC;IACH,0DAA0D;IAC1D,IAAI,cAAc,IAAI,WAAW,IAAI,WAAW,CAAC,YAAY,EAAE,CAAC;QAC9D,OAAO,CAAC,MAAM,CAAC,sBAAsB,EAAE,kBAAkB,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC;IACvF,CAAC;IAED,+CAA+C;IAC/C,MAAM,gBAAgB,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;SACnD,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,IAAI,KAAK,EAAE,CAAC;SACtD,IAAI,EAAE;SACN,IAAI,CAAC,IAAI,CAAC,CAAC;IACd,MAAM,oBAAoB,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5F,wGAAwG;IACxG,MAAM,aAAa,GAAG,oBAAoB,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE5D,qKAAqK;IACrK,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAEvD,iGAAiG;IACjG,MAAM,gBAAgB,GAAG;QACvB,MAAM;QACN,YAAY;QACZ,oBAAoB;QACpB,gBAAgB,GAAG,IAAI;QACvB,aAAa;QACb,aAAa;KACd,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,4CAA4C;IAC5C,wGAAwG;IACxG,MAAM,sBAAsB,GAAG,MAAM,YAAY,CAAC,gBAAgB,CAAC,CAAC;IAEpE,6BAA6B;IAC7B,+GAA+G;IAC/G,MAAM,SAAS,GAAG,kBAAkB,CAAC;IACrC,uHAAuH;IACvH,kEAAkE;IAClE,MAAM,eAAe,GAAG,GAAG,WAAW,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,OAAO,eAAe,CAAC;IAC3F,6FAA6F;IAC7F,MAAM,YAAY,GAAG,CAAC,SAAS,EAAE,eAAe,EAAE,eAAe,EAAE,sBAAsB,CAAC,CAAC,IAAI,CAC7F,IAAI,CACL,CAAC;IAEF,0BAA0B;IAC1B,kNAAkN;IAClN,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,MAAM,GAAG,WAAW,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACvF,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IACnE,MAAM,oBAAoB,GAAG,MAAM,aAAa,CAAC,aAAa,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,oBAAoB,EAAE,cAAc,CAAC,CAAC;IAE7E,6BAA6B;IAC7B,MAAM,eAAe,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,WAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAEjE,sCAAsC;IACtC,qCAAqC;IACrC,MAAM,mBAAmB,GAAG;QAC1B,8BAA8B,GAAG,WAAW,CAAC,WAAW,GAAG,GAAG,GAAG,eAAe;QAChF,gBAAgB,GAAG,aAAa;QAChC,YAAY,GAAG,SAAS;KACzB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,gCAAgC;IAChC,OAAO;QACL,aAAa,EAAE,mBAAmB;QAClC,YAAY,EAAE,eAAe;KAC9B,CAAC;AACJ,CAAC"}

package/lib/cmap/auth/mongodb_aws.js

@@ -2,11 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.MongoDBAWS = void 0;
 const BSON = require("../../bson");
-const deps_1 = require("../../deps");
 const error_1 = require("../../error");
 const utils_1 = require("../../utils");
 const auth_provider_1 = require("./auth_provider");
 const aws_temporary_credentials_1 = require("./aws_temporary_credentials");
+const aws4_1 = require("./aws4");
 const mongo_credentials_1 = require("./mongo_credentials");
 const providers_1 = require("./providers");
 const ASCII_N = 110;
@@ -27,10 +27,6 @@ class MongoDBAWS extends auth_provider_1.AuthProvider {
         if (!authContext.credentials) {
             throw new error_1.MongoMissingCredentialsError('AuthContext must provide credentials.');
         }
-        if ('kModuleError' in deps_1.aws4) {
-            throw deps_1.aws4['kModuleError'];
-        }
-        const { sign } = deps_1.aws4;
         if ((0, utils_1.maxWireVersion)(connection) < 9) {
             throw new error_1.MongoCompatibilityError('MONGODB-AWS authentication requires MongoDB version 4.4 or later');
         }
@@ -40,12 +36,10 @@ class MongoDBAWS extends auth_provider_1.AuthProvider {
         const secretAccessKey = credentials.password;
         // Allow the user to specify an AWS session token for authentication with temporary credentials.
         const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
-        // If all three defined, include sessionToken, else include username and pass, else no credentials
-        const awsCredentials = accessKeyId && secretAccessKey && sessionToken
+        // If all three defined, include sessionToken, else only include username and pass
+        const awsCredentials = sessionToken
             ? { accessKeyId, secretAccessKey, sessionToken }
-            : accessKeyId && secretAccessKey
-                ? { accessKeyId, secretAccessKey }
-                : undefined;
+            : { accessKeyId, secretAccessKey };
         const db = credentials.source;
         const nonce = await (0, utils_1.randomBytes)(32);
         // All messages between MongoDB clients and servers are sent as BSON objects
@@ -74,7 +68,7 @@ class MongoDBAWS extends auth_provider_1.AuthProvider {
             throw new error_1.MongoRuntimeError(`Server returned an invalid host: "${host}"`);
         }
         const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-        const options = sign({
+        const headers = await (0, aws4_1.aws4Sign)({
             method: 'POST',
             host,
             region: deriveRegion(serverResponse.h),
@@ -86,11 +80,12 @@ class MongoDBAWS extends auth_provider_1.AuthProvider {
                 'X-MongoDB-GS2-CB-Flag': 'n'
             },
             path: '/',
-            body
+            body,
+            date: new Date()
         }, awsCredentials);
         const payload = {
-            a: options.headers.Authorization,
-            d: options.headers['X-Amz-Date']
+            a: headers.Authorization,
+            d: headers['X-Amz-Date']
         };
         if (sessionToken) {
             payload.t = sessionToken;

package/lib/cmap/auth/mongodb_aws.js.map

@@ -1 +1 @@
-{"version":3,"file":"mongodb_aws.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongodb_aws.ts"],"names":[],"mappings":";;;AACA,mCAAmC;AACnC,qCAAkC;AAClC,uCAIqB;AACrB,uCAAyE;AACzE,mDAAiE;AACjE,2EAIqC;AACrC,2DAAuD;AACvD,2CAA4C;AAE5C,MAAM,OAAO,GAAG,GAAG,CAAC;AACpB,MAAM,WAAW,GAAyB;IACxC,WAAW,EAAE,KAAK;IAClB,YAAY,EAAE,IAAI;IAClB,aAAa,EAAE,IAAI;IACnB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE,KAAK;CAClB,CAAC;AAQF,MAAa,UAAW,SAAQ,4BAAY;IAG1C,YAAY,kBAA0C;QACpD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,iBAAiB,GAAG,IAAI,oDAAwB,CAAC,kBAAkB,CAAC,CAAC;IAC5E,CAAC;IAEQ,KAAK,CAAC,IAAI,CAAC,WAAwB;QAC1C,MAAM,EAAE,UAAU,EAAE,GAAG,WAAW,CAAC;QACnC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;YAC7B,MAAM,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,cAAc,IAAI,WAAI,EAAE,CAAC;YAC3B,MAAM,WAAI,CAAC,cAAc,CAAC,CAAC;QAC7B,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,GAAG,WAAI,CAAC;QAEtB,IAAI,IAAA,sBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,+BAAuB,CAC/B,kEAAkE,CACnE,CAAC;QACJ,CAAC;QAED,WAAW,CAAC,WAAW,GAAG,MAAM,mBAAmB,CACjD,WAAW,CAAC,WAAW,EACvB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QAEF,MAAM,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;QAEpC,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,CAAC;QACzC,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC;QAC7C,gGAAgG;QAChG,MAAM,YAAY,GAAG,WAAW,CAAC,mBAAmB,CAAC,iBAAiB,CAAC;QAEvE,kGAAkG;QAClG,MAAM,cAAc,GAClB,WAAW,IAAI,eAAe,IAAI,YAAY;YAC5C,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE,YAAY,EAAE;YAChD,CAAC,CAAC,WAAW,IAAI,eAAe;gBAC9B,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE;gBAClC,CAAC,CAAC,SAAS,CAAC;QAElB,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC;QAC9B,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAW,EAAC,EAAE,CAAC,CAAC;QAEpC,4EAA4E;QAC5E,sDAAsD;QACtD,MAAM,SAAS,GAAG;YAChB,SAAS,EAAE,CAAC;YACZ,SAAS,EAAE,aAAa;YACxB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,WAAW,CAAC;SAC/D,CAAC;QAEF,MAAM,iBAAiB,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,GAAG,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAE3F,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAGpF,CAAC;QACF,MAAM,IAAI,GAAG,cAAc,CAAC,CAAC,CAAC;QAC9B,MAAM,WAAW,GAAG,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5C,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC9B,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,+BAA+B,WAAW,CAAC,MAAM,eAAe,CAAC,CAAC;QAChG,CAAC;QAED,IAAI,CAAC,iBAAS,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;YACxE,0FAA0F;YAC1F,2FAA2F;YAE3F,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,+CAA+C,CAAC,CAAC;QAC/E,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACtE,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,qCAAqC,IAAI,GAAG,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,IAAI,GAAG,6CAA6C,CAAC;QAC3D,MAAM,OAAO,GAAG,IAAI,CAClB;YACE,MAAM,EAAE,MAAM;YACd,IAAI;YACJ,MAAM,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC;YACtC,OAAO,EAAE,KAAK;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,gBAAgB,EAAE,IAAI,CAAC,MAAM;gBAC7B,wBAAwB,EAAE,iBAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACzD,uBAAuB,EAAE,GAAG;aAC7B;YACD,IAAI,EAAE,GAAG;YACT,IAAI;SACL,EACD,cAAc,CACf,CAAC;QAEF,MAAM,OAAO,GAA2B;YACtC,CAAC,EAAE,OAAO,CAAC,OAAO,CAAC,aAAa;YAChC,CAAC,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;SACjC,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC,GAAG,YAAY,CAAC;QAC3B,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,YAAY,EAAE,CAAC;YACf,cAAc,EAAE,iBAAiB,CAAC,cAAc;YAChD,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,WAAW,CAAC;SAC9C,CAAC;QAEF,MAAM,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,GAAG,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACtE,CAAC;CACF;AAtHD,gCAsHC;AAED,KAAK,UAAU,mBAAmB,CAChC,WAA6B,EAC7B,oBAA8C;IAE9C,SAAS,+BAA+B,CAAC,KAAyB;QAChE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;YACjD,MAAM,IAAI,oCAA4B,CAAC,oDAAoD,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO,IAAI,oCAAgB,CAAC;YAC1B,QAAQ,EAAE,KAAK,CAAC,WAAW;YAC3B,QAAQ,EAAE,KAAK,CAAC,eAAe;YAC/B,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,SAAS,EAAE,yBAAa,CAAC,WAAW;YACpC,mBAAmB,EAAE;gBACnB,iBAAiB,EAAE,KAAK,CAAC,KAAK;aAC/B;SACF,CAAC,CAAC;IACL,CAAC;IACD,MAAM,oBAAoB,GAAG,MAAM,oBAAoB,CAAC,cAAc,EAAE,CAAC;IAEzE,OAAO,+BAA+B,CAAC,oBAAoB,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC;QACnD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}
+{"version":3,"file":"mongodb_aws.js","sourceRoot":"","sources":["../../../src/cmap/auth/mongodb_aws.ts"],"names":[],"mappings":";;;AACA,mCAAmC;AACnC,uCAIqB;AACrB,uCAAyE;AACzE,mDAAiE;AACjE,2EAIqC;AACrC,iCAAkC;AAClC,2DAAuD;AACvD,2CAA4C;AAE5C,MAAM,OAAO,GAAG,GAAG,CAAC;AACpB,MAAM,WAAW,GAAyB;IACxC,WAAW,EAAE,KAAK;IAClB,YAAY,EAAE,IAAI;IAClB,aAAa,EAAE,IAAI;IACnB,cAAc,EAAE,KAAK;IACrB,UAAU,EAAE,KAAK;CAClB,CAAC;AAQF,MAAa,UAAW,SAAQ,4BAAY;IAG1C,YAAY,kBAA0C;QACpD,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,iBAAiB,GAAG,IAAI,oDAAwB,CAAC,kBAAkB,CAAC,CAAC;IAC5E,CAAC;IAEQ,KAAK,CAAC,IAAI,CAAC,WAAwB;QAC1C,MAAM,EAAE,UAAU,EAAE,GAAG,WAAW,CAAC;QACnC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;YAC7B,MAAM,IAAI,oCAA4B,CAAC,uCAAuC,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,IAAA,sBAAc,EAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,+BAAuB,CAC/B,kEAAkE,CACnE,CAAC;QACJ,CAAC;QAED,WAAW,CAAC,WAAW,GAAG,MAAM,mBAAmB,CACjD,WAAW,CAAC,WAAW,EACvB,IAAI,CAAC,iBAAiB,CACvB,CAAC;QAEF,MAAM,EAAE,WAAW,EAAE,GAAG,WAAW,CAAC;QAEpC,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,CAAC;QACzC,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC;QAC7C,gGAAgG;QAChG,MAAM,YAAY,GAAG,WAAW,CAAC,mBAAmB,CAAC,iBAAiB,CAAC;QAEvE,kFAAkF;QAClF,MAAM,cAAc,GAAG,YAAY;YACjC,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE,YAAY,EAAE;YAChD,CAAC,CAAC,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC;QAErC,MAAM,EAAE,GAAG,WAAW,CAAC,MAAM,CAAC;QAC9B,MAAM,KAAK,GAAG,MAAM,IAAA,mBAAW,EAAC,EAAE,CAAC,CAAC;QAEpC,4EAA4E;QAC5E,sDAAsD;QACtD,MAAM,SAAS,GAAG;YAChB,SAAS,EAAE,CAAC;YACZ,SAAS,EAAE,aAAa;YACxB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,WAAW,CAAC;SAC/D,CAAC;QAEF,MAAM,iBAAiB,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,GAAG,EAAE,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAE3F,MAAM,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,iBAAiB,CAAC,OAAO,CAAC,MAAM,EAAE,WAAW,CAGpF,CAAC;QACF,MAAM,IAAI,GAAG,cAAc,CAAC,CAAC,CAAC;QAC9B,MAAM,WAAW,GAAG,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5C,IAAI,WAAW,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC9B,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,+BAA+B,WAAW,CAAC,MAAM,eAAe,CAAC,CAAC;QAChG,CAAC;QAED,IAAI,CAAC,iBAAS,CAAC,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,EAAE,CAAC;YACxE,0FAA0F;YAC1F,2FAA2F;YAE3F,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,+CAA+C,CAAC,CAAC;QAC/E,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACtE,kBAAkB;YAClB,MAAM,IAAI,yBAAiB,CAAC,qCAAqC,IAAI,GAAG,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,IAAI,GAAG,6CAA6C,CAAC;QAC3D,MAAM,OAAO,GAAG,MAAM,IAAA,eAAQ,EAC5B;YACE,MAAM,EAAE,MAAM;YACd,IAAI;YACJ,MAAM,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC,CAAC;YACtC,OAAO,EAAE,KAAK;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,gBAAgB,EAAE,IAAI,CAAC,MAAM;gBAC7B,wBAAwB,EAAE,iBAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACzD,uBAAuB,EAAE,GAAG;aAC7B;YACD,IAAI,EAAE,GAAG;YACT,IAAI;YACJ,IAAI,EAAE,IAAI,IAAI,EAAE;SACjB,EACD,cAAc,CACf,CAAC;QAEF,MAAM,OAAO,GAA2B;YACtC,CAAC,EAAE,OAAO,CAAC,aAAa;YACxB,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC;SACzB,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,CAAC,CAAC,GAAG,YAAY,CAAC;QAC3B,CAAC;QAED,MAAM,YAAY,GAAG;YACnB,YAAY,EAAE,CAAC;YACf,cAAc,EAAE,iBAAiB,CAAC,cAAc;YAChD,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,WAAW,CAAC;SAC9C,CAAC;QAEF,MAAM,UAAU,CAAC,OAAO,CAAC,IAAA,UAAE,EAAC,GAAG,EAAE,OAAO,CAAC,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;IACtE,CAAC;CACF;AA/GD,gCA+GC;AAED,KAAK,UAAU,mBAAmB,CAChC,WAA6B,EAC7B,oBAA8C;IAE9C,SAAS,+BAA+B,CAAC,KAAyB;QAChE,6DAA6D;QAC7D,IAAI,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;YACjD,MAAM,IAAI,oCAA4B,CAAC,oDAAoD,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO,IAAI,oCAAgB,CAAC;YAC1B,QAAQ,EAAE,KAAK,CAAC,WAAW;YAC3B,QAAQ,EAAE,KAAK,CAAC,eAAe;YAC/B,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,SAAS,EAAE,yBAAa,CAAC,WAAW;YACpC,mBAAmB,EAAE;gBACnB,iBAAiB,EAAE,KAAK,CAAC,KAAK;aAC/B;SACF,CAAC,CAAC;IACL,CAAC;IACD,MAAM,oBAAoB,GAAG,MAAM,oBAAoB,CAAC,cAAc,EAAE,CAAC;IAEzE,OAAO,+BAA+B,CAAC,oBAAoB,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC;QACnD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/lib/deps.js

@@ -1,6 +1,5 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.aws4 = void 0;
 exports.getKerberos = getKerberos;
 exports.getZstdLibrary = getZstdLibrary;
 exports.getAwsCredentialProvider = getAwsCredentialProvider;
@@ -94,18 +93,6 @@ function getSocks() {
         return { kModuleError };
     }
 }
-exports.aws4 = loadAws4();
-function loadAws4() {
-    let aws4;
-    try {
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        aws4 = require('aws4');
-    }
-    catch (error) {
-        aws4 = makeErrorModule(new error_1.MongoMissingDependencyError('Optional module `aws4` not found. Please install it to enable AWS authentication', { cause: error, dependencyName: 'aws4' }));
-    }
-    return aws4;
-}
 /** A utility function to get the instance of mongodb-client-encryption, if it exists. */
 function getMongoDBClientEncryption() {
     let mongodbClientEncryption = null;

package/lib/deps.js.map

@@ -1 +1 @@
-{"version":3,"file":"deps.js","sourceRoot":"","sources":["../src/deps.ts"],"names":[],"mappings":";;;AAqBA,kCAeC;AA0BD,wCAeC;AAsBD,4DAiBC;AAOD,wCAeC;AAiBD,8BAaC;AAsBD,4BAaC;AA+DD,gEAoBC;AA7RD,mCAAsD;AAGtD,SAAS,eAAe,CAAC,KAAU;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnD,OAAO,IAAI,KAAK,CAAC,KAAK,EAAE;QACtB,GAAG,EAAE,CAAC,CAAM,EAAE,GAAQ,EAAE,EAAE;YACxB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;gBAC3B,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;QACD,GAAG,EAAE,GAAG,EAAE;YACR,MAAM,KAAK,CAAC;QACd,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAID,SAAgB,WAAW;IACzB,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,GAAG,eAAe,CACxB,IAAI,mCAA2B,CAC7B,2FAA2F,EAC3F,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAC7C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AA0BD,SAAgB,cAAc;IAC5B,IAAI,SAAuE,CAAC;IAC5E,IAAI,CAAC;QACH,iEAAiE;QACjE,SAAS,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,SAAS,GAAG,eAAe,CACzB,IAAI,mCAA2B,CAC7B,4FAA4F,EAC5F,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,CACzC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAsBD,SAAgB,wBAAwB;IAGtC,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,kBAAkB,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;QACpE,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,eAAe,CACpB,IAAI,mCAA2B,CAC7B,4DAA4D;YAC1D,4EAA4E,EAC9E,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,+BAA+B,EAAE,CAClE,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAOD,SAAgB,cAAc;IAC5B,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,kBAAkB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;QACnD,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,eAAe,CACpB,IAAI,mCAA2B,CAC7B,2CAA2C;YACzC,4EAA4E,EAC9E,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,CACjD,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAiBD,SAAgB,SAAS;IACvB,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,mCAA2B,CAClD,oFAAoF,EACpF,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,CAC3C,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAsBD,SAAgB,QAAQ;IACtB,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/B,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,mCAA2B,CAClD,yFAAyF,EACzF,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,CAC1C,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AA2CY,QAAA,IAAI,GAAyD,QAAQ,EAAE,CAAC;AAErF,SAAS,QAAQ;IACf,IAAI,IAA0D,CAAC;IAC/D,IAAI,CAAC;QACH,iEAAiE;QACjE,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,GAAG,eAAe,CACpB,IAAI,mCAA2B,CAC7B,kFAAkF,EAClF,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,CACzC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,yFAAyF;AACzF,SAAgB,0BAA0B;IAGxC,IAAI,uBAAuB,GAAG,IAAI,CAAC;IAEnC,IAAI,CAAC;QACH,yFAAyF;QACzF,kGAAkG;QAClG,4GAA4G;QAC5G,iEAAiE;QACjE,uBAAuB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,mCAA2B,CAClD,sHAAsH,EACtH,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,2BAA2B,EAAE,CAC9D,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC"}
+{"version":3,"file":"deps.js","sourceRoot":"","sources":["../src/deps.ts"],"names":[],"mappings":";;AAqBA,kCAeC;AA0BD,wCAeC;AAsBD,4DAiBC;AAOD,wCAeC;AAiBD,8BAaC;AAsBD,4BAaC;AAGD,gEAoBC;AAjOD,mCAAsD;AAGtD,SAAS,eAAe,CAAC,KAAU;IACjC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACnD,OAAO,IAAI,KAAK,CAAC,KAAK,EAAE;QACtB,GAAG,EAAE,CAAC,CAAM,EAAE,GAAQ,EAAE,EAAE;YACxB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;gBAC3B,OAAO,KAAK,CAAC;YACf,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;QACD,GAAG,EAAE,GAAG,EAAE;YACR,MAAM,KAAK,CAAC;QACd,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAID,SAAgB,WAAW;IACzB,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,QAAQ,GAAG,eAAe,CACxB,IAAI,mCAA2B,CAC7B,2FAA2F,EAC3F,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,CAC7C,CACF,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AA0BD,SAAgB,cAAc;IAC5B,IAAI,SAAuE,CAAC;IAC5E,IAAI,CAAC;QACH,iEAAiE;QACjE,SAAS,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,SAAS,GAAG,eAAe,CACzB,IAAI,mCAA2B,CAC7B,4FAA4F,EAC5F,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,CACzC,CACF,CAAC;IACJ,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAsBD,SAAgB,wBAAwB;IAGtC,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,kBAAkB,GAAG,OAAO,CAAC,+BAA+B,CAAC,CAAC;QACpE,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,eAAe,CACpB,IAAI,mCAA2B,CAC7B,4DAA4D;YAC1D,4EAA4E,EAC9E,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,+BAA+B,EAAE,CAClE,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAOD,SAAgB,cAAc;IAC5B,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,kBAAkB,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;QACnD,OAAO,kBAAkB,CAAC;IAC5B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,eAAe,CACpB,IAAI,mCAA2B,CAC7B,2CAA2C;YACzC,4EAA4E,EAC9E,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,cAAc,EAAE,CACjD,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAiBD,SAAgB,SAAS;IACvB,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,mCAA2B,CAClD,oFAAoF,EACpF,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,QAAQ,EAAE,CAC3C,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAsBD,SAAgB,QAAQ;IACtB,IAAI,CAAC;QACH,wEAAwE;QACxE,iEAAiE;QACjE,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAC/B,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,mCAA2B,CAClD,yFAAyF,EACzF,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,CAC1C,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;AACH,CAAC;AAED,yFAAyF;AACzF,SAAgB,0BAA0B;IAGxC,IAAI,uBAAuB,GAAG,IAAI,CAAC;IAEnC,IAAI,CAAC;QACH,yFAAyF;QACzF,kGAAkG;QAClG,4GAA4G;QAC5G,iEAAiE;QACjE,uBAAuB,GAAG,OAAO,CAAC,2BAA2B,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,IAAI,mCAA2B,CAClD,sHAAsH,EACtH,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,2BAA2B,EAAE,CAC9D,CAAC;QACF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mongodb",
-  "version": "7.0.0-dev.20260109.sha.cc503cb9",
+  "version": "7.0.0-dev.20260113.sha.0f46db8a",
   "description": "The official MongoDB driver for Node.js",
   "main": "lib/index.js",
   "files": [
@@ -81,6 +81,7 @@
     "@types/whatwg-url": "^13.0.0",
     "@typescript-eslint/eslint-plugin": "^8.46.3",
     "@typescript-eslint/parser": "^8.31.1",
+    "aws4": "^1.13.2",
     "chai": "^4.4.1",
     "chai-subset": "^1.6.0",
     "chalk": "^4.1.2",

package/src/cmap/auth/aws4.ts

@@ -0,0 +1,207 @@
+import { BSON } from '../../bson';
+import { type AWSCredentials } from '../../deps';
+
+export type AwsSigv4Options = {
+  path: '/';
+  body: string;
+  host: string;
+  method: 'POST';
+  headers: {
+    'Content-Type': 'application/x-www-form-urlencoded';
+    'Content-Length': number;
+    'X-MongoDB-Server-Nonce': string;
+    'X-MongoDB-GS2-CB-Flag': 'n';
+  };
+  service: string;
+  region: string;
+  date: Date;
+};
+
+export type SignedHeaders = {
+  Authorization: string;
+  'X-Amz-Date': string;
+};
+
+/**
+ * Calculates the SHA-256 hash of a string.
+ *
+ * @param str - String to hash.
+ * @returns Hexadecimal representation of the hash.
+ */
+const getHexSha256 = async (str: string): Promise<string> => {
+  const data = stringToBuffer(str);
+  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+  const hashHex = BSON.onDemand.ByteUtils.toHex(new Uint8Array(hashBuffer));
+  return hashHex;
+};
+
+/**
+ * Calculates the HMAC-SHA256 of a string using the provided key.
+ * @param key - Key to use for HMAC calculation. Can be a string or Uint8Array.
+ * @param str - String to calculate HMAC for.
+ * @returns Uint8Array containing the HMAC-SHA256 digest.
+ */
+const getHmacSha256 = async (key: string | Uint8Array, str: string): Promise<Uint8Array> => {
+  let keyData: Uint8Array;
+  if (typeof key === 'string') {
+    keyData = stringToBuffer(key);
+  } else {
+    keyData = key;
+  }
+
+  const importedKey = await crypto.subtle.importKey(
+    'raw',
+    keyData,
+    { name: 'HMAC', hash: { name: 'SHA-256' } },
+    false,
+    ['sign']
+  );
+  const strData = stringToBuffer(str);
+  const signature = await crypto.subtle.sign('HMAC', importedKey, strData);
+  const digest = new Uint8Array(signature);
+  return digest;
+};
+
+/**
+ * Converts header values according to AWS requirements,
+ * From https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html#create-canonical-request
+ * For values, you must:
+    - trim any leading or trailing spaces.
+    - convert sequential spaces to a single space.
+ * @param value - Header value to convert.
+ * @returns - Converted header value.
+ */
+const convertHeaderValue = (value: string | number) => {
+  return value.toString().trim().replace(/\s+/g, ' ');
+};
+
+/**
+ * Returns a Uint8Array representation of a string, encoded in UTF-8.
+ * @param str - String to convert.
+ * @returns Uint8Array containing the UTF-8 encoded string.
+ */
+function stringToBuffer(str: string): Uint8Array {
+  const data = new Uint8Array(BSON.onDemand.ByteUtils.utf8ByteLength(str));
+  BSON.onDemand.ByteUtils.encodeUTF8Into(data, str, 0);
+  return data;
+}
+
+/**
+ * This method implements AWS Signature 4 logic for a very specific request format.
+ * The signing logic is described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+ */
+export async function aws4Sign(
+  options: AwsSigv4Options,
+  credentials: AWSCredentials
+): Promise<SignedHeaders> {
+  /**
+   * From the spec: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
+   *
+   * Summary of signing steps
+   * 1. Create a canonical request
+   *    Arrange the contents of your request (host, action, headers, etc.) into a standard canonical format. The canonical request is one of the inputs used to create the string to sign.
+   * 2. Create a hash of the canonical request
+   *    Hash the canonical request using the same algorithm that you used to create the hash of the payload. The hash of the canonical request is a string of lowercase hexadecimal characters.
+   * 3. Create a string to sign
+   *    Create a string to sign with the canonical request and extra information such as the algorithm, request date, credential scope, and the hash of the canonical request.
+   * 4. Derive a signing key
+   *    Use the secret access key to derive the key used to sign the request.
+   * 5. Calculate the signature
+   *    Perform a keyed hash operation on the string to sign using the derived signing key as the hash key.
+   * 6. Add the signature to the request
+   *    Add the calculated signature to an HTTP header or to the query string of the request.
+   */
+
+  // 1: Create a canonical request
+
+  // Date – The date and time used to sign the request.
+  const date = options.date;
+  // RequestDateTime – The date and time used in the credential scope. This value is the current UTC time in ISO 8601 format (for example, 20130524T000000Z).
+  const requestDateTime = date.toISOString().replace(/[:-]|\.\d{3}/g, '');
+  // RequestDate – The date used in the credential scope. This value is the current UTC date in YYYYMMDD format (for example, 20130524).
+  const requestDate = requestDateTime.substring(0, 8);
+  // Method – The HTTP request method. For us, this is always 'POST'.
+  const method = options.method;
+  // CanonicalUri – The URI-encoded version of the absolute path component URI, starting with the / that follows the domain name and up to the end of the string
+  // For our requests, this is always '/'
+  const canonicalUri = options.path;
+  // CanonicalQueryString – The URI-encoded query string parameters. For our requests, there are no query string parameters, so this is always an empty string.
+  const canonicalQuerystring = '';
+
+  // CanonicalHeaders – A list of request headers with their values. Individual header name and value pairs are separated by the newline character ("\n").
+  // All of our known/expected headers are included here, there are no extra headers.
+  const headers = new Headers({
+    'content-length': convertHeaderValue(options.headers['Content-Length']),
+    'content-type': convertHeaderValue(options.headers['Content-Type']),
+    host: convertHeaderValue(options.host),
+    'x-amz-date': convertHeaderValue(requestDateTime),
+    'x-mongodb-gs2-cb-flag': convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag']),
+    'x-mongodb-server-nonce': convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])
+  });
+  // If session token is provided, include it in the headers
+  if ('sessionToken' in credentials && credentials.sessionToken) {
+    headers.append('x-amz-security-token', convertHeaderValue(credentials.sessionToken));
+  }
+
+  // Canonical headers are lowercased and sorted.
+  const canonicalHeaders = Array.from(headers.entries())
+    .map(([key, value]) => `${key.toLowerCase()}:${value}`)
+    .sort()
+    .join('\n');
+  const canonicalHeaderNames = Array.from(headers.keys()).map(header => header.toLowerCase());
+  // SignedHeaders – An alphabetically sorted, semicolon-separated list of lowercase request header names.
+  const signedHeaders = canonicalHeaderNames.sort().join(';');
+
+  // HashedPayload – A string created using the payload in the body of the HTTP request as input to a hash function. This string uses lowercase hexadecimal characters.
+  const hashedPayload = await getHexSha256(options.body);
+
+  // CanonicalRequest – A string that includes the above elements, separated by newline characters.
+  const canonicalRequest = [
+    method,
+    canonicalUri,
+    canonicalQuerystring,
+    canonicalHeaders + '\n',
+    signedHeaders,
+    hashedPayload
+  ].join('\n');
+
+  // 2. Create a hash of the canonical request
+  // HashedCanonicalRequest – A string created by using the canonical request as input to a hash function.
+  const hashedCanonicalRequest = await getHexSha256(canonicalRequest);
+
+  // 3. Create a string to sign
+  // Algorithm – The algorithm used to create the hash of the canonical request. For SigV4, use AWS4-HMAC-SHA256.
+  const algorithm = 'AWS4-HMAC-SHA256';
+  // CredentialScope – The credential scope, which restricts the resulting signature to the specified Region and service.
+  // Has the following format: YYYYMMDD/region/service/aws4_request.
+  const credentialScope = `${requestDate}/${options.region}/${options.service}/aws4_request`;
+  // StringToSign – A string that includes the above elements, separated by newline characters.
+  const stringToSign = [algorithm, requestDateTime, credentialScope, hashedCanonicalRequest].join(
+    '\n'
+  );
+
+  // 4. Derive a signing key
+  // To derive a signing key for SigV4, perform a succession of keyed hash operations (HMAC) on the request date, Region, and service, with your AWS secret access key as the key for the initial hashing operation.
+  const dateKey = await getHmacSha256('AWS4' + credentials.secretAccessKey, requestDate);
+  const dateRegionKey = await getHmacSha256(dateKey, options.region);
+  const dateRegionServiceKey = await getHmacSha256(dateRegionKey, options.service);
+  const signingKey = await getHmacSha256(dateRegionServiceKey, 'aws4_request');
+
+  // 5. Calculate the signature
+  const signatureBuffer = await getHmacSha256(signingKey, stringToSign);
+  const signature = BSON.onDemand.ByteUtils.toHex(signatureBuffer);
+
+  // 6. Add the signature to the request
+  // Calculate the Authorization header
+  const authorizationHeader = [
+    'AWS4-HMAC-SHA256 Credential=' + credentials.accessKeyId + '/' + credentialScope,
+    'SignedHeaders=' + signedHeaders,
+    'Signature=' + signature
+  ].join(', ');
+
+  // Return the calculated headers
+  return {
+    Authorization: authorizationHeader,
+    'X-Amz-Date': requestDateTime
+  };
+}

package/src/cmap/auth/mongodb_aws.ts

@@ -1,6 +1,5 @@
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
-import { aws4 } from '../../deps';
 import {
   MongoCompatibilityError,
   MongoMissingCredentialsError,
@@ -13,6 +12,7 @@ import {
   AWSSDKCredentialProvider,
   type AWSTempCredentials
 } from './aws_temporary_credentials';
+import { aws4Sign } from './aws4';
 import { MongoCredentials } from './mongo_credentials';
 import { AuthMechanism } from './providers';
 
@@ -45,11 +45,6 @@ export class MongoDBAWS extends AuthProvider {
       throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
 
-    if ('kModuleError' in aws4) {
-      throw aws4['kModuleError'];
-    }
-    const { sign } = aws4;
-
     if (maxWireVersion(connection) < 9) {
       throw new MongoCompatibilityError(
         'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
@@ -68,13 +63,10 @@ export class MongoDBAWS extends AuthProvider {
     // Allow the user to specify an AWS session token for authentication with temporary credentials.
     const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
 
-    // If all three defined, include sessionToken, else include username and pass, else no credentials
-    const awsCredentials =
-      accessKeyId && secretAccessKey && sessionToken
-        ? { accessKeyId, secretAccessKey, sessionToken }
-        : accessKeyId && secretAccessKey
-          ? { accessKeyId, secretAccessKey }
-          : undefined;
+    // If all three defined, include sessionToken, else only include username and pass
+    const awsCredentials = sessionToken
+      ? { accessKeyId, secretAccessKey, sessionToken }
+      : { accessKeyId, secretAccessKey };
 
     const db = credentials.source;
     const nonce = await randomBytes(32);
@@ -114,7 +106,7 @@ export class MongoDBAWS extends AuthProvider {
     }
 
     const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-    const options = sign(
+    const headers = await aws4Sign(
       {
         method: 'POST',
         host,
@@ -127,14 +119,15 @@ export class MongoDBAWS extends AuthProvider {
           'X-MongoDB-GS2-CB-Flag': 'n'
         },
         path: '/',
-        body
+        body,
+        date: new Date()
       },
       awsCredentials
     );
 
     const payload: AWSSaslContinuePayload = {
-      a: options.headers.Authorization,
-      d: options.headers['X-Amz-Date']
+      a: headers.Authorization,
+      d: headers['X-Amz-Date']
     };
 
     if (sessionToken) {

package/src/deps.ts

@@ -203,66 +203,6 @@ export function getSocks(): SocksLib | { kModuleError: MongoMissingDependencyErr
   }
 }
 
-interface AWS4 {
-  /**
-   * Created these inline types to better assert future usage of this API
-   * @param options - options for request
-   * @param credentials - AWS credential details, sessionToken should be omitted entirely if its false-y
-   */
-  sign(
-    this: void,
-    options: {
-      path: '/';
-      body: string;
-      host: string;
-      method: 'POST';
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded';
-        'Content-Length': number;
-        'X-MongoDB-Server-Nonce': string;
-        'X-MongoDB-GS2-CB-Flag': 'n';
-      };
-      service: string;
-      region: string;
-    },
-    credentials:
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-          sessionToken: string;
-        }
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-        }
-      | undefined
-  ): {
-    headers: {
-      Authorization: string;
-      'X-Amz-Date': string;
-    };
-  };
-}
-
-export const aws4: AWS4 | { kModuleError: MongoMissingDependencyError } = loadAws4();
-
-function loadAws4() {
-  let aws4: AWS4 | { kModuleError: MongoMissingDependencyError };
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    aws4 = require('aws4');
-  } catch (error) {
-    aws4 = makeErrorModule(
-      new MongoMissingDependencyError(
-        'Optional module `aws4` not found. Please install it to enable AWS authentication',
-        { cause: error, dependencyName: 'aws4' }
-      )
-    );
-  }
-
-  return aws4;
-}
-
 /** A utility function to get the instance of mongodb-client-encryption, if it exists. */
 export function getMongoDBClientEncryption():
   | typeof import('mongodb-client-encryption')