| 40 | } |
| 41 | |
| 42 | override async auth(authContext: AuthContext): Promise<void> { |
| 43 | const { connection } = authContext; |
| 44 | if (!authContext.credentials) { |
| 45 | throw new MongoMissingCredentialsError('AuthContext must provide credentials.'); |
| 46 | } |
| 47 | |
| 48 | if (maxWireVersion(connection) < 9) { |
| 49 | throw new MongoCompatibilityError( |
| 50 | 'MONGODB-AWS authentication requires MongoDB version 4.4 or later' |
| 51 | ); |
| 52 | } |
| 53 | |
| 54 | authContext.credentials = await makeTempCredentials( |
| 55 | authContext.credentials, |
| 56 | this.credentialFetcher |
| 57 | ); |
| 58 | |
| 59 | const { credentials } = authContext; |
| 60 | |
| 61 | const accessKeyId = credentials.username; |
| 62 | const secretAccessKey = credentials.password; |
| 63 | // Allow the user to specify an AWS session token for authentication with temporary credentials. |
| 64 | const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN; |
| 65 | |
| 66 | // If all three defined, include sessionToken, else only include username and pass |
| 67 | const awsCredentials = sessionToken |
| 68 | ? { accessKeyId, secretAccessKey, sessionToken } |
| 69 | : { accessKeyId, secretAccessKey }; |
| 70 | |
| 71 | const db = credentials.source; |
| 72 | const nonce = await randomBytes(32); |
| 73 | |
| 74 | // All messages between MongoDB clients and servers are sent as BSON objects |
| 75 | // in the payload field of saslStart and saslContinue. |
| 76 | const saslStart = { |
| 77 | saslStart: 1, |
| 78 | mechanism: 'MONGODB-AWS', |
| 79 | payload: BSON.serialize({ r: nonce, p: ASCII_N }, bsonOptions) |
| 80 | }; |
| 81 | |
| 82 | const saslStartResponse = await connection.command(ns(`${db}.$cmd`), saslStart, undefined); |
| 83 | |
| 84 | const serverResponse = BSON.deserialize(saslStartResponse.payload.buffer, bsonOptions) as { |
| 85 | s: Binary; |
| 86 | h: string; |
| 87 | }; |
| 88 | const host = serverResponse.h; |
| 89 | const serverNonce = serverResponse.s.buffer; |
| 90 | if (serverNonce.length !== 64) { |
| 91 | // TODO(NODE-3483) |
| 92 | throw new MongoRuntimeError(`Invalid server nonce length ${serverNonce.length}, expected 64`); |
| 93 | } |
| 94 | |
| 95 | if (!ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) { |
| 96 | // throw because the serverNonce's leading 32 bytes must equal the client nonce's 32 bytes |
| 97 | // https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#conversation-5 |
| 98 | |
| 99 | // TODO(NODE-3483) |