src/cmap/auth/mongodb_aws.ts:42–144  ·  view source on GitHub ↗
40 }
41
42 override async auth(authContext: AuthContext): Promise<void> {
43 const { connection } = authContext;
44 if (!authContext.credentials) {
45 throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
46 }
47
48 if (maxWireVersion(connection) < 9) {
49 throw new MongoCompatibilityError(
50 'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
51 );
52 }
53
54 authContext.credentials = await makeTempCredentials(
55 authContext.credentials,
56 this.credentialFetcher
57 );
58
59 const { credentials } = authContext;
60
61 const accessKeyId = credentials.username;
62 const secretAccessKey = credentials.password;
63 // Allow the user to specify an AWS session token for authentication with temporary credentials.
64 const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
65
66 // If all three defined, include sessionToken, else only include username and pass
67 const awsCredentials = sessionToken
68 ? { accessKeyId, secretAccessKey, sessionToken }
69 : { accessKeyId, secretAccessKey };
70
71 const db = credentials.source;
72 const nonce = await randomBytes(32);
73
74 // All messages between MongoDB clients and servers are sent as BSON objects
75 // in the payload field of saslStart and saslContinue.
76 const saslStart = {
77 saslStart: 1,
78 mechanism: 'MONGODB-AWS',
79 payload: BSON.serialize({ r: nonce, p: ASCII_N }, bsonOptions)
80 };
81
82 const saslStartResponse = await connection.command(ns(`${db}.$cmd`), saslStart, undefined);
83
84 const serverResponse = BSON.deserialize(saslStartResponse.payload.buffer, bsonOptions) as {
85 s: Binary;
86 h: string;
87 };
88 const host = serverResponse.h;
89 const serverNonce = serverResponse.s.buffer;
90 if (serverNonce.length !== 64) {
91 // TODO(NODE-3483)
92 throw new MongoRuntimeError(`Invalid server nonce length ${serverNonce.length}, expected 64`);
93 }
94
95 if (!ByteUtils.equals(serverNonce.subarray(0, nonce.byteLength), nonce)) {
96 // throw because the serverNonce's leading 32 bytes must equal the client nonce's 32 bytes
97 // https://github.com/mongodb/specifications/blob/master/source/auth/auth.md#conversation-5
98
99 // TODO(NODE-3483)
