fix(devtools-connect): allow AWS auth using connection string with driver 7.x COMPASS-9911 (#612)

The Node.js driver removed support for specifying AWS auth options
in the connection string in 7.x. Since we do not (currently) want
to push this breaking change onto our users for the time being,
we add a translation layer that accounts for this change.

Author: addaleax

packages/devtools-connect/src/aws-auth-compat.spec.ts

@@ -0,0 +1,75 @@
+import { expect } from 'chai';
+import { transformAWSAuthMechanismOptions } from './aws-auth-compat';
+import { MongoClientOptions } from 'mongodb';
+
+describe('transformAWSAuthMechanismOptions', function () {
+  it('returns original uri and options if authMechanism is not MONGODB-AWS', function () {
+    const uri = 'mongodb://user:pass@host:27017/db?authMechanism=SCRAM-SHA-1';
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(uri);
+    expect(result.clientOptions).to.equal(clientOptions);
+  });
+
+  it('transforms uri and options when MONGODB-AWS auth with credentials in connection string', async function () {
+    const uri =
+      'mongodb://accessKey:secretKey@host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:sessionToken';
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(
+      'mongodb://host:27017/db?authMechanism=MONGODB-AWS',
+    );
+    expect(result.clientOptions.auth).to.equal(undefined);
+    expect(result.clientOptions.authMechanismProperties).to.have.property(
+      'AWS_CREDENTIAL_PROVIDER',
+    );
+    const creds =
+      await result.clientOptions.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER?.();
+    expect(creds).to.deep.equal({
+      accessKeyId: 'accessKey',
+      secretAccessKey: 'secretKey',
+      sessionToken: 'sessionToken',
+    });
+  });
+
+  it('handles special characters', async function () {
+    const uri = `mongodb://${encodeURIComponent('usernäme')}:${encodeURIComponent('passwõrd')}@host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:${encodeURIComponent('a+b=c/d')}`;
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(
+      'mongodb://host:27017/db?authMechanism=MONGODB-AWS',
+    );
+    expect(result.clientOptions.auth).to.equal(undefined);
+    expect(result.clientOptions.authMechanismProperties).to.have.property(
+      'AWS_CREDENTIAL_PROVIDER',
+    );
+    const creds =
+      await result.clientOptions.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER?.();
+    expect(creds).to.deep.equal({
+      accessKeyId: 'usernäme',
+      secretAccessKey: 'passwõrd',
+      sessionToken: 'a+b=c/d',
+    });
+  });
+
+  it('leaves unrelated auth mechanism properties intact', async function () {
+    const uri =
+      'mongodb://accessKey:secretKey@host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:sessionToken,FOO:BAR';
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(
+      'mongodb://host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=FOO%3ABAR',
+    );
+    expect(result.clientOptions.auth).to.equal(undefined);
+    expect(result.clientOptions.authMechanismProperties).to.have.property(
+      'AWS_CREDENTIAL_PROVIDER',
+    );
+    const creds =
+      await result.clientOptions.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER?.();
+    expect(creds).to.deep.equal({
+      accessKeyId: 'accessKey',
+      secretAccessKey: 'secretKey',
+      sessionToken: 'sessionToken',
+    });
+  });
+});

packages/devtools-connect/src/aws-auth-compat.ts

@@ -0,0 +1,81 @@
+import {
+  CommaAndColonSeparatedRecord,
+  ConnectionString,
+} from 'mongodb-connection-string-url';
+import type {
+  AuthMechanismProperties,
+  AWSCredentials,
+  MongoClientOptions,
+} from 'mongodb';
+
+// The 7.x driver supports AWS authentication via callback-based providers,
+// and removed support for credentials passed through the connection string
+// (NODE-7046).
+// We add the support back here via a custom callback-based provider when
+// we detect that the user is trying to use MONGODB-AWS auth with credentials
+// in the connection string.
+export function transformAWSAuthMechanismOptions<T extends MongoClientOptions>({
+  uri,
+  clientOptions,
+}: {
+  uri: string;
+  clientOptions: T;
+}): { uri: string; clientOptions: T } {
+  let connectionString: ConnectionString;
+  try {
+    connectionString = new ConnectionString(uri);
+  } catch {
+    return { uri, clientOptions };
+  }
+  const searchParams = connectionString.typedSearchParams<MongoClientOptions>();
+  if (
+    (clientOptions.authMechanism ?? searchParams.get('authMechanism')) !==
+    'MONGODB-AWS'
+  ) {
+    return { uri, clientOptions };
+  }
+  const username =
+    clientOptions.auth?.username ??
+    decodeURIComponent(connectionString.username);
+  const password =
+    clientOptions.auth?.password ??
+    decodeURIComponent(connectionString.password);
+  const authMechProps = new CommaAndColonSeparatedRecord(
+    searchParams.get('authMechanismProperties') ?? '',
+  );
+  const sessionToken =
+    clientOptions.authMechanismProperties?.AWS_SESSION_TOKEN ??
+    authMechProps.get('AWS_SESSION_TOKEN');
+  if (username || password || sessionToken) {
+    // First, remove all relevant options from the connection string
+    connectionString.username = '';
+    connectionString.password = '';
+    authMechProps.delete('AWS_SESSION_TOKEN');
+    if (authMechProps.size === 0) {
+      searchParams.delete('authMechanismProperties');
+    } else {
+      searchParams.set('authMechanismProperties', authMechProps.toString());
+    }
+    // Set AWS_CREDENTIAL_PROVIDER in the programmatic options,
+    // and unset all other credential options.
+    const programmaticAuthMechProps: AuthMechanismProperties & {
+      AWS_SESSION_TOKEN?: unknown;
+    } = { ...clientOptions.authMechanismProperties };
+    delete programmaticAuthMechProps.AWS_SESSION_TOKEN;
+    programmaticAuthMechProps.AWS_CREDENTIAL_PROVIDER ??=
+      (): Promise<AWSCredentials> => {
+        const creds: AWSCredentials = {
+          accessKeyId: username,
+          secretAccessKey: password,
+          sessionToken: sessionToken || undefined,
+        };
+        return Promise.resolve(creds);
+      };
+    clientOptions = {
+      ...clientOptions,
+      auth: undefined,
+      authMechanismProperties: programmaticAuthMechProps,
+    };
+  }
+  return { uri: connectionString.toString(), clientOptions };
+}

packages/devtools-connect/src/connect.ts

@@ -34,6 +34,7 @@ import {
   createFetch,
   isExistingAgentInstance,
 } from '@mongodb-js/devtools-proxy-support';
+import { transformAWSAuthMechanismOptions } from './aws-auth-compat';
 export type { DevtoolsProxyOptions, AgentWithInitialize };
 
 function isAtlas(str: string): boolean {
@@ -479,6 +480,11 @@ async function connectMongoClientImpl({
   MongoClientClass: typeof MongoClient;
   useSystemCA: boolean;
 }): Promise<ConnectMongoClientResult> {
+  ({ uri, clientOptions } = transformAWSAuthMechanismOptions({
+    uri,
+    clientOptions,
+  }));
+
   const cleanupOnClientClose: (() => void | Promise<void>)[] = [];
   const runClose = async () => {
     let item: (() => void | Promise<void>) | undefined;