fix: suggestions

Author: durran

src/cmap/auth/gssapi.ts

@@ -58,7 +58,7 @@ export class GSSAPI extends AuthProvider {
       saslContinue(negotiatedPayload, saslStartResponse.conversationId)
     );
 
-    const finalizePayload = await finalize(client, username, saslContinueResponse.payload);
+    const finalizePayload = await finalize(client, username ?? '', saslContinueResponse.payload);
 
     await externalCommand(connection, {
       saslContinue: 1,

src/cmap/auth/mongo_credentials.ts

@@ -61,7 +61,7 @@ export interface AuthMechanismProperties extends Document {
 
 /** @public */
 export interface MongoCredentialsOptions {
-  username: string;
+  username?: string;
   password: string;
   source: string;
   db?: string;
@@ -75,7 +75,7 @@ export interface MongoCredentialsOptions {
  */
 export class MongoCredentials {
   /** The username used for authentication */
-  readonly username: string;
+  readonly username?: string;
   /** The password used for authentication */
   readonly password: string;
   /** The database that the user should authenticate against */

src/cmap/auth/mongodb_oidc.ts

@@ -1,10 +1,12 @@
+import type { Document } from 'bson';
+
 import { MongoInvalidArgumentError, MongoMissingCredentialsError } from '../../error';
 import type { HandshakeDocument } from '../connect';
+import type { Connection } from '../connection';
 import { AuthContext, AuthProvider } from './auth_provider';
 import type { MongoCredentials } from './mongo_credentials';
 import { AwsServiceWorkflow } from './mongodb_oidc/aws_service_workflow';
 import { CallbackWorkflow } from './mongodb_oidc/callback_workflow';
-import type { Workflow } from './mongodb_oidc/workflow';
 
 /** Error when credentials are missing. */
 const MISSING_CREDENTIALS_ERROR = 'AuthContext must provide credentials.';
@@ -60,6 +62,24 @@ export type OIDCRefreshFunction = (
 
 type ProviderName = 'aws' | 'callback';
 
+export interface Workflow {
+  /**
+   * All device workflows must implement this method in order to get the access
+   * token and then call authenticate with it.
+   */
+  execute(
+    connection: Connection,
+    credentials: MongoCredentials,
+    reauthenticating: boolean,
+    response?: Document
+  ): Promise<Document>;
+
+  /**
+   * Get the document to add for speculative authentication.
+   */
+  speculativeAuth(credentials: MongoCredentials): Promise<Document>;
+}
+
 /** @internal */
 export const OIDC_WORKFLOWS: Map<ProviderName, Workflow> = new Map();
 OIDC_WORKFLOWS.set('callback', new CallbackWorkflow());

src/cmap/auth/mongodb_oidc/aws_service_workflow.ts

@@ -1,4 +1,4 @@
-import { readFile } from 'fs/promises';
+import * as fs from 'fs';
 
 import { MongoAWSError } from '../../../error';
 import { ServiceWorkflow } from './service_workflow';
@@ -24,6 +24,6 @@ export class AwsServiceWorkflow extends ServiceWorkflow {
     if (!tokenFile) {
       throw new MongoAWSError(TOKEN_MISSING_ERROR);
     }
-    return readFile(tokenFile, 'utf8');
+    return fs.promises.readFile(tokenFile, 'utf8');
   }
 }

src/cmap/auth/mongodb_oidc/cache.ts

@@ -0,0 +1,27 @@
+/**
+ * Base class for OIDC caches.
+ */
+export abstract class Cache<T> {
+  entries: Map<string, T>;
+
+  /**
+   * Create a new cache.
+   */
+  constructor() {
+    this.entries = new Map<string, T>();
+  }
+
+  /**
+   * Clear the cache.
+   */
+  clear() {
+    this.entries.clear();
+  }
+
+  /**
+   * Create a cache key from the address and username.
+   */
+  cacheKey(address: string, username: string, callbackHash: string): string {
+    return JSON.stringify([address, username, callbackHash]);
+  }
+}

src/cmap/auth/mongodb_oidc/callback_lock_cache.ts

@@ -8,16 +8,15 @@ import type {
   OIDCRefreshFunction,
   OIDCRequestFunction
 } from '../mongodb_oidc';
+import { Cache } from './cache';
 
 /** Error message for when request callback is missing. */
 const REQUEST_CALLBACK_REQUIRED_ERROR =
   'Auth mechanism property REQUEST_TOKEN_CALLBACK is required.';
 /* Counter for function "hashes".*/
 let FN_HASH_COUNTER = 0;
 /* No function present function */
-const NO_FUNCTION: OIDCRequestFunction = () => {
-  return Promise.resolve({ accessToken: 'test' });
-};
+const NO_FUNCTION: OIDCRequestFunction = async () => ({ accessToken: 'test' });
 /* The map of function hashes */
 const FN_HASHES = new WeakMap<OIDCRequestFunction | OIDCRefreshFunction, number>();
 /* Put the no function hash in the map. */
@@ -35,23 +34,7 @@ interface CallbacksEntry {
 /**
  * A cache of request and refresh callbacks per server/user.
  */
-export class CallbackLockCache {
-  entries: Map<string, CallbacksEntry>;
-
-  /**
-   * Instantiate the new cache.
-   */
-  constructor() {
-    this.entries = new Map<string, CallbacksEntry>();
-  }
-
-  /**
-   * Clear the cache.
-   */
-  clear() {
-    this.entries.clear();
-  }
-
+export class CallbackLockCache extends Cache<CallbacksEntry> {
   /**
    * Get the callbacks for the connection and credentials. If an entry does not
    * exist a new one will get set.
@@ -63,7 +46,7 @@ export class CallbackLockCache {
       throw new MongoInvalidArgumentError(REQUEST_CALLBACK_REQUIRED_ERROR);
     }
     const callbackHash = hashFunctions(requestCallback, refreshCallback);
-    const key = cacheKey(connection, credentials, callbackHash);
+    const key = this.cacheKey(connection.address, credentials.username ?? '', callbackHash);
     const entry = this.entries.get(key);
     if (entry) {
       return entry;
@@ -90,17 +73,6 @@ export class CallbackLockCache {
   }
 }
 
-/**
- * Get a cache key based on connection and credentials.
- */
-function cacheKey(
-  connection: Connection,
-  credentials: MongoCredentials,
-  callbackHash: string
-): string {
-  return JSON.stringify([connection.address, credentials.username, callbackHash]);
-}
-
 /**
  * Ensure the callback is only executed one at a time.
  */
@@ -117,15 +89,15 @@ function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) {
  * Get the hash string for the request and refresh functions.
  */
 function hashFunctions(requestFn: OIDCRequestFunction, refreshFn?: OIDCRefreshFunction): string {
-  let requestHash = FN_HASHES.get(requestFn || NO_FUNCTION);
-  let refreshHash = FN_HASHES.get(refreshFn || NO_FUNCTION);
-  if (!requestHash && requestFn) {
+  let requestHash = FN_HASHES.get(requestFn);
+  let refreshHash = FN_HASHES.get(refreshFn ?? NO_FUNCTION);
+  if (requestHash == null) {
     // Create a new one for the function and put it in the map.
     FN_HASH_COUNTER++;
     requestHash = FN_HASH_COUNTER;
     FN_HASHES.set(requestFn, FN_HASH_COUNTER);
   }
-  if (!refreshHash && refreshFn) {
+  if (refreshHash == null && refreshFn) {
     // Create a new one for the function and put it in the map.
     FN_HASH_COUNTER++;
     refreshHash = FN_HASH_COUNTER;

src/cmap/auth/mongodb_oidc/callback_workflow.ts

@@ -9,12 +9,12 @@ import type {
   IdPServerResponse,
   OIDCCallbackContext,
   OIDCRefreshFunction,
-  OIDCRequestFunction
+  OIDCRequestFunction,
+  Workflow
 } from '../mongodb_oidc';
 import { AuthMechanism } from '../providers';
 import { CallbackLockCache } from './callback_lock_cache';
 import { TokenEntryCache } from './token_entry_cache';
-import type { Workflow } from './workflow';
 
 /** The current version of OIDC implementation. */
 const OIDC_VERSION = 0;
@@ -70,7 +70,7 @@ export class CallbackWorkflow implements Workflow {
       credentials
     );
     // Look for an existing entry in the cache.
-    const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash);
+    const entry = this.cache.getEntry(connection.address, credentials.username ?? '', callbackHash);
     let result;
     if (entry) {
       // Reauthentication cannot use a token from the cache since the server has
@@ -111,7 +111,7 @@ export class CallbackWorkflow implements Workflow {
             error instanceof MongoError &&
             error.code === MONGODB_ERROR_CODES.Reauthenticate
           ) {
-            this.cache.deleteEntry(connection.address, credentials.username || '', callbackHash);
+            this.cache.deleteEntry(connection.address, credentials.username ?? '', callbackHash);
             result = await this.execute(connection, credentials, reauthenticating);
           } else {
             throw error;
@@ -203,7 +203,7 @@ export class CallbackWorkflow implements Workflow {
     refreshCallback?: OIDCRefreshFunction
   ): Promise<IdPServerResponse> {
     // Get the token from the cache.
-    const entry = this.cache.getEntry(connection.address, credentials.username, callbackHash);
+    const entry = this.cache.getEntry(connection.address, credentials.username ?? '', callbackHash);
     let result;
     const context: OIDCCallbackContext = { timeoutSeconds: TIMEOUT_S, version: OIDC_VERSION };
     // Check if there's a token in the cache.
@@ -228,7 +228,7 @@ export class CallbackWorkflow implements Workflow {
     // Validate that the result returned by the callback is acceptable. If it is not
     // we must clear the token result from the cache.
     if (isCallbackResultInvalid(result)) {
-      this.cache.deleteEntry(connection.address, credentials.username || '', callbackHash);
+      this.cache.deleteEntry(connection.address, credentials.username ?? '', callbackHash);
       throw new MongoMissingCredentialsError(CALLBACK_RESULT_ERROR);
     }
     // Cleanup the cache.
@@ -250,7 +250,7 @@ export class CallbackWorkflow implements Workflow {
  * saslStart or saslContinue depending on the presence of a conversation id.
  */
 function finishCommandDocument(token: string, conversationId?: number): Document {
-  if (conversationId) {
+  if (conversationId != null && typeof conversationId === 'number') {
     return {
       saslContinue: 1,
       conversationId: conversationId,
@@ -273,9 +273,9 @@ function finishCommandDocument(token: string, conversationId?: number): Document
  * function is invalid. This means the result is nullish, doesn't contain
  * the accessToken required field, and does not contain extra fields.
  */
-function isCallbackResultInvalid(tokenResult: any): boolean {
-  if (!tokenResult) return true;
-  if (!tokenResult.accessToken) return true;
+function isCallbackResultInvalid(tokenResult: unknown): boolean {
+  if (tokenResult == null || typeof tokenResult !== 'object') return true;
+  if (!('accessToken' in tokenResult)) return true;
   return !Object.getOwnPropertyNames(tokenResult).every(prop => RESULT_PROPERTIES.includes(prop));
 }
 

src/cmap/auth/mongodb_oidc/service_workflow.ts

@@ -3,8 +3,8 @@ import { BSON, type Document } from 'bson';
 import { ns } from '../../../utils';
 import type { Connection } from '../../connection';
 import type { MongoCredentials } from '../mongo_credentials';
+import type { Workflow } from '../mongodb_oidc';
 import { AuthMechanism } from '../providers';
-import type { Workflow } from './workflow';
 
 /**
  * Common behaviour for OIDC device workflows.

src/cmap/auth/mongodb_oidc/token_entry_cache.ts

@@ -1,6 +1,7 @@
 import type { IdPServerInfo, IdPServerResponse } from '../mongodb_oidc';
+import { Cache } from './cache';
 
-/* 5 minutes in milliseonds */
+/* 5 minutes in milliseconds */
 const EXPIRATION_BUFFER_MS = 300000;
 /* Default expiration is now for when no expiration provided */
 const DEFAULT_EXPIRATION_SECS = 0;
@@ -32,13 +33,7 @@ export class TokenEntry {
  * Cache of OIDC token entries.
  * @internal
  */
-export class TokenEntryCache {
-  entries: Map<string, TokenEntry>;
-
-  constructor() {
-    this.entries = new Map();
-  }
-
+export class TokenEntryCache extends Cache<TokenEntry> {
   /**
    * Set an entry in the token cache.
    */
@@ -54,29 +49,22 @@ export class TokenEntryCache {
       serverInfo,
       expirationTime(tokenResult.expiresInSeconds)
     );
-    this.entries.set(cacheKey(address, username, callbackHash), entry);
+    this.entries.set(this.cacheKey(address, username, callbackHash), entry);
     return entry;
   }
 
-  /**
-   * Clear the cache.
-   */
-  clear(): void {
-    this.entries.clear();
-  }
-
   /**
    * Delete an entry from the cache.
    */
   deleteEntry(address: string, username: string, callbackHash: string): void {
-    this.entries.delete(cacheKey(address, username, callbackHash));
+    this.entries.delete(this.cacheKey(address, username, callbackHash));
   }
 
   /**
    * Get an entry from the cache.
    */
   getEntry(address: string, username: string, callbackHash: string): TokenEntry | undefined {
-    return this.entries.get(cacheKey(address, username, callbackHash));
+    return this.entries.get(this.cacheKey(address, username, callbackHash));
   }
 
   /**
@@ -97,10 +85,3 @@ export class TokenEntryCache {
 function expirationTime(expiresInSeconds?: number): number {
   return Date.now() + (expiresInSeconds ?? DEFAULT_EXPIRATION_SECS) * 1000;
 }
-
-/**
- * Create a cache key from the address and username.
- */
-function cacheKey(address: string, username: string, callbackHash: string): string {
-  return JSON.stringify([address, username, callbackHash]);
-}

src/cmap/auth/mongodb_oidc/workflow.ts

@@ -86,7 +86,7 @@ function makeFirstMessage(
   credentials: MongoCredentials,
   nonce: Buffer
 ) {
-  const username = cleanUsername(credentials.username);
+  const username = cleanUsername(credentials.username ?? '');
   const mechanism =
     cryptoMethod === 'sha1' ? AuthMechanism.MONGODB_SCRAM_SHA1 : AuthMechanism.MONGODB_SCRAM_SHA256;
 
@@ -135,7 +135,7 @@ async function continueScramConversation(
   const nonce = authContext.nonce;
 
   const db = credentials.source;
-  const username = cleanUsername(credentials.username);
+  const username = cleanUsername(credentials.username ?? '');
   const password = credentials.password;
 
   let processedPassword;