
Conversation

@PavelSafronov PavelSafronov (Contributor) commented Dec 12, 2025

Description

Summary of Changes

Replace optional dependency on aws4 package with a minimal equivalent implementation.

What is the motivation for this change?

This helps us reduce our runtime dependencies, as part of https://jira.mongodb.org/browse/NODE-6601

Release Highlight

Replace optional dependency on aws4 package with a minimal equivalent implementation

This reduces the number of optional dependencies.

Double check the following

  • Lint is passing (npm run check:lint)
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket
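The four Signature Version 4 steps this PR moves into the driver (canonical request, string to sign, derived signing key, Authorization header), as an added example that is not the driver's or aws4's code. The interface and function names are this example's own, and the input is the IAM ListUsers request from the AWS SigV4 documentation, using the documentation's example secret rather than a real key.

```typescript
import { createHash, createHmac } from 'crypto';

// Added example, not code from the mongodb driver or the aws4 package.
// All names below (AwsSigv4Credentials, signRequest, ...) are this example's own.

export interface AwsSigv4Credentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string; // only temporary credentials carry one
}

export interface AwsSigv4Request {
  method: string;
  host: string;
  path: string;                  // canonical URI, already encoded, e.g. "/"
  query: Record<string, string>;
  headers: Record<string, string>;
  body: string;
  amzDate: string;               // ISO 8601 basic format, e.g. "20150830T123600Z"
  region: string;
  service: string;
}

const sha256Hex = (data: string): string =>
  createHash('sha256').update(data, 'utf8').digest('hex');
const hmacSha256 = (key: Buffer | string, data: string): Buffer =>
  createHmac('sha256', key).update(data, 'utf8').digest();

// SigV4 requires RFC 3986 encoding; encodeURIComponent leaves !'()* alone.
function uriEncode(value: string): string {
  return encodeURIComponent(value).replace(
    /[!'()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Step 1: canonical request. Header names are lowercased, values trimmed and
// sorted; host, date and (if present) the session token are always signed, so
// none of them can be swapped in transit without invalidating the signature.
export function canonicalRequest(
  creds: AwsSigv4Credentials, req: AwsSigv4Request
): { text: string; signedHeaders: string; headers: Record<string, string> } {
  const headers: Record<string, string> = {};
  for (const [name, value] of Object.entries(req.headers)) {
    headers[name.toLowerCase()] = value.trim().replace(/\s+/g, ' ');
  }
  headers['host'] = req.host;
  headers['x-amz-date'] = req.amzDate;
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

  const names = Object.keys(headers).sort();
  const signedHeaders = names.join(';');
  const canonicalQuery = Object.keys(req.query).sort()
    .map(k => `${uriEncode(k)}=${uriEncode(req.query[k])}`).join('&');
  const text = [
    req.method.toUpperCase(),
    req.path,
    canonicalQuery,
    names.map(n => `${n}:${headers[n]}\n`).join(''), // ends with a blank line
    signedHeaders,
    sha256Hex(req.body),
  ].join('\n');
  return { text, signedHeaders, headers };
}

// Step 2: the derived signing key. The secret only ever seeds this HMAC chain;
// the key that signs the request is scoped to one date, region and service.
export function signingKey(
  secretAccessKey: string, dateStamp: string, region: string, service: string
): Buffer {
  const kDate = hmacSha256('AWS4' + secretAccessKey, dateStamp);
  const kRegion = hmacSha256(kDate, region);
  const kService = hmacSha256(kRegion, service);
  return hmacSha256(kService, 'aws4_request');
}

// Steps 3 and 4: string to sign, signature, Authorization header.
export function signRequest(creds: AwsSigv4Credentials, req: AwsSigv4Request) {
  if (!creds.accessKeyId || !creds.secretAccessKey) {
    throw new Error('SigV4 signing requires an access key id and a secret access key');
  }
  const dateStamp = req.amzDate.slice(0, 8);
  const scope = `${dateStamp}/${req.region}/${req.service}/aws4_request`;
  const { text, signedHeaders, headers } = canonicalRequest(creds, req);
  const stringToSign =
    ['AWS4-HMAC-SHA256', req.amzDate, scope, sha256Hex(text)].join('\n');
  const key = signingKey(creds.secretAccessKey, dateStamp, req.region, req.service);
  const signature = hmacSha256(key, stringToSign).toString('hex');
  headers['authorization'] =
    `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return { signature, canonicalRequestHash: sha256Hex(text), headers };
}

// Constructed input: the GET ListUsers example from the AWS SigV4 documentation.
export const DOCS_CREDENTIALS: AwsSigv4Credentials = {
  accessKeyId: 'AKIDEXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY',
};
export const DOCS_REQUEST: AwsSigv4Request = {
  method: 'GET', host: 'iam.amazonaws.com', path: '/',
  query: { Action: 'ListUsers', Version: '2010-05-08' },
  headers: { 'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8' },
  body: '', amzDate: '20150830T123600Z', region: 'us-east-1', service: 'iam',
};

console.log(signRequest(DOCS_CREDENTIALS, DOCS_REQUEST).headers['authorization']);
```

Two points worth checking in any in-house signer: the secret access key must appear nowhere in the request (only the final HMAC of the derived chain does), and a session token, when present, has to be both sent and signed as `x-amz-security-token`, which is the role the optional `AWS_SESSION_TOKEN` mechanism property plays in the driver. Rejecting an empty access key id or secret before signing, as the review discussion below suggests, keeps a misconfigured client from sending a request that can only fail server-side.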

@PavelSafronov PavelSafronov changed the title WIP: feat(NODE-5393): Migrate AWS signature v4 logic into driver feat(NODE-5393): Migrate AWS signature v4 logic into driver Dec 15, 2025
@PavelSafronov PavelSafronov marked this pull request as ready for review December 15, 2025 20:36
@PavelSafronov PavelSafronov requested a review from a team as a code owner December 15, 2025 20:36
@baileympearson baileympearson self-assigned this Dec 16, 2025
@baileympearson baileympearson added the Primary Review In Review with primary reviewer, not yet ready for team's eyes label Dec 16, 2025
- removed extraneous new types
- removed unnecessary AWS4 interface
- getHmacArray renamed
- removed unnecessary env-reading code
- added a bunch of comments about the sigv4 algorithm
- removed tests that did not pass in any credentials, we never do this
? { accessKeyId, secretAccessKey, sessionToken }
: accessKeyId && secretAccessKey
? { accessKeyId, secretAccessKey }
: undefined;
Member

Is this case (awsCredentials = undefined) no longer valid?

Contributor Author

This change is based on Bailey's earlier comment:

We only ever call this with credentials already fetched - could we make this explicitly required?

But maybe we should throw another MongoMissingCredentialsError if we find that credentials.username or credentials.password are empty?

Contributor

It was dead code before. These values come from above:

    authContext.credentials = await makeTempCredentials(
      authContext.credentials,
      this.credentialFetcher
    );

    const { credentials } = authContext;

    const accessKeyId = credentials.username;
    const secretAccessKey = credentials.password;
    // Allow the user to specify an AWS session token for authentication with temporary credentials.
    const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;

and:

async function makeTempCredentials(
  credentials: MongoCredentials,
  awsCredentialFetcher: AWSSDKCredentialProvider
): Promise<MongoCredentials> {
  function makeMongoCredentialsFromAWSTemp(creds: AWSTempCredentials) {
    // The AWS session token (creds.Token) may or may not be set.
    if (!creds.AccessKeyId || !creds.SecretAccessKey) {
      throw new MongoMissingCredentialsError('Could not obtain temporary MONGODB-AWS credentials');
    }

    return new MongoCredentials({
      username: creds.AccessKeyId,
      password: creds.SecretAccessKey,
      source: credentials.source,
      mechanism: AuthMechanism.MONGODB_AWS,
      mechanismProperties: {
        AWS_SESSION_TOKEN: creds.Token
      }
    });
  }
  const temporaryCredentials = await awsCredentialFetcher.getCredentials();

  return makeMongoCredentialsFromAWSTemp(temporaryCredentials);
}

So, we always have an accessKeyId and secretAccessKey, token is optional.

@nbbeeken nbbeeken (Contributor) left a comment

all good on my end 🙂 thanks for taking on the improvements!

@baileympearson baileympearson (Contributor) left a comment

Just some minor comments. Nice work!

PavelSafronov and others added 4 commits January 6, 2026 10:10
rename Options to AwsSigv4Options

Co-authored-by: Bailey Pearson <bailey.pearson@gmail.com>
addaleax previously approved these changes Jan 8, 2026