fix: include nonce in oidc request by default MONGOSH-1905 MONGOSH-1917 (#2269)

Author: nirinchev

.github/workflows/cron-tasks.yml

@@ -13,24 +13,24 @@ jobs:
     name: Update automatically generated files
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           # don't checkout a detatched HEAD
           ref: ${{ github.head_ref }}
 
           # this is important so git log can pick up on
           # the whole history to generate the list of AUTHORS
-          fetch-depth: '0'
+          fetch-depth: "0"
 
       - name: Set up Git
         run: |
           git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config --local user.name "github-actions[bot]"
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
           node-version: ^16.x
-          cache: 'npm'
+          cache: "npm"
 
       - name: Install npm@8
         run: |
@@ -50,41 +50,36 @@ jobs:
         run: |
           npm run update-authors
           git add AUTHORS \*/AUTHORS
-          git commit --no-allow-empty -m "chore: update AUTHORS" || true
 
       - name: Generate Error Documentation
         run: |
           npm run generate-error-overview
           mv error-overview.md error-overview.rst packages/errors/generated/
           npm run reformat
           git add packages/errors/generated
-          git commit --no-allow-empty -m "chore: update error documentation" || true
 
       - name: Regenerate Evergreen Config
         run: |
           npm run update-evergreen-config
           git add .evergreen.yml
-          git commit --no-allow-empty -m "chore: update evergreen config" || true
 
       - name: Update Security Test Summary
         run: |
           npm run update-security-test-summary
           git add docs/security-test-summary.md
-          git commit --no-allow-empty -m "chore: update security test summary" || true
 
       - name: Regenerate CLI usage text in README files
         run: |
           npm run update-cli-usage-text packages/*/*.md *.md
           git add packages/*/*.md *.md
-          git commit --no-allow-empty -m "chore: update CLI usage text" || true
 
       - name: Create pull request
         id: cpr
         uses: peter-evans/create-pull-request@v6
         with:
           commit-message: Update auto-generated files
           branch: ci/cron-tasks-update-files
-          title: 'chore: update auto-generated files'
+          title: "chore: update auto-generated files"
           body: |
             - Update auto-generated files
 

README.md

@@ -90,6 +90,7 @@ variable. For detailed instructions for each of our supported platforms, please
         --oidcTrustedEndpoint                  Treat the cluster/database mongosh as a trusted endpoint
         --oidcIdTokenAsAccessToken             Use ID tokens in place of access tokens for auth
         --oidcDumpTokens[=mode]                Debug OIDC by printing tokens to mongosh's output [full|include-secrets]
+        --oidcNoNonce                          Don't send a nonce argument in the OIDC auth request
 
   DB Address Examples:
 

package-lock.json

@@ -450,6 +450,22 @@ describe('arg-mapper.mapCliToDriver', function () {
     });
   });
 
+  context('when cli args have oidcNoNonce', function () {
+    const cliOptions: CliOptions = {
+      oidcNoNonce: true,
+    };
+
+    it('maps to oidc skipNonceInAuthCodeRequest', function () {
+      expect(optionsTest(cliOptions)).to.deep.equal({
+        driver: {
+          oidc: {
+            skipNonceInAuthCodeRequest: true,
+          },
+        },
+      });
+    });
+  });
+
   context('when cli args have browser', function () {
     it('maps to oidc command', function () {
       expect(optionsTest({ browser: '/usr/bin/browser' })).to.deep.equal({

packages/arg-parser/src/arg-mapper.spec.ts

@@ -29,7 +29,7 @@ function setServerApi<Key extends keyof ServerApi>(
   const serverApi =
     typeof previousServerApi === 'string'
       ? { version: previousServerApi }
-      : { ...previousServerApi } ?? {};
+      : { ...previousServerApi };
   serverApi[key] = value;
   return setDriver(i, 'serverApi', serverApi as Required<ServerApi>);
 }
@@ -237,6 +237,7 @@ const MAPPINGS: {
       v.split(',').filter(Boolean) as OIDCOptions['allowedFlows']
     ),
   oidcIdTokenAsAccessToken: (i, v) => setOIDC(i, 'passIdTokenAsAccessToken', v),
+  oidcNoNonce: (i, v) => setOIDC(i, 'skipNonceInAuthCodeRequest', v),
   browser: (i, v) =>
     setOIDC(i, 'openBrowser', typeof v === 'string' ? { command: v } : v),
 };

packages/arg-parser/src/arg-mapper.ts

@@ -56,5 +56,6 @@ export interface CliOptions {
   oidcTrustedEndpoint?: boolean;
   oidcIdTokenAsAccessToken?: boolean;
   oidcDumpTokens?: boolean | 'redacted' | 'include-secrets';
+  oidcNoNonce?: boolean;
   browser?: string | false;
 }

packages/arg-parser/src/cli-options.ts

@@ -75,6 +75,7 @@ of mongosh, visit https://www.mongodb.com/try/download/shell.
         --oidcTrustedEndpoint                  Treat the cluster/database mongosh as a trusted endpoint
         --oidcIdTokenAsAccessToken             Use ID tokens in place of access tokens for auth
         --oidcDumpTokens[=mode]                Debug OIDC by printing tokens to mongosh's output [full|include-secrets]
+        --oidcNoNonce                          Don't send a nonce argument in the OIDC auth request
 
   DB Address Examples:
 

packages/cli-repl/README.md

@@ -65,6 +65,7 @@ const OPTIONS = {
     'norc',
     'oidcTrustedEndpoint',
     'oidcIdTokenAsAccessToken',
+    'oidcNoNonce',
     'perfTests',
     'quiet',
     'retryWrites',

packages/cli-repl/src/arg-parser.ts

@@ -152,6 +152,9 @@ export const USAGE = `
         --oidcDumpTokens[=mode]                ${i18n.__(
           'cli-repl.args.oidcDumpTokens'
         )}
+        --oidcNoNonce                          ${i18n.__(
+          'cli-repl.args.oidcNoNonce'
+        )}
 
   ${clr(i18n.__('cli-repl.args.dbAddressOptions'), 'mongosh:section-header')}
 

packages/cli-repl/src/constants.ts

@@ -33,7 +33,7 @@
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
-    "@mongodb-js/oidc-mock-provider": "^0.10.0",
+    "@mongodb-js/oidc-mock-provider": "^0.10.2",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "@types/chai-as-promised": "^7.1.3",