Skip to content
18 changes: 13 additions & 5 deletions src/integration.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,14 @@ async function fetchBrowser({ url }: OpenBrowserOptions): Promise<void> {
(await fetch(url)).body?.resume();
}

function filterConnectionStatus(
status: Record<string, unknown>
): Record<string, unknown> {
// 8.1.0-rc0+ (SERVER-91936) adds and UUID to the response
const { ok, authInfo } = status;
return { ok, authInfo };
}

describe('integration test with mongod', function () {
this.timeout(90_000);

Expand Down Expand Up @@ -109,7 +117,7 @@ describe('integration test with mongod', function () {
const status = await client
.db('admin')
.command({ connectionStatus: 1 });
expect(status).to.deep.equal({
expect(filterConnectionStatus(status)).to.deep.equal({
ok: 1,
authInfo: {
authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
Expand Down Expand Up @@ -184,7 +192,7 @@ describe('integration test with mongod', function () {
const status = await client
.db('admin')
.command({ connectionStatus: 1 });
expect(status).to.deep.equal({
expect(filterConnectionStatus(status)).to.deep.equal({
ok: 1,
authInfo: {
authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
Expand All @@ -210,7 +218,7 @@ describe('integration test with mongod', function () {
const status = await client
.db('admin')
.command({ connectionStatus: 1 });
expect(status).to.deep.equal({
expect(filterConnectionStatus(status)).to.deep.equal({
ok: 1,
authInfo: {
authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
Expand All @@ -234,7 +242,7 @@ describe('integration test with mongod', function () {
const status = await client
.db('admin')
.command({ connectionStatus: 1 });
expect(status).to.deep.equal({
expect(filterConnectionStatus(status)).to.deep.equal({
ok: 1,
authInfo: {
authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
Expand Down Expand Up @@ -270,7 +278,7 @@ describe('integration test with mongod', function () {
const status = await client
.db('admin')
.command({ connectionStatus: 1 });
expect(status).to.deep.equal({
expect(filterConnectionStatus(status)).to.deep.equal({
ok: 1,
authInfo: {
authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
Expand Down
13 changes: 12 additions & 1 deletion src/log-hook.ts
Original file line number Diff line number Diff line change
Expand Up @@ -241,7 +241,15 @@ export function hookLoggerToMongoLogWriter(

emitter.on(
'mongodb-oidc-plugin:auth-succeeded',
({ tokenType, refreshToken, expiresAt, passIdTokenAsAccessToken }) => {
({
tokenType,
refreshToken,
expiresAt,
passIdTokenAsAccessToken,
forceRefreshOrReauth,
willRetryWithForceRefreshOrReauth,
tokenSetId,
}) => {
log.info(
'OIDC-PLUGIN',
mongoLogId(1_002_000_017),
Expand All @@ -252,6 +260,9 @@ export function hookLoggerToMongoLogWriter(
refreshToken,
expiresAt,
passIdTokenAsAccessToken,
forceRefreshOrReauth,
willRetryWithForceRefreshOrReauth,
tokenSetId,
}
);
}
Expand Down
157 changes: 150 additions & 7 deletions src/plugin.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -56,13 +56,15 @@ function requestToken(
plugin: MongoDBOIDCPlugin,
oidcParams: IdPServerInfo,
abortSignal?: OIDCAbortSignal,
username?: string
username?: string,
refreshToken?: string
): ReturnType<OIDCCallbackFunction> {
return plugin.mongoClientOptions.authMechanismProperties.OIDC_HUMAN_CALLBACK({
timeoutContext: abortSignal,
version: 1,
idpInfo: oidcParams,
username,
refreshToken,
});
}

Expand Down Expand Up @@ -390,6 +392,7 @@ describe('OIDC plugin (local OIDC provider)', function () {
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
expect(Object.keys(serializedData.state[0][1]).sort()).to.deep.equal([
'currentTokenSet',
'discardingTokenSets',
'lastIdTokenClaims',
'serverOIDCMetadata',
]);
Expand Down Expand Up @@ -905,24 +908,77 @@ describe('OIDC plugin (local OIDC provider)', function () {

describe('automaticRefreshTimeoutMS', function () {
it('returns the correct automatic refresh timeout', function () {
const nowS = Date.now() / 1000;
const nowMS = nowS * 1000;
expect(automaticRefreshTimeoutMS({})).to.equal(undefined);
expect(automaticRefreshTimeoutMS({ expires_in: 10000 })).to.equal(
expect(automaticRefreshTimeoutMS({ expires_at: nowS + 10000 })).to.equal(
undefined
);
expect(
automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 10000 })
automaticRefreshTimeoutMS(
{
refresh_token: 'asdf',
expires_at: nowS + 10000,
},
undefined,
nowMS
)
).to.equal(9700000);
expect(
automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 100 })
automaticRefreshTimeoutMS(
{
refresh_token: 'asdf',
expires_at: nowS + 100,
},
undefined,
nowMS
)
).to.equal(50000);
expect(
automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 10 })
automaticRefreshTimeoutMS(
{
refresh_token: 'asdf',
expires_at: nowS + 100,
id_token: '...',
claims() {
return { exp: nowS + 500 };
},
},
true,
nowMS
)
).to.equal(250000);
expect(
automaticRefreshTimeoutMS(
{
refresh_token: 'asdf',
expires_at: nowS + 100,
id_token: '...',
claims() {
return { exp: nowS + 500 };
},
},
false,
nowMS
)
).to.equal(50000);
expect(
automaticRefreshTimeoutMS({
refresh_token: 'asdf',
expires_at: nowS + 10,
})
).to.equal(undefined);
expect(
automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 0 })
automaticRefreshTimeoutMS({
refresh_token: 'asdf',
expires_at: nowS + 0,
})
).to.equal(undefined);
expect(
automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: -10 })
automaticRefreshTimeoutMS({
refresh_token: 'asdf',
expires_at: nowS + -10,
})
).to.equal(undefined);
});
});
Expand Down Expand Up @@ -1235,6 +1291,93 @@ describe('OIDC plugin (mock OIDC provider)', function () {
});
});

context('when drivers re-request tokens early', function () {
let plugin: MongoDBOIDCPlugin;

beforeEach(function () {
plugin = createMongoDBOIDCPlugin({
openBrowserTimeout: 60_000,
openBrowser: fetchBrowser,
allowedFlows: ['auth-code'],
redirectURI: 'http://localhost:0/callback',
});
});

it('will return a different token even if the existing one is not yet expired', async function () {
const result1 = await requestToken(plugin, {
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
});
const result2 = await requestToken(plugin, {
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
});
const result3 = await requestToken(
plugin,
{
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
},
undefined,
undefined,
result2.refreshToken
);
const result4 = await requestToken(
plugin,
{
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
},
undefined,
undefined,
result2.refreshToken
);
expect(result1).to.deep.equal(result2);
expect(result2.accessToken).not.to.equal(result3.accessToken);
expect(result2.refreshToken).not.to.equal(result3.refreshToken);
expect(result3).to.deep.equal(result4);
});

it('will return only one new token per expired token even when called in parallel', async function () {
const result1 = await requestToken(plugin, {
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
});
const [result2, result3] = await Promise.all([
requestToken(
plugin,
{
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
},
undefined,
undefined,
result1.refreshToken
),
requestToken(
plugin,
{
issuer: provider.issuer,
clientId: 'mockclientid',
requestScopes: [],
},
undefined,
undefined,
result1.refreshToken
),
]);
expect(result1.accessToken).not.to.equal(result2.accessToken);
expect(result1.refreshToken).not.to.equal(result2.refreshToken);
expect(result2).to.deep.equal(result3);
});
});

context('HTTP request tracking', function () {
it('will log all outgoing HTTP requests', async function () {
const pluginHttpRequests: string[] = [];
Expand Down
Loading
Loading