feat: throw if credentials set

durran · durran · commit f68d8ef70e7b · 2025-09-30T15:46:06.000+02:00
diff --git a/src/cmap/auth/mongo_credentials.ts b/src/cmap/auth/mongo_credentials.ts
@@ -58,6 +58,7 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_NAME?: string;
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
+  /** @internal */
   AWS_SESSION_TOKEN?: string;
   /** A user provided OIDC machine callback function. */
   OIDC_CALLBACK?: OIDCCallbackFunction;
diff --git a/src/cmap/auth/mongodb_aws.ts b/src/cmap/auth/mongodb_aws.ts
@@ -56,12 +56,10 @@ export class MongoDBAWS extends AuthProvider {
       );
     }
 
-    if (!authContext.credentials.username) {
-      authContext.credentials = await makeTempCredentials(
-        authContext.credentials,
-        this.credentialFetcher
-      );
-    }
+    authContext.credentials = await makeTempCredentials(
+      authContext.credentials,
+      this.credentialFetcher
+    );
 
     const { credentials } = authContext;
 
diff --git a/src/connection_string.ts b/src/connection_string.ts
@@ -423,6 +423,18 @@ export function parseOptions(
       );
     }
 
+    if (isAws) {
+      const { username, password } = mongoOptions.credentials;
+      if (username || password) {
+        throw new MongoParseError(
+          'username and password cannot be provided when using MONGODB-AWS'
+        );
+      }
+      if (mongoOptions.credentials.mechanismProperties.AWS_SESSION_TOKEN) {
+        throw new MongoParseError('AWS_SESSION_TOKEN cannot be provided when using MONGODB-AWS');
+      }
+    }
+
     mongoOptions.credentials.validate();
 
     // Check if the only auth related option provided was authSource, if so we can remove credentials
diff --git a/test/spec/auth/legacy/connection-string.json b/test/spec/auth/legacy/connection-string.json
@@ -440,6 +440,21 @@
         }
       }
     },
+    {
+      "description": "should throw an exception if username provided (MONGODB-AWS) implies default mechanism)",
+      "uri": "mongodb://user:localhost.com/",
+      "valid": false
+    },
+    {
+      "description": "should throw an exception if username and password provided (MONGODB-AWS) implies default mechanism)",
+      "uri": "mongodb://user@pass:localhost.com/",
+      "valid": false
+    },
+    {
+      "description": "should throw an exception if AWS_SESSION_TOKEN provided (MONGODB-AWS) implies default mechanism)",
+      "uri": "mongodb://localhost/?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:token",
+      "valid": false
+    },
     {
       "description": "should recognise the mechanism with test environment (MONGODB-OIDC)",
       "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test",
diff --git a/test/spec/auth/legacy/connection-string.yml b/test/spec/auth/legacy/connection-string.yml
@@ -480,4 +480,4 @@ tests:
     (MONGODB-OIDC)
   uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:k8s
   valid: false
-  credential: null
+  credential: null
