Add EnvironCredentialsProvider for env-based auth detection

Author: polRk

.changeset/environ-credentials-provider.md

@@ -0,0 +1,5 @@
+---
+'@ydbjs/auth': minor
+---
+
+Add EnvironCredentialsProvider that auto-detects authentication method from environment variables (YDB_ANONYMOUS_CREDENTIALS, YDB_METADATA_CREDENTIALS, YDB_ACCESS_TOKEN_CREDENTIALS, YDB_STATIC_CREDENTIALS_USER) and TLS configuration (YDB_SSL_ROOT_CERTIFICATES_FILE, YDB_SSL_CERTIFICATE_FILE, YDB_SSL_PRIVATE_KEY_FILE or their PEM string variants). Exported from `@ydbjs/auth/environ`.

docs/guide/core.md

@@ -86,6 +86,39 @@ const driver = new Driver('grpc://localhost:2136/local', {
 await driver.ready()
 ```
 
+### 5) Environment-Based Auto-Detection
+
+`EnvironCredentialsProvider` reads environment variables and picks the right auth strategy automatically. It also detects TLS configuration.
+
+```ts
+import { Driver } from '@ydbjs/core'
+import { EnvironCredentialsProvider } from '@ydbjs/auth/environ'
+
+let cs = process.env['YDB_CONNECTION_STRING']!
+let creds = new EnvironCredentialsProvider(cs)
+
+const driver = new Driver(cs, {
+  credentialsProvider: creds,
+  secureOptions: creds.secureOptions,
+})
+await driver.ready()
+```
+
+Detection priority (first match wins):
+
+| Variable                            | Description                                             |
+| ----------------------------------- | ------------------------------------------------------- |
+| `YDB_ANONYMOUS_CREDENTIALS=1`       | Anonymous                                               |
+| `YDB_METADATA_CREDENTIALS=1`        | Cloud metadata                                          |
+| `YDB_METADATA_CREDENTIALS_ENDPOINT` | Custom metadata endpoint (default: GCE metadata)        |
+| `YDB_METADATA_CREDENTIALS_FLAVOR`   | Custom metadata flavor (default: `Google`)              |
+| `YDB_ACCESS_TOKEN_CREDENTIALS`      | Access token                                            |
+| `YDB_STATIC_CREDENTIALS_USER`       | Username for static auth                                |
+| `YDB_STATIC_CREDENTIALS_PASSWORD`   | Password (default: empty)                               |
+| `YDB_STATIC_CREDENTIALS_ENDPOINT`   | Auth endpoint (default: derived from connection string) |
+
+TLS is configured via `YDB_SSL_ROOT_CERTIFICATES_FILE` (or `YDB_SSL_ROOT_CERTIFICATES` for PEM string), `YDB_SSL_CERTIFICATE_FILE` / `YDB_SSL_CERTIFICATE`, `YDB_SSL_PRIVATE_KEY_FILE` / `YDB_SSL_PRIVATE_KEY`.
+
 ## TLS and mTLS in Driver
 
 Pass `secureOptions` (Node.js `tls.SecureContextOptions`). For `grpcs://...`, system CA store is used by default; `secureOptions` lets you provide custom roots/certificates.

docs/package.json

@@ -1,7 +1,10 @@
 {
 	"name": "@ydbjs/docs",
-	"type": "module",
 	"private": true,
+	"type": "module",
+	"publishConfig": {
+		"access": "restricted"
+	},
 	"scripts": {
 		"dev": "vitepress dev .",
 		"build": "vitepress build .",
@@ -10,8 +13,5 @@
 	},
 	"devDependencies": {
 		"vitepress": "^1.6.4"
-	},
-	"publishConfig": {
-		"access": "restricted"
 	}
 }

docs/ru/guide/core.md

@@ -86,6 +86,39 @@ const driver = new Driver('grpc://localhost:2136/local', {
 await driver.ready()
 ```
 
+### 5) Автоопределение из переменных окружения
+
+`EnvironCredentialsProvider` читает переменные окружения и автоматически выбирает нужный метод аутентификации. Также определяет TLS-конфигурацию.
+
+```ts
+import { Driver } from '@ydbjs/core'
+import { EnvironCredentialsProvider } from '@ydbjs/auth/environ'
+
+let cs = process.env['YDB_CONNECTION_STRING']!
+let creds = new EnvironCredentialsProvider(cs)
+
+const driver = new Driver(cs, {
+  credentialsProvider: creds,
+  secureOptions: creds.secureOptions,
+})
+await driver.ready()
+```
+
+Приоритет определения (первое совпадение):
+
+| Переменная                          | Описание                                                      |
+| ----------------------------------- | ------------------------------------------------------------- |
+| `YDB_ANONYMOUS_CREDENTIALS=1`       | Anonymous                                                     |
+| `YDB_METADATA_CREDENTIALS=1`        | Cloud metadata                                                |
+| `YDB_METADATA_CREDENTIALS_ENDPOINT` | Кастомный endpoint метадаты (по умолчанию: GCE metadata)      |
+| `YDB_METADATA_CREDENTIALS_FLAVOR`   | Кастомный flavor метадаты (по умолчанию: `Google`)            |
+| `YDB_ACCESS_TOKEN_CREDENTIALS`      | Access token                                                  |
+| `YDB_STATIC_CREDENTIALS_USER`       | Имя пользователя для static auth                              |
+| `YDB_STATIC_CREDENTIALS_PASSWORD`   | Пароль (по умолчанию: пустая строка)                          |
+| `YDB_STATIC_CREDENTIALS_ENDPOINT`   | Endpoint аутентификации (по умолчанию: из строки подключения) |
+
+TLS настраивается через `YDB_SSL_ROOT_CERTIFICATES_FILE` (или `YDB_SSL_ROOT_CERTIFICATES` для PEM-строки), `YDB_SSL_CERTIFICATE_FILE` / `YDB_SSL_CERTIFICATE`, `YDB_SSL_PRIVATE_KEY_FILE` / `YDB_SSL_PRIVATE_KEY`.
+
 ## TLS и mTLS в Driver
 
 Передайте `secureOptions` (Node.js `tls.SecureContextOptions`). Если строка подключения `grpcs://...`, по умолчанию используется системное хранилище CA; `secureOptions` позволяет указать свои корни/сертификаты.

e2e/package.json

@@ -3,11 +3,9 @@
 	"version": "0.0.0",
 	"private": true,
 	"type": "module",
-	"engines": {
-		"node": ">=20.19.0",
-		"npm": ">=10"
+	"publishConfig": {
+		"access": "restricted"
 	},
-	"engineStrict": true,
 	"scripts": {
 		"test": "vitest --run --project e2e",
 		"test:debug": "FORCE_COLOR=3 DEBUG_COLORS=1 DEBUG=ydbjs:* vitest --project e2e --inspect --no-file-parallelism"
@@ -24,7 +22,9 @@
 		"@ydbjs/topic": "*",
 		"@ydbjs/value": "*"
 	},
-	"publishConfig": {
-		"access": "restricted"
-	}
+	"engines": {
+		"node": ">=20.19.0",
+		"npm": ">=10"
+	},
+	"engineStrict": true
 }

examples/api/package.json

@@ -3,11 +3,9 @@
 	"version": "6.0.0",
 	"private": true,
 	"type": "module",
-	"engines": {
-		"node": ">=20.19.0",
-		"npm": ">=10"
+	"publishConfig": {
+		"access": "restricted"
 	},
-	"engineStrict": true,
 	"scripts": {
 		"start": "node index.js",
 		"dev": "DEBUG=ydbjs:* node index.js"
@@ -18,7 +16,9 @@
 		"@ydbjs/auth": "^6.0.0",
 		"@ydbjs/core": "^6.0.7"
 	},
-	"publishConfig": {
-		"access": "restricted"
-	}
+	"engines": {
+		"node": ">=20.19.0",
+		"npm": ">=10"
+	},
+	"engineStrict": true
 }

examples/auth-yandex-cloud/package.json

@@ -2,13 +2,11 @@
 	"name": "@ydbjs/examples-auth-yandex-cloud",
 	"version": "6.0.0",
 	"private": true,
-	"type": "module",
 	"description": "Example of YDB connection using Yandex Cloud IAM authentication",
-	"engines": {
-		"node": ">=20.19.0",
-		"npm": ">=10"
+	"type": "module",
+	"publishConfig": {
+		"access": "restricted"
 	},
-	"engineStrict": true,
 	"scripts": {
 		"start": "node index.js",
 		"dev": "DEBUG=ydbjs:* node index.js"
@@ -18,7 +16,9 @@
 		"@ydbjs/core": "^6.0.7",
 		"@ydbjs/query": "^6.0.7"
 	},
-	"publishConfig": {
-		"access": "restricted"
-	}
+	"engines": {
+		"node": ">=20.19.0",
+		"npm": ">=10"
+	},
+	"engineStrict": true
 }

examples/environ/README.md

@@ -0,0 +1,52 @@
+# Environment-based Authentication Example
+
+This example demonstrates how to use `EnvironCredentialsProvider` to auto-detect the authentication method and TLS configuration from environment variables.
+
+## Usage
+
+```bash
+# Anonymous (local YDB)
+YDB_CONNECTION_STRING=grpc://localhost:2136/local npm start
+
+# Static credentials (on-premises)
+YDB_CONNECTION_STRING=grpcs://ydb.example.com:2135/mydb \
+YDB_STATIC_CREDENTIALS_USER=admin \
+YDB_STATIC_CREDENTIALS_PASSWORD=secret \
+YDB_SSL_ROOT_CERTIFICATES_FILE=/path/to/ca.pem \
+npm start
+
+# Access token
+YDB_CONNECTION_STRING=grpcs://ydb.example.com:2135/mydb \
+YDB_ACCESS_TOKEN_CREDENTIALS=my-token \
+npm start
+
+# Metadata (cloud VM)
+YDB_CONNECTION_STRING=grpcs://ydb.example.com:2135/mydb \
+YDB_METADATA_CREDENTIALS=1 \
+npm start
+```
+
+## Environment Variables
+
+### Credentials (first match wins)
+
+| Variable                            | Description                                             |
+| ----------------------------------- | ------------------------------------------------------- |
+| `YDB_ANONYMOUS_CREDENTIALS=1`       | Anonymous access                                        |
+| `YDB_METADATA_CREDENTIALS=1`        | Cloud metadata token                                    |
+| `YDB_METADATA_CREDENTIALS_ENDPOINT` | Custom metadata endpoint (default: GCE metadata)        |
+| `YDB_METADATA_CREDENTIALS_FLAVOR`   | Custom metadata flavor (default: `Google`)              |
+| `YDB_ACCESS_TOKEN_CREDENTIALS`      | Direct access token                                     |
+| `YDB_STATIC_CREDENTIALS_USER`       | Username for static auth                                |
+| `YDB_STATIC_CREDENTIALS_PASSWORD`   | Password (default: empty)                               |
+| `YDB_STATIC_CREDENTIALS_ENDPOINT`   | Auth endpoint (default: derived from connection string) |
+
+### TLS (file path or PEM string)
+
+| File variant                     | String variant              | Description        |
+| -------------------------------- | --------------------------- | ------------------ |
+| `YDB_SSL_ROOT_CERTIFICATES_FILE` | `YDB_SSL_ROOT_CERTIFICATES` | CA certificate     |
+| `YDB_SSL_CERTIFICATE_FILE`       | `YDB_SSL_CERTIFICATE`       | Client certificate |
+| `YDB_SSL_PRIVATE_KEY_FILE`       | `YDB_SSL_PRIVATE_KEY`       | Client private key |
+
+`NODE_EXTRA_CA_CERTS` is also supported as a CA file path fallback.

examples/environ/index.js

@@ -0,0 +1,35 @@
+import { Driver } from '@ydbjs/core'
+import { EnvironCredentialsProvider } from '@ydbjs/auth/environ'
+import { DiscoveryServiceDefinition } from '@ydbjs/api/discovery'
+
+let cs = process.env.YDB_CONNECTION_STRING
+if (!cs) throw new Error('YDB_CONNECTION_STRING is required')
+
+// Auto-detect auth method and TLS from environment variables.
+//
+// Credentials (first match wins):
+//   YDB_ANONYMOUS_CREDENTIALS=1
+//   YDB_METADATA_CREDENTIALS=1  (+ YDB_METADATA_CREDENTIALS_ENDPOINT, YDB_METADATA_CREDENTIALS_FLAVOR)
+//   YDB_ACCESS_TOKEN_CREDENTIALS=<token>
+//   YDB_STATIC_CREDENTIALS_USER=<user>  (+ YDB_STATIC_CREDENTIALS_PASSWORD, YDB_STATIC_CREDENTIALS_ENDPOINT)
+//
+// TLS (file path or PEM string):
+//   YDB_SSL_ROOT_CERTIFICATES_FILE / YDB_SSL_ROOT_CERTIFICATES
+//   YDB_SSL_CERTIFICATE_FILE      / YDB_SSL_CERTIFICATE
+//   YDB_SSL_PRIVATE_KEY_FILE      / YDB_SSL_PRIVATE_KEY
+let creds = new EnvironCredentialsProvider(cs)
+
+let driver = new Driver(cs, {
+	credentialsProvider: creds,
+	secureOptions: creds.secureOptions,
+})
+
+await driver.ready()
+console.log('Connected to', cs)
+
+let discovery = driver.createClient(DiscoveryServiceDefinition)
+let resp = await discovery.listEndpoints({ database: driver.database })
+console.log('Endpoints status:', resp.status)
+
+driver.close()
+console.log('Done')

examples/environ/package.json

@@ -0,0 +1,23 @@
+{
+	"name": "@ydbjs/examples-environ",
+	"version": "6.0.0",
+	"private": true,
+	"type": "module",
+	"publishConfig": {
+		"access": "restricted"
+	},
+	"scripts": {
+		"start": "node index.js",
+		"dev": "DEBUG=ydbjs:* node index.js"
+	},
+	"dependencies": {
+		"@ydbjs/api": "^6.0.0",
+		"@ydbjs/auth": "^6.0.5",
+		"@ydbjs/core": "^6.0.7"
+	},
+	"engines": {
+		"node": ">=20.19.0",
+		"npm": ">=10"
+	},
+	"engineStrict": true
+}