fix(NODE-5289): prevent scram auth from throwing TypeError if saslpre…

…p is not a function (#3727)
mongodb · Jun 29, 2023 · 89b391c · 89b391c
1 parent 0012460
commit 89b391c
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 124 deletions.
diff --git a/src/cmap/auth/scram.ts b/src/cmap/auth/scram.ts
@@ -34,7 +34,10 @@ class ScramSHA extends AuthProvider {
     if (!credentials) {
       throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
-    if (cryptoMethod === 'sha256' && saslprep == null) {
+    if (
+      cryptoMethod === 'sha256' &&
+      ('kModuleError' in saslprep || typeof saslprep !== 'function')
+    ) {
       emitWarning('Warning: no saslprep library specified. Passwords will not be sanitized');
     }
 
@@ -140,7 +143,8 @@ async function continueScramConversation(
 
   let processedPassword;
   if (cryptoMethod === 'sha256') {
-    processedPassword = 'kModuleError' in saslprep ? password : saslprep(password);
+    processedPassword =
+      'kModuleError' in saslprep || typeof saslprep !== 'function' ? password : saslprep(password);
   } else {
     processedPassword = passwordDigest(username, password);
   }

diff --git a/test/integration/auth/scram_sha_256.test.js b/test/integration/auth/scram_sha_256.test.js
diff --git a/test/integration/auth/scram_sha_256.test.ts b/test/integration/auth/scram_sha_256.test.ts
@@ -0,0 +1,64 @@
+import { expect } from 'chai';
+import * as sinon from 'sinon';
+
+// eslint-disable-next-line @typescript-eslint/no-restricted-imports
+import * as deps from '../../../src/deps';
+import { type MongoClient } from '../../mongodb';
+
+describe('SCRAM_SHA_256', function () {
+  beforeEach(function () {
+    if (!this.configuration.parameters.authenticationMechanisms.includes('SCRAM-SHA-256')) {
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      this.currentTest!.skipReason = 'Test requires that SCRAM-SHA-256 be enabled on the server.';
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      this.currentTest!.skip();
+    }
+  });
+
+  context('when saslprep is not a function', () => {
+    let client: MongoClient;
+
+    beforeEach(function () {
+      sinon.stub(deps, 'saslprep').value({});
+      client = this.configuration.newClient({ authMechanism: 'SCRAM-SHA-256' });
+    });
+
+    afterEach(() => {
+      sinon.restore();
+      return client.close();
+    });
+
+    it('does not throw an error', { requires: { auth: 'enabled' } }, async function () {
+      await client.connect();
+    });
+
+    it('emits a warning', { requires: { auth: 'enabled' } }, async function () {
+      const warnings: Array<Error> = [];
+      process.once('warning', w => warnings.push(w));
+      await client.connect();
+      expect(warnings).to.have.lengthOf(1);
+      expect(warnings[0]).to.have.property(
+        'message',
+        'Warning: no saslprep library specified. Passwords will not be sanitized'
+      );
+    });
+  });
+
+  context('when saslprep is a function', () => {
+    let client: MongoClient;
+
+    beforeEach(function () {
+      client = this.configuration.newClient({ authMechanism: 'SCRAM-SHA-256' });
+    });
+
+    afterEach(() => client.close());
+
+    it('calls saslprep', { requires: { auth: 'enabled' } }, async function () {
+      const spy = sinon.spy(deps, 'saslprep');
+
+      await client.connect();
+
+      expect(spy).to.have.been.called;
+    });
+  });
+});