fix(NODE-7548): SCRAM authentication fails on non-Node runtimes#4932
Open
PavelSafronov wants to merge 20 commits intomainfrom
Open
fix(NODE-7548): SCRAM authentication fails on non-Node runtimes#4932PavelSafronov wants to merge 20 commits intomainfrom
PavelSafronov wants to merge 20 commits intomainfrom
Conversation
… call also updated bundling logic to correctly remove Buffer. 9 tests are currently failing, with failures that are not related to scram. Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: Copilot <copilot@github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses SCRAM authentication and unit test failures when running the driver in “nodeless” (non-Node) runtimes by replacing Node-specific Buffer APIs with runtime-neutral utilities, adjusting the bundling configuration, and conditionally adapting/skipping tests that rely on Node-only behavior.
Changes:
- Update SCRAM message parsing/encoding to use
ByteUtilsUTF-8 helpers instead ofBinary#toString('utf8'). - Adjust unit tests to run in nodeless environments (conditional assertions, avoiding Buffer APIs, skipping sinon-dependent tests).
- Change the driver bundling setup to
platform: 'browser'and tighten the VM sandbox globals used by bundled tests.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| test/unit/utils.test.ts | Makes compareObjectId tests conditional for nodeless behavior differences. |
| test/unit/sessions.test.ts | Avoids instanceof Long checks in nodeless by using ensureTypeByName. |
| test/unit/nodeless.test.ts | Adds assertions about the VM sandbox not exposing Node globals. |
| test/unit/commands.test.ts | Replaces Buffer read methods with runtime-neutral helpers. |
| test/unit/cmap/wire_protocol/on_demand/document.test.ts | Adapts throw assertions for nodeless runtime differences (needs tightening to avoid false positives). |
| test/unit/cmap/connect.test.ts | Skips sinon-based socket tests when running nodeless. |
| test/unit/cmap/commands.test.ts | Removes Buffer-specific toString usage for document sequence name assertions. |
| test/unit/client-side-encryption/state_machine.test.ts | Skips sinon-based tests for nodeless runs. |
| test/tools/runner/vm_context_helper.ts | Updates VM sandbox globals and adds bundle debugging hooks; exports sandbox. |
| test/mongodb_bundled.ts | Exposes additional exports needed by bundled/nodeless tests (makeSocket, keep-alive constant). |
| src/cmap/auth/scram.ts | Switches SCRAM auth message decoding/parsing to ByteUtils.toUTF8. |
| src/bson.ts | Adds readUint8 helper alongside existing buffer read helpers (needs bounds validation). |
| etc/bundle-driver.mjs | Bundles with platform: 'browser'/chrome112 and bundles bson instead of externalizing it. |
Comments suppressed due to low confidence (1)
src/cmap/auth/scram.ts:213
parsePayloadcurrently decodespayload.bufferusingpayload.buffer.length, which can include unwritten bytes (seeBinary.position). It also assumespayloadis always aBinary, but other code already handlesresponse.payloadbeing aUint8Array—r.payloadmay be as well. Consider normalizing insideparsePayload(acceptBinary | Uint8Array) and decode only the actual payload length.
function parsePayload(payload: Binary) {
const payloadStr = ByteUtils.toUTF8(payload.buffer, 0, payload.buffer.length, true);
const dict: Document = {};
const parts = payloadStr.split(',');
for (let i = 0; i < parts.length; i++) {
const valueParts = (parts[i].match(/^([^=]*)=(.*)$/) ?? []).slice(1);
dict[valueParts[0]] = valueParts[1];
}
- use Binary.position instead of buffer.length - add a validateBufferInputs call to readUint8 - add expect.fail in cases where we expect an exception
tadjik1
added
the
Primary Review
tadjik1
reviewed
May 6, 2026
tadjik1
reviewed
May 6, 2026
tadjik1
requested changes
May 6, 2026
Member
There was a problem hiding this comment.
thanks @PavelSafronov! I left few small questions, please let me know what you think.
Can you also please take a look at lint errors?
And I guess you spotted another bug by switching the environment:
[2026/05/06 01:26:35.258] 34) Unified test format runner (valid-pass)
[2026/05/06 01:26:35.258] poc-sessions
[2026/05/06 01:26:35.258] Server supports implicit sessions:
[2026/05/06 01:26:35.258] TypeError: [last.command.lsid.id](http://last.command.lsid.id/).buffer.equals is not a function
[2026/05/06 01:26:35.258] at assertSameLsidOnLastTwoCommands (test/tools/unified-spec-runner/operations.ts:147:38)
[2026/05/06 01:26:35.258] at executeOperationAndCheck (test/tools/unified-spec-runner/operations.ts:1037:20)
[2026/05/06 01:26:35.258] at runUnifiedTest (test/tools/unified-spec-runner/runner.ts:239:39)
[2026/05/06 01:26:35.258] at processTicksAndRejections (node:internal/process/task_queues:104:5)
[2026/05/06 01:26:35.258] at async Context.<anonymous> (test/tools/unified-spec-runner/runner.ts:349:13)[2026/05/06 01:26:35.258] 34) Unified test format runner (valid-pass)
[2026/05/06 01:26:35.258] poc-sessions
[2026/05/06 01:26:35.258] Server supports implicit sessions:
[2026/05/06 01:26:35.258] TypeError: [last.command.lsid.id](http://last.command.lsid.id/).buffer.equals is not a function
[2026/05/06 01:26:35.258] at assertSameLsidOnLastTwoCommands (test/tools/unified-spec-runner/operations.ts:147:38)
[2026/05/06 01:26:35.258] at executeOperationAndCheck (test/tools/unified-spec-runner/operations.ts:1037:20)
[2026/05/06 01:26:35.258] at runUnifiedTest (test/tools/unified-spec-runner/runner.ts:239:39)
[2026/05/06 01:26:35.258] at processTicksAndRejections (node:internal/process/task_queues:104:5)
[2026/05/06 01:26:35.258] at async Context.<anonymous> (test/tools/unified-spec-runner/runner.ts:349:13)[2026/05/06 01:26:35.258] 34) Unified test format runner (valid-pass)
[2026/05/06 01:26:35.258] poc-sessions
[2026/05/06 01:26:35.258] Server supports implicit sessions:
[2026/05/06 01:26:35.258] TypeError: [last.command.lsid.id](http://last.command.lsid.id/).buffer.equals is not a function
[2026/05/06 01:26:35.258] at assertSameLsidOnLastTwoCommands (test/tools/unified-spec-runner/operations.ts:147:38)
[2026/05/06 01:26:35.258] at executeOperationAndCheck (test/tools/unified-spec-runner/operations.ts:1037:20)
[2026/05/06 01:26:35.258] at runUnifiedTest (test/tools/unified-spec-runner/runner.ts:239:39)
[2026/05/06 01:26:35.258] at processTicksAndRejections (node:internal/process/task_queues:104:5)
[2026/05/06 01:26:35.258] at async Context.<anonymous> (test/tools/unified-spec-runner/runner.ts:349:13)
TypeError: last.command.lsid.id.buffer.equals is not a function
- lint fixes - use payload.position - add comments about NODE-7576
tadjik1
reviewed
May 8, 2026
| withoutProof | ||
| ].join(','); | ||
| const firstMessageBytes = clientFirstMessageBare(username, nonce); | ||
| const firstMessage = ByteUtils.toUTF8(firstMessageBytes, 0, firstMessageBytes.length, true); |
Member
There was a problem hiding this comment.
It seems that fatal=true is going to change the behaviour of this part (from the js-bson docs):
/** Create a string from utf8 code units, fatal=true will throw an error if UTF-8 bytes are invalid, fatal=false will insert replacement characters */
toUTF8: (buffer: Uint8Array, start: number, end: number, fatal: boolean) => string;
Before toString() didn't throw error, and instead replaced bad bytes silently. Now we are going to throw TypeError in case of invalid UTF8.
(and the same for parsePayload)
Suggested change
| const firstMessage = ByteUtils.toUTF8(firstMessageBytes, 0, firstMessageBytes.length, true); | |
| const firstMessage = ByteUtils.toUTF8(firstMessageBytes, 0, firstMessageBytes.length, false); |
Contributor
Author
There was a problem hiding this comment.
Great catch, updating.
tadjik1
reviewed
May 8, 2026
| requires: { | ||
| predicate: _test => { | ||
| if (runNodelessTests) { | ||
| return 'Test is not node specific and should be run in nodeless environments'; |
Member
There was a problem hiding this comment.
Suggested change
| return 'Test is not node specific and should be run in nodeless environments'; | |
| return 'Test is node specific and should not be run in nodeless environments'; |
Contributor
Author
There was a problem hiding this comment.
Changed, and added a bit more context.
tadjik1
requested changes
May 8, 2026
Member
tadjik1
left a comment
tadjik1
left a comment
There was a problem hiding this comment.
thanks @PavelSafronov, great work! I have left, I believe, 2 last small comments, to preserve existing behaviour and small typo fix. Everything else is looking really good 👍
- avoid throwing by toUTF8 - clarify comments
tadjik1
approved these changes
May 8, 2026
addaleax
reviewed
May 11, 2026
| const firstMessageBytes = clientFirstMessageBare(username, nonce); | ||
| const firstMessage = ByteUtils.toUTF8(firstMessageBytes, 0, firstMessageBytes.length, false); | ||
| const payloadString = ByteUtils.toUTF8(payload.buffer, 0, payload.position, false); | ||
| const authMessage = [firstMessage, payloadString, withoutProof].join(','); |
Contributor
There was a problem hiding this comment.
Might be a bit interesting to think about how this could have been prevented ... it's a bit unfortunate that TS lets you call .join() on arrays that contain non-primitives.
Maybe if we enforced the usage of template strings instead of joining fixed-length arrays, this could be avoided? It's technically still valid JS, but I'm pretty sure at least in the devtools codebases this would result in linter failures
Suggested change
| const authMessage = [firstMessage, payloadString, withoutProof].join(','); | |
| const authMessage = `${firstMessage},${payloadString},${withoutProof}`; |
| bsonType: 'int', | ||
| algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random', | ||
| keyId: [new UUID(dataKey)] | ||
| keyId: [new UUID(dataKey.toHexString(true))] |
Contributor
There was a problem hiding this comment.
Can you explain why the changes here are necessary/how they tie into the rest of the PR? Passing a BSON UUID value here should work just fine
| globalThis: undefined as any | ||
| globalThis: undefined as any, | ||
|
|
||
| // These are needed for webByteUtils and are not available in the browser. |
Contributor
There was a problem hiding this comment.
Huh? These APIs come from browsers and were only adopted in server-side runtimes later
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Summary of Changes
This fixes the deno-specific issue where SCRAM is broken. The bug happens because we are invoking toString implicitly, and this results in a behavior change. The fix is to convert the bytes to string explicitly.
Part of the reason that this was not caught in testing is because we were still targeting node when creating the bundle.
Switching bundler to web exposed a few issues:
Notes for Reviewers
What is the motivation for this change?
Customer-created ticket. Driver is broken infor deno.
Release Highlight
Release notes highlight
Double check the following
npm run check:lint)type(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript