mongodb-js · addaleax · Jan 22, 2026 · Jan 22, 2026
diff --git a/packages/devtools-connect/src/aws-auth-compat.spec.ts b/packages/devtools-connect/src/aws-auth-compat.spec.ts
@@ -0,0 +1,75 @@
+import { expect } from 'chai';
+import { transformAWSAuthMechanismOptions } from './aws-auth-compat';
+import { MongoClientOptions } from 'mongodb';
+
+describe('transformAWSAuthMechanismOptions', function () {
+  it('returns original uri and options if authMechanism is not MONGODB-AWS', function () {
+    const uri = 'mongodb://user:pass@host:27017/db?authMechanism=SCRAM-SHA-1';
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(uri);
+    expect(result.clientOptions).to.equal(clientOptions);
+  });
+
+  it('transforms uri and options when MONGODB-AWS auth with credentials in connection string', async function () {
+    const uri =
+      'mongodb://accessKey:secretKey@host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:sessionToken';
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(
+      'mongodb://host:27017/db?authMechanism=MONGODB-AWS',
+    );
+    expect(result.clientOptions.auth).to.equal(undefined);
+    expect(result.clientOptions.authMechanismProperties).to.have.property(
+      'AWS_CREDENTIAL_PROVIDER',
+    );
+    const creds =
+      await result.clientOptions.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER?.();
+    expect(creds).to.deep.equal({
+      accessKeyId: 'accessKey',
+      secretAccessKey: 'secretKey',
+      sessionToken: 'sessionToken',
+    });
+  });
+
+  it('handles special characters', async function () {
+    const uri = `mongodb://${encodeURIComponent('usernäme')}:${encodeURIComponent('passwõrd')}@host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:${encodeURIComponent('a+b=c/d')}`;
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(
+      'mongodb://host:27017/db?authMechanism=MONGODB-AWS',
+    );
+    expect(result.clientOptions.auth).to.equal(undefined);
+    expect(result.clientOptions.authMechanismProperties).to.have.property(
+      'AWS_CREDENTIAL_PROVIDER',
+    );
+    const creds =
+      await result.clientOptions.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER?.();
+    expect(creds).to.deep.equal({
+      accessKeyId: 'usernäme',
+      secretAccessKey: 'passwõrd',
+      sessionToken: 'a+b=c/d',
+    });
+  });
+
+  it('leaves unrelated auth mechanism properties intact', async function () {
+    const uri =
+      'mongodb://accessKey:secretKey@host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=AWS_SESSION_TOKEN:sessionToken,FOO:BAR';
+    const clientOptions: MongoClientOptions = {};
+    const result = transformAWSAuthMechanismOptions({ uri, clientOptions });
+    expect(result.uri).to.equal(
+      'mongodb://host:27017/db?authMechanism=MONGODB-AWS&authMechanismProperties=FOO%3ABAR',
+    );
+    expect(result.clientOptions.auth).to.equal(undefined);
+    expect(result.clientOptions.authMechanismProperties).to.have.property(
+      'AWS_CREDENTIAL_PROVIDER',
+    );
+    const creds =
+      await result.clientOptions.authMechanismProperties?.AWS_CREDENTIAL_PROVIDER?.();
+    expect(creds).to.deep.equal({
+      accessKeyId: 'accessKey',
+      secretAccessKey: 'secretKey',
+      sessionToken: 'sessionToken',
+    });
+  });
+});
diff --git a/packages/devtools-connect/src/aws-auth-compat.ts b/packages/devtools-connect/src/aws-auth-compat.ts
@@ -0,0 +1,81 @@
+import {
+  CommaAndColonSeparatedRecord,
+  ConnectionString,
+} from 'mongodb-connection-string-url';
+import type {
+  AuthMechanismProperties,
+  AWSCredentials,
+  MongoClientOptions,
+} from 'mongodb';
+
+// The 7.x driver supports AWS authentication via callback-based providers,
+// and removed support for credentials passed through the connection string
+// (NODE-7046).
+// We add the support back here via a custom callback-based provider when
+// we detect that the user is trying to use MONGODB-AWS auth with credentials
+// in the connection string.
+export function transformAWSAuthMechanismOptions<T extends MongoClientOptions>({
+  uri,
+  clientOptions,
+}: {
+  uri: string;
+  clientOptions: T;
+}): { uri: string; clientOptions: T } {
+  let connectionString: ConnectionString;
+  try {
+    connectionString = new ConnectionString(uri);
+  } catch {
+    return { uri, clientOptions };
+  }
+  const searchParams = connectionString.typedSearchParams<MongoClientOptions>();
+  if (
+    (clientOptions.authMechanism ?? searchParams.get('authMechanism')) !==
+    'MONGODB-AWS'
+  ) {
+    return { uri, clientOptions };
+  }
+  const username =
+    clientOptions.auth?.username ??
+    decodeURIComponent(connectionString.username);
+  const password =
+    clientOptions.auth?.password ??
+    decodeURIComponent(connectionString.password);
+  const authMechProps = new CommaAndColonSeparatedRecord(
+    searchParams.get('authMechanismProperties') ?? '',
+  );
+  const sessionToken =
+    clientOptions.authMechanismProperties?.AWS_SESSION_TOKEN ??
+    authMechProps.get('AWS_SESSION_TOKEN');
+  if (username || password || sessionToken) {
+    // First, remove all relevant options from the connection string
+    connectionString.username = '';
+    connectionString.password = '';
+    authMechProps.delete('AWS_SESSION_TOKEN');
+    if (authMechProps.size === 0) {
+      searchParams.delete('authMechanismProperties');
+    } else {
+      searchParams.set('authMechanismProperties', authMechProps.toString());
+    }
+    // Set AWS_CREDENTIAL_PROVIDER in the programmatic options,
+    // and unset all other credential options.
+    const programmaticAuthMechProps: AuthMechanismProperties & {
+      AWS_SESSION_TOKEN?: unknown;
+    } = { ...clientOptions.authMechanismProperties };
+    delete programmaticAuthMechProps.AWS_SESSION_TOKEN;
+    programmaticAuthMechProps.AWS_CREDENTIAL_PROVIDER ??=
+      (): Promise<AWSCredentials> => {
+        const creds: AWSCredentials = {
+          accessKeyId: username,
+          secretAccessKey: password,
+          sessionToken: sessionToken || undefined,
+        };
+        return Promise.resolve(creds);
+      };
+    clientOptions = {
+      ...clientOptions,
+      auth: undefined,
+      authMechanismProperties: programmaticAuthMechProps,
+    };
+  }
+  return { uri: connectionString.toString(), clientOptions };
+}
diff --git a/packages/devtools-connect/src/connect.ts b/packages/devtools-connect/src/connect.ts
@@ -34,6 +34,7 @@ import {
   createFetch,
   isExistingAgentInstance,
 } from '@mongodb-js/devtools-proxy-support';
+import { transformAWSAuthMechanismOptions } from './aws-auth-compat';
 export type { DevtoolsProxyOptions, AgentWithInitialize };
 
 function isAtlas(str: string): boolean {
@@ -479,6 +480,11 @@ async function connectMongoClientImpl({
   MongoClientClass: typeof MongoClient;
   useSystemCA: boolean;
 }): Promise<ConnectMongoClientResult> {
+  ({ uri, clientOptions } = transformAWSAuthMechanismOptions({
+    uri,
+    clientOptions,
+  }));
+
   const cleanupOnClientClose: (() => void | Promise<void>)[] = [];
   const runClose = async () => {
     let item: (() => void | Promise<void>) | undefined;