fix: auto-acquire Azure AD token for azure-active-directory-access-token when none supplied

The `azure-active-directory-access-token` branch passed
`token: config.token ?? config.access_token` to tedious. When neither
field was set on a connection (e.g. a `fabric-migration` entry that
declared the auth type but no token), tedious threw:

    TypeError: The "config.authentication.options.token" property
    must be of type string

This blocked any Fabric/MSSQL config that relied on ambient credentials
(Azure CLI / managed identity) but used the explicit
`azure-active-directory-access-token` type instead of the `default`
shorthand.

Refactor token acquisition (`DefaultAzureCredential` → `az` CLI
fallback) into a shared `acquireAzureToken()` helper used by both the
`default` path and the `access-token` path when no token was supplied.
Callers that pass an explicit token are unchanged.

Also harden `mock.module("node:child_process", ...)` in
`sqlserver-unit.test.ts` to spread the real module so sibling tests in
the same `bun test` run keep access to `spawn` / `exec` / `fork`.

Tests: 110 pass, 0 fail in `packages/drivers`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: suryaiyer95

packages/drivers/src/sqlserver.ts

@@ -56,21 +56,23 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
       if (authType?.startsWith("azure-active-directory")) {
         ;(mssqlConfig.options as any).encrypt = true
 
-        if (authType === "azure-active-directory-default") {
-          // Acquire a token ourselves and pass it as a raw access token string.
-          // We avoid using @azure/identity's DefaultAzureCredential because:
-          //  1. Bun can resolve @azure/identity to the browser bundle (inside
-          //     tedious or even our own import), where DefaultAzureCredential
-          //     is a non-functional stub that throws.
-          //  2. Passing a credential object via type:"token-credential" hits a
-          //     CJS/ESM isTokenCredential boundary mismatch in Bun.
-          //
-          // Strategy: try @azure/identity first (works when module resolution
-          // is correct), fall back to shelling out to `az account get-access-token`
-          // (works everywhere Azure CLI is installed).
+        // Resolve a raw Azure AD access token.
+        // Used by both `azure-active-directory-default` and by
+        // `azure-active-directory-access-token` when no token was provided.
+        //
+        // We acquire the token ourselves rather than letting tedious do it because:
+        //  1. Bun can resolve @azure/identity to the browser bundle (inside
+        //     tedious or even our own import), where DefaultAzureCredential
+        //     is a non-functional stub that throws.
+        //  2. Passing a credential object via type:"token-credential" hits a
+        //     CJS/ESM isTokenCredential boundary mismatch in Bun.
+        //
+        // Strategy: try @azure/identity first (works when module resolution
+        // is correct), fall back to shelling out to `az account get-access-token`
+        // (works everywhere Azure CLI is installed).
+        const acquireAzureToken = async (): Promise<string> => {
           let token: string | undefined
 
-          // Attempt 1: @azure/identity (fast, no subprocess)
           try {
             const azureIdentity = await import("@azure/identity")
             const credential = new azureIdentity.DefaultAzureCredential(
@@ -84,30 +86,32 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
             // @azure/identity unavailable or browser bundle — fall through
           }
 
-          // Attempt 2: Azure CLI subprocess (universal fallback)
           if (!token) {
             try {
               const { execSync } = await import("node:child_process")
-              const json = execSync(
+              const out = execSync(
                 "az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv",
                 { encoding: "utf-8", timeout: 15000, stdio: ["pipe", "pipe", "pipe"] },
               ).trim()
-              if (json) token = json
+              if (out) token = out
             } catch {
               // az CLI not installed or not logged in
             }
           }
 
           if (!token) {
             throw new Error(
-              "Azure AD default auth failed. Either install @azure/identity (npm install @azure/identity) " +
+              "Azure AD token acquisition failed. Either install @azure/identity (npm install @azure/identity) " +
               "or log in with Azure CLI (az login).",
             )
           }
+          return token
+        }
 
+        if (authType === "azure-active-directory-default") {
           mssqlConfig.authentication = {
             type: "azure-active-directory-access-token",
-            options: { token },
+            options: { token: await acquireAzureToken() },
           }
         } else if (authType === "azure-active-directory-password") {
           mssqlConfig.authentication = {
@@ -120,9 +124,12 @@ export async function connect(config: ConnectionConfig): Promise<Connector> {
             },
           }
         } else if (authType === "azure-active-directory-access-token") {
+          // If the caller supplied a token, use it; otherwise acquire one
+          // automatically (DefaultAzureCredential → az CLI).
+          const suppliedToken = (config.token ?? config.access_token) as string | undefined
           mssqlConfig.authentication = {
             type: "azure-active-directory-access-token",
-            options: { token: config.token ?? config.access_token },
+            options: { token: suppliedToken ?? (await acquireAzureToken()) },
           }
         } else if (
           authType === "azure-active-directory-msi-vm" ||

packages/drivers/test/sqlserver-unit.test.ts

@@ -73,7 +73,12 @@ mock.module("@azure/identity", () => ({
   },
 }))
 
+// Bun's mock.module() replaces the module for ALL test files in the same run,
+// so we re-export every symbol other tests might import (spawn, exec, fork, etc.)
+// in addition to the execSync stub used by the Azure CLI fallback path.
+const realChildProcess = await import("node:child_process")
 mock.module("node:child_process", () => ({
+  ...realChildProcess,
   execSync: (_cmd: string) => "mock-cli-token-fallback\n",
 }))
 
@@ -193,7 +198,7 @@ describe("SQL Server driver unit tests", () => {
       expect(cfg.password).toBeUndefined()
     })
 
-    test("azure-active-directory-access-token passes token", async () => {
+    test("azure-active-directory-access-token passes supplied token unchanged", async () => {
       resetMocks()
       const c = await connect({
         host: "myserver.database.windows.net",
@@ -209,6 +214,22 @@ describe("SQL Server driver unit tests", () => {
       })
     })
 
+    test("azure-active-directory-access-token with no token auto-acquires one", async () => {
+      // Regression: prior to this, omitting `token`/`access_token` resulted in
+      // `options.token: undefined`, which tedious rejects with
+      // "config.authentication.options.token must be of type string".
+      resetMocks()
+      const c = await connect({
+        host: "myserver.database.windows.net",
+        database: "db",
+        authentication: "azure-active-directory-access-token",
+      })
+      await c.connect()
+      const cfg = mockConnectCalls[0]
+      expect(cfg.authentication.type).toBe("azure-active-directory-access-token")
+      expect(cfg.authentication.options.token).toBe("mock-azure-token-12345")
+    })
+
     test("azure-active-directory-service-principal-secret builds SP auth", async () => {
       resetMocks()
       const c = await connect({