fix(NODE-7548): SCRAM authentication fails on non-Node runtimes (#4932)

PavelSafronov · web-flow · commit a10d2c937eaa · 2026-05-19T08:57:25.000+02:00
diff --git a/etc/bundle-driver.mjs b/etc/bundle-driver.mjs
@@ -17,15 +17,14 @@ await esbuild.build({
   entryPoints: [path.join(rootDir, 'test/mongodb_all.ts')],
   bundle: true,
   outfile: outputBundleFile,
-  platform: 'node',
+  platform: 'browser',
   format: 'cjs',
-  target: 'node20',
+  target: 'chrome112',
   external: [
     '@aws-sdk/credential-providers',
     '@mongodb-js/saslprep',
     '@mongodb-js/zstd',
     '@napi-rs/snappy*',
-    'bson',
     'gcp-metadata',
     'kerberos',
     'mongodb-client-encryption',
diff --git a/src/bson.ts b/src/bson.ts
@@ -55,6 +55,12 @@ export const readInt32LE = (buffer: Uint8Array, offset: number): number => {
   return NumberUtils.getInt32LE(buffer, offset);
 };
 
+// readUint8, reads a single unsigned byte from buffer at given offset
+export const readUint8 = (buffer: Uint8Array, offset: number): number => {
+  validateBufferInputs(buffer, offset, 1);
+  return buffer[offset];
+};
+
 export const setUint32LE = (destination: Uint8Array, offset: number, value: number): 4 => {
   destination[offset] = value;
   value >>>= 8;
diff --git a/src/cmap/auth/scram.ts b/src/cmap/auth/scram.ts
@@ -166,11 +166,10 @@ async function continueScramConversation(
   const clientKey = await HMAC(cryptoMethod, saltedPassword, 'Client Key');
   const serverKey = await HMAC(cryptoMethod, saltedPassword, 'Server Key');
   const storedKey = await H(cryptoMethod, clientKey);
-  const authMessage = [
-    clientFirstMessageBare(username, nonce),
-    payload.toString('utf8'),
-    withoutProof
-  ].join(',');
+  const firstMessageBytes = clientFirstMessageBare(username, nonce);
+  const firstMessage = ByteUtils.toUTF8(firstMessageBytes, 0, firstMessageBytes.length, false);
+  const payloadString = ByteUtils.toUTF8(payload.buffer, 0, payload.position, false);
+  const authMessage = [firstMessage, payloadString, withoutProof].join(',');
 
   const clientSignature = await HMAC(cryptoMethod, storedKey, authMessage);
   const clientProof = `p=${xor(clientKey, clientSignature)}`;
@@ -205,7 +204,7 @@ async function continueScramConversation(
 }
 
 function parsePayload(payload: Binary) {
-  const payloadStr = payload.toString('utf8');
+  const payloadStr = ByteUtils.toUTF8(payload.buffer, 0, payload.position, false);
   const dict: Document = {};
   const parts = payloadStr.split(',');
   for (let i = 0; i < parts.length; i++) {
diff --git a/test/integration/change-streams/change_stream.test.ts b/test/integration/change-streams/change_stream.test.ts
@@ -21,11 +21,12 @@ import {
   type MongoClient,
   MongoServerError,
   ReadPreference,
-  type ResumeToken
+  type ResumeToken,
+  runNodelessTests
 } from '../../mongodb';
 import * as mock from '../../tools/mongodb-mock/index';
 import { TestBuilder, UnifiedTestSuiteBuilder } from '../../tools/unified_suite_builder';
-import { type FailCommandFailPoint, sleep } from '../../tools/utils';
+import { ensureTypeByName, type FailCommandFailPoint, sleep } from '../../tools/utils';
 import { delay, filterForCommands } from '../shared';
 
 const initIteratorMode = async (cs: ChangeStream) => {
@@ -1826,7 +1827,11 @@ describe('Change Streams', function () {
             expect(result).to.exist;
 
             const change = await willBeChange;
-            expect(change).to.have.nested.property('fullDocument.a').that.is.instanceOf(Long);
+            if (runNodelessTests) {
+              ensureTypeByName(change?.fullDocument?.a, '_Long');
+            } else {
+              expect(change).to.have.nested.property('fullDocument.a').that.is.instanceOf(Long);
+            }
           }
         });
       });
diff --git a/test/integration/client-side-encryption/driver.test.ts b/test/integration/client-side-encryption/driver.test.ts
@@ -725,14 +725,16 @@ describe('CSOT', function () {
                   'test.test': {
                     bsonType: 'object',
                     encryptMetadata: {
-                      keyId: [new UUID(dataKey)]
+                      // NODE-7581: should be able to pass dataKey as-is, as UUID, w/o needing toHexString
+                      keyId: [new UUID(dataKey.toHexString(true))]
                     },
                     properties: {
                       a: {
                         encrypt: {
                           bsonType: 'int',
                           algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random',
-                          keyId: [new UUID(dataKey)]
+                          // NODE-7581: should be able to pass dataKey as-is, as UUID, w/o needing toHexString
+                          keyId: [new UUID(dataKey.toHexString(true))]
                         }
                       }
                     }
diff --git a/test/integration/crud/insert.test.ts b/test/integration/crud/insert.test.ts
@@ -1,5 +1,6 @@
 import * as Script from 'node:vm';
 
+import { ByteUtils } from 'bson';
 import { expect } from 'chai';
 import * as process from 'process';
 import { satisfies } from 'semver';
@@ -180,7 +181,7 @@ describe('crud - insert', function () {
       test.equal(date.toString(), doc.date.toString());
       test.equal(date.getTime(), doc.date.getTime());
       test.equal(motherOfAllDocuments.oid.toHexString(), doc.oid.toHexString());
-      test.equal(motherOfAllDocuments.binary.toString('hex'), doc.binary.value().toString('hex'));
+      test.equal(motherOfAllDocuments.binary.toString('hex'), ByteUtils.toHex(doc.binary.value()));
 
       test.equal(motherOfAllDocuments.int, doc.int);
       test.equal(motherOfAllDocuments.long, doc.long);
@@ -281,8 +282,8 @@ describe('crud - insert', function () {
       test.equal(date.getTime(), doc.date.getTime());
       test.equal(motherOfAllDocuments.oid.toHexString(), doc.oid.toHexString());
       test.equal(
-        motherOfAllDocuments.binary.value().toString('hex'),
-        doc.binary.value().toString('hex')
+        ByteUtils.toHex(motherOfAllDocuments.binary.value()),
+        ByteUtils.toHex(doc.binary.value())
       );
 
       test.equal(motherOfAllDocuments.int, doc.int);
diff --git a/test/integration/node-specific/bson-options/promote_buffers.test.ts b/test/integration/node-specific/bson-options/promote_buffers.test.ts
@@ -1,8 +1,9 @@
 import { expect } from 'chai';
 
+import { runOnlyInNodeMetadata } from '../../../tools/utils';
 import { setupDatabase } from '../../shared';
 
-describe('Promote Buffers', function () {
+describe('Promote Buffers', runOnlyInNodeMetadata, function () {
   before(function () {
     return setupDatabase(this.configuration);
   });
diff --git a/test/integration/node-specific/bson-options/raw.test.ts b/test/integration/node-specific/bson-options/raw.test.ts
@@ -1,8 +1,9 @@
 import { expect } from 'chai';
 
 import { type Collection, type MongoClient, ObjectId } from '../../../mongodb';
+import { runOnlyInNodeMetadata } from '../../../tools/utils';
 
-describe('raw bson support', () => {
+describe('raw bson support', runOnlyInNodeMetadata, () => {
   describe('raw', () => {
     describe('option inheritance', () => {
       // define client and option for tests to use
diff --git a/test/integration/node-specific/bson-options/utf8_validation.test.ts b/test/integration/node-specific/bson-options/utf8_validation.test.ts
@@ -11,7 +11,9 @@ import {
   MongoServerError,
   OpMsgResponse
 } from '../../../mongodb';
-describe('class MongoDBResponse', () => {
+import { runOnlyInNodeMetadata } from '../../../tools/utils';
+
+describe('class MongoDBResponse', runOnlyInNodeMetadata, () => {
   let client;
 
   afterEach(async () => {
@@ -72,7 +74,7 @@ describe('class MongoDBResponse', () => {
   );
 });
 
-describe('parsing of utf8-invalid documents with cursors', function () {
+describe('parsing of utf8-invalid documents with cursors', runOnlyInNodeMetadata, function () {
   let client: MongoClient;
   let collection: Collection;
   const compressionPredicate = () =>
diff --git a/test/mongodb_bundled.ts b/test/mongodb_bundled.ts
@@ -109,6 +109,7 @@ export const {
   decompress,
   decorateWithExplain,
   DEFAULT_ALLOWED_HOSTS,
+  DEFAULT_KEEP_ALIVE_INITIAL_DELAY_MS,
   DEFAULT_MAX_DOCUMENT_LENGTH,
   DEFAULT_PK_FACTORY,
   DeleteManyOperation,
@@ -176,6 +177,7 @@ export const {
   ListIndexesOperation,
   Long,
   makeClientMetadata,
+  makeSocket,
   MAX_SUPPORTED_SERVER_VERSION,
   MAX_SUPPORTED_WIRE_VERSION,
   MaxKey,
@@ -421,6 +423,7 @@ export type {
 import type {
   AbstractCursor as _AbstractCursor,
   AuthMechanism as _AuthMechanism,
+  Binary as _Binary,
   ChangeStream as _ChangeStream,
   ClientEncryption as _ClientEncryption,
   ClientSession as _ClientSession,
@@ -482,6 +485,7 @@ import type {
 // To re-sort: Highlight the list and use VSCode's "Sort Lines Ascending" command
 export type AbstractCursor = _AbstractCursor;
 export type AuthMechanism = _AuthMechanism;
+export type Binary = _Binary;
 export type ChangeStream = _ChangeStream;
 export type ClientEncryption = _ClientEncryption;
 export type ClientSession = _ClientSession;
diff --git a/test/tools/runner/metadata_ui.js b/test/tools/runner/metadata_ui.js
@@ -102,7 +102,8 @@ module.exports = Mocha.interfaces.metadata_ui = function (suite) {
         newSuite.parent._onlySuites = newSuite.parent._onlySuites.concat(newSuite);
         mocha.options.hasOnly = true;
       }
-      newSuite.metadata = testData.metadata || {};
+      // Inherit parent metadata if metadata is not explicitly provided
+      newSuite.metadata = testData.metadata || suites[1]?.metadata || {};
       if (typeof testData.fn === 'function') {
         testData.fn.call(newSuite);
         suites.shift();
diff --git a/test/tools/runner/vm_context_helper.ts b/test/tools/runner/vm_context_helper.ts
@@ -11,7 +11,6 @@ const allowedModules = new Set([
   '@aws-sdk/credential-providers',
   '@mongodb-js/saslprep',
   '@mongodb-js/zstd',
-  'bson',
   'gcp-metadata',
   'kerberos',
   'mongodb-client-encryption',
@@ -27,7 +26,6 @@ const exposedGlobals = new Set([
   'AbortController',
   'AbortSignal',
   'BigInt',
-  'Buffer',
   'Date',
   'Error',
   'Headers',
@@ -42,8 +40,9 @@ const exposedGlobals = new Set([
   'console',
   'crypto',
   'performance',
-  'process',
 
+  'atob',
+  'btoa',
   'clearImmediate',
   'clearInterval',
   'clearTimeout',
@@ -68,7 +67,9 @@ function createRestrictedRequire() {
     if (shouldBlock) {
       throw new Error(`Access to core module '${moduleName}' is restricted in this context`);
     }
-    return require(moduleName);
+
+    const required = require(moduleName);
+    return required;
   } as NodeJS.Require;
 }
 
@@ -96,6 +97,9 @@ const sandbox = vm.createContext(context);
 // Make globalThis point to the sandbox
 sandbox.globalThis = sandbox;
 
+// Export the sandbox for use in tests
+export { sandbox };
+
 /**
  * Load the bundled MongoDB driver module in a VM context
  * This allows us to control the globals that the driver has access to
diff --git a/test/tools/unified-spec-runner/operations.ts b/test/tools/unified-spec-runner/operations.ts
@@ -3,6 +3,7 @@
 import { Readable } from 'node:stream';
 import { pipeline } from 'node:stream/promises';
 
+import { ByteUtils } from 'bson';
 import { AssertionError, expect } from 'chai';
 import * as process from 'process';
 
@@ -125,7 +126,9 @@ operations.set('assertDifferentLsidOnLastTwoCommands', async ({ entities, operat
   expect(last.command).to.have.property('lsid');
   expect(secondLast.command).to.have.property('lsid');
 
-  expect(last.command.lsid.id.buffer.equals(secondLast.command.lsid.id.buffer)).to.be.false;
+  expect(
+    ByteUtils.compare(last.command.lsid.id.buffer, secondLast.command.lsid.id.buffer)
+  ).to.not.equal(0);
 });
 
 operations.set('assertSameLsidOnLastTwoCommands', async ({ entities, operation }) => {
@@ -144,7 +147,9 @@ operations.set('assertSameLsidOnLastTwoCommands', async ({ entities, operation }
   expect(last.command).to.have.property('lsid');
   expect(secondLast.command).to.have.property('lsid');
 
-  expect(last.command.lsid.id.buffer.equals(secondLast.command.lsid.id.buffer)).to.be.true;
+  expect(
+    ByteUtils.compare(last.command.lsid.id.buffer, secondLast.command.lsid.id.buffer)
+  ).to.equal(0);
 });
 
 operations.set('assertSessionDirty', async ({ operation }) => {
diff --git a/test/tools/utils.ts b/test/tools/utils.ts
@@ -21,6 +21,7 @@ import {
   OP_MSG,
   processTimeMS,
   resolveRuntimeAdapters,
+  runNodelessTests,
   type Runtime,
   type ServerApiVersion,
   Topology,
@@ -623,3 +624,19 @@ export function configureMongocryptdSpawnHooks(
  * A `Runtime` that resolves to entirely Nodejs modules, useful when tests must provide a default `runtime` object to an API.
  */
 export const runtime: Runtime = resolveRuntimeAdapters({});
+
+/**
+ * Metadata that can be used to skip tests in nodeless environments.
+ * Use this for tests that rely on Node.js-specific features and cannot be run in nodeless environments like Deno or the browser.
+ */
+export const runOnlyInNodeMetadata: MongoDBMetadataUI = {
+  requires: {
+    predicate: _test => {
+      if (runNodelessTests) {
+        return 'Test is a node specific test and should be not be run in nodeless environments';
+      } else {
+        return true;
+      }
+    }
+  }
+};
diff --git a/test/unit/client-side-encryption/state_machine.test.ts b/test/unit/client-side-encryption/state_machine.test.ts
@@ -15,6 +15,7 @@ import {
   Db,
   type FindOptions,
   MongoClient,
+  runNodelessTests,
   squashError,
   StateMachine
 } from '../../mongodb';
@@ -60,6 +61,10 @@ describe('StateMachine', function () {
     let clientStub;
 
     beforeEach(function () {
+      if (runNodelessTests) {
+        // sinon doesn't work in nodeless tests
+        this.skip();
+      }
       this.sinon = sinon.createSandbox();
       runCommandStub = this.sinon.stub().resolves({});
       dbStub = this.sinon.createStubInstance(Db, {
diff --git a/test/unit/cmap/commands.test.ts b/test/unit/cmap/commands.test.ts
@@ -1,8 +1,15 @@
 import * as BSON from 'bson';
 import { expect } from 'chai';
 
+// eslint-disable-next-line @typescript-eslint/no-restricted-imports
+import { readInt32LE } from '../../../src/bson';
 import { DocumentSequence, OpMsgRequest, OpReply } from '../../mongodb';
 
+// Helper to decode UTF-8 string from Uint8Array
+function utf8Slice(buffer: Uint8Array, start: number, end: number): string {
+  return BSON.ByteUtils.toUTF8(buffer, start, end, false);
+}
+
 describe('commands', function () {
   describe('OpMsgRequest', function () {
     describe('#toBin', function () {
@@ -41,12 +48,12 @@ describe('commands', function () {
 
           it('sets the length of the document sequence', function () {
             // Bytes starting at index 1 is a 4 byte length.
-            expect(buffers[3].readInt32LE(1)).to.equal(25);
+            expect(readInt32LE(buffers[3], 1)).to.equal(25);
           });
 
           it('sets the name of the first field to be replaced', function () {
             // Bytes starting at index 5 is the field name.
-            expect(buffers[3].toString('utf8', 5, 10)).to.equal('field');
+            expect(utf8Slice(buffers[3], 5, 10)).to.equal('field');
           });
         });
 
@@ -81,12 +88,12 @@ describe('commands', function () {
 
           it('sets the length of the first document sequence', function () {
             // Bytes starting at index 1 is a 4 byte length.
-            expect(buffers[3].readInt32LE(1)).to.equal(28);
+            expect(readInt32LE(buffers[3], 1)).to.equal(28);
           });
 
           it('sets the name of the first field to be replaced', function () {
             // Bytes starting at index 5 is the field name.
-            expect(buffers[3].toString('utf8', 5, 13)).to.equal('fieldOne');
+            expect(utf8Slice(buffers[3], 5, 13)).to.equal('fieldOne');
           });
 
           it('sets the document sequence sections second type to 1', function () {
@@ -96,12 +103,12 @@ describe('commands', function () {
 
           it('sets the length of the second document sequence', function () {
             // Bytes starting at index 1 is a 4 byte length.
-            expect(buffers[3].readInt32LE(30)).to.equal(28);
+            expect(readInt32LE(buffers[3], 30)).to.equal(28);
           });
 
           it('sets the name of the second field to be replaced', function () {
             // Bytes starting at index 33 is the field name.
-            expect(buffers[3].toString('utf8', 34, 42)).to.equal('fieldTwo');
+            expect(utf8Slice(buffers[3], 34, 42)).to.equal('fieldTwo');
           });
         });
       });
diff --git a/test/unit/cmap/connect.test.ts b/test/unit/cmap/connect.test.ts
diff --git a/test/unit/cmap/wire_protocol/on_demand/document.test.ts b/test/unit/cmap/wire_protocol/on_demand/document.test.ts
diff --git a/test/unit/commands.test.ts b/test/unit/commands.test.ts
diff --git a/test/unit/nodeless.test.ts b/test/unit/nodeless.test.ts
diff --git a/test/unit/sessions.test.ts b/test/unit/sessions.test.ts
diff --git a/test/unit/utils.test.ts b/test/unit/utils.test.ts

Original file line number	Diff line number	Diff line change
`@@ -725,14 +725,16 @@ describe('CSOT', function () {`
`725`	`725`	`'test.test': {`
`726`	`726`	`bsonType: 'object',`
`727`	`727`	`encryptMetadata: {`
`728`		`- keyId: [new UUID(dataKey)]`
	`728`	`+ // NODE-7581: should be able to pass dataKey as-is, as UUID, w/o needing toHexString`
	`729`	`+ keyId: [new UUID(dataKey.toHexString(true))]`
`729`	`730`	`},`
`730`	`731`	`properties: {`
`731`	`732`	`a: {`
`732`	`733`	`encrypt: {`
`733`	`734`	`bsonType: 'int',`
`734`	`735`	`algorithm: 'AEAD_AES_256_CBC_HMAC_SHA_512-Random',`
`735`		`- keyId: [new UUID(dataKey)]`
	`736`	`+ // NODE-7581: should be able to pass dataKey as-is, as UUID, w/o needing toHexString`
	`737`	`+ keyId: [new UUID(dataKey.toHexString(true))]`
`736`	`738`	`}`
`737`	`739`	`}`
`738`	`740`	`}`