enh(MongoDB): MongoDB 6.0/7.0/8.0 compat -- partial indexes, Decimal128, SCRAM-SHA-256 (#5359)

* docs(MongoDB): add server-feature compatibility README

Status tables for MongoDB 6.0/7.0/8.0 features (driver baseline,
aggregation, indexes, BSON types) plus features obsolete in recent
MongoDB that Poco still exposes. "Added 1.15.x" rows refer to the
gap-closing commits that follow in this patch series.

* feat(MongoDB): partial / hidden / collation / wildcard index options

New Database::createIndex overload taking a Document::Ptr extraOptions
merged into the per-index spec, making partialFilterExpression (3.2+),
collation (3.4+), wildcardProjection (4.2+ / 7.0 compound),
text/2dsphere/geo options reachable from the typed helper. Add
INDEX_HIDDEN (4.4+). Mark INDEX_BACKGROUND POCO_DEPRECATED (server
no-op since 4.2); kept for source compat, no longer forwarded.

* feat(MongoDB): add Decimal128, MinKey, MaxKey BSON types

Document::read previously threw NotImplementedException on TypeIds
0x13, 0xFF, 0x7F. Decimal128 implements the IEEE 754-2008 BID format
with canonical string conversion per Section 5.12.4; MinKey and MaxKey
are zero-payload sentinels used in shard-key bounds and admin command
output. No arithmetic on Decimal128 -- round-trip through std::string
for ops.

* feat(MongoDB): add SCRAM-SHA-256 authentication

SCRAM-SHA-256 (MongoDB 4.0+) is the server default for new users.
Database::authenticate() default flipped from SHA-1 to SHA-256; pass
AUTH_SCRAM_SHA1 explicitly for legacy deployments. Internal SCRAM
math factored into a templated runScramAuth<HashEngine> shared by
both mechanisms.

SASLprep (RFC 4013) on the password: ASCII fast-path only, non-ASCII
throws NotImplementedException pending full SASLprep.

* chore(MongoDB): mark deprecated features, rewrite count(), tls URI alias

- CMD_MAP_REDUCE: POCO_DEPRECATED (mapReduce deprecated by MongoDB in 5.0).
- Database::count() now uses aggregation [{$count:"n"}]: Stable API v1,
  accurate on sharded clusters, allowed in transactions.
- Connection URI parser accepts "tls=" as an alias for "ssl=" (canonical
  since 4.2).

* fix(MongoDB): apply review feedback

Bugs:
- README Quick Start example did not compile against the actual API.
- Connection::connect(uri) URI default authMechanism still SHA-1,
  contradicting the doc-comment after the SHA-256 flip; aligned to SHA-256.
- Decimal128::fromString silently accepted "1E"/"1E+" as the mantissa;
  now requires at least one exponent digit.
- Decimal128::fromString stripped trailing zeros from the coefficient,
  breaking the canonical (coefficient, exponent) pair per the BSON spec.
- Decimal128::toString large-coefficient path emitted "0E-1" instead of
  "0.0" for negative exponents; falls through to the standard renderer.
- Database::INDEX_SPARSE doc-comment attached to the wrong enumerator.
- testConnectionURITlsAlias third case had an inaccurate comment.
- CodeQL: removed for-loop counter mutation in Decimal128::fromString.

Cleanup: dead constants renamed in Decimal128.cpp; toString digit
emission consolidated; isAsciiOnly uses std::all_of; named constexpr
bools at runScramAuth call sites; tls test replaced with a 3-line
lambda; restates-WHAT comments trimmed; README version phrasing
normalized to "(since X.Y)".

Tests extended with trailing-zero preservation, SyntaxException and
RangeException paths in Decimal128.

* test(Foundation): accept ERROR_NO_SYSTEM_RESOURCES in SharedMemoryTest

Windows can reject an oversized SharedMemory allocation with either
ERROR_NOT_ENOUGH_MEMORY (8) or ERROR_NO_SYSTEM_RESOURCES (1450)
depending on which allocator tier runs out first; the test only
accepted the former, intermittently failing on windows-2025 CI
runners.

Author: matejk

CHANGELOG

@@ -6,6 +6,28 @@ Release 1.15.3 (Unreleased)
 
 API Changes:
 
+- Poco::MongoDB::Database::authenticate() default mechanism changed from
+  "SCRAM-SHA-1" to "SCRAM-SHA-256", matching the MongoDB server default
+  for new users since 4.0 and the convention used by every official
+  MongoDB driver. Existing callers that rely on SCRAM-SHA-1 should pass
+  Database::AUTH_SCRAM_SHA1 explicitly. SCRAM-SHA-256 currently requires
+  ASCII passwords; non-ASCII passwords throw NotImplementedException
+  pending full SASLprep (RFC 4013) support.
+- Poco::MongoDB::Database::count() now uses aggregation [{$count: "n"}]
+  instead of the legacy "count" command. The signature is unchanged.
+  Aggregation $count is in the Stable API v1, returns accurate results
+  on sharded clusters (the legacy command over-reports due to orphans),
+  and is permitted in multi-document transactions. Operators watching
+  server-side query metrics will see "aggregate" commands where they
+  previously saw "count".
+- Poco::MongoDB::Database::INDEX_BACKGROUND is now marked POCO_DEPRECATED
+  (deprecated by MongoDB in 4.2; server-side no-op). The flag is kept
+  for source compatibility but its value is no longer forwarded to the
+  server.
+- Poco::MongoDB::OpMsgMessage::CMD_MAP_REDUCE is now marked
+  POCO_DEPRECATED (mapReduce deprecated by MongoDB in 5.0); use the
+  aggregation pipeline.
+
 - GH #5322 PropertyFileConfiguration: the optional parent-configuration
   parameter (added in 1.15.1 via #5253) is now an AbstractConfiguration*
   raw non-owning pointer instead of AbstractConfiguration::Ptr. Callers

Foundation/testsuite/src/SharedMemoryTest.cpp

@@ -89,8 +89,11 @@ void SharedMemoryTest::testCreateLarge()
 	}
 	catch (Poco::SystemException& ex)
 	{
-		// no memory, quite posible to happen
-		assertEqual(ERROR_NOT_ENOUGH_MEMORY, ex.code());
+		// Windows returns either ERROR_NOT_ENOUGH_MEMORY or
+		// ERROR_NO_SYSTEM_RESOURCES depending on which allocation tier
+		// rejects the request.
+		assertTrue(ex.code() == ERROR_NOT_ENOUGH_MEMORY ||
+		           ex.code() == ERROR_NO_SYSTEM_RESOURCES);
 	}
 #endif
 }

MongoDB/Makefile

@@ -9,7 +9,7 @@ include $(POCO_BASE)/build/rules/global
 INCLUDE += -I $(POCO_BASE)/MongoDB/include/Poco/MongoDB
 
 objects = Array Binary Connection Cursor DeleteRequest  Database \
-	Document Element GetMoreRequest InsertRequest JavaScriptCode \
+	Decimal128 Document Element GetMoreRequest InsertRequest JavaScriptCode \
 	KillCursorsRequest Message MessageHeader ObjectId QueryRequest \
 	RegularExpression ReplicaSet RequestMessage ResponseMessage \
 	UpdateRequest OpMsgMessage OpMsgCursor

MongoDB/README.md

@@ -0,0 +1,165 @@
+# Poco::MongoDB
+
+C++ client library for MongoDB. Speaks the OP_MSG wire protocol over
+`Poco::Net::StreamSocket` and exposes BSON documents, CRUD operations,
+cursors, indexes, and replica-set topology discovery.
+
+Minimum server version: MongoDB 3.6. Legacy opcodes (`OP_QUERY`,
+`OP_INSERT`, etc.) were removed in 1.14 (GH #4781); only `OP_MSG` and
+`OP_COMPRESSED` are sent on the wire. Servers from 3.6 through 8.x are
+supported at the protocol level. The "Server feature compatibility" section
+below details which features are exposed at the API level.
+
+Replica-set support (SDAM, automatic failover, read preferences, topology
+change notifications) is documented in [README-ReplicaSet.md](README-ReplicaSet.md).
+
+## Quick start
+
+```cpp
+#include "Poco/MongoDB/Connection.h"
+#include "Poco/MongoDB/Database.h"
+#include "Poco/MongoDB/OpMsgMessage.h"
+
+using namespace Poco::MongoDB;
+
+Connection connection("localhost", 27017);
+Database db("test");
+
+auto request = db.createOpMsgMessage("users");
+request->setCommandName(OpMsgMessage::CMD_INSERT);
+
+Document::Ptr user = new Document;
+user->add("name", "Alice").add("age", 30);
+request->documents().push_back(user);
+
+OpMsgMessage response;
+connection.sendRequest(*request, response);
+```
+
+For `mongodb://` URI connections (including authentication), use the
+`Connection::connect(uri, socketFactory)` overload with a user-provided
+`SocketFactory`.
+
+## Server feature compatibility
+
+The tables below list MongoDB 6.0 / 7.0 / 8.0 server features and their
+status in Poco::MongoDB:
+
+- **Supported**: dedicated API.
+- **Partial**: command-level access via `OpMsgMessage` (caller assembles
+  the BSON body); no typed helper.
+- **Missing**: no API and no helper; out of reach without library changes.
+- **Added 1.15.x**: introduced by the patch series that ships this document.
+
+Any command can be sent via `OpMsgMessage` with a hand-built body, so
+"Missing" means "no typed helper", not "unreachable".
+
+### A. Driver baseline (pre-6.0 specs)
+
+Capabilities expected of any modern MongoDB driver.
+
+| Capability | Status | Notes |
+|---|---|---|
+| Stable API (`apiVersion: "1"`, since 5.0) | Missing | Set `apiVersion` manually on each command. |
+| SCRAM-SHA-256 (server default since 4.0) | Added 1.15.x | New `AUTH_SCRAM_SHA256`; default for `authenticate()`. |
+| SCRAM-SHA-1 | Supported | Pass `AUTH_SCRAM_SHA1` explicitly. |
+| x.509 / PLAIN / GSSAPI / MONGODB-AWS / MONGODB-OIDC | Missing | |
+| TLS / SSL | Partial | Default `SocketFactory` throws for secure; user must supply a `SocketFactory` returning a `Poco::Net::SecureStreamSocket`. |
+| `mongodb://` URI | Supported | |
+| `mongodb+srv://` DNS seedlist | Missing | Resolve the host list out of band. |
+| `tls=` URI option | Added 1.15.x | Alias for the historical `ssl=`. |
+| Retryable reads / writes | Missing | Transient network errors are not retried. |
+| Network compression (`zstd` / `zlib` / `snappy`) | Missing | `OP_COMPRESSED` opcode present; no codec or handshake. |
+| ClientSession, causal consistency, snapshot reads | Missing | No multi-document transactions. |
+
+### B. MongoDB 6.0
+
+| Feature | Status | Notes |
+|---|---|---|
+| OP_MSG-only wire protocol | Supported | Cleaned up in 1.14 (GH #4781). |
+| `$densify`, `$fill`, `$documents`, `$maxN`/`$minN`/`$lastN`/`$topN`/`$bottomN`, `$sortArray` | Partial | Hand-rolled aggregation pipeline. |
+| Change streams (`$changeStream`) with `fullDocumentBeforeChange` and DDL events | Missing | No `watch()`, no resume tokens. |
+| Clustered collections (`clusteredIndex`) | Partial | Raw `create` command. |
+| Time-series collections; secondary / compound indexes on them | Partial | Raw `create` command; new `createIndex(extraOptions)` covers the index side. |
+| **Partial indexes (`partialFilterExpression`, since 3.2)** | Added 1.15.x | Pass `partialFilterExpression` in the new `extraOptions` overload. |
+| Hidden indexes (since 4.4) | Added 1.15.x | New `INDEX_HIDDEN` flag. |
+| Text / 2dsphere / hashed / wildcard indexes | Partial | Reachable via `extraOptions`; wildcard via `"$**"` field name. |
+| Collation on indexes | Added 1.15.x | Pass `collation` in `extraOptions`. |
+| Queryable Encryption (preview) | Missing | No `ClientEncryption` class. |
+
+### C. MongoDB 7.0
+
+| Feature | Status | Notes |
+|---|---|---|
+| Queryable Encryption (GA) | Missing | No `ClientEncryption` class, no key-vault helper. |
+| MONGODB-OIDC authentication | Missing | |
+| Compound wildcard indexes | Partial | Reachable via `extraOptions` and a `"$**"` field. |
+| `$median`, `$percentile`, `$bitAnd` / `$bitOr` / `$bitXor` / `$bitNot` | Partial | Hand-rolled aggregation pipeline. |
+| `$changeStreamSplitLargeEvent` | Missing | No change-stream helper. |
+| `analyzeShardKey`, `configureQueryAnalyzer` | Partial | Raw admin command. |
+| Time-series delete relaxations | Supported | Transparent on the wire. |
+
+### D. MongoDB 8.0
+
+| Feature | Status | Notes |
+|---|---|---|
+| Cross-collection `bulkWrite` | Missing | Per-collection batched writes already work via `OpMsgMessage`. |
+| Queryable Encryption range queries | Missing | Depends on QE. |
+| `moveCollection`, `unshardCollection`, config-shard transitions | Partial | Raw admin command. |
+| `setQuerySettings`, `removeQuerySettings` | Partial | Raw admin command. |
+| `$convert` to BinData, `$toUUID`, `$toBinData` | Partial | Hand-rolled aggregation pipeline; UUID binary subtype already supported. |
+| Majority write concern oplog optimization | Supported | Server-side only. |
+
+### E. BSON type coverage
+
+| Type | TypeId | Status |
+|---|---|---|
+| Double | 0x01 | Supported |
+| String | 0x02 | Supported |
+| Document | 0x03 | Supported |
+| Array | 0x04 | Supported |
+| Binary (incl. UUID subtype 0x04) | 0x05 | Supported |
+| ObjectId | 0x07 | Supported |
+| Boolean | 0x08 | Supported |
+| UTC DateTime | 0x09 | Supported |
+| Null | 0x0A | Supported |
+| Regex | 0x0B | Supported |
+| JavaScript | 0x0D | Supported |
+| Int32 | 0x10 | Supported |
+| Timestamp | 0x11 | Supported |
+| Int64 | 0x12 | Supported |
+| **Decimal128** | 0x13 | Added 1.15.x |
+| **MinKey** | 0xFF | Added 1.15.x |
+| **MaxKey** | 0x7F | Added 1.15.x |
+| Code-with-scope | 0x0F | Missing |
+| DBPointer (deprecated) | 0x0C | Missing |
+| Symbol (deprecated) | 0x0E | Missing |
+
+### F. Features obsolete in recent MongoDB
+
+These work against current servers but the listed replacement is preferred.
+Nothing has been removed.
+
+| Surface | Status | Replacement |
+|---|---|---|
+| `OpMsgMessage::CMD_MAP_REDUCE` | `POCO_DEPRECATED` (server-deprecated since 5.0). | Aggregation pipeline with `$accumulator`, `$function`, `$out`, `$merge`. |
+| `OpMsgMessage::CMD_COUNT` | Outside Stable API v1; `Database::count()` no longer issues it directly. | Aggregation `$count` (used internally by `Database::count()`). |
+| `Database::INDEX_BACKGROUND` | `POCO_DEPRECATED` (server no-op since 4.2). | Drop the flag; index builds are online by default. |
+| `Database::INDEX_SPARSE` | Superseded by `partialFilterExpression` since 3.2. | Pass `partialFilterExpression` in `createIndex(extraOptions)`. |
+| `Database::createIndex(..., int version)` | Explicit `v=1` is incompatible with several modern index types. | Leave at 0; server picks v=2 (default since 3.4). |
+| Connection URI option `ssl=true` | Replaced by `tls=true` (canonical since 4.2). | Either accepted. |
+
+### Top blockers
+
+The largest remaining gaps for users targeting MongoDB 6.0 / 7.0 / 8.0:
+
+  1. `mongodb+srv://` Atlas connection strings.
+  2. Transactions and `ClientSession`.
+  3. Change streams.
+  4. Queryable Encryption.
+  5. MONGODB-OIDC and other modern auth mechanisms.
+  6. Retryable reads / writes.
+  7. Built-in TLS factory.
+  8. Stable API opt-in.
+  9. Cross-collection `bulkWrite` command.
+  10. Aggregation pipeline builder.

MongoDB/include/Poco/MongoDB/Connection.h

@@ -116,11 +116,13 @@ class MongoDB_API Connection
 		///
 		/// The following options are supported:
 		///
-		///   - ssl: If ssl=true is specified, a custom SocketFactory subclass creating
-		///     a SecureStreamSocket must be supplied.
+		///   - tls (or ssl, historical alias): If true, a custom SocketFactory
+		///     subclass creating a SecureStreamSocket must be supplied. "tls"
+		///     is the canonical option name since MongoDB 4.2; "ssl" remains
+		///     accepted as a synonym.
 		///   - connectTimeoutMS: Socket connection timeout in milliseconds.
 		///   - socketTimeoutMS: Socket send/receive timeout in milliseconds.
-		///   - authMechanism: Authentication mechanism. Only "SCRAM-SHA-1" is supported.
+		///   - authMechanism: "SCRAM-SHA-256" (default) or "SCRAM-SHA-1".
 		///
 		/// Unknown options are silently ignored.
 		///

MongoDB/include/Poco/MongoDB/Database.h

@@ -37,8 +37,14 @@ class MongoDB_API Database
 
 	enum IndexOptions {
 		INDEX_UNIQUE        = 1 << 0,
+			///< For new indexes with conditional-inclusion semantics, prefer
+			///< partialFilterExpression (see createIndex with extraOptions)
+			///< over INDEX_SPARSE.
 		INDEX_SPARSE        = 1 << 1,
-		INDEX_BACKGROUND    = 1 << 2
+		INDEX_BACKGROUND POCO_DEPRECATED("Deprecated since MongoDB 4.2; index builds are online by default") = 1 << 2,
+			///< Hybrid online index builds since 4.2; no longer forwarded to the server.
+		INDEX_HIDDEN        = 1 << 3
+			///< Hide the index from the query planner (since MongoDB 4.4).
 	};
 
 	using FieldIndex = std::tuple<std::string, bool>;
@@ -56,18 +62,20 @@ class MongoDB_API Database
 	[[nodiscard]] const std::string& name() const;
 		/// Database name
 
-	bool authenticate(Connection& connection, const std::string& username, const std::string& password, const std::string& method = AUTH_SCRAM_SHA1);
+	bool authenticate(Connection& connection, const std::string& username, const std::string& password, const std::string& method = AUTH_SCRAM_SHA256);
 		/// Authenticates against the database using the given connection,
-		/// username and password, as well as authentication method.
+		/// username and password, and authentication method:
 		///
-		/// "SCRAM-SHA-1" (default starting in MongoDB 3.0) is the only supported
-		/// authentication method. "MONGODB-CR" is no longer supported as it
-		/// requires the legacy wire protocol.
+		///   - "SCRAM-SHA-256" (MongoDB 4.0+)
+		///   - "SCRAM-SHA-1"   (MongoDB 3.0+)
 		///
-		/// Returns true if authentication was successful, otherwise false.
+		/// MONGODB-CR is not supported (requires the legacy wire protocol).
 		///
-		/// May throw a Poco::ProtocolException if authentication fails for a reason other than
-		/// invalid credentials.
+		/// SCRAM-SHA-256 accepts ASCII passwords only; SASLprep (RFC 4013)
+		/// is not implemented. Non-ASCII throws Poco::NotImplementedException.
+		///
+		/// Returns true on success, false on invalid credentials. Throws
+		/// Poco::ProtocolException on other failures.
 
 	[[nodiscard]] Document::Ptr queryBuildInfo(Connection& connection) const;
 		/// Queries server build info using OP_MSG protocol.
@@ -76,7 +84,12 @@ class MongoDB_API Database
 		/// Queries hello response from server using OP_MSG protocol.
 
 	[[nodiscard]] Int64 count(Connection& connection, const std::string& collectionName) const;
-		/// Sends a count request for the given collection to MongoDB using OP_MSG protocol.
+		/// Counts documents in the given collection using the aggregation
+		/// framework ([{$count: "n"}]) over OP_MSG. Aggregation-based counting
+		/// is preferred over the legacy "count" command because it is part of
+		/// the Stable API v1 (since MongoDB 5.0), is accurate on sharded
+		/// clusters (the legacy command can over-report due to orphaned
+		/// documents), and is permitted in multi-document transactions.
 		///
 		/// If the command fails, -1 is returned.
 
@@ -97,11 +110,46 @@ class MongoDB_API Database
 		unsigned long options = 0,
 		int expirationSeconds = 0,
 		int version = 0);
-		/// Creates an index. The document returned is the response body..
-		/// For more info look at the createIndex information on the MongoDB website. (new wire protocol)
+		/// Creates an index. The document returned is the response body.
+		/// For more info look at the createIndex information on the MongoDB
+		/// website. (new wire protocol)
+		///
+		/// Leave version at 0 to use the server default (v=2 since MongoDB 3.4).
+		/// Setting v=1 is only for compatibility with pre-3.4 servers and is
+		/// incompatible with text, wildcard, and several other modern index
+		/// types.
+
+	Document::Ptr createIndex(
+		Connection& connection,
+		const std::string& collection,
+		const IndexedFields& indexedFields,
+		const std::string& indexName,
+		Document::Ptr extraOptions,
+		unsigned long options = 0,
+		int expirationSeconds = 0,
+		int version = 0);
+		/// Creates an index, allowing arbitrary additional fields in the
+		/// per-index spec via extraOptions. Every element of extraOptions
+		/// is added to the index spec document on top of the fields derived
+		/// from indexedFields, indexName, options, expirationSeconds and
+		/// version. Typical keys to pass in extraOptions include:
+		///
+		///   - "partialFilterExpression" (Document): partial indexes,
+		///     MongoDB 3.2+. Preferred over INDEX_SPARSE for new code.
+		///   - "collation" (Document): per-index collation, MongoDB 3.4+.
+		///   - "wildcardProjection" (Document): wildcard / compound-wildcard
+		///     indexes (the wildcard field itself is specified as "$**" or
+		///     "path.$**" in indexedFields).
+		///   - "weights", "default_language", "language_override" (text indexes).
+		///   - "2dsphereIndexVersion", "bits", "min", "max" (geo indexes).
+		///
+		/// The document returned is the createIndexes response body.
 
 	static const std::string AUTH_SCRAM_SHA1;
-		/// Default authentication mechanism for MongoDB 3.0 and later.
+		/// SCRAM-SHA-1 authentication mechanism (MongoDB 3.0+).
+
+	static const std::string AUTH_SCRAM_SHA256;
+		/// SCRAM-SHA-256 authentication mechanism (MongoDB 4.0+).
 
 	enum WireVersion
 		/// Wire version as reported by the command hello.
@@ -133,6 +181,10 @@ class MongoDB_API Database
 
 protected:
 	bool authSCRAM(Connection& connection, const std::string& username, const std::string& password);
+		/// Performs SCRAM-SHA-1 authentication.
+
+	bool authSCRAM256(Connection& connection, const std::string& username, const std::string& password);
+		/// Performs SCRAM-SHA-256 authentication. ASCII passwords only.
 
 private:
 	std::string _dbname;