mongodb · PavelSafronov · Dec 11, 2025 · Dec 12, 2025 · Dec 15, 2025 · Dec 15, 2025
@@ -13,6 +13,3 @@ source ./.evergreen/prepare-shell.sh # should not run git clone
 
 # load node.js
 source $DRIVERS_TOOLS/.evergreen/init-node-and-npm-env.sh
-
-# run the tests
-npm install aws4
@@ -22,7 +22,5 @@ cd $DRIVERS_TOOLS/.evergreen/auth_aws
 
 cd $BEFORE
 
-npm install --no-save aws4
-
 # revert to show test output
 set -x
diff --git a/etc/aws-test.sh b/etc/aws-test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+cd $DRIVERS_TOOLS/.evergreen/auth_aws
+
+. ./activate-authawsvenv.sh
+
+# Test with permanent credentials
+. aws_setup.sh env-creds
+unset MONGODB_URI
+echo "AWS_SESSION_TOKEN is set to '${AWS_SESSION_TOKEN-NOT SET}'"
+npm run check:test -- --grep "AwsSigV4"
+
+# Test with session credentials
+. aws_setup.sh session-creds
+unset MONGODB_URI
+echo "AWS_SESSION_TOKEN is set to '${AWS_SESSION_TOKEN-NOT SET}'"
+npm run check:test -- --grep "AwsSigV4"
+
+# Test with missing credentials
+unset MONGODB_URI
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SESSION_TOKEN
+npm run check:test -- --grep "AwsSigV4"
diff --git a/src/aws4.ts b/src/aws4.ts
@@ -0,0 +1,141 @@
+import * as crypto from 'node:crypto';
+
+export type Options = {
+  path: '/';
+  body: string;
+  host: string;
+  method: 'POST';
+  headers: {
+    'Content-Type': 'application/x-www-form-urlencoded';
+    'Content-Length': number;
+    'X-MongoDB-Server-Nonce': string;
+    'X-MongoDB-GS2-CB-Flag': 'n';
+  };
+  service: string;
+  region: string;
+  date?: Date;
+};
+
+export type AwsSessionCredentials = {
+  accessKeyId: string;
+  secretAccessKey: string;
+  sessionToken: string;
+};
+
+export type AwsLongtermCredentials = {
+  accessKeyId: string;
+  secretAccessKey: string;
+};
+
+export type SignedHeaders = {
+  headers: {
+    Authorization: string;
+    'X-Amz-Date': string;
+  };
+};
+
+export interface AWS4 {
+  /**
+   * Created these inline types to better assert future usage of this API
+   * @param options - options for request
+   * @param credentials - AWS credential details, sessionToken should be omitted entirely if its false-y
+   */
+  sign(
+    this: void,
+    options: Options,
+    credentials: AwsSessionCredentials | AwsLongtermCredentials | undefined
+  ): SignedHeaders;
+}
+
+const getHash = (str: string): string => {
+  return crypto.createHash('sha256').update(str, 'utf8').digest('hex');
+};
+const getHmacArray = (key: string | Uint8Array, str: string): Uint8Array => {
+  return crypto.createHmac('sha256', key).update(str, 'utf8').digest();
+};
+const getHmacString = (key: Uint8Array, str: string): string => {
+  return crypto.createHmac('sha256', key).update(str, 'utf8').digest('hex');
+};
+
+const getEnvCredentials = () => {
+  const env = process.env;
+  return {
+    accessKeyId: env.AWS_ACCESS_KEY_ID || env.AWS_ACCESS_KEY,
+    secretAccessKey: env.AWS_SECRET_ACCESS_KEY || env.AWS_SECRET_KEY,
+    sessionToken: env.AWS_SESSION_TOKEN
+  };
+};
+
+const convertHeaderValue = (value: string | number) => {
+  return value.toString().trim().replace(/\s+/g, ' ');
+};
+
+export function aws4Sign(
+  this: void,
+  options: Options,
+  credentials: AwsSessionCredentials | AwsLongtermCredentials | undefined
+): SignedHeaders {
+  const method = options.method;
+  const canonicalUri = options.path;
+  const canonicalQuerystring = '';
+  const creds = credentials || getEnvCredentials();
+
+  const date = options.date || new Date();
+  const requestDateTime = date.toISOString().replace(/[:-]|\.\d{3}/g, '');
+  const requestDate = requestDateTime.substring(0, 8);
+
+  const headers: string[] = [
+    `content-length:${convertHeaderValue(options.headers['Content-Length'])}`,
+    `content-type:${convertHeaderValue(options.headers['Content-Type'])}`,
+    `host:${convertHeaderValue(options.host)}`,
+    `x-amz-date:${convertHeaderValue(requestDateTime)}`,
+    `x-mongodb-gs2-cb-flag:${convertHeaderValue(options.headers['X-MongoDB-GS2-CB-Flag'])}`,
+    `x-mongodb-server-nonce:${convertHeaderValue(options.headers['X-MongoDB-Server-Nonce'])}`
+  ];
+  if ('sessionToken' in creds && creds.sessionToken) {
+    headers.push(`x-amz-security-token:${convertHeaderValue(creds.sessionToken)}`);
+  }
+  const canonicalHeaders = headers.sort().join('\n');
+  const canonicalHeaderNames = headers.map(header => header.split(':', 2)[0].toLowerCase());
+  const signedHeaders = canonicalHeaderNames.sort().join(';');
+
+  const hashedPayload = getHash(options.body || '');
+
+  const canonicalRequest = [
+    method,
+    canonicalUri,
+    canonicalQuerystring,
+    canonicalHeaders + '\n',
+    signedHeaders,
+    hashedPayload
+  ].join('\n');
+
+  const canonicalRequestHash = getHash(canonicalRequest);
+  const credentialScope = `${requestDate}/${options.region}/${options.service}/aws4_request`;
+
+  const stringToSign = [
+    'AWS4-HMAC-SHA256',
+    requestDateTime,
+    credentialScope,
+    canonicalRequestHash
+  ].join('\n');
+
+  const dateKey = getHmacArray('AWS4' + creds.secretAccessKey, requestDate);
+  const dateRegionKey = getHmacArray(dateKey, options.region);
+  const dateRegionServiceKey = getHmacArray(dateRegionKey, options.service);
+  const signingKey = getHmacArray(dateRegionServiceKey, 'aws4_request');
+  const signature = getHmacString(signingKey, stringToSign);
+
+  const authorizationHeader = [
+    'AWS4-HMAC-SHA256 Credential=' + creds.accessKeyId + '/' + credentialScope,
+    'SignedHeaders=' + signedHeaders,
+    'Signature=' + signature
+  ].join(', ');
+
+  return {
+    headers: {
+      Authorization: authorizationHeader,
+      'X-Amz-Date': requestDateTime
+    }
+  };
+}
@@ -1,6 +1,6 @@
+import { aws4Sign } from '../../aws4';
 import type { Binary, BSONSerializeOptions } from '../../bson';
 import * as BSON from '../../bson';
-import { aws4 } from '../../deps';
 import {
   MongoCompatibilityError,
   MongoMissingCredentialsError,
@@ -45,11 +45,6 @@ export class MongoDBAWS extends AuthProvider {
       throw new MongoMissingCredentialsError('AuthContext must provide credentials.');
     }
 
-    if ('kModuleError' in aws4) {
-      throw aws4['kModuleError'];
-    }
-    const { sign } = aws4;
-
     if (maxWireVersion(connection) < 9) {
       throw new MongoCompatibilityError(
         'MONGODB-AWS authentication requires MongoDB version 4.4 or later'
@@ -114,7 +109,7 @@ export class MongoDBAWS extends AuthProvider {
     }
 
     const body = 'Action=GetCallerIdentity&Version=2011-06-15';
-    const options = sign(
+    const signed = aws4Sign(
       {
         method: 'POST',
         host,
@@ -133,8 +128,8 @@ export class MongoDBAWS extends AuthProvider {
     );
 
     const payload: AWSSaslContinuePayload = {
-      a: options.headers.Authorization,
-      d: options.headers['X-Amz-Date']
+      a: signed.headers.Authorization,
+      d: signed.headers['X-Amz-Date']
     };
 
     if (sessionToken) {

@@ -203,66 +203,6 @@ export function getSocks(): SocksLib | { kModuleError: MongoMissingDependencyErr
   }
 }
 
-interface AWS4 {
-  /**
-   * Created these inline types to better assert future usage of this API
-   * @param options - options for request
-   * @param credentials - AWS credential details, sessionToken should be omitted entirely if its false-y
-   */
-  sign(
-    this: void,
-    options: {
-      path: '/';
-      body: string;
-      host: string;
-      method: 'POST';
-      headers: {
-        'Content-Type': 'application/x-www-form-urlencoded';
-        'Content-Length': number;
-        'X-MongoDB-Server-Nonce': string;
-        'X-MongoDB-GS2-CB-Flag': 'n';
-      };
-      service: string;
-      region: string;
-    },
-    credentials:
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-          sessionToken: string;
-        }
-      | {
-          accessKeyId: string;
-          secretAccessKey: string;
-        }
-      | undefined
-  ): {
-    headers: {
-      Authorization: string;
-      'X-Amz-Date': string;
-    };
-  };
-}
-
-export const aws4: AWS4 | { kModuleError: MongoMissingDependencyError } = loadAws4();
-
-function loadAws4() {
-  let aws4: AWS4 | { kModuleError: MongoMissingDependencyError };
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    aws4 = require('aws4');
-  } catch (error) {
-    aws4 = makeErrorModule(
-      new MongoMissingDependencyError(
-        'Optional module `aws4` not found. Please install it to enable AWS authentication',
-        { cause: error, dependencyName: 'aws4' }
-      )
-    );
-  }
-
-  return aws4;
-}
-
 /** A utility function to get the instance of mongodb-client-encryption, if it exists. */
 export function getMongoDBClientEncryption():
   | typeof import('mongodb-client-encryption')