mongodb-js · durran · Sep 17, 2025 · Sep 16, 2025 · Sep 16, 2025 · Sep 16, 2025
@@ -34,8 +34,17 @@
     "prettier/prettier": "error",
     "no-console": "error",
     "valid-typeof": "error",
-    "eqeqeq": ["error", "always", {"null": "ignore"}],
-    "strict": ["error", "global"],
+    "eqeqeq": [
+      "error",
+      "always",
+      {
+        "null": "ignore"
+      }
+    ],
+    "strict": [
+      "error",
+      "global"
+    ],
     "no-restricted-syntax": [
       "error",
       {
@@ -66,6 +75,19 @@
         "no-console": "off",
         "no-restricted-syntax": "off"
       }
+    },
+    {
+      "files": [
+        "**/*.ts"
+      ],
+      "extends": [
+        "plugin:@typescript-eslint/eslint-recommended",
+        "plugin:@typescript-eslint/recommended"
+      ],
+      "plugins": [
+        "prettier",
+        "@typescript-eslint"
+      ]
     }
   ]
-}
+}
@@ -123,6 +123,35 @@ NOTE: The test suite requires an active kerberos deployment.
 <dd></dd>
 </dl>
 
+## Constants
+
+<dl>
+<dt><a href="#GSS_C_DELEG_FLAG">GSS_C_DELEG_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_MUTUAL_FLAG">GSS_C_MUTUAL_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_REPLAY_FLAG">GSS_C_REPLAY_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_SEQUENCE_FLAG">GSS_C_SEQUENCE_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_CONF_FLAG">GSS_C_CONF_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_INTEG_FLAG">GSS_C_INTEG_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_ANON_FLAG">GSS_C_ANON_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_PROT_READY_FLAG">GSS_C_PROT_READY_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_TRANS_FLAG">GSS_C_TRANS_FLAG</a></dt>
+<dd></dd>
+<dt><a href="#GSS_C_NO_OID">GSS_C_NO_OID</a></dt>
+<dd></dd>
+<dt><a href="#GSS_MECH_OID_KRB5">GSS_MECH_OID_KRB5</a></dt>
+<dd></dd>
+<dt><a href="#GSS_MECH_OID_SPNEGO">GSS_MECH_OID_SPNEGO</a></dt>
+<dd></dd>
+</dl>
+
 ## Functions
 
 <dl>
@@ -230,6 +259,42 @@ Perform the client side kerberos unwrap step
 
 Processes a single kerberos server-side step using the supplied client data.
 
+<a name="GSS_C_DELEG_FLAG"></a>
+
+## GSS_C_DELEG_FLAG
+<a name="GSS_C_MUTUAL_FLAG"></a>
+
+## GSS_C_MUTUAL_FLAG
+<a name="GSS_C_REPLAY_FLAG"></a>
+
+## GSS_C_REPLAY_FLAG
+<a name="GSS_C_SEQUENCE_FLAG"></a>
+
+## GSS_C_SEQUENCE_FLAG
+<a name="GSS_C_CONF_FLAG"></a>
+
+## GSS_C_CONF_FLAG
+<a name="GSS_C_INTEG_FLAG"></a>
+
+## GSS_C_INTEG_FLAG
+<a name="GSS_C_ANON_FLAG"></a>
+
+## GSS_C_ANON_FLAG
+<a name="GSS_C_PROT_READY_FLAG"></a>
+
+## GSS_C_PROT_READY_FLAG
+<a name="GSS_C_TRANS_FLAG"></a>
+
+## GSS_C_TRANS_FLAG
+<a name="GSS_C_NO_OID"></a>
+
+## GSS_C_NO_OID
+<a name="GSS_MECH_OID_KRB5"></a>
+
+## GSS_MECH_OID_KRB5
+<a name="GSS_MECH_OID_SPNEGO"></a>
+
+## GSS_MECH_OID_SPNEGO
 <a name="checkPassword"></a>
 
 ## checkPassword(username, password, service, [defaultRealm])
@@ -283,6 +348,8 @@ Details are looked up via the `/etc/keytab` file.
 | [options.principal] | <code>string</code> | Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com'). |
 | [options.flags] | <code>number</code> | Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG\|GSS_C_MUTUAL_FLAG\|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host) |
 | [options.mechOID] | <code>number</code> | Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`. |
+| [options.user] | <code>string</code> | The username with which to authenticate.  Only used on Windows. |
+| [options.pass] | <code>string</code> | The password with which to authenticate.  Only used on Windows. |
 
 Initializes a context for client-side authentication with the given service principal.
 

@@ -0,0 +1,185 @@
+export const GSS_C_DELEG_FLAG: number;
+export const GSS_C_MUTUAL_FLAG: number;
+export const GSS_C_REPLAY_FLAG: number;
+export const GSS_C_SEQUENCE_FLAG: number;
+export const GSS_C_CONF_FLAG: number;
+export const GSS_C_INTEG_FLAG: number;
+export const GSS_C_ANON_FLAG: number;
+export const GSS_C_PROT_READY_FLAG: number;
+export const GSS_C_TRANS_FLAG: number;
+
+export const GSS_C_NO_OID: number;
+export const GSS_MECH_OID_KRB5: number;
+export const GSS_MECH_OID_SPNEGO: number;
+
+/**
+ * Optional settings for *KerberosClient.wrap* method.
+ */
+export interface WrapOptions {
+  /**
+   * The user to authorize.
+   */
+  user?: string;
+
+  /**
+   * Indicates if the wrap should request message confidentiality.
+   */
+  protect?: boolean;
+}
+
+/**
+ * Options for `initializeClient()`.
+ */
+export interface InitializeClientOptions {
+  /**
+   * Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com').
+   */
+  principal?: string;
+  /**
+   * Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host).
+   */
+  gssFlag?: number;
+  /**
+   * Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`.
+   */
+  mechOID?: number;
+
+  /**
+   * The username with which to authenticate.  Only used on Windows.
+   */
+  user?: string;
+
+  /**
+   * The password with which to authenticate.  Only used on Windows.
+   */
+  pass?: string;
+}
+
+export class KerberosClient {
+  /**
+   * The username used for authentication.
+   */
+  username: string;
+  /**
+   * The last response received during authentication steps.
+   */
+  response: string;
+  /**
+   * Indicates whether confidentiality was applied or not (GSSAPI only).
+   */
+  responseConf: string;
+  /**
+   * Indicates that authentication has successfully completed or not.
+   */
+  contextComplete: boolean;
+
+  /**
+   * Processes a single kerberos client-side step using the supplied server challenge.
+   *
+   * @param challenge A string containing the base64-encoded server data (which may be empty for the first step)
+   */
+  step(challenge: string): Promise<string>;
+
+  /**
+   * Perform the client side kerberos wrap step.
+   *
+   * @param challenge The response returned after calling `unwrap`
+   * @param options Optional settings
+   */
+  wrap(challenge: string, options?: WrapOptions): Promise<string>;
+
+  /**
+   * Perform the client side kerberos unwrap step
+   *
+   * @param challenge A string containing the base64-encoded server data
+   */
+  unwrap(challenge: string): Promise<string>;
+}
+
+export class KerberosServer {
+  /**
+   * The username used for authentication
+   */
+  username: string;
+  /**
+   * @description The last response received during authentication steps
+   */
+  response: string;
+  /**
+   * @description The target used for authentication
+   */
+  targetName: string;
+  /**
+   * @description Indicates that authentication has successfully completed or not
+   */
+  contextComplete: boolean;
+
+  /**
+   * Processes a single kerberos server-side step using the supplied client data.
+   *
+   * @param challenge A string containing the base64-encoded client data
+   */
+  step(challenge: string): Promise<string>;
+}
+
+/**
+ * This function provides a simple way to verify that a user name and password
+ * match those normally used for Kerberos authentication.
+ * It does this by checking that the supplied user name and password can be
+ * used to get a ticket for the supplied service.
+ * If the user name does not contain a realm, then the default realm supplied
+ * is used.
+ *
+ * For this to work properly the Kerberos must be configured properly on this
+ * machine.
+ * That will likely mean ensuring that the edu.mit.Kerberos preference file
+ * has the correct realms and KDCs listed.
+ *
+ * IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should
+ * only be used for testing. Do not use this in any production system - your
+ * security could be compromised if you do.
+ *
+ * @param username The Kerberos user name. If no realm is supplied, then the `defaultRealm` will be used.
+ * @param password The password for the user.
+ * @param service The Kerberos service to check access for.
+ * @param defaultRealm The default realm to use if one is not supplied in the user argument.
+ */
+export function checkPassword(
+  name: string,
+  password: string,
+  service: string,
+  defaultRealm?: string
+): Promise<void>;
+
+/**
+ * This function returns the service principal for the server given a service type and hostname.
+ *
+ * Details are looked up via the `/etc/keytab` file.
+ *
+ * @param service The Kerberos service type for the server.
+ * @param hostname The hostname of the server.
+ */
+export function principalDetails(service: string, hostname: string): Promise<string>;
+
+/**
+ * Initializes a context for client-side authentication with the given service principal.
+ *
+ * @param service A string containing the service principal in the form '`type@fqdn`'.
+ * @param [options] Optional settings
+ */
+export function initializeClient(
+  service: string,
+  options?: InitializeClientOptions
+): Promise<KerberosClient>;
+
+/**
+ * Initializes a context for server-side authentication with the given service principal.
+ *
+ * @param service A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
+ */
+export function initializeServer(service: string): Promise<KerberosServer>;
+
+/**
+ * The version of the Kerberos package.
+ */
+export const version: string;
@@ -8,19 +8,31 @@ const KerberosClient = kerberos.KerberosClient;
 const KerberosServer = kerberos.KerberosServer;
 
 // GSS Flags
+/** @kind constant */
 const GSS_C_DELEG_FLAG = 1;
+/** @kind constant */
 const GSS_C_MUTUAL_FLAG = 2;
+/** @kind constant */
 const GSS_C_REPLAY_FLAG = 4;
+/** @kind constant */
 const GSS_C_SEQUENCE_FLAG = 8;
+/** @kind constant */
 const GSS_C_CONF_FLAG = 16;
+/** @kind constant */
 const GSS_C_INTEG_FLAG = 32;
+/** @kind constant */
 const GSS_C_ANON_FLAG = 64;
+/** @kind constant */
 const GSS_C_PROT_READY_FLAG = 128;
+/** @kind constant */
 const GSS_C_TRANS_FLAG = 256;
 
 // GSS_OID
+/** @kind constant */
 const GSS_C_NO_OID = 0;
+/** @kind constant */
 const GSS_MECH_OID_KRB5 = 9;
+/** @kind constant */
 const GSS_MECH_OID_SPNEGO = 6;
 
 /**
@@ -182,6 +194,8 @@ const promisifiedInitializeClient = promisify(kerberos.initializeClient);
  * @param {string} [options.principal] Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com').
  * @param {number} [options.flags] Optional integer used to set GSS flags. (e.g.  `GSS_C_DELEG_FLAG\|GSS_C_MUTUAL_FLAG\|GSS_C_SEQUENCE_FLAG` will allow for forwarding credentials to the remote host)
  * @param {number} [options.mechOID] Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`.
+ * @param {string} [options.user] The username with which to authenticate.  Only used on Windows.
+ * @param {string} [options.pass] The password with which to authenticate.  Only used on Windows.
  * @return {Promise<KerberosClient>} returns Promise
  */
 async function initializeClient(service, options = { mechOID: GSS_C_NO_OID }) {