mongodb · emadum · Aug 27, 2021 · Aug 27, 2021
diff --git a/lib/core/auth/mongo_credentials.js b/lib/core/auth/mongo_credentials.js
@@ -58,7 +58,10 @@ class MongoCredentials {
         this.password = process.env.AWS_SECRET_ACCESS_KEY;
       }
 
-      if (!this.mechanismProperties.AWS_SESSION_TOKEN && process.env.AWS_SESSION_TOKEN) {
+      if (
+        this.mechanismProperties.AWS_SESSION_TOKEN == null &&
+        process.env.AWS_SESSION_TOKEN != null
+      ) {
         this.mechanismProperties.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN;
       }
     }

diff --git a/lib/core/auth/mongodb_aws.js b/lib/core/auth/mongodb_aws.js
@@ -51,12 +51,21 @@ class MongoDBAWS extends AuthProvider {
       return;
     }
 
-    const username = credentials.username;
-    const password = credentials.password;
     const db = credentials.source;
-    const token = credentials.mechanismProperties.AWS_SESSION_TOKEN;
     const bson = this.bson;
 
+    const accessKeyId = credentials.username;
+    const secretAccessKey = credentials.password;
+    const sessionToken = credentials.mechanismProperties.AWS_SESSION_TOKEN;
+
+    // If all three defined, include sessionToken, else include username and pass, else no credentials
+    const awsCredentials =
+      accessKeyId && secretAccessKey && sessionToken
+        ? { accessKeyId, secretAccessKey, sessionToken }
+        : accessKeyId && secretAccessKey
+        ? { accessKeyId, secretAccessKey }
+        : undefined;
+
     crypto.randomBytes(32, (err, nonce) => {
       if (err) {
         callback(err);
@@ -109,18 +118,14 @@ class MongoDBAWS extends AuthProvider {
             path: '/',
             body
           },
-          {
-            accessKeyId: username,
-            secretAccessKey: password,
-            token
-          }
+          awsCredentials
         );
 
         const authorization = options.headers.Authorization;
         const date = options.headers['X-Amz-Date'];
         const payload = { a: authorization, d: date };
-        if (token) {
-          payload.t = token;
+        if (sessionToken) {
+          payload.t = sessionToken;
         }
 
         const saslContinue = {
@@ -164,6 +169,7 @@ function makeTempCredentials(credentials, callback) {
   if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
     request(
       `${AWS_RELATIVE_URI}${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`,
+      undefined,
       (err, res) => {
         if (err) return callback(err);
         done(res);
@@ -215,11 +221,6 @@ function deriveRegion(host) {
 }
 
 function request(uri, options, callback) {
-  if (typeof options === 'function') {
-    callback = options;
-    options = {};
-  }
-
   options = Object.assign(
     {
       method: 'GET',

diff --git a/test/functional/mongodb_aws.test.js b/test/functional/mongodb_aws.test.js
@@ -40,4 +40,13 @@ describe('MONGODB-AWS', function() {
       });
     });
   });
+
+  it('should allow empty string in authMechanismProperties.AWS_SESSION_TOKEN to override AWS_SESSION_TOKEN environment variable', function() {
+    const client = this.configuration.newClient(this.configuration.url(), {
+      authMechanismProperties: { AWS_SESSION_TOKEN: '' }
+    });
+    expect(client)
+      .to.have.nested.property('options.credentials.mechanismProperties.AWS_SESSION_TOKEN')
+      .that.equals('');
+  });
 });