node-mysql2

Allow to connect with arbitrary plugin

Open sidorares opened this issue 2 years ago • 4 comments

WIP

Currently the mysql2 driver always tries to connect with the mysql_native_password plugin. For servers supporting PLUGIN_AUTH and configured to use plugins other than mysql_native_password, the initial connection is usually followed by an AUTH_SWITCH_REQUEST packet and an additional handshake with another plugin. This PR will allow using plugins other than mysql_native_password in the initial client hello response. The order of preference for the plugin used during connection is:

  • if the server does not support plugin authorisation and secure auth server capability flag is set - mysql_native_password ( aka auth4.1 )
  • if the server does not support plugin authorisation and secure auth server capability flag is not set - pre auth4.1 token
  • plugin indicated by defaultAuthenticationPlugin config parameter name, if set ( error if the parameter is set but no standard or user provided plugin under this name )
  • plugin returned in auth_plugin_name server hello packet field ( error if plugin not configured )
  • "mysql_native_password" if no defaultAuthenticationPlugin or serverHello.auth_plugin_name

related issues:

  • https://github.com/sidorares/node-mysql2/issues/560

  • https://github.com/sidorares/node-mysql2/issues/1617

  • [ ] fix dead link https://mysqlserverteam.com/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/ to point to https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/

  • [x] move standardAuthPlugins from auth_switch.js to connection. Make fields lazily loaded via getters. Also have the logic "given plugin name, return plugin instance" in the connection. Make sure it is possible to override standard plugins with custom ones

  • [x] remove authToken calculation from handshakeResponse. Calculate it in the client_handshake command and pass the token to handshake_response packet

  • [x] use plugin name from initial server hello packet to initialise plugin. Make it possible to override if defaultAuthenticationPlugin config option set ( mysql server uses default_authentication_plugin name in its config and sys variable - https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin ) Potentially allow defaultAuthenticationPlugin to be a function connection => Promise, but also maybe better to have connection => Promise instead to cover everything - see https://github.com/sidorares/node-mysql2/issues/1983#issuecomment-1524551716

  • [x] initialize _authPlugin in the client_handshake command ( also - make sure it is removed on auth / auth switch / change user success )

  • [ ] refactor change_user packet to use code from handshake_response packet

  • [ ] ~~MAJOR VERSION: delete all references to authSwitchHandler and related code ( documentation/en/Authentication-Switch.md, auth_switch.js: warnLegacyAuthSwitch etc )~~ later

  • [ ] tests for all 3 scenarios ( auth, auth switch, change user )

  • [ ] tests for explicit default plugin name

sidorares Jul 20 '23 07:07
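
The order of preference listed in the description above, written out as an added example that is not code from this PR or from node-mysql2. The helper name, the `capabilityFlags` and `authPlugins` field names, the returned `source` labels and the contents of the plugin table are assumptions; the two capability bits are the MySQL protocol values.

```javascript
// Added illustration; not code from the node-mysql2 PR.
// Capability bits as defined by the MySQL client/server protocol.
const CLIENT_SECURE_CONNECTION = 0x00008000;
const CLIENT_PLUGIN_AUTH = 0x00080000;

// Assumed stand-in for the driver's standard plugin table.
const STANDARD_PLUGINS = ['mysql_native_password', 'caching_sha2_password'];

// Hypothetical helper. `capabilityFlags` and `authPlugins` are assumed field
// names; `auth_plugin_name` and `defaultAuthenticationPlugin` are the names
// used in the PR description.
function selectInitialAuthPlugin(serverHello, config = {}) {
  const known = new Set([
    ...STANDARD_PLUGINS,
    ...Object.keys(config.authPlugins || {}),
  ]);
  const flags = serverHello.capabilityFlags;

  // Cases 1 and 2: server without plugin authentication support.
  if ((flags & CLIENT_PLUGIN_AUTH) === 0) {
    return (flags & CLIENT_SECURE_CONNECTION) !== 0
      ? { plugin: 'mysql_native_password', source: 'secure-auth' }
      : { plugin: null, source: 'pre-4.1-token' }; // legacy token, no plugin
  }

  // Case 3: explicit client configuration wins over the server's hint.
  const configured = config.defaultAuthenticationPlugin;
  if (configured) {
    if (!known.has(configured)) {
      throw new Error(`Unknown defaultAuthenticationPlugin: ${configured}`);
    }
    return { plugin: configured, source: 'config' };
  }

  // Case 4: plugin named in the server hello packet.
  const advertised = serverHello.auth_plugin_name;
  if (advertised) {
    if (!known.has(advertised)) {
      throw new Error(`Server requested unconfigured plugin: ${advertised}`);
    }
    return { plugin: advertised, source: 'server-hello' };
  }

  // Case 5: neither is set.
  return { plugin: 'mysql_native_password', source: 'fallback' };
}
```

Logging the `source` value per connection shows whether the plugin was pinned by client configuration or taken from the server hello.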

Coverage report

The coverage rate is 89.2977066514253%

The branch rate is 84.63687150837988%

100% of new lines are covered.

github-actions[bot] Jul 20 '23 07:07