Allow to connect with arbitrary plugin #2143
Open
+71
−36
WIP
Currently the mysql2 driver always tries to connect with the mysql_native_password plugin. For servers supporting PLUGIN_AUTH and configured to use plugins other than mysql_native_password, the initial connection is usually followed by an AUTH_SWITCH_REQUEST packet and an additional handshake with another plugin. This PR will allow plugins other than mysql_native_password to be used in the initial client hello response. The order of preference for the plugin used during connection is:
defaultAuthenticationPlugin config parameter name, if set ( error if the parameter is set but no standard or user provided plugin under this name )
auth_plugin_name server hello packet field ( error if plugin not configured )
"mysql_native_password" if no defaultAuthenticationPlugin or serverHello.auth_plugin_name
related issues:
allow to use arbitrary plugin as first auth method #560
Do not enable mysql_clear_password by default #1617
fix dead link https://mysqlserverteam.com/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/ to point to https://dev.mysql.com/blog-archive/mysql-8-0-4-new-default-authentication-plugin-caching_sha2_password/
move standardAuthPlugins from auth_switch.js to connection. Make fields lazily loaded via getters. Also have a logic "given plugin name, return plugin instance" in the connection. Make sure it is possible to override standard plugins with custom ones
remove authToken calculation from handshakeResponse. Calculate it in the client_handshake command and pass the token to handshake_response packet
use plugin name from initial server hello packet to initialise plugin. Make it possible to override if defaultAuthenticationPlugin config option set ( mysql server uses default_authentication_plugin name in its config and sys variable - https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin )
Potentially allow defaultAuthenticationPlugin to be a function connection => Promise, but also maybe better to have connection => Promise instead to cover everything - see Add a function to update pool default configurations #1983 (comment)
initialize _authPlugin in the client_handshake command ( also - make sure it is removed on auth / auth switch / change user success )
refactor change_user packet to use code from handshake_response packet
MAJOR VERSION: delete all references to authSwitchHandler and related code ( documentation/en/Authentication-Switch.md, auth_switch.js: warnLegacyAuthSwitch etc )
later
tests for all 3 scenarios ( auth, auth switch, change user )
tests for explicit default plugin name
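
The order of preference described above, written out as an added example (not code from this PR or from mysql2). `resolveInitialAuthPlugin`, `STANDARD_PLUGINS` and the plugin stand-ins are hypothetical, and `authPlugins` is assumed to be the user-provided plugin map; `mysql_clear_password` is left out of the standard set on the assumption that it must be opted into, as issue #1617 asks.

```javascript
// Constructed stand-ins for plugin factories; real plugins compute auth tokens.
const STANDARD_PLUGINS = {
  mysql_native_password: () => 'native-token',
  caching_sha2_password: () => 'sha2-token',
  sha256_password: () => 'sha256-token'
  // mysql_clear_password is deliberately absent (assumption): a server hello
  // naming it must not make the client send a cleartext password by default.
};

const FALLBACK = 'mysql_native_password';

// Hypothetical helper: picks the plugin for the initial handshake response.
function resolveInitialAuthPlugin(config, serverHello) {
  // Null-prototype map so a server-supplied name such as "toString" or
  // "constructor" cannot resolve to an inherited Object method.
  // User-provided plugins override standard ones of the same name.
  const available = Object.assign(
    Object.create(null), STANDARD_PLUGINS, config.authPlugins
  );
  const candidates = [
    ['config.defaultAuthenticationPlugin', config.defaultAuthenticationPlugin],
    ['serverHello.auth_plugin_name', serverHello.auth_plugin_name]
  ];
  for (const [source, name] of candidates) {
    if (!name) continue; // not set: try the next source
    if (typeof available[name] !== 'function') {
      // Set but unknown is an error, never a silent fallback.
      throw new Error(`Auth plugin "${name}" from ${source} is not configured`);
    }
    return { name, source, plugin: available[name] };
  }
  return { name: FALLBACK, source: 'fallback', plugin: available[FALLBACK] };
}

// Constructed inputs: a server advertising caching_sha2_password, no override.
const picked = resolveInitialAuthPlugin({}, { auth_plugin_name: 'caching_sha2_password' });
console.log(picked.name, 'via', picked.source);
```
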