Parsing of password with % gives malformed URI error

[Tathanen]

Line 196 in lib/index.js:

ret.auth.pass = parts[1] ? decodeURIComponent(parts[1]) : void 0;

If parts[1] is a password that contains a percent sign %, URIError: URI malformed is returned.

[jloveridge]

Why not encode the password so that % is encoded as %25?

[jloveridge]

More importantly the MongoDB driver will reject passwords that aren't properly URI encoded. As such there are a number of other characters that could be a problem as well. From the MongoDB native driver source code:

// Decode the authentication URI components and verify integrity
  let user = decodeURIComponent(auth[0]);
  if (auth[0] !== encodeURIComponent(user)) {
    throw new Error('Username contains an illegal unescaped character');
  }
  auth[0] = user;

  if (auth[1]) {
    let pass = decodeURIComponent(auth[1]);
    if (auth[1] !== encodeURIComponent(pass)) {
      throw new Error('Password contains an illegal unescaped character');
    }
    auth[1] = pass;
  }

As such, however you are getting the connection string it seems to me that it is imperative that the URI have values encoded properly for the underlying driver which includes encoding the username and passwords accordingly.

[vkarpov15]

Yeah this is expected behavior unfortunately. MongoDB says that username and password must be URI encoded, so if you have a '%' in your password you need to do encodeURIComponent() on your password if you are including it in a URI. With mongoose, you can also do:

mongoose.connect(uri, { user, pass });

If you pass username and password in the mongoose.connect() options, you don't need to do encodeURIComponent().

[Tathanen]

This is all good to know, thanks for the insight!