Provide AUTH fallback support for connection URLs with a username com…

…ponent

Prior to ACL support, redis-py ignored the username component of
Connection URLs. With ACL support, usernames are no longer ignored and
are used to authenticate against an ACL rule. Some cloud vendors with
managed Redis instances (like Heroku) provide connection URLs with a
username component pre-ACL that is not intended to be used. Sending that
username to Redis servers < 6.0.0 results in an error. Attempt to detect
this condition and retry the AUTH command with only the password such
that authentication continues to work for these users.

Fixes #1274

CHANGES

@@ -1,3 +1,12 @@
+* 3.4.1 (in development)
+    * Prior to ACL support, redis-py ignored the username component of
+      Connection URLs. With ACL support, usernames are no longer ignored and
+      are used to authenticate against an ACL rule. Some cloud vendors with
+      managed Redis instances (like Heroku) provide connection URLs with a
+      username component pre-ACL that is not intended to be used. Sending that
+      username to Redis servers < 6.0.0 results in an error. Attempt to detect
+      this condition and retry the AUTH command with only the password such
+      that authentication continues to work for these users. #1274
 * 3.4.0
     * Allow empty pipelines to be executed if there are WATCHed keys.
       This is a convenient way to test if any of the watched keys changed

redis/__init__.py

@@ -9,6 +9,7 @@
 from redis.utils import from_url
 from redis.exceptions import (
     AuthenticationError,
+    AuthenticationWrongNumberOfArgsError,
     BusyLoadingError,
     ChildDeadlockedError,
     ConnectionError,
@@ -35,6 +36,7 @@ def int_or_str(value):
 
 __all__ = [
     'AuthenticationError',
+    'AuthenticationWrongNumberOfArgsError',
     'BlockingConnectionPool',
     'BusyLoadingError',
     'ChildDeadlockedError',

redis/connection.py

@@ -17,6 +17,7 @@
                            sendall, shutdown, ssl_wrap_socket)
 from redis.exceptions import (
     AuthenticationError,
+    AuthenticationWrongNumberOfArgsError,
     BusyLoadingError,
     ChildDeadlockedError,
     ConnectionError,
@@ -135,6 +136,8 @@ class BaseParser(object):
             'max number of clients reached': ConnectionError,
             'Client sent AUTH, but no password is set': AuthenticationError,
             'invalid password': AuthenticationError,
+            'wrong number of arguments for \'auth\' command':
+                AuthenticationWrongNumberOfArgsError,
         },
         'EXECABORT': ExecAbortError,
         'LOADING': BusyLoadingError,
@@ -630,7 +633,18 @@ def on_connect(self):
             # avoid checking health here -- PING will fail if we try
             # to check the health prior to the AUTH
             self.send_command('AUTH', *auth_args, check_health=False)
-            if nativestr(self.read_response()) != 'OK':
+
+            try:
+                auth_response = self.read_response()
+            except AuthenticationWrongNumberOfArgsError:
+                # a username and password were specified but the Redis
+                # server seems to be < 6.0.0 which expects a single password
+                # arg. retry auth with just the password.
+                # https://github.com/andymccurdy/redis-py/issues/1274
+                self.send_command('AUTH', self.password, check_health=False)
+                auth_response = self.read_response()
+
+            if nativestr(auth_response) != 'OK':
                 raise AuthenticationError('Invalid Username or Password')
 
         # if a client_name is given, set it

redis/exceptions.py

@@ -72,3 +72,11 @@ class LockNotOwnedError(LockError):
 class ChildDeadlockedError(Exception):
     "Error indicating that a child process is deadlocked after a fork()"
     pass
+
+
+class AuthenticationWrongNumberOfArgsError(ResponseError):
+    """
+    An error to indicate that the wrong number of args
+    were sent to the AUTH command
+    """
+    pass