MongoDB version 3.0+ uses SCRAM-SHA-1 as default auth mechanism #1967

Open
ahmetsait opened this Issue Oct 28, 2017 · 7 comments

ahmetsait commented Oct 28, 2017

MongoDB Documentation:

> Changed in version 3.0: New challenge-response users created in 3.0 will use SCRAM-SHA-1. If using 2.6 user data, MongoDB 3.0 will continue to use MONGODB-CR.

I realized this after enabling authentication on my mongod config because using `mongodb://user:password@host/database` as connection URL kept failing. I had to specify auth mechanism like so: `mongodb://user:password@host/database?authMechanism=SCRAM-SHA-1`

So I guess the default auth mechanism should be determined according to MongoDB version.

Also, error messages can use some improvements (at least error codes instead of just "Authentication failed" message).

Contributor

dariusc93 commented Nov 16, 2017

I believe this was mentioned a few times in other issues.

Contributor

wilzbach commented Dec 6, 2017

What Vibe.d version were you using? This has been fixed a couple of months ago: #1843 (part of v0.8.1)

ahmetsait commented Dec 6, 2017

I'm able to reproduce this with v0.8.1. My dub.selections file has vibe-d : "0.8.1" so seems like it's not me doing something wrong. Maybe it's actually patched in a later version?

Contributor

wilzbach commented Dec 6, 2017

Hmm, the patch is included in v0.8.1 and I remember needing this patch for deploying something to Heroku.
Do you have time to simply check whether the try catch of the patch is part of your vibe.d copy and maybe even insert a line to catch the exception?

ahmetsait commented Dec 6, 2017

Okay, so looking at the code:

```d
if (m_settings.authMechanism == MongoAuthMechanism.none)
	authenticate();
else
{
	try
		scramAuthenticate();
	catch (MongoAuthException e)
		authenticate();
}
```

This doesn't make sense. The only place that ever modifies `m_settings.authMechanism` is the `parseAuthMechanism()` function, which is used inside the `parseMongoDBUrl()` function; therefore `m_settings.authMechanism` stays as `MongoAuthMechanism.none` unless we explicitly specify it in the connection URL. I think it should check for `mongoDBCR` instead of "none":

```d
if (m_settings.authMechanism == MongoAuthMechanism.mongoDBCR)
	authenticate(); //use old mechanism if explicitly stated
else
{
	try
		scramAuthenticate(); //scram-sha-1 is default in version v3.0+
	catch (MongoAuthException e)
		authenticate(); //fall back if scram-sha-1 fails
}
```

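
Added illustration, not code from this thread or from vibe.d: a stand-alone D program that runs both versions of the dispatch quoted in the comment above against a mock server which, like a MongoDB 3.0+ deployment with newly created users, accepts only SCRAM-SHA-1, and prints the mechanisms each version attempts. `Mech`, `AuthFailed`, `MockServer`, `connect`, `legacyWhen` and `run` are hypothetical names made up for this example.

```d
import std.algorithm : canFind;
import std.format : format;
import std.stdio : writefln;

// Local stand-ins for this example; they are not vibe.d's own types.
enum Mech { none, mongoDBCR, scramSHA1 }
class AuthFailed : Exception { this(string msg) { super(msg); } }

// Mock server: accepts only the listed mechanisms and records each attempt.
struct MockServer
{
	Mech[] accepted, attempts;
	void auth(Mech m)
	{
		attempts ~= m;
		if (!accepted.canFind(m))
			throw new AuthFailed("Authentication failed");
	}
}

// `legacyWhen` is the value the dispatch compares the setting against:
// `none` in the first snippet quoted above, `mongoDBCR` in the proposed one.
void connect(ref MockServer s, Mech configured, Mech legacyWhen)
{
	if (configured == legacyWhen)
		s.auth(Mech.mongoDBCR);
	else
	{
		try s.auth(Mech.scramSHA1);
		catch (AuthFailed e) s.auth(Mech.mongoDBCR); // silent retry with the older mechanism
	}
}

// Constructed scenario: the user only has SCRAM-SHA-1 credentials on the server.
string run(Mech configured, Mech legacyWhen)
{
	auto s = MockServer([Mech.scramSHA1]);
	try connect(s, configured, legacyWhen);
	catch (AuthFailed e) return format("%s -> FAILED", s.attempts);
	return format("%s -> ok", s.attempts);
}

void main()
{
	foreach (configured; [Mech.none, Mech.scramSHA1, Mech.mongoDBCR])
		writefln("authMechanism=%s | check for none: %s | check for mongoDBCR: %s",
			configured, run(configured, Mech.none), run(configured, Mech.mongoDBCR));
}
```

The `authMechanism=mongoDBCR` row is the one to look at when auditing a deployment: with the `none` comparison an explicit MONGODB-CR setting still goes through the SCRAM-SHA-1 branch first, and in both versions a failed SCRAM-SHA-1 attempt is followed by a MONGODB-CR attempt without the caller being told.
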
Contributor

wilzbach commented Jan 10, 2018

@ahmetsait I just submitted your suggestion -> #2027

Did you manage to get it to work on your machine?
Does 0.8.2 still not work for you?

ahmetsait commented Jan 10, 2018

@wilzbach As far as I remember, it works with the change I suggested but I don't use mongodb and I don't have mongodb installed anymore (I don't feel like messing with it again) so I don't want to re-check it all over again unless you absolutely want me to.

Nevertheless, LGTM :)
