MongoDB version 3.0+ uses SCRAM-SHA-1 as default auth mechanism #1967

Closed
ahmetsait opened this issue Oct 28, 2017 · 8 comments

@ahmetsait

MongoDB Documentation:

Changed in version 3.0: New challenge-response users created in 3.0 will use SCRAM-SHA-1. If using 2.6 user data, MongoDB 3.0 will continue to use MONGODB-CR.

I realized this after enabling authentication on my mongod config because using mongodb://user:password@host/database as connection url kept failing. I had to specify auth mechanism like so: mongodb://user:password@host/database?authMechanism=SCRAM-SHA-1

So I guess the default auth mechanism should be determined according to MongoDB version.

Also, error messages can use some improvements (at least error codes instead of just "Authentication failed" message).

@dariusc93
Contributor

I believe this was mentioned a few times in other issues.

@wilzbach
Member

wilzbach commented Dec 6, 2017

What Vibe.d version were you using? This has been fixed a couple of months ago: #1843 (part of v0.8.1)

@ahmetsait
Author

I'm able to reproduce this with v0.8.1. My dub.selections file has vibe-d : "0.8.1" so seems like it's not me doing something wrong. Maybe it's actually patched in a later version?

@wilzbach
Member

wilzbach commented Dec 6, 2017

Hmm, the patch is included in v0.8.1 and I remember needing this patch for deploying something to Heroku.
Do you have time to simply check whether the try catch of the patch is part of your vibe.d copy and maybe even insert a line to catch the exception?

@ahmetsait
Author

ahmetsait commented Dec 6, 2017

Okay, so looking at the code:

if (m_settings.authMechanism == MongoAuthMechanism.none)
	authenticate();
else
{
	try
		scramAuthenticate();
	catch (MongoAuthException e)
		authenticate();
}

This doesn't make sense. The only place that ever modifies m_settings.authMechanism is the parseAuthMechanism() function, which is used inside the parseMongoDBUrl() function, therefore m_settings.authMechanism stays as MongoAuthMechanism.none unless we explicitly specify it in the connection url. I think it should check for mongoDBCR instead of "none":

if (m_settings.authMechanism == MongoAuthMechanism.mongoDBCR)
	authenticate(); //use old mechanism if explicitly stated
else
{
	try
		scramAuthenticate(); //scram-sha-1 is default in version v3.0+
	catch (MongoAuthException e)
		authenticate(); //fall back if scram-sha-1 fails
}
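
Added example, not part of the comment above or of vibe.d: a stand-alone D model of the two selection strategies that comment compares, run against a user that has only SCRAM-SHA-1 credentials and one that has only MONGODB-CR credentials. `ServerUser`, `attempts`, `run` and the stub bodies are hypothetical; only the two if/else blocks follow the quoted code.

```d
// Added illustration, not vibe.d source: ServerUser, attempts, run and the stub
// bodies are hypothetical; only the two if/else blocks mirror the quoted code.
import std.stdio;

enum MongoAuthMechanism { none, scramSHA1, mongoDBCR }
class MongoAuthException : Exception { this(string msg) { super(msg); } }

// Constructed server model: which credential types are stored for the user.
struct ServerUser { bool scram; bool cr; }
string[] attempts; // mechanisms tried, in order

void scramAuthenticate(ServerUser u)
{
	attempts ~= "SCRAM-SHA-1";
	if (!u.scram) throw new MongoAuthException("Authentication failed");
}
void authenticate(ServerUser u)
{
	attempts ~= "MONGODB-CR";
	if (!u.cr) throw new MongoAuthException("Authentication failed");
}

// Quoted v0.8.1 logic: no authMechanism in the URL means MONGODB-CR only.
void original(MongoAuthMechanism m, ServerUser u)
{
	if (m == MongoAuthMechanism.none) authenticate(u);
	else { try scramAuthenticate(u); catch (MongoAuthException e) authenticate(u); }
}
// Suggested logic: SCRAM-SHA-1 first unless MONGODB-CR was requested explicitly.
void suggested(MongoAuthMechanism m, ServerUser u)
{
	if (m == MongoAuthMechanism.mongoDBCR) authenticate(u);
	else { try scramAuthenticate(u); catch (MongoAuthException e) authenticate(u); }
}

string run(alias connect)(MongoAuthMechanism m, ServerUser u)
{
	attempts = null;
	try connect(m, u);
	catch (MongoAuthException e) return "failed";
	return "ok";
}

void main()
{
	auto user30 = ServerUser(true, false); // constructed: user created on 3.0+
	auto user26 = ServerUser(false, true); // constructed: migrated 2.6 user data
	writeln("original,  none,  3.0 user: ", run!original(MongoAuthMechanism.none, user30), " ", attempts);
	writeln("suggested, none,  3.0 user: ", run!suggested(MongoAuthMechanism.none, user30), " ", attempts);
	writeln("suggested, SCRAM, 2.6 user: ", run!suggested(MongoAuthMechanism.scramSHA1, user26), " ", attempts);
}
```

The first line reproduces the failure reported in this issue. The last line shows that, in both variants, an explicit SCRAM-SHA-1 setting still ends with a MONGODB-CR attempt when SCRAM fails, which is worth knowing when auditing which mechanisms a client will try.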

@wilzbach
Member

@ahmetsait I just submitted your suggestion -> #2027

Did you manage to get it to work on your machine?
Does 0.8.2 still not work for you?

@ahmetsait
Author

@wilzbach As far as I remember, it works with the change I suggested but I don't use mongodb and I don't have mongodb installed anymore (I don't feel like messing with it again) so I don't want to re-check it all over again unless you absolutely want me to.

Nevertheless, LGTM :)

@ahmetsait
Author

Closing it since #2027 is merged. The old mechanism is also no longer available:

MongoDB Documentation:

Starting in version 4.0, MongoDB removes support for the deprecated MongoDB Challenge-Response (MONGODB-CR) authentication mechanism.
