Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upSupport MySQL 8 Authentication #2233
Conversation
nwoltman
force-pushed the
nwoltman:caching-sha2-password
branch
from
41f01c5
to
1044a14
This comment has been hidden.
This comment has been hidden.
|
This PR came in a bit before I took some time off. I am spending this weekend to get items on this module in place, though. I hope that helps. Now that the original PR has been rebased and CI is all passing, just need to do a quick review and then we can have a new version out here soon. |
|
An update to what I said above (since there are some thumbs ups): I'm currently dealing with some fallout where GitHub is flagging a module as a security issue when it is not, which is causing many folks to open support requests I need to respond to. I have been trying to get GitHub to correct the detection, but have been unsuccessful in getting any response from them. I may end up having no choice but to spend the time to rework a module to get a dependency updated just to get the support requests to stop if GitHub does not correct their detection. This may end up using all my time this weekend, but I will keep posted here. I wanted to post an update so folks don't think I'm ignoring this pr/repo if I don't get to it, just there is a higher priority issue at hand. |
|
@dougwilson Thank for your work. I really appreciate it. |
|
@dougwilson this comes from a place of absolute understanding of how much awesome work you do - would it be helpful if other people tested this PR? |
|
Yes, that would be awesome! I was also thinking this weekend to spin out an actual beta package to npm with this as well to help even myself get it testing in qa. |
|
For what it’s worth we have been running a build using this PR fork in our beta branch for a few months now and so far not encountered an issue |
|
If there's anything we (Oracle/MySQL) can do to help please let us know. |
Oh that would be fab - we (Ghost) would definitely be able to dedicate a bit of time to testing that next week |
| throw err; | ||
| } | ||
|
|
||
| var stage1 = xor((Buffer.from(password + '\0', 'utf8')).toString('binary'), scramble.toString('binary')); |
sidorares
Oct 24, 2019
•
Member
this needs to be changed to rolling xor, otherwise it'll fail for password longer than 19 characters
See discussion at sidorares/node-mysql2#1044
this needs to be changed to rolling xor, otherwise it'll fail for password longer than 19 characters
See discussion at sidorares/node-mysql2#1044
dougwilson
Oct 24, 2019
Member
Yea, I've been working to fix this PR up over the past week and I did notice that long passwords didn't work on the new auth. There are a bunch of other little minor issues I've been finding as well. I didn't intend to list them out and was just intending to push up all the changes here then merge, but let me know if you think I should list them all out in addition to pushing up the fixes.
Yea, I've been working to fix this PR up over the past week and I did notice that long passwords didn't work on the new auth. There are a bunch of other little minor issues I've been finding as well. I didn't intend to list them out and was just intending to push up all the changes here then merge, but let me know if you think I should list them all out in addition to pushing up the fixes.
sidorares
Oct 24, 2019
Member
Note that mysql2 is using slightly different api for this. No config required, and if you need to use non-defaults you pass custom configured plugin as authPlugins: { caching_sha2_password: XXXX }. Should not be a big problems for user migrating both ways mysql<->mysql2
Note that mysql2 is using slightly different api for this. No config required, and if you need to use non-defaults you pass custom configured plugin as authPlugins: { caching_sha2_password: XXXX }. Should not be a big problems for user migrating both ways mysql<->mysql2
|
Hi any update to this? |
|
Hi @ahrib thanks for asking! Just earlier this year I released a minor update with a few things. It may very will be the last 2.x release. This is because I am organizing work for a 3.x line which will include this new auth methods from this pr. Look forward to an alpha or beta releasing soon! I have been getting the things resolved this week. Sorry for the extended "lul" in work here, but I'm committed to full stream to get many of these prs merged and released into a 3.0 early this year! |
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This is a rebase + update of @ruiquelhas's PR #1962.
One thing that has been changed from the original PR is that only MySQL 8.0.x has been added to integration tests rather than multiple RC versions of MySQL 8. It's been long enough that people are probably only using GA versions of MySQL 8 now.
Fixes #2002
Original PR Description
This patch accommodates some breaking changes introduced with MySQL 8.
Closes #1959
In a nutshell, the
caching_sha2_password plugin(which is used by default since MySQL 8.0.4) hashes the password using SHA-256 and, after a first successful authentication attempt, saves it in a cache. That first attempt needs to be done under one of two conditions. The client either uses SSL and sends the password as clear text or it encrypts the password using the RSA public key generated by the server. On any subsequent attempt, until the password is somehow removed from the cache or the server shuts down, these rules no longer apply.The handshake process remains unchanged when connecting to any server with version lower or equal to
8.0.3. Whereas for8.0.4or above, the process is now the following:ClientAuthenticationPacketwith a scramble computed using a SHA-256 hashPerformFullAuthenticationPacketOkPacketAuthSwitchResponsePacketto which the server replies with aOkPacketAuthMoreDataPacketClientAuthenticationPacketwith aFastAuthSuccessPacket(which basically just signals that anOkPacketwill follow)If the account is created using the
mysql_native_passwordauthentication plugin, the client will just fall back to the "traditional" process during the handshake, keeping compatibility, by default for any previously supported server version.MySQL 8.0.2 disables the
local_infileserver variable by default, which breaks a couple of integration tests. The tests were updated to enable the feature by themselves (something that does not have any effect on older server versions and allows the tests to pass with newer versions).Additionally, one of the integration tests was updated to avoid failing after the first run (using any server version) since it tried to create a table that already existed from the previous runs.