Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: Security
Fully Compatible
ALL

In authentication_commands.cpp we load a user object, copy its credentials, release it, and check whether the credentials match; if they do, we re-acquire the user object and add it to our list of authenticated users.
There is an (unlikely to hit) race here: if a client begins authenticating as a user, and while it is doing so that user is dropped and a new user with the same name but a different password and different privileges is added, the client authenticating with the credentials of the first user could wind up authenticating successfully as the second user.
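
The race described above, modelled as an added single-threaded example (not MongoDB's code): the `between` hook plays the concurrent drop and re-create, and `UserStore`, `authRacy`, `authPinned` and `scenario` are hypothetical names. `authPinned` shows one possible way to close the window and is an assumption; the ticket does not say how the fix was made.

```cpp
// Added illustration, single-threaded: all names are hypothetical, not MongoDB's API.
#include <functional>
#include <map>
#include <memory>
#include <optional>
#include <string>

struct User { std::string credential, role; };
using UserPtr = std::shared_ptr<const User>;
using Result = std::optional<std::string>;  // granted role, empty on failure
using Hook = std::function<void()>;         // stands in for the concurrent drop/re-create
struct UserStore {
    std::map<std::string, UserPtr> users;
    UserPtr acquire(const std::string& n) const {
        auto it = users.find(n);
        return it == users.end() ? UserPtr{} : it->second;
    }
    void put(const std::string& n, const User& u) { users[n] = std::make_shared<User>(u); }
};

// Shape described in the ticket: copy credentials, release, check, re-acquire by name.
Result authRacy(const UserStore& s, const std::string& n, const std::string& pw, const Hook& between) {
    std::string stored;
    {
        UserPtr u = s.acquire(n);
        if (!u) return std::nullopt;
        stored = u->credential;  // copy; the object is released at end of scope
    }
    if (pw != stored) return std::nullopt;  // plain compare, for brevity only
    between();                              // window: user dropped and re-created
    UserPtr now = s.acquire(n);             // whoever owns the name now
    if (!now) return std::nullopt;
    return now->role;
}
// One way to close the window: grant only the checked object; fail closed if replaced.
Result authPinned(const UserStore& s, const std::string& n, const std::string& pw, const Hook& between) {
    UserPtr u = s.acquire(n);
    if (!u || u->credential != pw) return std::nullopt;
    between();
    if (s.acquire(n) != u) return std::nullopt;
    return u->role;
}
// Constructed scenario: "alice" is replaced mid-authentication when race is true.
Result scenario(bool pinned, bool race) {
    UserStore s;
    s.put("alice", {"old-secret", "read"});
    auto swap = [&] { if (race) s.put("alice", {"new-secret", "admin"}); };
    return (pinned ? authPinned : authRacy)(s, "alice", "old-secret", swap);
}
```

With the swap active, `authRacy` returns the replacement user's role for the old password, while `authPinned` rejects the attempt.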