[CDRIVER-2676] mongoc_database_add_user must not send hashed password Created: 31/May/18 Updated: 28/Oct/23 Resolved: 06/Jun/18 |
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.11.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Kevin Albertson | Assignee: | Evgeni Dobranov |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Description |
The function mongoc_database_add_user is a C driver helper to construct a createUser command. Currently it does not send the correct form of the pwd field for MongoDB 4.0.

The createUser command allows two ways to specify the password. The field pwd can be a plaintext password. Example in mongo shell (assuming mongod is running with --auth):

Or pwd can be the result of an MD5 hash of the form:

and digestPassword must be set to false.

In MongoDB 4.0, we authenticate using a new, more secure authentication mechanism, SCRAM-SHA-256. When creating a user with SCRAM-SHA-256 credentials, MongoDB 4.0 no longer allows specifying the password in a hashed form, and will return an error. Unfortunately, mongoc_database_add_user does send pwd using the hashed form of the password, so currently this function always returns an error when connected to a MongoDB 4.0 server.

Instead, we must do the simpler thing: send the plaintext password and omit the digestPassword field. Then, update the docs page for mongoc_database_add_user to warn the user to only call this method if the driver is using TLS. Then, update places in our tests which should be using mongoc_database_add_user but aren't: here and here.
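The two createUser shapes this ticket contrasts, and the guard a driver could apply before sending one, as an added example that is not C driver code: Python dicts stand in for the BSON command document, the 4.0 default mechanism list and the version/mechanism rule are assumptions drawn from the description, and the check also covers a command that names its mechanisms explicitly.

```python
from typing import Any

# Assumed default mechanisms a 4.0 server assigns to a new user (assumption).
DEFAULT_MECHS_40 = ["SCRAM-SHA-1", "SCRAM-SHA-256"]


def build_create_user_command(user: str, password: str, roles: list[Any]) -> dict[str, Any]:
    """Post-fix shape: plaintext pwd, digestPassword omitted (the server digests it)."""
    return {"createUser": user, "pwd": password, "roles": roles}


def legacy_create_user_command(user: str, pwd_digest: str, roles: list[Any]) -> dict[str, Any]:
    """Pre-fix shape: pwd already hashed by the client, so digestPassword=false."""
    return {"createUser": user, "pwd": pwd_digest, "digestPassword": False, "roles": roles}


def check_create_user_command(cmd: dict[str, Any], server: tuple[int, int], tls: bool) -> list[str]:
    """Problems a client-side guard would report before sending `cmd`.

    Mirrors the ticket: a 4.0 server refuses a pre-hashed pwd when the user gets
    SCRAM-SHA-256 credentials, and a plaintext pwd should only travel over TLS.
    """
    problems: list[str] = []
    pre_hashed = cmd.get("digestPassword") is False
    # Explicit mechanisms win; otherwise assume the server's default for its version.
    mechs = cmd.get("mechanisms", DEFAULT_MECHS_40 if server >= (4, 0) else ["SCRAM-SHA-1"])
    if pre_hashed and server >= (4, 0) and "SCRAM-SHA-256" in mechs:
        problems.append("server >= 4.0 rejects digestPassword=false for SCRAM-SHA-256 users")
    if not pre_hashed and not tls:
        problems.append("plaintext pwd would be sent without TLS")
    return problems


if __name__ == "__main__":
    roles = [{"role": "readWrite", "db": "test"}]          # constructed sample roles
    fixed = build_create_user_command("alice", "correct horse", roles)
    legacy = legacy_create_user_command("alice", "<hex digest placeholder>", roles)
    for name, cmd in (("fixed", fixed), ("legacy", legacy)):
        print(name, check_create_user_command(cmd, (4, 0), tls=True))
```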
| Comments |
| Comment by Githook User [ 06/Jun/18 ] |
Author: {'username': 'edobranov', 'name': 'Evgeni Dobranov', 'email': 'evobranov@gmail.com'}Message: |