[CDRIVER-2676] mongoc_database_add_user must not send hashed password Created: 31/May/18  Updated: 28/Oct/23  Resolved: 06/Jun/18

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.11.0

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Evgeni Dobranov
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible

Description

The function mongoc_database_add_user is a C driver helper that constructs and sends a createUser command. Currently it does not send the pwd field in a form that MongoDB 4.0 accepts.

The createUser command allows two ways to specify the password:

The field pwd can be a plaintext password. Example in mongo shell (assuming mongod is running with --auth):

db.runCommand ( {createUser: "username", pwd: "plaintext_password", roles: [ { role: "root", db: "admin" } ] })

Or pwd can be a client-side digest: the hex-encoded MD5 of the string

md5(username + ":mongo:" + password)

in which case digestPassword must be set to false so the server stores the digest instead of hashing the value again.

MongoDB 4.0 adds a new, more secure authentication mechanism, SCRAM-SHA-256. When creating a user with SCRAM-SHA-256 credentials, MongoDB 4.0 no longer allows the password to be supplied in the hashed form and returns an error: the server must derive the SCRAM-SHA-256 credentials from the plaintext password itself, which it cannot do from an MD5 digest.

Unfortunately, mongoc_database_add_user sends pwd in the hashed form, so this function currently always fails when connected to a MongoDB 4.0 server. Instead, we must do the simpler thing: send the plaintext password and omit the digestPassword field entirely.

Then, update the docs page for mongoc_database_add_user to warn the user to only call this method if the driver is using TLS, since the plaintext password now travels inside the command.

Then, update places in our tests which should be using mongoc_database_add_user but aren't: here and here.
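The following is an added example, not code from the C driver or this ticket, that builds the two pwd forms described above and shows which one the 4.0 behaviour described in this ticket accepts. The command is modelled as a plain dict standing in for BSON, and mongodb_4_0_accepts is a constructed stand-in for the server-side check the ticket describes, not server code.

```python
"""Added example (not mongo-c-driver code): the two createUser password forms
from CDRIVER-2676 and a model of the MongoDB 4.0 acceptance rule."""
import hashlib


def legacy_digest(username: str, password: str) -> str:
    """Client-side digest used with digestPassword: false, i.e. the
    hex-encoded MD5 of username + ":mongo:" + password."""
    data = f"{username}:{'mongo'}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def build_create_user(username, password, roles, digest_client_side):
    """Return a createUser command document as a dict (stand-in for BSON).

    digest_client_side=True reproduces the form add_user sent before the fix:
    pwd carries the MD5 digest and digestPassword is false.
    digest_client_side=False is the fixed form: pwd carries the plaintext
    password and digestPassword is omitted so the server digests it itself.
    """
    cmd = {"createUser": username}
    if digest_client_side:
        cmd["pwd"] = legacy_digest(username, password)
        cmd["digestPassword"] = False
    else:
        cmd["pwd"] = password  # plaintext: only send this over TLS
    cmd["roles"] = roles
    return cmd


def mongodb_4_0_accepts(cmd):
    """Constructed model of the rule the ticket describes (not server code):
    when creating SCRAM-SHA-256 credentials, MongoDB 4.0 rejects a
    pre-hashed password, so digestPassword: false is an error. The server
    default for digestPassword is true, hence a missing field is accepted."""
    return cmd.get("digestPassword", True) is not False


if __name__ == "__main__":
    # Constructed sample input, matching the mongo shell example in the ticket.
    roles = [{"role": "root", "db": "admin"}]
    before = build_create_user("username", "plaintext_password", roles, True)
    after = build_create_user("username", "plaintext_password", roles, False)
    print("pre-fix command :", before, "->", mongodb_4_0_accepts(before))
    print("post-fix command:", after, "->", mongodb_4_0_accepts(after))
```

The fixed form is exactly what the ticket asks for: the password goes into pwd unchanged and no digestPassword key is emitted, so the server's default (digest on the server side) applies. Because the plaintext now crosses the wire, the caller must ensure the connection uses TLS before invoking the helper.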



Comments
Comment by Githook User [ 06/Jun/18 ]

Author: Evgeni Dobranov (edobranov) <evobranov@gmail.com>

Message: CDRIVER-2676 fix add_user to omit hashed password
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/eb157380a965ae1ba26dd1e60f5d1bd3f5a82a3c

Generated at Wed Feb 07 21:15:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.