allow to use arbitrary plugin as first auth method #560
thinking about merging plugin auth and auth switch. Maybe api like this:

```js
const mysql2 = require('mysql2');
const pool = mysql2.createPool({
  authPlugins: {
    // probably going to be included by default. You should be able to disable it
    // by specifying authPlugins: { sha256_password: null }
    sha256_password: (data, cb) => { /* ... */ },
    // not enabled by default but included with driver and documented
    mysql_clear_password: mysql2.authPlugins.mysql_clear_password(validateFunction),
  },
  // better name for this option? "defaultPlugin"? "initialConnectionPlugin"?
  // this is plugin name sent with initial connection (also handler executed at connection time
  // and result of the handler included with initial connection)
  // error if name does not match authPlugins keys (or built-in plugins).
  // Default to "mysql_native_password" if not specified
  connectAuthPluginName: 'mysql_native_password', // not used if server does not support PLUGIN_AUTH
  // should it error if specified and no server support for PLUGIN_AUTH?
  // some way to handle dynamic plugin names? currently possible with authSwitchHandler but I want to deprecate it
});
```
defaultAuthPlugin sounds like a good name to me. An auth plugin should likely be able to write its own kinds of packets though, or at least find some way for the plugin/function to return the next handler for the command. Considering how the caching_sha2 one appears to want a response to the full authentication request and there is also the fast auth path (https://dev.mysql.com/doc/dev/mysql-server/8.0.4/page_caching_sha2_authentication_exchanges.html), you'd want the plugin to handle all success responses until it says it is done (return null).

I think it's ok to assume plugin is only able to send data or null, afaik it's never allowed to send any other packet than

I think function that returns the next handler is fine. You as the middle man don't care for state, only what comes next. If I write a plugin then I'll worry about state on my side and know only to return to you what should be called next. Object is fine too, but then you have to figure out how to structure the methods it should call, right? Not too big a fan, but done right it will work.

Is this stable? Is there a better example? My use case is AWS RDS IAM tokens.
I believe new plugin auth api is stable. Currently connection is always started with

Good example in the answer here: https://stackoverflow.com/a/60013378/705115 (I'll copy it here as well with some minor changes)

```js
const mysql = require('mysql2');
// Assumed here (the original snippet only references `signer`): aws-sdk v2's RDS.Signer,
// which builds the short-lived IAM auth token used as the password.
const AWS = require('aws-sdk');
const signer = new AWS.RDS.Signer();

// mysql2 instantiates the plugin once per connection with { connection, command },
// then calls the returned function with the auth data the server sent.
const iamTokenPlugin = ({ connection, command }) => (authPluginDataFromServer) => {
  return signer.getAuthToken({
    region: '...',
    hostname: '...',
    port: '...',
    username: '...'
  });
};

mysql.createPool({
  // ... host, user, database, etc.
  ssl: 'Amazon RDS',
  authPlugins: {
    mysql_clear_password: iamTokenPlugin
  }
});
```

The reason plugin has … see how plugin is "instantiated" here:
node-mysql2/lib/commands/auth_switch.js, line 50 in ebc2cb4
node-mysql2/lib/commands/auth_switch.js, lines 79 to 82 in ebc2cb4

See mysql AuthSwitch docs here - https://dev.mysql.com/doc/internals/en/connection-phase-packets.html#packet-Protocol::AuthSwitchRequest
Amazon has been planning for some time to change their certificates for TLS to RDS, at least for MySQL. If your RDS server has been upgraded (which Amazon will do in June 2020), when attempting IAM token login, you will get the error:

Error: 139965154551680:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1929:

If you use NodeJS 12 or lower, start node with --tls-min-v1.0

@sidorares I am trying to use this with AWS RDS IAM and when I execute it the error that is returned is

@silverbullettruck2001: Provide a function to mysql_clear_password. See the comment above from Feb 20 2020.

@terrisgit Here is what I put together. I am trying to avoid using the

@sidorares @terrisgit I made some progress, but still not working... It now errors with: Here's my latest code:

@silverbullettruck2001 please see this mysql2 helper package that supports AWS RDS passwordless connections. Pooling is optional. https://www.npmjs.com/package/@goodware/mysql

@terrisgit I reviewed this helper package, but it also implements
currently only allowed connect method initially is mysql_native_password. Some servers can potentially prefer to start with custom auth immediately, instead of rejecting mysql_native_password and doing AUTH_SWITCH_HANDLER sequence afterwards. Also some servers can be configured to allow 'plugin based auth' but not 'auth switch request' - those are two different capabilities flags

authSwitchHandler and rename it to be authPluginHandler
mysql_native_password

also need to think of something to make it easy to chain handlers:
ref http://stackoverflow.com/questions/43448563/connecting-to-mariadb-with-nodejs-over-ssl-with-clear-text-password/43450396#43450396