Fix caching_sha2_password authentication for MySQL 8.0.5+ #173
## Problem

Connection authentication was failing for `caching_sha2_password` when credentials weren't cached on the MySQL server. This particularly affected connection pools and initial connections after `FLUSH PRIVILEGES`.

Error observed:
## Root Cause

MySQL 8.0.5 introduced an incompatible change in RSA encryption for `caching_sha2_password` authentication:

- `RSA_PKCS1_PADDING`
- `RSA_PKCS1_OAEP_PADDING`

Reference: MySQL Blog - Preparing your Community Connector for MySQL 8 – part 2 – SHA256

The current implementation was using RSA-OAEP with SHA-256, but empirical testing revealed that MySQL 8.0.5+ expects SHA-1 for the OAEP padding scheme.
## Solution

### Changes Made

- `caching_sha2_password` authentication

## Important Notes
### SHA-1 Usage Clarification

**Note:** While SHA-1 is generally deprecated for cryptographic purposes, its use here is specific to MySQL's RSA-OAEP implementation for `caching_sha2_password` authentication. This is not the hash algorithm used for password storage (which remains SHA-256), but rather the hash used in the RSA-OAEP padding scheme for secure password transmission.

**Missing Documentation:** MySQL's official documentation does not explicitly specify SHA-1 usage in RSA-OAEP for `caching_sha2_password`. This implementation choice was determined through empirical testing:

- `Access denied` errors

The discrepancy between documented behavior and actual implementation suggests this may be an undocumented implementation detail in MySQL 8.0.5+.
### Authentication Flow Context

MySQL `caching_sha2_password` has two authentication phases:

- (`src/auth.ts:22-24`)

This fix only affects the RSA encryption phase when credentials are not cached.
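The following is an added example illustrating the Root Cause and Authentication Flow sections above; it is not code from this PR or from the project. It simulates the "full authentication" step of `caching_sha2_password` locally in TypeScript using Node's `crypto` module: the client XORs the NUL-terminated password with the server's 20-byte nonce, RSA-encrypts the result with OAEP, and a simulated server decrypts it with the private key. The OAEP hash is a parameter so the SHA-256 vs SHA-1 mismatch the PR describes can be reproduced offline (the wrong hash makes the server-side decryption fail, which is what surfaces as an access-denied error). The function names (`scramblePassword`, `encryptForServer`, `serverRecoverPassword`, `simulateFullAuth`), the generated key pair and the random nonce are all constructed for this example.

```typescript
import * as crypto from "crypto";

// XOR the NUL-terminated password with the nonce the server sent in its
// handshake, byte i of the password against byte (i mod nonce.length) of
// the nonce. This is the plaintext that gets RSA-encrypted.
export function scramblePassword(password: string, nonce: Buffer): Buffer {
  const plain = Buffer.concat([Buffer.from(password, "utf8"), Buffer.from([0])]);
  const out = Buffer.alloc(plain.length);
  for (let i = 0; i < plain.length; i++) {
    out[i] = plain[i] ^ nonce[i % nonce.length];
  }
  return out;
}

// Client side: encrypt the scrambled password with the server's RSA public
// key using PKCS#1 OAEP. The oaepHash parameter is the setting this PR
// changes from "sha256" to "sha1"; "sha1" is what the server expects.
export function encryptForServer(
  password: string,
  nonce: Buffer,
  serverPublicKeyPem: string,
  oaepHash: string = "sha1",
): Buffer {
  return crypto.publicEncrypt(
    { key: serverPublicKeyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash },
    scramblePassword(password, nonce),
  );
}

// Simulated server side (constructed here so the example runs offline):
// decrypt with the private key using OAEP/SHA-1, undo the XOR and strip the
// NUL terminator. privateDecrypt throws when the OAEP hash does not match.
export function serverRecoverPassword(
  ciphertext: Buffer,
  nonce: Buffer,
  serverPrivateKeyPem: string,
): string {
  const scrambled = crypto.privateDecrypt(
    { key: serverPrivateKeyPem, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha1" },
    ciphertext,
  );
  const plain = Buffer.alloc(scrambled.length);
  for (let i = 0; i < scrambled.length; i++) {
    plain[i] = scrambled[i] ^ nonce[i % nonce.length];
  }
  return plain.subarray(0, plain.length - 1).toString("utf8");
}

// Run one full-authentication exchange with a freshly generated key pair and
// a random 20-byte nonce. Returns true when the server recovers the password
// (authentication succeeds) and false when the client's OAEP hash choice
// makes the server-side decryption fail.
export function simulateFullAuth(password: string, clientOaepHash: string): boolean {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  const nonce = crypto.randomBytes(20); // constructed server nonce
  const ciphertext = encryptForServer(password, nonce, publicKey, clientOaepHash);
  try {
    return serverRecoverPassword(ciphertext, nonce, privateKey) === password;
  } catch {
    return false; // OAEP decoding error: hash mismatch between client and server
  }
}

console.log("sha1 OAEP:", simulateFullAuth("s3cret", "sha1"));
console.log("sha256 OAEP:", simulateFullAuth("s3cret", "sha256"));
```

Node's `publicEncrypt` defaults `oaepHash` to `"sha1"` when the option is omitted, which is why connectors that never set it work against MySQL 8.0.5+; the regression comes from explicitly passing `"sha256"`.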
## Testing & Verification

### Test Environment

- `caching_sha2_password` (default for MySQL 8.0+)

### Comprehensive Testing

- `Access denied`
- `Access denied`
### Test Coverage

New tests added to verify the fix:

- `testCreateUserWithCachingSha2Password` - Creates test user with `caching_sha2_password`
- `testCachingSha2PasswordAuthenticateRoot` - Clears authentication cache with `FLUSH PRIVILEGES`
- `testCachingSha2PasswordWithClearCache` - Core test: Authenticates after cache clear (forces RSA encryption)
- `testDropUserWithCachingSha2Password` - Cleanup

The cache clearing test specifically forces the RSA encryption code path, ensuring the fix is properly validated.