mysqljs · elemount · Jul 20, 2017 · Aug 30, 2017 · dougwilson · Aug 10, 2017
diff --git a/Readme.md b/Readme.md
@@ -1324,6 +1324,7 @@ The following flags are sent by default on a new connection:
 - `RESERVED` - Old flag for the 4.1 protocol.
 - `SECURE_CONNECTION` - Support native 4.1 authentication.
 - `TRANSACTIONS` - Asks for the transaction status flags.
+- `PLUGIN_AUTH` - Support basic auth plugin protocol, including plugin `mysql_native_password` and `mysql_old_password`.
 
 In addition, the following flag will be sent if the option `multipleStatements`
 is set to `true`:
@@ -1339,7 +1340,6 @@ available to specify.
 - COMPRESS
 - INTERACTIVE
 - NO_SCHEMA
-- PLUGIN_AUTH
 - REMEMBER_OPTIONS
 - SSL
 - SSL_VERIFY_SERVER_CERT

diff --git a/lib/ConnectionConfig.js b/lib/ConnectionConfig.js
@@ -106,7 +106,7 @@ ConnectionConfig.getDefaultFlags = function getDefaultFlags(options) {
     '+LONG_PASSWORD',     // Use the improved version of Old Password Authentication
     '+MULTI_RESULTS',     // Can handle multiple resultsets for COM_QUERY
     '+ODBC',              // Special handling of ODBC behaviour
-    '-PLUGIN_AUTH',       // Does *NOT* support auth plugins
+    '+PLUGIN_AUTH',       // Support basic auth plugins, including mysql_native_method and mysql_old_password
     '+PROTOCOL_41',       // Uses the 4.1 protocol
     '+PS_MULTI_RESULTS',  // Can handle multiple resultsets for COM_STMT_EXECUTE
     '+RESERVED',          // Unused

diff --git a/lib/Pool.js b/lib/Pool.js
@@ -112,7 +112,9 @@ Pool.prototype.acquireConnection = function acquireConnection(connection, cb) {
 
   if (changeUser) {
     // restore user back to pool configuration
+    var previousClientPluginAuth = connection.config.clientPluginAuth;
     connection.config = this.config.newConnectionConfig();
+    connection.config.clientPluginAuth = previousClientPluginAuth;
     connection.changeUser({timeout: this.config.acquireTimeout}, onOperationComplete);
   } else {
     // ping connection

diff --git a/lib/protocol/Auth.js b/lib/protocol/Auth.js
@@ -150,3 +150,19 @@ Auth.int32Read = function(buffer, offset){
        + (buffer[offset + 2] << 8)
        + (buffer[offset + 3]);
 };
+
+Auth.tokenByPlugin = function(pluginName, pluginData, password) {
+  switch (pluginName) {
+    case 'mysql_native_password':
+      // mysql_native_password only need first 20 bytes scramble.
+      return this.token(password, pluginData.slice(0, 20));
+    case 'mysql_old_password':
+      // mysql_old_password only need first 8 bytes scramble.
+      return this.scramble323(pluginData.slice(0, 8), password);
+    default:
+      var err   = new Error('The auth plugin: ' + pluginName + ' is not supported by this client driver.');
+      err.code  = 'UNSUPPORTED_AUTH_PLUGIN';
+      err.fatal = true;
+      throw err;
+  }
+};
diff --git a/lib/protocol/Parser.js b/lib/protocol/Parser.js
@@ -309,6 +309,11 @@ Parser.prototype._nullByteOffset = function() {
   return offset;
 };
 
+Parser.prototype.parsePacketTerminatedBuffer = function() {
+  var length = this._packetEnd - this._offset;
+  return this.parseBuffer(length);
+};
+
 Parser.prototype.parsePacketTerminatedString = function() {
   var length = this._packetEnd - this._offset;
   return this.parseString(length);

diff --git a/lib/protocol/packets/AuthSwitchPacket.js b/lib/protocol/packets/AuthSwitchPacket.js
@@ -0,0 +1,13 @@
+module.exports = AuthSwitchPacket;
+function AuthSwitchPacket(options) {
+  options = options || {};
+  this.scrambleBuff = options.scrambleBuff;
+}
+
+AuthSwitchPacket.prototype.parse = function(parser) {
+  this.scrambleBuff = parser.parsePacketTerminatedBuffer();
+};
+
+AuthSwitchPacket.prototype.write = function(writer) {
+  writer.writeBuffer(this.scrambleBuff);
+};
diff --git a/lib/protocol/packets/ClientAuthenticationPacket.js b/lib/protocol/packets/ClientAuthenticationPacket.js
@@ -4,14 +4,16 @@ module.exports = ClientAuthenticationPacket;
 function ClientAuthenticationPacket(options) {
   options = options || {};
 
-  this.clientFlags   = options.clientFlags;
-  this.maxPacketSize = options.maxPacketSize;
-  this.charsetNumber = options.charsetNumber;
-  this.filler        = undefined;
-  this.user          = options.user;
-  this.scrambleBuff  = options.scrambleBuff;
-  this.database      = options.database;
-  this.protocol41    = options.protocol41;
+  this.clientFlags      = options.clientFlags;
+  this.maxPacketSize    = options.maxPacketSize;
+  this.charsetNumber    = options.charsetNumber;
+  this.filler           = undefined;
+  this.user             = options.user;
+  this.scrambleBuff     = options.scrambleBuff;
+  this.database         = options.database;
+  this.protocol41       = options.protocol41;
+  this.clientPluginAuth = options.clientPluginAuth;
+  this.authPluginName   = options.authPluginName;
 }
 
 ClientAuthenticationPacket.prototype.parse = function(parser) {
@@ -23,6 +25,9 @@ ClientAuthenticationPacket.prototype.parse = function(parser) {
     this.user          = parser.parseNullTerminatedString();
     this.scrambleBuff  = parser.parseLengthCodedBuffer();
     this.database      = parser.parseNullTerminatedString();
+    if (this.clientPluginAuth) {
+      this.authPluginName = parser.parseNullTerminatedString();
+    }
   } else {
     this.clientFlags   = parser.parseUnsignedNumber(2);
     this.maxPacketSize = parser.parseUnsignedNumber(3);
@@ -41,6 +46,9 @@ ClientAuthenticationPacket.prototype.write = function(writer) {
     writer.writeNullTerminatedString(this.user);
     writer.writeLengthCodedBuffer(this.scrambleBuff);
     writer.writeNullTerminatedString(this.database);
+    if (this.clientPluginAuth) {
+      writer.writeNullTerminatedString(this.authPluginName);
+    }
   } else {
     writer.writeUnsignedNumber(2, this.clientFlags);
     writer.writeUnsignedNumber(3, this.maxPacketSize);

diff --git a/lib/protocol/packets/ComChangeUserPacket.js b/lib/protocol/packets/ComChangeUserPacket.js
@@ -2,19 +2,26 @@ module.exports = ComChangeUserPacket;
 function ComChangeUserPacket(options) {
   options = options || {};
 
-  this.command       = 0x11;
-  this.user          = options.user;
-  this.scrambleBuff  = options.scrambleBuff;
-  this.database      = options.database;
-  this.charsetNumber = options.charsetNumber;
+  this.command          = 0x11;
+  this.user             = options.user;
+  this.scrambleBuff     = options.scrambleBuff;
+  this.database         = options.database;
+  this.charsetNumber    = options.charsetNumber;
+  this.clientPluginAuth = options.clientPluginAuth;
+  this.authPluginName   = options.authPluginName;
 }
 
 ComChangeUserPacket.prototype.parse = function(parser) {
   this.command       = parser.parseUnsignedNumber(1);
   this.user          = parser.parseNullTerminatedString();
   this.scrambleBuff  = parser.parseLengthCodedBuffer();
   this.database      = parser.parseNullTerminatedString();
-  this.charsetNumber = parser.parseUnsignedNumber(1);
+  if (!parser.reachedPacketEnd()) {
+    this.charsetNumber = parser.parseUnsignedNumber(2);
+    if (this.clientPluginAuth === true) {
+      this.authPluginName = parser.parseNullTerminatedString();
+    }
+  }
 };
 
 ComChangeUserPacket.prototype.write = function(writer) {
@@ -23,4 +30,7 @@ ComChangeUserPacket.prototype.write = function(writer) {
   writer.writeLengthCodedBuffer(this.scrambleBuff);
   writer.writeNullTerminatedString(this.database);
   writer.writeUnsignedNumber(2, this.charsetNumber);
+  if (this.clientPluginAuth) {
+    writer.writeNullTerminatedString(this.authPluginName);
+  }
 };
diff --git a/lib/protocol/packets/HandshakeInitializationPacket.js b/lib/protocol/packets/HandshakeInitializationPacket.js
@@ -20,11 +20,17 @@ function HandshakeInitializationPacket(options) {
   this.filler3             = options.filler3;
   this.pluginData          = options.pluginData;
   this.protocol41          = options.protocol41;
+  this.clientPluginAuth    = options.clientPluginAuth;
+  this.authPluginName      = options.authPluginName;
 
   if (this.protocol41) {
     // force set the bit in serverCapabilities1
     this.serverCapabilities1 |= Client.CLIENT_PROTOCOL_41;
   }
+
+  if (this.clientPluginAuth) {
+    this.serverCapabilities2 |= Client.CLIENT_PLUGIN_AUTH >> 16;
+  }
 }
 
 HandshakeInitializationPacket.prototype.parse = function(parser) {
@@ -38,16 +44,22 @@ HandshakeInitializationPacket.prototype.parse = function(parser) {
   this.serverStatus        = parser.parseUnsignedNumber(2);
 
   this.protocol41          = (this.serverCapabilities1 & (1 << 9)) > 0;
+  this.clientPluginAuth    = false;
 
   if (this.protocol41) {
     this.serverCapabilities2 = parser.parseUnsignedNumber(2);
+    this.clientPluginAuth    = (this.serverCapabilities2 & (1 << 3)) > 0;
     this.scrambleLength      = parser.parseUnsignedNumber(1);
     this.filler2             = parser.parseFiller(10);
     // scrambleBuff2 should be 0x00 terminated, but sphinx does not do this
     // so we assume scrambleBuff2 to be 12 byte and treat the next byte as a
     // filler byte.
-    this.scrambleBuff2       = parser.parseBuffer(12);
+    scrambleBuff2Length      = Math.max(12, this.scrambleLength - 9);
+    this.scrambleBuff2       = parser.parseBuffer(scrambleBuff2Length);
     this.filler3             = parser.parseFiller(1);
+    if (this.clientPluginAuth) {
+      this.authPluginName    = parser.parseNullTerminatedString();
+    }
   } else {
     this.filler2             = parser.parseFiller(13);
   }
@@ -80,8 +92,11 @@ HandshakeInitializationPacket.prototype.write = function(writer) {
     writer.writeUnsignedNumber(2, this.serverCapabilities2);
     writer.writeUnsignedNumber(1, this.scrambleLength);
     writer.writeFiller(10);
+    writer.writeNullTerminatedBuffer(this.scrambleBuff2);
+    if (this.clientPluginAuth) {
+      writer.writeNullTerminatedString(this.authPluginName);
+    }
   }
-  writer.writeNullTerminatedBuffer(this.scrambleBuff2);
 
   if (this.pluginData !== undefined) {
     writer.writeNullTerminatedString(this.pluginData);

diff --git a/lib/protocol/packets/UseAuthSwitchPacket.js b/lib/protocol/packets/UseAuthSwitchPacket.js
@@ -0,0 +1,19 @@
+module.exports = UseAuthSwitchPacket;
+function UseAuthSwitchPacket(options) {
+  options = options || {};
+  this.firstByte =  options.firstByte || 0xfe;
+  this.authPluginName = options.authPluginName || '';
+  this.authPluginData = options.authPluginData || '';
+}
+
+UseAuthSwitchPacket.prototype.parse = function(parser) {
+  this.firstByte = parser.parseUnsignedNumber(1);
+  this.authPluginName = parser.parseNullTerminatedString();
+  this.authPluginData = parser.parsePacketTerminatedBuffer();
+};
+
+UseAuthSwitchPacket.prototype.write = function(writer) {
+  writer.writeUnsignedNumber(1, this.firstByte);
+  writer.writeNullTerminatedString(this.authPluginName);
+  writer.writeBuffer(this.authPluginData);
+};
diff --git a/lib/protocol/packets/index.js b/lib/protocol/packets/index.js
@@ -1,3 +1,4 @@
+exports.AuthSwitchPacket = require('./AuthSwitchPacket');
 exports.ClientAuthenticationPacket = require('./ClientAuthenticationPacket');
 exports.ComChangeUserPacket = require('./ComChangeUserPacket');
 exports.ComPingPacket = require('./ComPingPacket');
@@ -17,4 +18,5 @@ exports.ResultSetHeaderPacket = require('./ResultSetHeaderPacket');
 exports.RowDataPacket = require('./RowDataPacket');
 exports.SSLRequestPacket = require('./SSLRequestPacket');
 exports.StatisticsPacket = require('./StatisticsPacket');
+exports.UseAuthSwitchPacket = require('./UseAuthSwitchPacket');
 exports.UseOldPasswordPacket = require('./UseOldPasswordPacket');
diff --git a/lib/protocol/sequences/ChangeUser.js b/lib/protocol/sequences/ChangeUser.js
@@ -8,22 +8,25 @@ Util.inherits(ChangeUser, Sequence);
 function ChangeUser(options, callback) {
   Sequence.call(this, options, callback);
 
-  this._user          = options.user;
-  this._password      = options.password;
-  this._database      = options.database;
-  this._charsetNumber = options.charsetNumber;
-  this._currentConfig = options.currentConfig;
+  this._user           = options.user;
+  this._password       = options.password;
+  this._database       = options.database;
+  this._charsetNumber  = options.charsetNumber;
+  this._currentConfig  = options.currentConfig;
+  this._authPluginName = options.authPluginName;
 }
 
 ChangeUser.prototype.start = function(handshakeInitializationPacket) {
   var scrambleBuff = handshakeInitializationPacket.scrambleBuff();
   scrambleBuff     = Auth.token(this._password, scrambleBuff);
 
   var packet = new Packets.ComChangeUserPacket({
-    user          : this._user,
-    scrambleBuff  : scrambleBuff,
-    database      : this._database,
-    charsetNumber : this._charsetNumber
+    user             : this._user,
+    scrambleBuff     : scrambleBuff,
+    database         : this._database,
+    charsetNumber    : this._charsetNumber,
+    clientPluginAuth : this._currentConfig.clientPluginAuth,
+    authPluginName   : this._authPluginName || this._currentConfig.authPluginName
   });
 
   this._currentConfig.user          = this._user;
@@ -34,8 +37,31 @@ ChangeUser.prototype.start = function(handshakeInitializationPacket) {
   this.emit('packet', packet);
 };
 
+ChangeUser.prototype.determinePacket = function(firstByte) {
+  if (firstByte === 0xff) {
+    return Packets.ErrorPacket;
+  }
+
+  if (firstByte === 0xfe) {
+    return Packets.UseAuthSwitchPacket;
+  }
+
+  return Packets.OkPacket;
+};
+
 ChangeUser.prototype['ErrorPacket'] = function(packet) {
   var err = this._packetToError(packet);
   err.fatal = true;
   this.end(err);
 };
+
+ChangeUser.prototype['UseAuthSwitchPacket'] = function(packet) {
+  try {
+    var scrambleBuff = Auth.tokenByPlugin(packet.authPluginName, packet.authPluginData, this._password);
+    this.emit('packet', new Packets.AuthSwitchPacket({
+      scrambleBuff: scrambleBuff
+    }));
+  } catch (err) {
+    this.end(err);
+  }
+};