sub _authenticate {
my ($self, $id) = @_;
my $mango = $self->mango;
my $cnx = $self->mango->{connections}{$id};
my $creds = $self->{credentials};
my ($db, $user, $pass) = @$creds;
my $scram_client = Authen::SCRAM::Client->new(
skip_saslprep => 1,
username => $user,
password => $pass
);
my $delay = Mojo::IOLoop::Delay->new;
my $conv_id;
my $end = $delay->begin;
my $command = $self->_cmd_sasl_start($scram_client->first_msg);
$mango->_fast($id, $db, $command, sub {
my ($mango, $err, $doc) = @_;
$conv_id = $doc->{conversationId};
my $final_msg = $scram_client->final_msg(b64_decode $doc->{payload});
my $command = $self->_cmd_sasl_continue($conv_id, $final_msg);
$mango->_fast($id, $db, $command, sub {
my ($mango, $err, $doc) = @_;
$scram_client->validate(b64_decode $doc->{payload});
my $command = $self->_cmd_sasl_continue($conv_id, '');
$mango->_fast($id, $db, $command, sub {
my ($mango, $err, $doc) = @_;
$mango->emit(connection => $id)->_next;
$end->();
})
})
});
$delay->wait;
}
It seems here is a bug:
https://metacpan.org/source/Mango::Auth::SCRAM#L40
Because Mojo::IOLoop::Delay doesn't guarantee the atomicity of consequential steps, some operation can be injected between auth steps, and the code will receive "not authorized for query" error.
I've investigated it on my server, but unfortunately didn't create a script to reproduce the bug separately. I could provide it if it necessary, it will take me some time.
Here is my fix:
(A pull request is also prepared #34)