Support authentication mechanism negotiation

[thekid]

...by adding saslSupportedMechs: <db.user> to the hello command. This will return an additional field hello.saslSupportedMechs in its result.

Negotation

If an authentication mechanism is explicitely supplied via the connection string, it's used regardless of what the server answers. Otherwise, negotation tries to find the preferred authentication mechanism.

If SCRAM-SHA-256 is present in the list of mechanism, then it MUST be used as the default; otherwise, SCRAM-SHA-1 MUST be used as the default, regardless of whether SCRAM-SHA-1 is in the list. If saslSupportedMechs is not present in the handshake response for mechanism negotiation, then SCRAM-SHA-1 MUST be used

(see https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#defaults)

Connection string	Server-supplied saslSupportedMechs	Result
?authMechanism=SCRAM-SHA-256	(anything)	SCRAM-SHA-256
?authMechanism=SCRAM-SHA-1	(anything)	SCRAM-SHA-1
?authMechanism=PLAIN	(anything)	Error 1️⃣
(not supplied)	[SCRAM-SHA-256, SCRAM-SHA-1]	SCRAM-SHA-256
(not supplied)	[SCRAM-SHA-1, SCRAM-SHA-256]	SCRAM-SHA-256
(not supplied)	[SCRAM-SHA-1, AWS]	SCRAM-SHA-1
(not supplied)	[PLAIN, AWS]	Error 2️⃣
(not supplied)	(empty or missing)	SCRAM-SHA-1

Errors

1. Unsupported authentication mechanism "PLAIN"
2. None of the supplied authentication mechanisms "PLAIN", "AWS" is supported

Real-life examples

...when adding a var_dump() of the returned hello.saslSupportedMechs key:

Local 5.0.20 (Ubuntu)

$ xp connect.script.php mongodb://user:*********@localhost/test
array(2) {
  [0]=>
  string(11) "SCRAM-SHA-1"
  [1]=>
  string(13) "SCRAM-SHA-256"
}

MongoDB Atlas

$ xp connect.script.php mongodb+srv://user:*********@example.abcdefg.mongodb.net
array(1) {
  [0]=>
  string(11) "SCRAM-SHA-1"
}

[thekid]

Released in https://github.com/xp-forge/mongodb/releases/tag/v1.15.0