mysql2 3.18.2 → 3.18.3-canary.b57c671c

package/lib/auth_plugins/caching_sha2_password.js

@@ -42,7 +42,7 @@ function encrypt(password, scramble, key) {
   );
 }
 
-module.exports =
+const pluginFactory =
   (pluginOptions = {}) =>
   ({ connection }) => {
     let state = 0;
@@ -106,3 +106,9 @@ module.exports =
       );
     };
   };
+
+// Export the plugin factory as default
+module.exports = pluginFactory;
+
+// Export calculateToken for reuse in initial handshake optimization
+module.exports.calculateToken = calculateToken;

package/lib/commands/auth_switch.js

@@ -11,12 +11,31 @@ const caching_sha2_password = require('../auth_plugins/caching_sha2_password.js'
 const mysql_native_password = require('../auth_plugins/mysql_native_password.js');
 const mysql_clear_password = require('../auth_plugins/mysql_clear_password.js');
 
-const standardAuthPlugins = {
+// Use Object.create(null) to avoid prototype pollution
+// This prevents server-controlled pluginName values like "toString" or "__proto__"
+// from resolving to prototype properties
+const standardAuthPlugins = Object.assign(Object.create(null), {
   sha256_password: sha256_password({}),
   caching_sha2_password: caching_sha2_password({}),
   mysql_native_password: mysql_native_password({}),
   mysql_clear_password: mysql_clear_password({}),
-};
+});
+
+// Helper function to get auth plugin (custom or standard)
+function getAuthPlugin(pluginName, connection) {
+  const customPlugins = connection.config.authPlugins;
+
+  // Check custom plugins with hasOwnProperty for safety
+  if (
+    customPlugins &&
+    Object.prototype.hasOwnProperty.call(customPlugins, pluginName)
+  ) {
+    return customPlugins[pluginName];
+  }
+
+  // Safe to access standardAuthPlugins directly since it has no prototype
+  return standardAuthPlugins[pluginName];
+}
 
 function warnLegacyAuthSwitch() {
   console.warn(
@@ -35,8 +54,6 @@ function authSwitchPluginError(error, command) {
 function authSwitchRequest(packet, connection, command) {
   const { pluginName, pluginData } =
     Packets.AuthSwitchRequest.fromPacket(packet);
-  let authPlugin =
-    connection.config.authPlugins && connection.config.authPlugins[pluginName];
 
   // legacy plugin api don't allow to override mysql_native_password
   // if pluginName is mysql_native_password it's using standard auth4.1 auth
@@ -54,9 +71,8 @@ function authSwitchRequest(packet, connection, command) {
     });
     return;
   }
-  if (!authPlugin) {
-    authPlugin = standardAuthPlugins[pluginName];
-  }
+
+  const authPlugin = getAuthPlugin(pluginName, connection);
   if (!authPlugin) {
     throw new Error(
       `Server requests authentication using unknown plugin ${pluginName}. See ${'TODO: add plugins doco here'} on how to configure or author authentication plugins.`
@@ -108,4 +124,6 @@ function authSwitchRequestMoreData(packet, connection, command) {
 module.exports = {
   authSwitchRequest,
   authSwitchRequestMoreData,
+  getAuthPlugin,
+  standardAuthPlugins,
 };

package/lib/commands/client_handshake.js

@@ -15,6 +15,10 @@ const Packets = require('../packets/index.js');
 const ClientConstants = require('../constants/client.js');
 const CharsetToEncoding = require('../constants/charset_encodings.js');
 const auth41 = require('../auth_41.js');
+const { getAuthPlugin } = require('./auth_switch.js');
+const {
+  calculateToken: calculateSha2Token,
+} = require('../auth_plugins/caching_sha2_password.js');
 
 function flagNames(flags) {
   const res = [];
@@ -67,6 +71,61 @@ class ClientHandshake extends Command {
     this.passwordSha1 = connection.config.passwordSha1;
     this.database = connection.config.database;
     this.authPluginName = this.handshake.authPluginName;
+
+    // Optimization: Try to use the server's preferred authentication method
+    // to avoid an unnecessary auth switch roundtrip
+    const serverAuthMethod = this.handshake.authPluginName;
+    const isSecureConnection =
+      connection.config.ssl || connection.config.socketPath;
+
+    // Combine auth plugin data for easier handling
+    // Note: authPluginData2 can include a trailing NUL byte when PLUGIN_AUTH is set
+    // We must ensure exactly 20 bytes for the scramble
+    const authPluginData =
+      this.handshake.authPluginData1 && this.handshake.authPluginData2
+        ? Buffer.concat([
+            this.handshake.authPluginData1,
+            this.handshake.authPluginData2,
+          ]).slice(0, 20)
+        : Buffer.alloc(20);
+
+    // Check if user has custom auth plugin or legacy handler for the server-advertised method
+    // If so, we must not bypass the auth switch flow with our built-in implementation
+    const hasCustomAuthPlugin =
+      connection.config.authPlugins &&
+      Object.prototype.hasOwnProperty.call(
+        connection.config.authPlugins,
+        serverAuthMethod
+      );
+    const hasLegacyAuthSwitchHandler =
+      typeof connection.config.authSwitchHandler === 'function';
+
+    // Determine which auth method to use
+    // Try to use server's preferred method if we can, otherwise fallback to native
+    const canUseDirectAuth =
+      !hasCustomAuthPlugin &&
+      !hasLegacyAuthSwitchHandler &&
+      this.canUseAuthMethodDirectly(serverAuthMethod, isSecureConnection);
+
+    const clientAuthMethod = canUseDirectAuth
+      ? serverAuthMethod
+      : 'mysql_native_password';
+
+    // Calculate the auth token for the chosen method
+    const authToken = this.calculateAuthToken(
+      clientAuthMethod,
+      this.password,
+      authPluginData
+    );
+
+    if (connection.config.debug) {
+      console.log(
+        'Server auth method: %s, Using auth method: %s',
+        serverAuthMethod,
+        clientAuthMethod
+      );
+    }
+
     const handshakeResponse = new Packets.HandshakeResponse({
       flags: this.clientFlags,
       user: this.user,
@@ -78,8 +137,17 @@ class ClientHandshake extends Command {
       authPluginData2: this.handshake.authPluginData2,
       compress: connection.config.compress,
       connectAttributes: connection.config.connectAttributes,
+      authToken: authToken,
+      authPluginName: clientAuthMethod,
     });
     connection.writePacket(handshakeResponse.toPacket());
+
+    // If we used a non-native auth method in the initial handshake response,
+    // we need to prepare for potential AuthMoreData packets by creating
+    // the appropriate auth plugin instance
+    if (clientAuthMethod !== 'mysql_native_password') {
+      this.initializeAuthPlugin(clientAuthMethod, authPluginData, connection);
+    }
   }
 
   calculateNativePasswordAuthToken(authPluginData) {
@@ -103,6 +171,82 @@ class ClientHandshake extends Command {
     return authToken;
   }
 
+  calculateSha256Token(password, scramble) {
+    // Reuse the token calculation from caching_sha2_password plugin
+    // to avoid code duplication and ensure consistency
+    return calculateSha2Token(password, scramble);
+  }
+
+  // Helper: Calculate auth token for a specific auth method
+  calculateAuthToken(authMethod, password, authPluginData) {
+    switch (authMethod) {
+      case 'mysql_native_password':
+        return this.calculateNativePasswordAuthToken(authPluginData);
+
+      case 'caching_sha2_password':
+        return this.calculateSha256Token(password, authPluginData);
+
+      case 'sha256_password':
+      case 'mysql_clear_password':
+        // These methods send plaintext password over secure connections
+        return password
+          ? Buffer.from(`${password}\0`, 'utf8')
+          : Buffer.alloc(0);
+
+      default:
+        // Unknown method - use native password as fallback
+        return this.calculateNativePasswordAuthToken(authPluginData);
+    }
+  }
+
+  // Helper: Determine if we can use a specific auth method directly
+  canUseAuthMethodDirectly(authMethod, isSecureConnection) {
+    switch (authMethod) {
+      case 'mysql_native_password':
+      case 'caching_sha2_password':
+        // These methods work with or without SSL
+        return true;
+
+      case 'sha256_password':
+      case 'mysql_clear_password':
+        // These methods require secure connection for direct use
+        return isSecureConnection;
+
+      default:
+        // Unknown methods - fallback to native password
+        return false;
+    }
+  }
+
+  // Helper: Initialize auth plugin for handling subsequent AuthMoreData packets
+  initializeAuthPlugin(authMethod, authPluginData, connection) {
+    const authPlugin = getAuthPlugin(authMethod, connection);
+    if (!authPlugin) {
+      return; // Plugin not found, will fallback to auth switch if needed
+    }
+
+    // Initialize the plugin with connection and command context
+    const pluginHandler = authPlugin({ connection, command: this });
+    connection._authPlugin = pluginHandler;
+
+    // Prime the plugin by calling it with the scramble data
+    // This advances the plugin's state machine (e.g., to STATE_TOKEN_SENT)
+    // We don't send the result because we already included it in the handshake response
+    try {
+      Promise.resolve(pluginHandler(authPluginData)).catch((err) => {
+        // Ignore errors during initialization since we already sent the token
+        if (connection.config.debug) {
+          console.log('Auth plugin initialization:', err.message);
+        }
+      });
+    } catch (err) {
+      // Ignore synchronous errors during initialization
+      if (connection.config.debug) {
+        console.log('Auth plugin initialization error:', err.message);
+      }
+    }
+  }
+
   handshakeInit(helloPacket, connection) {
     this.on('error', (e) => {
       connection._fatalError = e;

package/lib/packets/handshake_response.js

@@ -16,22 +16,47 @@ class HandshakeResponse {
     this.authPluginData2 = handshake.authPluginData2;
     this.compress = handshake.compress;
     this.clientFlags = handshake.flags;
-    // TODO: pre-4.1 auth support
-    let authToken;
-    if (this.passwordSha1) {
-      authToken = auth41.calculateTokenFromPasswordSha(
-        this.passwordSha1,
-        this.authPluginData1,
-        this.authPluginData2
-      );
+
+    // Accept pre-calculated authToken and authPluginName from caller
+    // This allows the caller to optimize by using the server's preferred auth method
+    if (
+      handshake.authToken !== undefined &&
+      handshake.authPluginName !== undefined
+    ) {
+      // Validate types to fail fast with clear errors
+      if (!Buffer.isBuffer(handshake.authToken)) {
+        throw new TypeError(
+          'HandshakeResponse authToken must be a Buffer when provided'
+        );
+      }
+      if (typeof handshake.authPluginName !== 'string') {
+        throw new TypeError(
+          'HandshakeResponse authPluginName must be a string when provided'
+        );
+      }
+      this.authToken = handshake.authToken;
+      this.authPluginName = handshake.authPluginName;
     } else {
-      authToken = auth41.calculateToken(
-        this.password,
-        this.authPluginData1,
-        this.authPluginData2
-      );
+      // Fallback to legacy behavior: calculate mysql_native_password token
+      // TODO: pre-4.1 auth support
+      let authToken;
+      if (this.passwordSha1) {
+        authToken = auth41.calculateTokenFromPasswordSha(
+          this.passwordSha1,
+          this.authPluginData1,
+          this.authPluginData2
+        );
+      } else {
+        authToken = auth41.calculateToken(
+          this.password,
+          this.authPluginData1,
+          this.authPluginData2
+        );
+      }
+      this.authToken = authToken;
+      this.authPluginName = 'mysql_native_password';
     }
-    this.authToken = authToken;
+
     this.charsetNumber = handshake.charsetNumber;
     this.encoding = CharsetToEncoding[handshake.charsetNumber];
     this.connectAttributes = handshake.connectAttributes;
@@ -62,8 +87,12 @@ class HandshakeResponse {
       packet.writeNullTerminatedString(this.database, encoding);
     }
     if (isSet('PLUGIN_AUTH')) {
-      // TODO: pass from config
-      packet.writeNullTerminatedString('mysql_native_password', 'latin1');
+      // Use the auth plugin name specified by the caller (optimized for server's preference)
+      // or fall back to mysql_native_password for backward compatibility
+      packet.writeNullTerminatedString(
+        this.authPluginName || 'mysql_native_password',
+        'latin1'
+      );
     }
     if (isSet('CONNECT_ATTRS')) {
       const connectAttributes = this.connectAttributes || {};

package/lib/packets/packet.js

@@ -660,14 +660,27 @@ class Packet {
     if (len === null) {
       return null;
     }
+    if (len === 0) {
+      return 0; // TODO: assert? exception?
+    }
+
+    // For numbers with many digits (>17), use built-in parseFloat to avoid
+    // precision loss from accumulated rounding errors in repeated *10 operations.
+    // This fixes issues #2928 (MAX_VALUE doubles) and #3690 (DECIMAL(36,18))
+    // where very large numbers or numbers with many fractional digits lose precision.
+    // The threshold of 17 is based on IEEE 754 double precision (~15-17 significant digits).
+    // Testing shows minimal performance impact as most real-world numbers are shorter.
+    if (len > 17) {
+      const str = this.buffer.toString('utf8', this.offset, this.offset + len);
+      this.offset += len;
+      return Number.parseFloat(str);
+    }
+
     let result = 0;
     const end = this.offset + len;
     let factor = 1;
     let pastDot = false;
     let charCode = 0;
-    if (len === 0) {
-      return 0; // TODO: assert? exception?
-    }
     if (this.buffer[this.offset] === minus) {
       this.offset++;
       factor = -1;
@@ -681,9 +694,13 @@ class Packet {
         pastDot = true;
         this.offset++;
       } else if (charCode === exponent || charCode === exponentCapital) {
-        this.offset++;
-        const exponentValue = this.parseInt(end - this.offset);
-        return (result / factor) * Math.pow(10, exponentValue);
+        // Scientific notation detected - bail out to parseFloat for exact match.
+        // Manual calculation with Math.pow(10, exp) cannot match parseFloat()
+        // exactly for most non-zero exponents due to accumulated rounding errors.
+        const start = end - len;
+        const str = this.buffer.toString('utf8', start, end);
+        this.offset = end;
+        return Number.parseFloat(str);
       } else {
         result *= 10;
         result += this.buffer[this.offset] - 48;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mysql2",
-  "version": "3.18.2",
+  "version": "3.18.3-canary.b57c671c",
   "description": "fast mysql driver. Implements core protocol, prepared statements, ssl and compression in native JS",
   "main": "index.js",
   "typings": "typings/mysql/index",