From 8a93882d1dae98274c2f44752c10df05ce55035b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javier=20Jaramago=20Fern=C3=A1ndez?=
Date: Tue, 20 Aug 2024 18:45:43 +0200
Subject: [PATCH] Fix assert on COM_CHANGE_USER with hashed pass for 'caching_sha2_password'

For now, we always reply with an auth failure until 'Auth Switch Support' is added for 'caching_sha2_password'.
---
 lib/MySQL_Protocol.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/MySQL_Protocol.cpp b/lib/MySQL_Protocol.cpp
index 5b02b562a..5392a229e 100644
--- a/lib/MySQL_Protocol.cpp
+++ b/lib/MySQL_Protocol.cpp
@@ -1208,9 +1208,19 @@ bool MySQL_Protocol::verify_user_pass(
 			ret=true;
 		}
 	} else if (auth_plugin_id == 2) { // caching_sha2_password
-		// FIXME: not supported yet
-		// we assert() here because auth_plugin_id should never be 3 unless it is fully implemented
-		assert(0);
+		// ## FIXME: Current limitation
+		// For now, if a 'COM_CHANGE_USER' is received with a hashed 'password' for
+		// 'caching_sha2_password', we fail to authenticate. This is part of the broader limitation of
+		// 'Auth Switch' support for 'caching_sha2_password' (See
+		// https://proxysql.com/documentation/authentication-methods/#limitations).
+		//
+		// ## Future Fix
+		// The right approach is to perform an 'Auth Switch Request' or to accept the hash if the clear
+		// text password is already known and the hash can be verified. This processing is now performed
+		// in 'process_pkt_COM_CHANGE_USER', state at which it should be determine if we can accept the
+		// hash, or if we should prepare the state machine for a 'Auth Switch Request'. Progress for this
+		// is tracked in https://github.com/sysown/proxysql/issues/4618.
+		ret = false;
 	} else {
 		ret = false;
 	}
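Review bot: The new `ret = false;` in the `auth_plugin_id == 2` branch rejects the authentication silently, so an operator cannot distinguish a genuinely wrong password from this unsupported-path rejection; a log line next to it, e.g. `proxy_warning("COM_CHANGE_USER with hashed caching_sha2_password not supported yet, failing authentication\n");` (assuming the module's usual warning logger is in scope in this translation unit), would make the limitation visible when clients hit it. Failing closed is the right replacement for the removed `assert(0)`, which per the commit subject could be reached from a client packet and would have aborted the proxy process instead of returning an auth error. The comment's claim that the processing "is now performed in 'process_pkt_COM_CHANGE_USER'" is not backed by this patch, whose diffstat shows only this hunk, so it reads more accurately as a TODO than as a description of current behaviour. Minor wording in the added comment: "it should be determine" should read "it should be determined", and "a 'Auth Switch Request'" should read "an 'Auth Switch Request'". verify_user_pass starts and ends outside the hunk.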