By default, if not explicitly set, user must be the current os user (mandatory for some authentication plugin, like GSSAPI for example).

rusher · rusher · commit 5d80303f133d · 2025-04-11T12:40:34.000+02:00
diff --git a/README.md b/README.md
@@ -101,7 +101,7 @@ db.SetMaxIdleConns(10)
 
 The Data Source Name has a common format, like e.g. [PEAR DB](http://pear.php.net/manual/en/package.database.db.intro-dsn.php) uses it, but without type-prefix (optional parts marked by squared brackets):
 ```
-[username[:password]@][protocol[(address)]]/dbname[?param1=value1&...&paramN=valueN]
+[[username][:password]@][protocol[(address)]]/dbname[?param1=value1&...&paramN=valueN]
 ```
 
 A DSN in its fullest form:
diff --git a/auth_test.go b/auth_test.go
@@ -16,6 +16,8 @@ import (
 	"encoding/pem"
 	"fmt"
 	"testing"
+
+	osuser "os/user"
 )
 
 var testPubKey = []byte("-----BEGIN PUBLIC KEY-----\n" +
@@ -79,6 +81,47 @@ func TestScrambleSHA256Pass(t *testing.T) {
 	}
 }
 
+func TestDefaultUser(t *testing.T) {
+	conn, mc := newRWMockConn(1)
+	mc.cfg.User = ""
+	mc.cfg.Passwd = "secret"
+
+	authData := []byte{90, 105, 74, 126, 30, 48, 37, 56, 3, 23, 115, 127, 69,
+		22, 41, 84, 32, 123, 43, 118}
+	plugin := "mysql_native_password"
+
+	// Send Client Authentication Packet
+	authPlugin, exists := globalPluginRegistry.GetPlugin(plugin)
+	if !exists {
+		t.Fatalf("plugin not registered")
+	}
+	var expectedUsername string
+	currentUser, err := osuser.Current()
+	if err != nil {
+		expectedUsername = ""
+	} else {
+		expectedUsername = currentUser.Username
+	}
+
+	authResp, err := authPlugin.InitAuth(authData, mc.cfg)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = mc.writeHandshakeResponsePacket(authResp, plugin)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// check written auth response
+	authRespStart := 4 + 4 + 4 + 1 + 23
+	authRespEnd := authRespStart + len(expectedUsername)
+	writtenAuthResp := conn.written[authRespStart:authRespEnd]
+	expectedAuthResp := []byte(expectedUsername)
+	if !bytes.Equal(writtenAuthResp, expectedAuthResp) || conn.written[authRespEnd] != 0 {
+		t.Fatalf("unexpected written auth response: %v", writtenAuthResp)
+	}
+}
+
 func TestAuthFastCachingSHA256PasswordCached(t *testing.T) {
 	conn, mc := newRWMockConn(1)
 	mc.cfg.User = "root"
diff --git a/dsn.go b/dsn.go
@@ -256,14 +256,18 @@ func writeDSNParam(buf *bytes.Buffer, hasParam *bool, name, value string) {
 func (cfg *Config) FormatDSN() string {
 	var buf bytes.Buffer
 
-	// [username[:password]@]
+	// [[username][:password]@]
 	if len(cfg.User) > 0 {
 		buf.WriteString(cfg.User)
 		if len(cfg.Passwd) > 0 {
 			buf.WriteByte(':')
 			buf.WriteString(cfg.Passwd)
 		}
 		buf.WriteByte('@')
+	} else if len(cfg.Passwd) > 0 {
+		buf.WriteByte(':')
+		buf.WriteString(cfg.Passwd)
+		buf.WriteByte('@')
 	}
 
 	// [protocol[(address)]]
@@ -408,7 +412,7 @@ func ParseDSN(dsn string) (cfg *Config, err error) {
 	// New config with some default values
 	cfg = NewConfig()
 
-	// [user[:password]@][net[(addr)]]/dbname[?param1=value1&paramN=valueN]
+	// [[username][:password]@][net[(addr)]]/dbname[?param1=value1&paramN=valueN]
 	// Find the last '/' (since the password or the net addr might contain a '/')
 	foundSlash := false
 	for i := len(dsn) - 1; i >= 0; i-- {
@@ -418,11 +422,11 @@ func ParseDSN(dsn string) (cfg *Config, err error) {
 
 			// left part is empty if i <= 0
 			if i > 0 {
-				// [username[:password]@][protocol[(address)]]
+				// [[username][:password]@][protocol[(address)]]
 				// Find the last '@' in dsn[:i]
 				for j = i; j >= 0; j-- {
 					if dsn[j] == '@' {
-						// username[:password]
+						// [username][:password]
 						// Find the first ':' in dsn[:j]
 						for k = 0; k < j; k++ {
 							if dsn[k] == ':' {
diff --git a/dsn_test.go b/dsn_test.go
@@ -47,6 +47,9 @@ var testDSNs = []struct {
 }, {
 	"user:p@ss(word)@tcp([de:ad:be:ef::ca:fe]:80)/dbname?loc=Local",
 	&Config{User: "user", Passwd: "p@ss(word)", Net: "tcp", Addr: "[de:ad:be:ef::ca:fe]:80", DBName: "dbname", Loc: time.Local, MaxAllowedPacket: defaultMaxAllowedPacket, Logger: defaultLogger, AllowNativePasswords: true, CheckConnLiveness: true},
+}, {
+	":p@ss(word)@tcp([de:ad:be:ef::ca:fe]:80)/dbname?loc=Local",
+	&Config{Passwd: "p@ss(word)", Net: "tcp", Addr: "[de:ad:be:ef::ca:fe]:80", DBName: "dbname", Loc: time.Local, MaxAllowedPacket: defaultMaxAllowedPacket, Logger: defaultLogger, AllowNativePasswords: true, CheckConnLiveness: true},
 }, {
 	"/dbname",
 	&Config{Net: "tcp", Addr: "127.0.0.1:3306", DBName: "dbname", Loc: time.UTC, MaxAllowedPacket: defaultMaxAllowedPacket, Logger: defaultLogger, AllowNativePasswords: true, CheckConnLiveness: true},
diff --git a/packets.go b/packets.go
@@ -17,6 +17,7 @@ import (
 	"fmt"
 	"io"
 	"math"
+	osuser "os/user"
 	"strconv"
 	"time"
 )
@@ -303,8 +304,17 @@ func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, plugin string
 		// length encoded integer
 		clientFlags |= clientPluginAuthLenEncClientData
 	}
+	var userName string
+	if len(mc.cfg.User) > 0 {
+		userName = mc.cfg.User
+	} else {
+		// Get current user if username is empty
+		if currentUser, err := osuser.Current(); err == nil {
+			userName = currentUser.Username
+		}
+	}
 
-	pktLen := 4 + 4 + 1 + 23 + len(mc.cfg.User) + 1 + len(authRespLEI) + len(authResp) + 21 + 1
+	pktLen := 4 + 4 + 1 + 23 + len(userName) + 1 + len(authRespLEI) + len(authResp) + 21 + 1
 
 	// To specify a db name
 	if n := len(mc.cfg.DBName); n > 0 {
@@ -372,8 +382,8 @@ func (mc *mysqlConn) writeHandshakeResponsePacket(authResp []byte, plugin string
 	}
 
 	// User [null terminated string]
-	if len(mc.cfg.User) > 0 {
-		pos += copy(data[pos:], mc.cfg.User)
+	if len(userName) > 0 {
+		pos += copy(data[pos:], userName)
 	}
 	data[pos] = 0x00
 	pos++
