Authentication #1696
Authentication #1696
Conversation
* ensuring performance schema is enabled when testing some performance schema results * Added logic to check if the default collation is overridden by the server character_set_collations * ensure using IANA timezone in test, since tzinfo depending on system won't have deprecated tz like "US/Central" and "US/Pacific"
Current implementation was requiring authentication plugin that are have multiple step to begin with iAuthMoreData, but that's only required for "caching_sha2_password" and "sha256_password" plugins. Additionally, now permits multi-authentication (in mariadb: https://mariadb.com/kb/en/create-user/#identified-viawith-authentication_plugin / mysql: https://dev.mysql.com/doc/refman/8.0/en/multifactor-authentication.html) goal is to add MariaDB main authentication plugins (like parsec, PAM, GSSAPI, ...)
WalkthroughThis change introduces a modular authentication plugin system for the Go MySQL driver. The authentication logic is refactored to use a plugin interface, with each authentication method implemented in its own file as a plugin. The connector now retrieves plugins from a global registry and delegates authentication steps to them, removing hardcoded logic for individual plugins. The README and AUTHORS files are updated to document the new system and contributors. The test suite is updated to use the plugin interface, and new tests are added for multi-step authentication flows. Several legacy functions and constants are removed as their responsibilities move to the new plugin structure. Changes
Sequence Diagram(s)sequenceDiagram
participant Connector
participant PluginRegistry
participant AuthPlugin
participant MySQLServer
Connector->>PluginRegistry: GetPlugin(pluginName)
PluginRegistry-->>Connector: AuthPlugin instance
Connector->>AuthPlugin: InitAuth(authData, config)
AuthPlugin-->>Connector: Initial response
Connector->>MySQLServer: Send initial response
loop (Up to maximum switches)
MySQLServer-->>Connector: Auth result packet
alt Auth switch requested
Connector->>AuthPlugin: ContinuationAuth(packet, authData, conn)
AuthPlugin-->>Connector: Next response
Connector->>MySQLServer: Send next response
else OK or Error
Connector-->>Connector: Exit loop
end
end
Suggested reviewers
Poem
Tip ⚡💬 Agentic Chat (Pro Plan, General Availability)
✨ Finishing Touches
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (5)
driver.go (1)
42-44: Global plugin registry introduction
This new variable and initialization appear well-structured for the upcoming plugin-based authentication system. Ensure theglobalPluginRegistryregistration and usage is thread-safe, especially if plugin registrations can occur at runtime.README.md (1)
540-546: Use consistent list style per markdownlint
Static analysis flags these lines for inconsistent unordered list style. Switch from dashes to asterisks to comply with the configured Markdown style guidelines.Apply the following diff to update the list style:
- - `mysql_native_password` - The default MySQL authentication method - - `caching_sha2_password` - Default authentication method in MySQL 8.0+ - - `mysql_clear_password` - Cleartext authentication (requires `allowCleartextPasswords=true`) - - `mysql_old_password` - Old MySQL authentication (requires `allowOldPasswords=true`) - - `sha256_password` - SHA256 authentication - - `client_ed25519` - MariaDB Ed25519 authentication + * `mysql_native_password` - The default MySQL authentication method + * `caching_sha2_password` - Default authentication method in MySQL 8.0+ + * `mysql_clear_password` - Cleartext authentication (requires `allowCleartextPasswords=true`) + * `mysql_old_password` - Old MySQL authentication (requires `allowOldPasswords=true`) + * `sha256_password` - SHA256 authentication + * `client_ed25519` - MariaDB Ed25519 authentication🧰 Tools
🪛 markdownlint-cli2 (0.17.2)
541-541: Unordered list style
Expected: asterisk; Actual: dash(MD004, ul-style)
542-542: Unordered list style
Expected: asterisk; Actual: dash(MD004, ul-style)
543-543: Unordered list style
Expected: asterisk; Actual: dash(MD004, ul-style)
544-544: Unordered list style
Expected: asterisk; Actual: dash(MD004, ul-style)
545-545: Unordered list style
Expected: asterisk; Actual: dash(MD004, ul-style)
546-546: Unordered list style
Expected: asterisk; Actual: dash(MD004, ul-style)
auth_ed25519.go (1)
29-63: Ed25519 authentication logic appears correct.
The scalar clamping, base multiplication, uniform hashing, and final combined signature steps reflect standard Ed25519 signing internals. Error handling for scalar creation is handled properly. One optional consideration is whether to sanitize (zero) sensitive intermediate data in memory once done, if there's concern about side-channel leaks in ephemeral memory. Overall, the plugin method is well-structured.auth_caching_sha2.go (1)
67-74: Use descriptive constants for magic numbers.
The sub-switch values3and4can be replaced by clearly named constants to enhance maintainability and code clarity.auth_sha256.go (1)
107-131: RSA-OAEP with SHA1.
While this aligns with MySQL's required method, note that SHA1 is considered weaker cryptographically. Keep it for compatibility, or consider offering a stronger alternative if not constrained by server support.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (16)
AUTHORS(1 hunks)README.md(1 hunks)auth.go(2 hunks)auth_caching_sha2.go(1 hunks)auth_cleartext.go(1 hunks)auth_ed25519.go(1 hunks)auth_mysql_native.go(1 hunks)auth_old_password.go(1 hunks)auth_plugin.go(1 hunks)auth_sha256.go(1 hunks)auth_test.go(53 hunks)connector.go(2 hunks)const.go(0 hunks)driver.go(1 hunks)driver_test.go(4 hunks)packets.go(0 hunks)
💤 Files with no reviewable changes (2)
- const.go
- packets.go
🧰 Additional context used
🧬 Code Graph Analysis (9)
driver.go (1)
auth_plugin.go (1)
NewPluginRegistry(42-47)
auth_cleartext.go (3)
auth_plugin.go (2)
SimpleAuth(28-30)RegisterAuthPlugin(61-63)dsn.go (1)
Config(37-84)errors.go (1)
ErrCleartextPassword(23-23)
auth_plugin.go (1)
dsn.go (1)
Config(37-84)
auth_old_password.go (3)
auth_plugin.go (2)
SimpleAuth(28-30)RegisterAuthPlugin(61-63)dsn.go (1)
Config(37-84)errors.go (1)
ErrOldPassword(25-25)
auth_mysql_native.go (3)
auth_plugin.go (2)
SimpleAuth(28-30)RegisterAuthPlugin(61-63)dsn.go (1)
Config(37-84)errors.go (1)
ErrNativePassword(24-24)
auth_sha256.go (3)
auth_plugin.go (2)
AuthPlugin(12-26)RegisterAuthPlugin(61-63)dsn.go (1)
Config(37-84)errors.go (1)
ErrMalformPkt(21-21)
auth_test.go (2)
auth_old_password.go (1)
OldPasswordPlugin(12-12)auth_mysql_native.go (1)
NativePasswordPlugin(14-16)
auth_caching_sha2.go (3)
auth_plugin.go (2)
AuthPlugin(12-26)RegisterAuthPlugin(61-63)dsn.go (1)
Config(37-84)errors.go (1)
ErrMalformPkt(21-21)
auth.go (2)
auth_plugin.go (1)
AuthPlugin(12-26)errors.go (1)
ErrMalformPkt(21-21)
🪛 markdownlint-cli2 (0.17.2)
README.md
541-541: Unordered list style
Expected: asterisk; Actual: dash
(MD004, ul-style)
542-542: Unordered list style
Expected: asterisk; Actual: dash
(MD004, ul-style)
543-543: Unordered list style
Expected: asterisk; Actual: dash
(MD004, ul-style)
544-544: Unordered list style
Expected: asterisk; Actual: dash
(MD004, ul-style)
545-545: Unordered list style
Expected: asterisk; Actual: dash
(MD004, ul-style)
546-546: Unordered list style
Expected: asterisk; Actual: dash
(MD004, ul-style)
🔇 Additional comments (96)
AUTHORS (1)
40-40: No concerns found with this addition
Adding the new author entry in alphabetical order is correct and maintains consistency with the file’s structure.README.md (1)
537-539: Good addition of the new authentication section
Introducing a dedicated subsection clarifies how the new pluggable authentication system works. The explanation gives a clear overview for end users.connector.go (4)
147-150: Appropriate plugin existence check
Returning an error if the plugin is missing is a good defensive approach. Make sure any dynamic plugin loading is handled before this point to avoid unexpected failures for known custom plugins.
153-156: Plugin-driven auth initialization
DelegatingInitAuthto the plugin fosters modularity. The cleanup after error is correct.
164-165: Bounded authentication flow
PassingauthMaximumSwitchand reusing the same plugin instance ensures a controlled multi-step authentication without fallback confusion.
21-23:✅ Verification successful
Reasonable limit on plugin switch attempts
Using a constant for the maximum number of authentication plugin switches keeps the logic maintainable. Confirm that the limit of 5 attempts aligns with all supported multi-factor authentication scenarios.
🏁 Script executed:
#!/bin/bash # Description: Check references to authMaximumSwitch across the codebase to ensure it is not exceeded or bypassed during multi-factor auth flows. rg -A 5 "authMaximumSwitch"Length of output: 876
Verification Confirmed: Consistent and Intentional Limit
The constant
authMaximumSwitchis set to 5 inconnector.goand is referenced both in the authentication flow (mc.handleAuthResult) and in generating the error message ("maximum of %d authentication switch reached") inauth.go. The grep output confirms that the limit is applied consistently across the multi-factor authentication logic.
- The constant is declared and used in a way that prevents exceeding the intended number of switch attempts.
- There’s no evidence from the codebase that the limit is bypassed or that additional scenarios require a higher count.
If later multi-factor authentication scenarios demand a different limit, please update the constant accordingly.
driver_test.go (3)
1633-1658: Improved collation test to handle server overrides - good approach.The added code correctly handles cases where the server overrides the default collation based on
character_set_collations. This makes the test more robust against different server configurations by:
- Fetching the server's character set collations mapping
- Parsing it into a usable dictionary structure
- Checking if the expected collation's charset has a server-mandated override
- Using the overridden value for comparison when necessary
1721-1721: Updated timezone test locations for broader coverage.Changed test timezones from "US/Central", "US/Pacific" to "America/New_York", "Asia/Hong_Kong" which provides more global timezone coverage and uses IANA standard timezone names.
3577-3585: Good addition of performance_schema availability check.This change adds an important check to verify the performance_schema is enabled before attempting to query connection attributes. This prevents test failures when running against MySQL servers with performance_schema disabled.
auth_cleartext.go (4)
11-23: Good implementation of the cleartext password plugin.The ClearPasswordPlugin is well-structured and properly embeds SimpleAuth. The comments clearly document the security implications of cleartext authentication and when it should be used (TLS/SSL, Unix sockets, PAM).
25-27: Appropriate plugin registration in init.The plugin correctly registers itself with the global plugin registry during package initialization, allowing the driver to discover it without manual registration.
29-31: Plugin identification method.The GetPluginName method correctly returns "mysql_clear_password" which matches MySQL's internal plugin name.
33-46: Well-implemented authentication initialization.The InitAuth method has good security practices:
- It checks if cleartext passwords are allowed in the configuration
- Returns an appropriate error if not allowed
- Correctly appends a null terminator to the password as required by the protocol
The null termination handling is particularly important for external authentication systems that need access to the original password.
auth_mysql_native.go (5)
13-16: Proper implementation of native password plugin.The plugin structure is clean and correctly embeds SimpleAuth for shared functionality.
18-20: Self-registration pattern is consistent.The plugin registers itself in init, matching the pattern used in other authentication plugins.
22-24: Plugin name matches MySQL's internal name.The GetPluginName method correctly returns "mysql_native_password" in accordance with MySQL's naming.
26-34: Security check in initialization method.InitAuth properly checks configuration settings before proceeding:
- Verifies AllowNativePasswords configuration flag
- Handles empty passwords correctly
- Calls scramblePassword with the correct portion of authData (first 20 bytes)
36-64: Accurate implementation of MySQL 4.1+ password hashing.The scramblePassword function correctly implements the MySQL 4.1+ native password hashing algorithm:
- Properly handles empty passwords
- Calculates the SHA1 hash of the password (stage1)
- Creates a SHA1 hash of the stage1 hash
- Creates a SHA1 hash of the scramble + stage1 hash
- XORs the scramble hash with stage1 to produce the authentication token
The implementation follows the MySQL protocol specification precisely.
auth_plugin.go (4)
11-26: Well-designed plugin interface for authentication.The AuthPlugin interface is cleanly defined with three essential methods:
- GetPluginName - Identifies the plugin
- InitAuth - Handles initial authentication
- ContinuationAuth - Manages subsequent authentication steps
The interface provides enough flexibility for different authentication mechanisms while maintaining a consistent API. The documentation for each method clearly explains parameters and purpose.
28-34: Good base implementation with SimpleAuth.The SimpleAuth struct provides a sensible default implementation for ContinuationAuth, making it easier to implement simple plugins by embedding this struct. This avoids code duplication for plugins that don't need multi-step authentication.
36-58: Clean implementation of plugin registry.The PluginRegistry implementation is straightforward and effective:
- Uses a map to store plugins by name
- Provides methods to register and retrieve plugins
- Has a proper constructor (NewPluginRegistry)
- Returns a boolean status with GetPlugin to safely handle missing plugins
This design allows for efficient plugin lookup while avoiding panics for unavailable plugins.
60-63: Global registry access with RegisterAuthPlugin.This helper function simplifies plugin registration by accessing the global registry, following a common pattern in Go libraries. This makes it easy for both built-in and external plugins to register themselves.
auth_ed25519.go (4)
1-8: License and package header look good.
No issues found in the licensing block or package declaration.
16-19: Struct definition is straightforward.
EmbeddingSimpleAuthaligns with the plugin-based design. No immediate concerns.
21-23: Plugin registration is correct.
RegisterAuthPlugininvocation follows the new authentication system’s pattern.
25-27: Plugin name retrieval is fine.
The function name and return value match plugin naming conventions.auth_test.go (41)
53-55: Initiating OldPasswordPlugin in test.
Constructing the plugin directly is acceptable for targeted testing. No issues.
122-122: Invocation of handleAuthResult.
Looks consistent with new multi-step auth approach.
137-138: Retrieving plugin from registry and calling InitAuth.
This is correct and aligns with the plugin-based design.
179-186: Setting up plugin and verifying handshake response flow.
Combining registry lookup withInitAuthis correct. The subsequentwriteHandshakeResponsePacketcall properly handles the returned bytes.
236-237: Caching SHA2 plugin retrieval and initialization.
Implementation follows the same pattern as other plugins. No issues.
289-290: Secure plugin initialization.
Reading from registry and callingInitAuthis consistent.
346-347: Cleartext password plugin retrieval and InitAuth check.
This test ensures errors are returned when not allowed. Logic is fine.
364-365: Acquiring plugin instance and retrieving auth response.
Matches the plugin design. Good coverage for empty password.
391-391: handleAuthResult usage.
Consistent approach to finalizing authentication.
407-408: Same pattern for plugin acquisition and initialization.
Design is uniform—straightforward test validation.
511-511: InitAuth with native password plugin in test.
Implementation is correct, verifying empty password logic.
553-553: sha256_password plugin test.
Empty password scenario is covered. Appropriately tested.
602-602: SHA256 password plugin retrieval & initialization.
No issues—standard plugin usage.
631-631: handleAuthResult for RSA scenario.
Ensures RSA logic is properly tested.
652-652: SHA256 plugin with custom pubKey.
Test coverage is thorough, ensuring plugin handles configured RSA key.
685-685: sha256_password plugin with secure connection.
Test ensures fallback to sending decrypted password over TLS. Implementation is correct.
714-714: handleAuthResult final check.
Standard multi-step auth logic, no issues.
741-741: Auth switch with &NativePasswordPlugin{}.
Matches plugin-based approach. No concerns.
773-773: handleAuthResult with empty password.
Trivial test scenario is validated.
807-807: Multi-step RSA-based handshake switch.
Test ensures partial hush vs. final hush approach. No issues.
849-849: Authorization switch with provided pubKey.
Flow is consistent with the plugin’s logic.
889-889: handleAuthResult for secure SHA256.
Ensures it sends cleartext password if TLS is verified. Good coverage.
913-913: Invalid plugin switch for cleartext password.
Expects error. Aligned with new plugin design.
935-935: handleAuthResult with explicit plugin object.
Demonstrates multi-auth switch for cleartext password.
959-959: Empty password old auth test.
Ensures correct fallback or error.
979-979: Disallow old password scenario.
Tests the config-based restriction. Good coverage.
1001-1001: Handling native password switch with non-empty password.
Ensures the scramble is created properly.
1029-1029: Empty password with native password switch.
Covered scenario; no issues.
1047-1047: handleAuthResult for old password not allowed.
Correctly returnsErrOldPassword. Test logic is fine.
1062-1062: handleAuthResult for old password with OldAuthSwitch request.
Same approach, verifying it fails.
1084-1084: Allowed old passwords.
Ensures scramble logic is tested.
1109-1109: Handling OldAuthSwitch with allowed old passwords.
Test confirms fallback is correct.
1132-1132: Handling old password with empty credentials.
Test ensures short-circuit for empty password.
1155-1155: Confirm empty old password switch.
No issues. Good coverage for an edge case.
1180-1180: Auth switch for sha256 with empty plugin data.
Verifies no crash or unexpected errors.
1211-1211: RSA-based pub key response.
Ensures correctness of encryption step.
1243-1243: RSA-based key scenario with custom pubKey.
Ensures no break with user-provided key.
1275-1275: Secure connection usage.
Checks fallback to sending password in cleartext over TLS.
1315-1319: Verifying Ed25519 client output.
Checks 64-byte response correctness, ensuring the derived signature matches expectations. Logic is correct.
1335-1370: TestMultiAuthSimpleSwitch.
Demonstrates multi-step switch fromcaching_sha2_passwordtomysql_clear_password. Asserts the correct handshake sequence is written.
1372-1413: TestMultiAuthSwitch.
Similar multi-step example, now adding RSA pub key steps before switching to cleartext. Thorough test coverage of multi-factor flow.auth_old_password.go (6)
1-8: License and package declaration.
No concerns with the added header.
11-16: Plugin struct registration.
EmbeddingSimpleAuthand registering undermysql_old_passwordis consistent with the new system.
18-20: Plugin name retrieval.
Matches the typical plugin naming pattern. No issues.
22-33: InitAuth method for old password.
Properly checksAllowOldPasswordsconfig flag. ThescrambleOldPasswordcall is restricted to the first 8 bytes of the server scramble, matching MySQL’s old approach. This is correct for pre-4.1 style.
35-55: scrambleOldPassword implementation.
The code matches the historical MySQL algorithm, including skipping tabs/spaces and performing an insecure hash-based scramble. The approach is intentionally insecure but historically compatible. No immediate issues beyond inherent weakness of the scheme.
57-109: myRnd and pwHash logic.
Implements the legacy MySQL random generator and two-component hashing precisely. This is correct for old-style password scrambling.auth_caching_sha2.go (12)
19-24: Clean separation of the plugin struct.
EmbeddingAuthPlugininCachingSha2PasswordPluginaligns well with the new plugin-based approach, making the design modular and maintainable.
26-28: Automatic plugin registration.
Registering the plugin in theinit()function ensures it is discovered without additional user code, improving developer experience.
30-32: Correct and consistent plugin name.
Returning"caching_sha2_password"matches MySQL’s official plugin name and fulfills theAuthPlugininterface requirement.
34-42: Clear initial scramble implementation.
Delegating the scrambling logic toscrambleSHA256Passwordkeeps the implementation focused and maintainable.
55-57: Empty packet handling.
It's good to error on an empty authentication response packet. Confirm there's no valid scenario in which the server sends an empty packet mid-auth.
59-62: iERR case verification.
Returning(packet, nil)foriERRrelies on higher-level logic to recognize an error packet. Double-check that the caller properly treats it as an error and does not inadvertently proceed.
63-66: Fast auth success scenario.
This path indicates an immediate indication of success and proceeds tomc.readPacket(). Ensure this matches MySQL's spec for cached credentials with zero extended data.
75-127: Validate cleartext sending logic.
When TLS or a Unix socket is used, the password is sent in cleartext. Verify if you need to respectAllowCleartextPasswordsor similar flags to avoid unexpected exposures.
129-131: Clear error for unknown state.
Throwing an error on unrecognized state ensures robust error handling and quicker debugging.
133-135: Unexpected packet length fallback.
Raising an error for mismatched lengths prevents subtle protocol mishandling.
136-139: Failsafe for invalid packet types.
Rejecting unknown packet types maintains stability, ensuring the driver doesn’t silently ignore server anomalies.
141-176: MySQL 8+ scramble algorithm.
The three-step SHA256-based hashing followed by XOR is consistent with caching_sha2_password specification.auth_sha256.go (5)
20-22: Struct embedding for sha256_password plugin.
Adhering to the same plugin pattern keeps authentication logic uniform across plugins.
24-26: Init-based plugin registration.
Similar to the other plugins, this ensures the plugin is discovered and available at runtime.
28-30: Accurate plugin naming.
"sha256_password" properly identifies the authentication method for MySQL and matches server expectations.
32-62: Comprehensive InitAuth logic.
Handles empty passwords, TLS-based cleartext, RSA encryption fallback, and public key requests. Confirm any relevantAllowCleartextPasswordsor usage constraints are enforced as needed.
64-105: ContinuationAuth multi-step support.
The switch statement properly handles OK, error, or public-key retrieval. Double-check iERR handling to ensure the caller interprets the error scenario correctly.auth.go (6)
12-12: Introducing thebytesimport.
Used to parse and locate the plugin name from null-terminated data, which is appropriate within packet parsing logic.
59-65: Guard against infinite re-auth loops.
LimitingremainingSwitchavoids potential recursion issues in multi-factor or repeated authentication switch scenarios.
67-79: Delegation toContinuationAuth.
Continuing the authentication flow via the plugin maintains modular design. Ensure the returned packet is consistently valid for follow-up logic.
80-85: Direct handling of OK/ERR.
Returning the result or error packet as-is is concise. Validate that a server error viaiERRis recognized upstream.
86-104: Auth switch recursion with new plugin.
Efficiently fetches next plugin from the registry and re-invokes auth logic, decrementingremainingSwitch. This structure elegantly supports multi-step authentication.
110-132: Plugin name extraction.
Automatically falls back tomysql_old_passwordif only a single byte remains, preserving legacy compatibility. Good approach for older server versions.
|
|
| // mysql.RegisterServerPubKey("mykey", rsaPubKey) | ||
| // } else { | ||
| // log.Fatal("not a RSA public key") | ||
| // } |
| } | ||
|
|
||
| // PluginRegistry is a registry of available authentication plugins | ||
| type PluginRegistry struct { |
There was a problem hiding this comment.
Why is this public?
I don't want add library surface as much as possible because every surface can be technical debt.
| } | ||
|
|
||
| // NewPluginRegistry creates a new plugin registry | ||
| func NewPluginRegistry() *PluginRegistry { |
There was a problem hiding this comment.
same here. make it private unless strict necessary.
| dials map[string]DialContextFunc | ||
| dialsLock sync.RWMutex | ||
| dials map[string]DialContextFunc | ||
| globalPluginRegistry = NewPluginRegistry() |
There was a problem hiding this comment.
| globalPluginRegistry = NewPluginRegistry() | |
| pluginRegistry = NewPluginRegistry() |
| // GetPluginName returns the name of the authentication plugin | ||
| GetPluginName() string |
There was a problem hiding this comment.
| // GetPluginName returns the name of the authentication plugin | |
| GetPluginName() string | |
| // PluginName returns the name of the authentication plugin | |
| PluginName() string |
| // packet is the data from the server's auth response | ||
| // authData is the initial auth data from the server | ||
| // conn is the MySQL connection (for performing additional interactions if needed) | ||
| ContinuationAuth(packet []byte, authData []byte, conn *mysqlConn) ([]byte, error) |
There was a problem hiding this comment.
Can external plugins use mysqlConn?
We should not expose plugin interface until its design is complete and stable.
|
Maybe, its time to use internal package. |
Description
authentication has been revamp. this is a simplification of #1694, without new authentication plugin addition, since it's already a big change.
Current implementation was requiring authentication switch plugins data to begin with iAuthMoreData, but that's only required for "caching_sha2_password" and "sha256_password" plugins.
Additionally, now permits multi-authentication (in mariadb: https://mariadb.com/kb/en/create-user/#identified-viawith-authentication_plugin / mysql: https://dev.mysql.com/doc/refman/8.0/en/multifactor-authentication.html)
goal is to add MariaDB main authentication plugins (like parsec, PAM, GSSAPI, ...) based on plugin like this
Checklist
Summary by CodeRabbit
New Features
Bug Fixes
Refactor
Chores