Skip to content

feat(client): support custom authSource for SCRAM authentication#41

Merged
abnegate merged 2 commits into
mainfrom
feat-auth-source
Jul 8, 2026
Merged

feat(client): support custom authSource for SCRAM authentication#41
abnegate merged 2 commits into
mainfrom
feat-auth-source

Conversation

@abnegate

@abnegate abnegate commented Jul 7, 2026

Copy link
Copy Markdown
Member

What does this PR do?

SCRAM authentication (saslStart/saslContinue) was hardcoded to run against the admin database. That fails for deployments where the user is created in the application database itself (db.createUser() executed inside the target database) — a common pattern for per-database app users.

  • Auth accepts an authSource option (defaults to admin) and runs both SCRAM steps against it.
  • Client gains a trailing, optional authSource constructor parameter, passed through to Auth.

Fully backward compatible: omitted/null authSource behaves exactly as before.

Test plan

  • tests/AuthTest.php: asserts the default is admin and that a provided authSource is used for both start() and continue().
  • Verified live against mongo:8: a user created inside appdb fails SCRAM with the default (admin) and connects + writes successfully with authSource: 'appdb'.
  • Full suite: 28 tests / 104 assertions green; Pint and PHPStan clean.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added support for configuring a custom MongoDB authentication source (defaults to admin when not provided).
    • Connection/login now uses the specified authentication source consistently, including during authentication continuation.
  • Tests

    • Added PHPUnit coverage verifying the default authentication source behavior.
    • Added PHPUnit coverage verifying custom authentication source handling across both initial login and continuation flows.

SCRAM authentication was hardcoded to run against the admin database,
which fails when the MongoDB user was created in the application
database itself (db.createUser() run inside the target database). Add
an authSource option to Auth and a matching constructor parameter to
Client so callers can authenticate against the database that actually
holds the user. Defaults to admin, preserving existing behaviour.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 7, 2026 14:53

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e30a120f-a02f-4dbe-8d10-550195f18986

📥 Commits

Reviewing files that changed from the base of the PR and between 1d45f5f and 28ed5cd.

📒 Files selected for processing (1)
  • src/Client.php
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/Client.php

📝 Walkthrough

Walkthrough

Adds configurable MongoDB authSource support. Auth now stores and uses a configurable auth source in SASL start/continue payloads, Client accepts and forwards an optional authSource, and new tests cover default and custom behavior.

Changes

Configurable authSource

Layer / File(s) Summary
Auth class authSource field and command payloads
src/Auth.php
Adds a private authSource property initialized from options with default 'admin', and uses it in start() and continue() SASL command payloads.
Client constructor authSource parameter
src/Client.php
Adds an optional ?string $authSource = null constructor parameter with docblock guidance, and passes it as $authSource ?? 'admin' when constructing Auth.
AuthTest coverage for authSource
tests/AuthTest.php
Adds tests covering the default admin auth source, a provided authSource in start(), and preservation of authSource in continue().

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
    participant App
    participant Client
    participant Auth
    participant MongoDB

    App->>Client: __construct(..., authSource)
    Client->>Auth: new Auth(authcid, secret, authSource ?? 'admin')
    App->>Auth: start()
    Auth->>MongoDB: saslStart with authSource
    App->>Auth: continue()
    Auth->>MongoDB: saslContinue with authSource
Loading

Related Issues: None specified

Related PRs: None specified

Suggested labels: enhancement, tests

Suggested reviewers: None specified

🐰 A source once fixed, now set at will,
Through start and continue it travels still,
Defaulting to admin unless told,
With tests that keep the contract bold.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly states the main change: adding custom authSource support for SCRAM authentication in the client.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat-auth-source

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@greptile-apps

greptile-apps Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR makes the SCRAM authentication database configurable, fixing authentication failures for deployments where the MongoDB user is created inside the application database rather than admin.

  • Auth gains an authSource option (defaults to 'admin') that replaces the two hardcoded 'admin' strings in start() and continue().
  • Client exposes a new optional trailing ?string $authSource = null constructor parameter and passes it through to Auth; three new unit tests cover the default and the custom-source paths.

Confidence Score: 5/5

Safe to merge — the change is backward-compatible and touches only the SCRAM auth flow.

The change is minimal and well-scoped: two hardcoded strings replaced by a configurable property, with a sensible default, an optional constructor parameter, and matching test coverage. No existing behaviour is altered when the parameter is omitted.

No files require special attention.

Important Files Changed

Filename Overview
src/Auth.php Adds authSource property defaulting to 'admin'; replaces hardcoded 'admin' strings in start() and continue() return values with the property.
src/Client.php Adds optional trailing ?string $authSource = null constructor parameter; fills in previously missing @param docs for $tls and $tlsOptions; passes $authSource ?? 'admin' to Auth.
tests/AuthTest.php New test file covering default admin authSource, custom authSource in start(), and custom authSource in continue(); assertions are correct.

Reviews (2): Last reviewed commit: "Apply suggestion from @greptile-apps[bot..." | Re-trigger Greptile

Comment thread src/Client.php

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
src/Auth.php (1)

27-27: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Redundant default duplicated in Client.php.

Client::__construct passes $authSource ?? 'admin' into Auth, but Auth::__construct (Line 27) already defaults to 'admin' when the key is absent/null. Having the same default hardcoded in two places risks drift if the default ever changes.

Consider letting Client pass $authSource through as-is (including null) and rely solely on Auth's default.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/Auth.php` at line 27, The default auth source is duplicated between
Client::__construct and Auth::__construct, which can drift over time. Update
Client to pass the authSource value through unchanged, including null, and keep
the defaulting behavior only in Auth::__construct where $this->authSource is
set. Use the Auth constructor and Client constructor symbols to locate the call
site and remove the extra hardcoded 'admin' fallback.
tests/AuthTest.php (1)

10-55: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider a Client-level test for authSource pass-through.

These tests validate Auth directly, but the PR also changes Client::__construct to forward authSource to Auth. A small test (e.g., via reflection on the private $auth property, or exposing it for testing) would verify the cross-file wiring described in the PR objectives.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/AuthTest.php` around lines 10 - 55, Add a Client-level test for
authSource pass-through: the current AuthTest only covers Auth directly, but the
changed Client::__construct wiring should also be verified. Create a small test
around Client that confirms the private $auth instance receives the provided
authSource (for example by inspecting the Client::$auth property via reflection
or another test-only access path), and keep the existing Auth::start and
Auth::continue coverage as-is.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/Auth.php`:
- Line 27: The default auth source is duplicated between Client::__construct and
Auth::__construct, which can drift over time. Update Client to pass the
authSource value through unchanged, including null, and keep the defaulting
behavior only in Auth::__construct where $this->authSource is set. Use the Auth
constructor and Client constructor symbols to locate the call site and remove
the extra hardcoded 'admin' fallback.

In `@tests/AuthTest.php`:
- Around line 10-55: Add a Client-level test for authSource pass-through: the
current AuthTest only covers Auth directly, but the changed Client::__construct
wiring should also be verified. Create a small test around Client that confirms
the private $auth instance receives the provided authSource (for example by
inspecting the Client::$auth property via reflection or another test-only access
path), and keep the existing Auth::start and Auth::continue coverage as-is.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0a9b542b-9e71-4bd3-99e5-ce29d8565edc

📥 Commits

Reviewing files that changed from the base of the PR and between 0b0aac1 and 1d45f5f.

📒 Files selected for processing (3)
  • src/Auth.php
  • src/Client.php
  • tests/AuthTest.php

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
@abnegate abnegate merged commit 44eeb4d into main Jul 8, 2026
5 checks passed
@abnegate abnegate deleted the feat-auth-source branch July 8, 2026 04:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants