Unexport Credential methods

Author: ramnes

server/auth.go

@@ -67,14 +67,14 @@ func scrambleValidation(cached, nonce, scramble []byte) bool {
 
 func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential Credential) error {
 	if len(clientAuthData) == 0 {
-		if credential.HasEmptyPassword() {
+		if credential.hasEmptyPassword() {
 			return nil
 		}
 		return ErrAccessDeniedNoPassword
 	}
 
 	for _, password := range credential.Passwords {
-		hash, err := credential.HashPassword(password)
+		hash, err := credential.hashPassword(password)
 		if err != nil {
 			continue
 		}
@@ -92,7 +92,7 @@ func (c *Conn) compareNativePasswordAuthData(clientAuthData []byte, credential C
 func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential Credential) error {
 	// Empty passwords are not hashed, but sent as empty string
 	if len(clientAuthData) == 0 {
-		if credential.HasEmptyPassword() {
+		if credential.hasEmptyPassword() {
 			return nil
 		}
 		return ErrAccessDeniedNoPassword
@@ -119,7 +119,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 		}
 	}
 	for _, password := range credential.Passwords {
-		hash, err := credential.HashPassword(password)
+		hash, err := credential.hashPassword(password)
 		if err != nil {
 			continue
 		}
@@ -137,7 +137,7 @@ func (c *Conn) compareSha256PasswordAuthData(clientAuthData []byte, credential C
 func (c *Conn) compareCacheSha2PasswordAuthData(clientAuthData []byte) error {
 	// Empty passwords are not hashed, but sent as empty string
 	if len(clientAuthData) == 0 {
-		if c.credential.HasEmptyPassword() {
+		if c.credential.hasEmptyPassword() {
 			return nil
 		}
 		return ErrAccessDeniedNoPassword

server/auth_switch_response.go

@@ -72,14 +72,14 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 
 func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {
 	if len(clientAuthData) == 0 {
-		if credential.HasEmptyPassword() {
+		if credential.hasEmptyPassword() {
 			return nil
 		}
 		return ErrAccessDeniedNoPassword
 	}
 
 	for _, password := range credential.Passwords {
-		hash, err := credential.HashPassword(password)
+		hash, err := credential.hashPassword(password)
 		if err != nil {
 			continue
 		}

server/authentication_handler.go

@@ -16,7 +16,8 @@ import (
 // if the password in a third-party auth handler could be updated at runtime, we have to invalidate the caching
 // for 'caching_sha2_password' by calling 'func (s *Server)InvalidateCache(string, string)'.
 type AuthenticationHandler interface {
-	// get user credential (supports multiple valid passwords per user)
+	// GetCredential returns the user credential (supports multiple valid passwords per user).
+	// Implementations must be safe for concurrent use.
 	GetCredential(username string) (credential Credential, found bool, err error)
 
 	// OnAuthSuccess is called after successful authentication, before the OK packet.
@@ -45,8 +46,8 @@ type Credential struct {
 	AuthPluginName string
 }
 
-// HashPassword computes the password hash for a given password using the credential's auth plugin.
-func (c Credential) HashPassword(password string) (string, error) {
+// hashPassword computes the password hash for a given password using the credential's auth plugin.
+func (c Credential) hashPassword(password string) (string, error) {
 	if password == "" {
 		return "", nil
 	}
@@ -69,8 +70,8 @@ func (c Credential) HashPassword(password string) (string, error) {
 	}
 }
 
-// HasEmptyPassword returns true if any password in the credential is empty.
-func (c Credential) HasEmptyPassword() bool {
+// hasEmptyPassword returns true if any password in the credential is empty.
+func (c Credential) hasEmptyPassword() bool {
 	return slices.Contains(c.Passwords, "")
 }