Make sure to send using password: NO in auth switches as well

Author: ramnes

server/auth_switch_response.go

@@ -71,6 +71,12 @@ func (c *Conn) handleCachingSha2PasswordFullAuth(authData []byte) error {
 }
 
 func (c *Conn) checkSha2CacheCredentials(clientAuthData []byte, credential Credential) error {
+	if len(clientAuthData) == 0 {
+		if credential.Password == "" {
+			return nil
+		}
+		return ErrAccessDeniedNoPassword
+	}
 	match, err := auth.CheckHashingPassword([]byte(credential.Password), string(clientAuthData), mysql.AUTH_CACHING_SHA2_PASSWORD)
 	if match && err == nil {
 		return nil

server/auth_switch_response_test.go

@@ -0,0 +1,43 @@
+package server
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCheckSha2CacheCredentials_EmptyPassword(t *testing.T) {
+	tests := []struct {
+		name           string
+		clientAuthData []byte
+		serverPassword string
+		wantErr        error
+	}{
+		{
+			name:           "empty client auth, empty server password",
+			clientAuthData: []byte{},
+			serverPassword: "",
+			wantErr:        nil,
+		},
+		{
+			name:           "empty client auth, non-empty server password",
+			clientAuthData: []byte{},
+			serverPassword: "secret",
+			wantErr:        ErrAccessDeniedNoPassword,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Conn{
+				credential: Credential{Password: tt.serverPassword},
+			}
+			err := c.checkSha2CacheCredentials(tt.clientAuthData, c.credential)
+			if tt.wantErr == nil {
+				require.NoError(t, err)
+			} else {
+				require.ErrorIs(t, err, tt.wantErr)
+			}
+		})
+	}
+}