Remove assumption that the auth response is AuthenticateOk

yoshihikoueno · arp242 · commit 3815d03993a5 · 2026-01-24T16:33:06.000Z
pq currently assumes the message sent from the server after sending
PasswordMessage to be AuthenticationOk. However, this assumption doesn't
always stand as the server may send some other messages other than
AuthenticationOk such as another authentication request.

That occurs when lib/pq is trying to connect to a PgPool-II server,
where the following procedure is required as PgPool-II wants to have the
password in both Cleartext and MD5 formats:

	[Client -&gt; Server] StartupMessage
	[Server -&gt; Client] AuthenticationCleartextPassword
	[Client -&gt; Server] PasswordMessage
	[Server -&gt; Client] AuthenticationMD5Password
	[Client -&gt; Server] PasswordMessage
	[Server -&gt; Client] AuthenticationOk
	[Server -&gt; Client] ReadyForQuery

Current implementation of auth function of pq will fail if the message
after sending credentials is not AuthenticationOk, but we can just
return before checking it and let another loop of auth check it instead.

libpq does support handling multiple authentication requests, thus it
can connect to PgPool-II just fine with the procedure above. So making
pq check the message sent from the server after PasswordMessage will
solve the described issue and align its behavior with the official
client.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -83,6 +83,9 @@ newer. Previously PostgreSQL 8.4 and newer were supported.
 
 - Treat nil []byte in query parameters as nil/NULL rather than `""` ([#838]).
 
+- Accept multiple authentication methods before checking AuthOk, which improves
+  compatibility with PgPool-II ([#1188]).
+
 [`sslnegotiation`]: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-SSLNEGOTIATION
 [#595]: https://github.com/lib/pq/pull/595
 [#745]: https://github.com/lib/pq/pull/745
@@ -99,6 +102,7 @@ newer. Previously PostgreSQL 8.4 and newer were supported.
 [#1179]: https://github.com/lib/pq/pull/1179
 [#1180]: https://github.com/lib/pq/pull/1180
 [#1184]: https://github.com/lib/pq/pull/1184
+[#1188]: https://github.com/lib/pq/pull/1188
 [#1211]: https://github.com/lib/pq/pull/1211
 [#1212]: https://github.com/lib/pq/pull/1212
 [#1214]: https://github.com/lib/pq/pull/1214
diff --git a/conn.go b/conn.go
@@ -1227,50 +1227,22 @@ func (cn *conn) auth(r *readBuf, cfg Config) error {
 		return fmt.Errorf("pq: unknown authentication response: %s", code)
 	case proto.AuthReqKrb4, proto.AuthReqKrb5, proto.AuthReqCrypt, proto.AuthReqSSPI:
 		return fmt.Errorf("pq: unsupported authentication method: %s", code)
-
 	case proto.AuthReqOk:
 		return nil
 
 	case proto.AuthReqPassword:
 		w := cn.writeBuf(proto.PasswordMessage)
 		w.string(cfg.Password)
-		err := cn.send(w)
-		if err != nil {
-			return err
-		}
-
-		t, r, err := cn.recv()
-		if err != nil {
-			return err
-		}
-		if t != proto.AuthenticationRequest {
-			return fmt.Errorf("pq: unexpected password response: %q", t)
-		}
-		if r.int32() != int(proto.AuthReqOk) {
-			return fmt.Errorf("pq: unexpected authentication response: %q", t)
-		}
-		return nil
+		// Don't need to check AuthOk response here; auth() is called in a loop,
+		// which catches the errors and AuthReqOk responses.
+		return cn.send(w)
 
 	case proto.AuthReqMD5:
 		s := string(r.next(4))
 		w := cn.writeBuf(proto.PasswordMessage)
 		w.string("md5" + md5s(md5s(cfg.Password+cfg.User)+s))
-		err := cn.send(w)
-		if err != nil {
-			return err
-		}
-
-		t, r, err := cn.recv()
-		if err != nil {
-			return err
-		}
-		if t != proto.AuthenticationRequest {
-			return fmt.Errorf("pq: unexpected password response: %q", t)
-		}
-		if r.int32() != int(proto.AuthReqOk) {
-			return fmt.Errorf("pq: unexpected authentication response: %q", t)
-		}
-		return nil
+		// Same here.
+		return cn.send(w)
 
 	case proto.AuthReqGSS: // GSSAPI, startup
 		if newGss == nil {
