Description
Context
When using MongoDB with users created on a specific database (not admin), authentication fails unless authSource is explicitly provided.
This behavior is confusing because:
- Root users authenticate successfully
- Database-scoped users fail with "Authentication failed"
- No clear indication that authSource is the root cause
This has been reproduced consistently on MongoDB 8.x.
Root Cause
In the current connection logic, authSource is only set when the environment variable MONGO_AUTH_SOURCE exists.
If it is not set, authSource becomes null, and MongoDB defaults it to admin.
As a result:
- Users created inside a specific database (e.g. mydb) cannot authenticate
- Root users (stored in admin) work correctly
This behavior matches MongoDB’s default authentication rules, but the current default in AdminNeo makes non-admin users fail silently.
Impact
- Non-admin MongoDB users cannot log in
- Encourages unsafe use of root credentials
- Causes confusion for users managing multiple databases
- Common pitfall for MongoDB newcomers and production setups
Proposed Fix
If authSource is not explicitly defined, default it to the selected database instead of admin.
Current behavior
$Ra = getenv("MONGO_AUTH_SOURCE") ?: null;
Proposed change
$Ra = getenv("MONGO_AUTH_SOURCE") ?: $_c;
This preserves backward compatibility:
- Users who rely on MONGO_AUTH_SOURCE are unaffected
- Root users still work
- Database-scoped users authenticate correctly by default
Environment
- AdminNeo: 5.2.1
- MongoDB: 8.0
- PHP: 7.x
- Authentication mechanism: SCRAM-SHA-256
Additional Notes
This issue is not specific to MongoDB 8.0 and affects all versions where authentication is database-scoped.
I am happy to open a pull request if this approach is acceptable.
Chương Minh (VinaDB)
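
The precedence proposed in this issue, written out as an added example (not AdminNeo's code and not part of the original report). The function names, the sample user and the sample password are hypothetical; the sketch also covers a case the one-line change does not, falling back to admin when no database is selected.

```php
<?php
// Added example, not AdminNeo code. Function and parameter names are hypothetical.

/**
 * Pick the authentication database for a MongoDB login.
 * Precedence: explicit MONGO_AUTH_SOURCE, then the selected database,
 * then "admin" (what MongoDB assumes when nothing is given).
 */
function resolve_auth_source($envValue, $selectedDb)
{
    foreach ([$envValue, $selectedDb] as $candidate) {
        // getenv() returns false when unset; treat "" and whitespace as unset too.
        if (is_string($candidate) && trim($candidate) !== '') {
            return trim($candidate);
        }
    }
    return 'admin';
}

/** Build the URI options array (second argument of MongoDB\Driver\Manager). */
function build_uri_options($username, $password, $envValue, $selectedDb)
{
    return [
        'username'      => $username,
        'password'      => $password,
        'authMechanism' => 'SCRAM-SHA-256',
        'authSource'    => resolve_auth_source($envValue, $selectedDb),
    ];
}

// Constructed cases: [MONGO_AUTH_SOURCE value, selected database]
$cases = [
    'env set, db selected'   => ['admin', 'mydb'],
    'env unset, db selected' => [false, 'mydb'],
    'env empty, db selected' => ['', 'mydb'],
    'env unset, no db'       => [false, ''],
];
foreach ($cases as $label => $case) {
    list($env, $db) = $case;
    $opts = build_uri_options('appuser', 'example-password', $env, $db);
    printf("%-24s authSource=%s\n", $label, $opts['authSource']);
}
```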