mongodb · matthewdale · Jun 17, 2025 · Jun 28, 2025 · Jun 28, 2025
@@ -68,7 +68,7 @@ type ContextDialer interface {
 // Credential can be used to provide authentication options when configuring a Client.
 //
 // AuthMechanism: the mechanism to use for authentication. Supported values include "SCRAM-SHA-256", "SCRAM-SHA-1",
-// "MONGODB-CR", "PLAIN", "GSSAPI", "MONGODB-X509", and "MONGODB-AWS". This can also be set through the "authMechanism"
+// "PLAIN", "GSSAPI", "MONGODB-X509", and "MONGODB-AWS". This can also be set through the "authMechanism"
 // URI option. (e.g. "authMechanism=PLAIN"). For more information, see
 // https://www.mongodb.com/docs/manual/core/authentication-mechanisms/.
 //

@@ -11,6 +11,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"go.mongodb.org/mongo-driver/v2/mongo/address"
 	"go.mongodb.org/mongo-driver/v2/x/mongo/driver"
@@ -31,7 +32,6 @@ func init() {
 	RegisterAuthenticatorFactory("", newDefaultAuthenticator)
 	RegisterAuthenticatorFactory(SCRAMSHA1, newScramSHA1Authenticator)
 	RegisterAuthenticatorFactory(SCRAMSHA256, newScramSHA256Authenticator)
-	RegisterAuthenticatorFactory(MONGODBCR, newMongoDBCRAuthenticator)
 	RegisterAuthenticatorFactory(PLAIN, newPlainAuthenticator)
 	RegisterAuthenticatorFactory(GSSAPI, newGSSAPIAuthenticator)
 	RegisterAuthenticatorFactory(MongoDBX509, newMongoDBX509Authenticator)
@@ -41,6 +41,12 @@ func init() {
 
 // CreateAuthenticator creates an authenticator.
 func CreateAuthenticator(name string, cred *Cred, httpClient *http.Client) (Authenticator, error) {
+	// Return a custom error to indicate why auth mechanism "MONGODB-CR" is
+	// missing, even though it was previously available.
+	if strings.EqualFold(name, "MONGODB-CR") {
+		return nil, errors.New(`auth mechanism "MONGODB-CR" is no longer available in any supported version of MongoDB`)
+	}
+
 	if f, ok := authFactories[name]; ok {
 		return f(cred, httpClient)
 	}

@@ -8,6 +8,7 @@ package auth_test
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"testing"
@@ -29,11 +30,12 @@ func TestCreateAuthenticator(t *testing.T) {
 		name   string
 		source string
 		auth   auth.Authenticator
+		err    error
 	}{
 		{name: "", auth: &auth.DefaultAuthenticator{}},
 		{name: "SCRAM-SHA-1", auth: &auth.ScramAuthenticator{}},
 		{name: "SCRAM-SHA-256", auth: &auth.ScramAuthenticator{}},
-		{name: "MONGODB-CR", auth: &auth.MongoDBCRAuthenticator{}},
+		{name: "MONGODB-CR", err: errors.New(`auth mechanism "MONGODB-CR" is no longer available in any supported version of MongoDB`)},
 		{name: "PLAIN", auth: &auth.PlainAuthenticator{}},
 		{name: "MONGODB-X509", auth: &auth.MongoDBX509Authenticator{}},
 	}
@@ -47,6 +49,10 @@ func TestCreateAuthenticator(t *testing.T) {
 			}
 
 			a, err := auth.CreateAuthenticator(test.name, cred, &http.Client{})
+			if test.err != nil {
+				require.EqualError(t, err, test.err.Error())
+				return
+			}
 			require.NoError(t, err)
 			require.IsType(t, test.auth, a)
 		})

@@ -32,8 +32,8 @@ func newDefaultAuthenticator(cred *Cred, httpClient *http.Client) (Authenticator
 	}, nil
 }
 
-// DefaultAuthenticator uses SCRAM-SHA-1 or MONGODB-CR depending
-// on the server version.
+// DefaultAuthenticator uses SCRAM-SHA-1 or SCRAM-SHA-256, depending on the
+// server's SASL supported mechanisms.
 type DefaultAuthenticator struct {
 	Cred *Cred
 
@@ -53,18 +53,20 @@ func (a *DefaultAuthenticator) CreateSpeculativeConversation() (SpeculativeConve
 
 // Auth authenticates the connection.
 func (a *DefaultAuthenticator) Auth(ctx context.Context, cfg *driver.AuthConfig) error {
-	var actual Authenticator
-	var err error
-
-	switch chooseAuthMechanism(cfg) {
-	case SCRAMSHA256:
-		actual, err = newScramSHA256Authenticator(a.Cred, a.httpClient)
-	case SCRAMSHA1:
-		actual, err = newScramSHA1Authenticator(a.Cred, a.httpClient)
-	default:
-		actual, err = newMongoDBCRAuthenticator(a.Cred, a.httpClient)
-	}
+	actual, err := func() (Authenticator, error) {
+		// If a server provides a list of supported mechanisms, we choose
+		// SCRAM-SHA-256 if it exists or else MUST use SCRAM-SHA-1.
+		// Otherwise, we decide based on what is supported.
+		if saslSupportedMechs := cfg.HandshakeInfo.SaslSupportedMechs; saslSupportedMechs != nil {
+			for _, v := range saslSupportedMechs {
+				if v == SCRAMSHA256 {
+					return newScramSHA256Authenticator(a.Cred, a.httpClient)
+				}
+			}
+		}
 
+		return newScramSHA1Authenticator(a.Cred, a.httpClient)
+	}()
 	if err != nil {
 		return newAuthError("error creating authenticator", err)
 	}
@@ -76,18 +78,3 @@ func (a *DefaultAuthenticator) Auth(ctx context.Context, cfg *driver.AuthConfig)
 func (a *DefaultAuthenticator) Reauth(_ context.Context, _ *driver.AuthConfig) error {
 	return newAuthError("DefaultAuthenticator does not support reauthentication", nil)
 }
-
-// If a server provides a list of supported mechanisms, we choose
-// SCRAM-SHA-256 if it exists or else MUST use SCRAM-SHA-1.
-// Otherwise, we decide based on what is supported.
-func chooseAuthMechanism(cfg *driver.AuthConfig) string {
-	if saslSupportedMechs := cfg.HandshakeInfo.SaslSupportedMechs; saslSupportedMechs != nil {
-		for _, v := range saslSupportedMechs {
-			if v == SCRAMSHA256 {
-				return v
-			}
-		}
-	}
-
-	return SCRAMSHA1
-}
@@ -197,3 +197,10 @@ func TestPlainAuthenticator_SucceedsBoolean(t *testing.T) {
 	)
 	compareResponses(t, <-c.Written, expectedCmd, "$external")
 }
+
+func writeReplies(c chan []byte, docs ...bsoncore.Document) {
+	for _, doc := range docs {
+		reply := drivertest.MakeReply(doc)
+		c <- reply
+	}
+}