Describe the bug
I launched a Redis Docker instance of Redis 7.0.5. I did not set a password for the default user.

```bash
root@a3f4913c94dd:/data# redis-cli -h localhost -p 6379
localhost:6379> scan 0
1) "0"
2) (empty array)
localhost:6379> set hello world ex 10
OK
localhost:6379> get hello
"world"
```

However, the `auth default foo` command works as follows.

```bash
root@a3f4913c94dd:/data# redis-cli -h localhost -p 6379
localhost:6379> auth default foo
OK
localhost:6379> set hello world ex 10
OK
localhost:6379> get hello
"world"
```
To reproduce
- Docker run

  ```bash
  ~ $ docker run --name tredis --rm -dit redis:7.0.5
  9563cebae4b40b67b62c974dc7b9bdab4b639f2baf7945b7deb1d6dd34153a70
  ```

- Get into the container.

  ```bash
  ~ $ docker exec -it tredis bash
  root@9563cebae4b4:/data#
  ```

- Issue the `auth` command.

  ```bash
  root@9563cebae4b4:/data# redis-cli
  127.0.0.1:6379> auth default foo
  OK
  ```
Expected behavior
As the default username does not require a password, `auth default foo` should error.
Additional information
```
127.0.0.1:6379> info server
# Server
redis_version:7.0.5
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:2e713f81c77ffebe
redis_mode:standalone
os:Linux 6.6.12-linuxkit aarch64
arch_bits:64
monotonic_clock:POSIX clock_gettime
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:10.2.1
process_id:1
process_supervised:no
run_id:767e986479167818d2cd7313a9e39fdf31772730
tcp_port:6379
server_time_usec:1728541379594873
uptime_in_seconds:196
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:488131
executable:/data/redis-server
config_file:
io_threads_active:0
```
Comment From: sundb
@outsinre it's not just an issue for default user.
```
ACL SETUSER foo ON +@all ~* nopass
AUTH foo abc
```

we should return an error, but it could be a breaking change. @oranagra
Comment From: oranagra
right, nopass means that any password will work. I imagine it was discussed in the past a few times.
i think that changing it now could be an unnecessary breaking change.
the only reason to fix it is that someone may be incorrectly assuming his server is password protected and safe, while it isn't. @yossigo @itamarhaber do you remember any discussion about this topic? what's your view on this? i prefer to leave it as is.
Comment From: outsinre
Seems if I issue `auth default` without an arbitrary string following it, then Redis correctly returns an error.
So, the behaviour is inconsistent?
Comment From: sundb
`auth default` means that your default user's password is `default`.
Comment From: itamarhaber
I don't recall previous discussions on that specific topic, and I agree we can leave it as is.
Comment From: outsinre
I came across this issue when I tried to authenticate with a Redis instance without a password enabled. The application returns OK and puts me under the illusion that the connection to Redis is protected.
By the way, I am curious about the ACL part of Redis. We can create a username and password via ACL after connecting to Redis without auth. But the username and password won't enforce auth for future connections. Does that mean Redis auth is enforced by listening ports at startup?
Comment From: sundb
> But the username and password won't enforce auth for future connections.
i can't follow it, do you mean that future connections will be able to connect without auth? or does it mean that you can still log in directly to the default user?
Comment From: outsinre
> > But the username and password won't enforce auth for future connections.
>
> i can't follow it, do you mean that future connections will be able to connect without auth? or does it mean that you can still log in directly to the default user?
I mean future connections will be able to connect without auth, though I added a username with password.
Comment From: sundb
@outsinre if so you should change the password of default user.
```
ACL SETUSER default ...
```
Comment From: outsinre
@sundb makes sense.
Seems the only way to enforce password connection is setting password for the default user?
Comment From: sundb
> @sundb makes sense.
> Seems the only way to enforce password connection is setting password for the default user?
yes, and it's better to enable protected mode to prevent external connections without password.
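The report above (`auth default foo` answered with OK) and oranagra's concern that an operator may wrongly believe the server is password protected both come down to one check: send `AUTH default` with a password that cannot be valid and see whether the server rejects it. The following is an added example, not code from this issue or from the Redis project; it speaks RESP2 directly over a socket and assumes the default host and port.

```python
import secrets
import socket

def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP2 array of bulk strings (what redis-cli sends)."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def parse_reply(buf: bytes):
    """Decode one RESP2 reply. Returns (value, remaining bytes); errors become Exception."""
    kind, rest = buf[:1], buf[1:]
    line, _, rest = rest.partition(b"\r\n")
    if kind == b"+":
        return line.decode(), rest
    if kind == b"-":
        return Exception(line.decode()), rest
    if kind == b":":
        return int(line), rest
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, rest          # null bulk string
        return rest[:n].decode(), rest[n + 2:]   # skip payload and its CRLF
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unexpected RESP prefix {kind!r}")

def auth_is_enforced(auth_reply) -> bool:
    """True only if AUTH with a random, unknowable password was rejected by the server."""
    return isinstance(auth_reply, Exception)

def probe(host="127.0.0.1", port=6379, timeout=3.0) -> bool:
    """Send AUTH default <random>; an OK reply means the default user is nopass."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("AUTH", "default", secrets.token_hex(16)))
        reply, _ = parse_reply(sock.recv(4096))
    return auth_is_enforced(reply)

if __name__ == "__main__":
    print("password enforced" if probe() else "default user is nopass: AUTH accepts any password")
```

A `False` result is the situation the thread describes and the cue to set a password on the default user with `ACL SETUSER default ...` (or `requirepass`) and to enable protected mode.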
Comment From: outsinre
@sundb how about this inconsistency? `auth default foo` is OK but `auth foo` errors.

```bash
root@a3f4913c94dd:/data# redis-cli
127.0.0.1:6379> scan 0
1) "0"
2) (empty array)
127.0.0.1:6379> auth default foo
OK
127.0.0.1:6379> auth foo
(error) ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
127.0.0.1:6379>
```
Comment From: sundb
@outsinre the behavior of `auth foo` should be the same as `auth default foo`.
just for historical reasons, one is requirepass and the other is ACL.
Comment From: ShooterIT
I think we should keep the current design for nopass users.
Maybe it already is a feature for some users. For ACL, we only store the hash of the password instead of the original, so an admin can just clear the password when users forget it, to let them access redis quickly.