JVMCBC-1706 (followup) Prevent switching authenticator types

dnault · dnault · commit fa9e6a583907 · 2026-01-27T06:01:40.000Z
Motivation ---------- Prevent edge cases where the new authenticator doesn't support features required by old connections authenticated with the previous authenticator. For example, if we allowed switching from Password to Certificate, HTTP requests on old password-auth connections would be missing the auth header, since CertificateAuthenticator doesn't set HTTP headers. Modifications ------------- Add the authenticator type check. Update the API reference documentation. Change-Id: I2ab3c4c6fb1a7765384f9827408aadf67f05aa25 Reviewed-on: https://review.couchbase.org/c/couchbase-jvm-clients/+/239130 Reviewed-by: David Nault <david.nault@couchbase.com> Tested-by: Build Bot <build@couchbase.com>
diff --git a/core-io/src/main/java/com/couchbase/client/core/Core.java b/core-io/src/main/java/com/couchbase/client/core/Core.java
@@ -1027,12 +1027,24 @@ public Authenticator authenticator() {
 
   @Override
   public void authenticator(Authenticator newAuthenticator) {
+    requireSameClass(authenticator.wrapped(), newAuthenticator);
+
     this.authenticator.setDelegate(newAuthenticator);
     if (newAuthenticator.getSingleStepSaslAuthParameters() != null) {
       authenticationRefreshTriggers.publish(AuthenticationRefreshTrigger.INSTANCE);
     }
   }
 
+  static void requireSameClass(Authenticator currentAuth, Authenticator newAuth) {
+    Class<?> currentClass = currentAuth.getClass();
+    Class<?> newClass = newAuth.getClass();
+    if (!newClass.equals(currentClass)) {
+      throw InvalidArgumentException.fromMessage (
+        "Switching authenticator types is not supported; cannot switch from " + currentClass + " to " + newClass
+      );
+    }
+  }
+
   @Stability.Internal
   public AppTelemetryCollector appTelemetryCollector() { return appTelemetry.collector; }
 
diff --git a/core-io/src/main/java/com/couchbase/client/core/CoreProtostellar.java b/core-io/src/main/java/com/couchbase/client/core/CoreProtostellar.java
@@ -69,6 +69,7 @@
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ConcurrentHashMap;
 
+import static com.couchbase.client.core.Core.requireSameClass;
 import static com.couchbase.client.core.api.CoreCouchbaseOps.checkConnectionStringScheme;
 import static com.couchbase.client.core.logging.RedactableArgument.redactSystem;
 import static com.couchbase.client.core.util.CbCollections.mapOf;
@@ -228,6 +229,8 @@ public Authenticator authenticator() {
 
   @Override
   public void authenticator(Authenticator newAuthenticator) {
+    requireSameClass(authenticator.wrapped(), newAuthenticator);
+
     this.authenticator.setDelegate(newAuthenticator);
   }
 
diff --git a/core-io/src/main/java/com/couchbase/client/core/env/DelegatingAuthenticator.java b/core-io/src/main/java/com/couchbase/client/core/env/DelegatingAuthenticator.java
@@ -58,7 +58,7 @@ public void setDelegate(Authenticator delegate) {
     setDelegate(delegate);
   }
 
-  protected Authenticator wrapped() {
+  public Authenticator wrapped() {
     return delegate;
   }
 
diff --git a/java-client/src/main/java/com/couchbase/client/java/AsyncCluster.java b/java-client/src/main/java/com/couchbase/client/java/AsyncCluster.java
@@ -265,6 +265,9 @@ String clusterToStringHelper(Class clusterClass) {
     ));
   }
 
+  /**
+   * @see Cluster#authenticator(Authenticator)
+   */
   public void authenticator(Authenticator newAuthenticator) {
     couchbaseOps.authenticator(newAuthenticator);
   }
diff --git a/java-client/src/main/java/com/couchbase/client/java/Cluster.java b/java-client/src/main/java/com/couchbase/client/java/Cluster.java
@@ -24,10 +24,12 @@
 import com.couchbase.client.core.diagnostics.DiagnosticsResult;
 import com.couchbase.client.core.diagnostics.PingResult;
 import com.couchbase.client.core.env.Authenticator;
+import com.couchbase.client.core.env.JwtAuthenticator;
 import com.couchbase.client.core.env.OwnedOrExternal;
 import com.couchbase.client.core.env.PasswordAuthenticator;
 import com.couchbase.client.core.env.SeedNode;
 import com.couchbase.client.core.error.CouchbaseException;
+import com.couchbase.client.core.error.InvalidArgumentException;
 import com.couchbase.client.core.error.TimeoutException;
 import com.couchbase.client.core.error.context.ReducedQueryErrorContext;
 import com.couchbase.client.core.util.ConnectionString;
@@ -317,6 +319,26 @@ public ReactiveCluster reactive() {
     return reactiveCluster;
   }
 
+  /**
+   * Sets the authenticator used by the client.
+   * <p>
+   * Use this method to update a client certificate or JSON Web Token (JWT)
+   * before it expires.
+   * <p>
+   * The new authenticator must be of the same class as the existing authenticator.
+   * <p>
+   * If the new authenticator is a {@link JwtAuthenticator}, the new credential is
+   * immediately applied to all existing server connections.
+   * <p>
+   * <b>CAVEAT:</b> For all other types of authenticators, the new credential takes effect
+   * at an unspecified time in the future. Existing connections might continue
+   * to use the old credential indefinitely, while newly created connections
+   * are authenticated with the new credential. Consequently, changing to a credential
+   * with different privileges is strongly discouraged.
+   *
+   * @param newAuthenticator The authenticator bearing the updated user credential.
+   * @throws InvalidArgumentException If the given authenticator is a different type than the existing authenticator.
+   */
   public void authenticator(Authenticator newAuthenticator) {
     asyncCluster.authenticator(newAuthenticator);
   }
diff --git a/java-client/src/main/java/com/couchbase/client/java/ReactiveCluster.java b/java-client/src/main/java/com/couchbase/client/java/ReactiveCluster.java
@@ -188,6 +188,9 @@ private ReactiveCluster(
     this.reactor = asyncCluster.environment();
   }
 
+  /**
+   * @see Cluster#authenticator(Authenticator)
+   */
   public void authenticator(Authenticator newAuthenticator) {
     asyncCluster.authenticator(newAuthenticator);
   }
diff --git a/kotlin-client/src/main/kotlin/com/couchbase/client/kotlin/Cluster.kt b/kotlin-client/src/main/kotlin/com/couchbase/client/kotlin/Cluster.kt
@@ -27,6 +27,7 @@ import com.couchbase.client.core.diagnostics.HealthPinger
 import com.couchbase.client.core.env.Authenticator
 import com.couchbase.client.core.env.CertificateAuthenticator
 import com.couchbase.client.core.env.ConnectionStringPropertyLoader
+import com.couchbase.client.core.env.JwtAuthenticator
 import com.couchbase.client.core.env.PasswordAuthenticator
 import com.couchbase.client.core.error.UnambiguousTimeoutException
 import com.couchbase.client.core.service.ServiceType
@@ -123,6 +124,26 @@ public class Cluster internal constructor(
     private val couchbaseOps = CoreCouchbaseOps.create(env, initialAuthenticator, connectionString)
     private val searchOps = couchbaseOps.searchOps(null)
 
+    /**
+     * Sets the authenticator used by the client.
+     *
+     * Use this method to update a client certificate or JSON Web Token (JWT)
+     * before it expires.
+     *
+     * The new authenticator must be of the same class as the existing authenticator.
+     *
+     * If the new authenticator is a [JwtAuthenticator], the new credential is
+     * immediately applied to all existing server connections.
+     *
+     * **CAVEAT:** For all other types of authenticators, the new credential takes effect
+     * at an unspecified time in the future. Existing connections might continue
+     * to use the old credential indefinitely, while newly created connections
+     * are authenticated with the new credential. Consequently, changing to a credential
+     * with different privileges is strongly discouraged.
+     *
+     * @throws com.couchbase.client.core.error.InvalidArgumentException
+     * If the given authenticator is a different type than the existing authenticator.
+     */
     public var authenticator: Authenticator
         @Deprecated("Property 'authenticator' is write-only.", level = DeprecationLevel.ERROR)
         get() = throw UnsupportedOperationException()
diff --git a/scala-client/src/main/scala/com/couchbase/client/scala/AsyncClusterBase.scala b/scala-client/src/main/scala/com/couchbase/client/scala/AsyncClusterBase.scala
@@ -106,12 +106,7 @@ trait AsyncClusterBase { this: AsyncCluster =>
     new AsyncBucket(bucketName, couchbaseOps, environment)
   }
 
-  /** Sets a new authenticator, that will be used for any future connections created to Couchbase services.
-    *
-    * Note that existing connections will not be terminated.
-    *
-    * This method is thread-safe.
-    */
+  /** @see [[ClusterBase.authenticator]] */
   def authenticator(authenticator: Authenticator): Try[Unit] = {
     Try(couchbaseOps.authenticator(authenticator))
   }
diff --git a/scala-client/src/main/scala/com/couchbase/client/scala/ClusterBase.scala b/scala-client/src/main/scala/com/couchbase/client/scala/ClusterBase.scala
@@ -19,7 +19,7 @@ package com.couchbase.client.scala
 import com.couchbase.client.core.annotation.Stability
 import com.couchbase.client.core.annotation.Stability.Uncommitted
 import com.couchbase.client.core.diagnostics._
-import com.couchbase.client.core.env.{Authenticator, PasswordAuthenticator}
+import com.couchbase.client.core.env.{Authenticator, JwtAuthenticator, PasswordAuthenticator}
 import com.couchbase.client.core.transaction.CoreTransactionsReactive
 import com.couchbase.client.core.util.ConnectionString
 import com.couchbase.client.core.util.ConnectionStringUtil.asConnectionString
@@ -82,11 +82,23 @@ trait ClusterBase { this: Cluster =>
     new Bucket(async.bucket(bucketName))
   }
 
-  /** Sets a new authenticator, that will be used for any future connections created to Couchbase services.
+  /** Sets the authenticator used by the client.
     *
-    * Note that existing connections will not be terminated.
+    * Use this method to update a client certificate or JSON Web Token (JWT)
+    * before it expires.
     *
-    * This method is thread-safe.
+    * The new authenticator must be of the same class as the existing authenticator.
+    *
+    * If the new authenticator is a [[JwtAuthenticator]], the new credential is
+    * immediately applied to all existing server connections.
+    *
+    * <b>CAVEAT:</b> For all other types of authenticators, the new credential takes effect
+    * at an unspecified time in the future. Existing connections might continue
+    * to use the old credential indefinitely, while newly created connections
+    * are authenticated with the new credential. Consequently, changing to a credential
+    * with different privileges is strongly discouraged.
+    *
+    * @param authenticator The authenticator bearing the updated user credential.
     */
   def authenticator(authenticator: Authenticator): Try[Unit] = {
     async.authenticator(authenticator)

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ public void setDelegate(Authenticator delegate) {`
`58`	`58`	`setDelegate(delegate);`
`59`	`59`	`}`
`60`	`60`
`61`		`- protected Authenticator wrapped() {`
	`61`	`+ public Authenticator wrapped() {`
`62`	`62`	`return delegate;`
`63`	`63`	`}`
`64`	`64`
Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,9 @@ String clusterToStringHelper(Class clusterClass) {`
`265`	`265`	`));`
`266`	`266`	`}`
`267`	`267`
	`268`	`+ /**`
	`269`	`+ * @see Cluster#authenticator(Authenticator)`
	`270`	`+ */`
`268`	`271`	`public void authenticator(Authenticator newAuthenticator) {`
`269`	`272`	`couchbaseOps.authenticator(newAuthenticator);`
`270`	`273`	`}`
Original file line number	Diff line number	Diff line change
`@@ -188,6 +188,9 @@ private ReactiveCluster(`
`188`	`188`	`this.reactor = asyncCluster.environment();`
`189`	`189`	`}`
`190`	`190`
	`191`	`+ /**`
	`192`	`+ * @see Cluster#authenticator(Authenticator)`
	`193`	`+ */`
`191`	`194`	`public void authenticator(Authenticator newAuthenticator) {`
`192`	`195`	`asyncCluster.authenticator(newAuthenticator);`
`193`	`196`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,12 +106,7 @@ trait AsyncClusterBase { this: AsyncCluster =>`
`106`	`106`	`new AsyncBucket(bucketName, couchbaseOps, environment)`
`107`	`107`	`}`
`108`	`108`
`109`		`- /** Sets a new authenticator, that will be used for any future connections created to Couchbase services.`
`110`		`- *`
`111`		`- * Note that existing connections will not be terminated.`
`112`		`- *`
`113`		`- * This method is thread-safe.`
`114`		`- */`
	`109`	`+ /** @see [[ClusterBase.authenticator]] */`
`115`	`110`	`def authenticator(authenticator: Authenticator): Try[Unit] = {`
`116`	`111`	`Try(couchbaseOps.authenticator(authenticator))`
`117`	`112`	`}`