lost status 'STATUS_EOF' for authentication when using 'MD5' or 'scram-sha-256'

Hello:

  I'm an extension writer and I wrote an extension to lock users who tried to enter the wrong password too much. This extension is hooking 'ClientAuthentication_hook' and checking the hook's 'status' parameter

to count the times of wrong password. It’s work fine when auth is 'password', but get double count when auth is'MD5'or'scram-sha-256'.

1. create an user without password

2. set pg_hba.conf with ‘MD5’ or ‘scram-sha-256’

3. use psql without -W or -w or .pgpass file or env PGPASSFILE

when I read the source, find an incorret logical way on CheckPWChallengeAuth at src/backend/libpq/auth.c

Like

​static int
CheckPWChallengeAuth(Port *port, char **logdetail)

{

   ...

   /* the CheckMD5Auth or CheckSCRAMAuth returns STATUS_EOF because psql is not provide password,

    * It will prompt user to type and send the password to other backend process next time.

    * The current backend will exit normally.

    */

   if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
        auth_result = CheckMD5Auth(port, shadow_pass, logdetail);
   else
        auth_result = CheckSCRAMAuth(port, shadow_pass, logdetail);
    ...

    /*
     * If get_role_password() returned error, return error, even if the
     * authentication succeeded.
     */

    /* The get_role_password returns NULL when the user without password */

    if (!shadow_pass)
    {
        Assert(auth_result != STATUS_OK);

        /* lost STATUS_EOF */

        return STATUS_ERROR;
    }

   ...

}

The above code does not affect the database execution,but ClientAuthentication_hook will be confused whether the password is incorrect or not currently entered?

so.. The CheckPWChallengeAuth should returns STATUS_EOF when It is, I think.

Try to change the code