MongoDB authSource defaults to admin, causing non-admin users to fail authentication

[chuongminhofficial]

Context

When using MongoDB with users created on a specific database (not admin), authentication fails unless authSource is explicitly provided.

This behavior is confusing because:

• Root users authenticate successfully
• Database-scoped users fail with Authentication failed
• No clear indication that authSource is the root cause

This has been reproduced consistently on MongoDB 8.x.

Root Cause

In the current connection logic, authSource is only set when the environment variable MONGO_AUTH_SOURCE exists.

If it is not set, authSource becomes null, and MongoDB defaults it to admin.

As a result:

• Users created inside a specific database (e.g. mydb) cannot authenticate
• Root users (stored in admin) work correctly

This behavior matches MongoDB’s default authentication rules, but the current default in AdminNeo makes non-admin users fail silently.

Impact

• Non-admin MongoDB users cannot log in
• Encourages unsafe use of root credentials
• Causes confusion for users managing multiple databases
• Common pitfall for MongoDB newcomers and production setups

Proposed Fix

If authSource is not explicitly defined, default it to the selected database instead of admin.

Current behavior

$Ra = getenv("MONGO_AUTH_SOURCE") ?: null;

Proposed change

$Ra = getenv("MONGO_AUTH_SOURCE") ?: $_c;

This preserves backward compatibility:

• Users who rely on MONGO_AUTH_SOURCE are unaffected
• Root users still work
• Database-scoped users authenticate correctly by default

Environment

• AdminNeo: 5.2.1
• MongoDB: 8.0
• PHP: 7.x
• Authentication mechanism: SCRAM-SHA-256

Additional Notes

This issue is not MongoDB-specific to version 8.0 and affects all versions where authentication is database-scoped.

I am happy to open a pull request if this approach is acceptable.

Chương Minh (VinaDB)

[peterpp]

I am sorry fort the late answer. You can of course create a pull request.