C Driver / CDRIVER-2676

mongoc_database_add_user must not send hashed password

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.11.0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Fully Compatible

      The function mongoc_database_add_user is a C driver helper to construct a createUser command. Currently it does not send the correct form of the pwd field for MongoDB 4.0.

      The createUser command allows two ways to specify the password:

      The field pwd can be a plaintext password. Example in mongo shell (assuming mongod is running with --auth):

      db.runCommand ( {createUser: "username", pwd: "plaintext_password", roles: [ { role: "root", db: "admin" } ] })
      

      Or pwd can be the result of an MD5 hash of the form:

      md5(username + ":mongo:" + password)
      

      and digestPassword must be set to false.

      In MongoDB 4.0, we authenticate using a new, more secure authentication mechanism, SCRAM-SHA-256. When creating a user with SCRAM-SHA-256 credentials, MongoDB 4.0 no longer allows specifying the password in a hashed form, and will return an error.

      Unfortunately, mongoc_database_add_user does send pwd using the hashed form of the password, so this function currently always returns an error when connected to a MongoDB 4.0 server. Instead, we must do the simpler thing: send the plaintext password and omit the digestPassword field.

      Then, update the docs page for mongoc_database_add_user to warn the user to only call this method if the driver is using TLS.

      Then, update places in our tests which should be using mongoc_database_add_user but aren't: here and here.
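
The two createUser forms described above, with a pre-send check covering both the MongoDB 4.0 rejection and the TLS warning, as an added Python example (not the C driver's code). The helper names, finding codes and sample credentials are constructed for illustration.

```python
import hashlib

def legacy_digest(username: str, password: str) -> str:
    # Hex MD5 of username + ":mongo:" + password: the pre-hashed pwd form.
    return hashlib.md5(f"{username}:mongo:{password}".encode("utf-8")).hexdigest()

def create_user_hashed(username: str, password: str, roles: list) -> dict:
    # Form the ticket says the helper sends today: digest plus digestPassword=false.
    # The command name must be the first key; dicts keep insertion order.
    return {
        "createUser": username,
        "pwd": legacy_digest(username, password),
        "digestPassword": False,
        "roles": roles,
    }

def create_user_plaintext(username: str, password: str, roles: list) -> dict:
    # Form the ticket asks for: plaintext pwd, digestPassword omitted,
    # so the server derives the SCRAM credentials itself.
    return {"createUser": username, "pwd": password, "roles": roles}

def audit_create_user(cmd: dict, tls_enabled: bool) -> list:
    # Pre-send check (finding codes are constructed for this example).
    findings = []
    if cmd.get("digestPassword") is False:
        # MongoDB 4.0 returns an error for this when creating SCRAM-SHA-256 credentials.
        findings.append("HASHED_PWD_REJECTED_BY_4_0")
    elif not tls_enabled:
        # The password itself crosses the wire, so the connection must use TLS.
        findings.append("PLAINTEXT_PWD_WITHOUT_TLS")
    return findings

if __name__ == "__main__":
    # Constructed sample values, matching the shell example above.
    roles = [{"role": "root", "db": "admin"}]
    for label, cmd, tls in [
        ("hashed, TLS", create_user_hashed("username", "plaintext_password", roles), True),
        ("plaintext, no TLS", create_user_plaintext("username", "plaintext_password", roles), False),
        ("plaintext, TLS", create_user_plaintext("username", "plaintext_password", roles), True),
    ]:
        print(f"{label}: pwd={cmd['pwd']!r} findings={audit_create_user(cmd, tls)}")
```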

            Assignee: Evgeni Dobranov (evgeni.dobranov@mongodb.com)
            Reporter: Kevin Albertson (kevin.albertson@mongodb.com)
            Votes: 0
            Watchers: 2
