Diffstat (limited to 'src/mongo/shell/db.js')
-rw-r--r--src/mongo/shell/db.js37
1 files changed, 30 insertions, 7 deletions
diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js
index ca0048c301a..4493b2a1192 100644
--- a/src/mongo/shell/db.js
+++ b/src/mongo/shell/db.js
@@ -544,9 +544,10 @@ var DB;
}
if (!mechanism) {
- mechanism = this._getDefaultAuthenticationMechanism();
+ mechanism = this._getDefaultAuthenticationMechanism(username, fromdb);
}
- assert(mechanism == "SCRAM-SHA-1" || mechanism == "MONGODB-CR");
+ assert(mechanism == "SCRAM-SHA-1" || mechanism == "SCRAM-SHA-256" ||
+ mechanism == "MONGODB-CR");
// Check for no auth or copying from localhost
if (!username || !password || fromhost == "") {
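Review bot: The mechanism picked here is negotiated against the server this shell is connected to, while `username` and `password` are the credentials for `fromhost`. The `isMaster` probe in `_getDefaultAuthenticationMechanism` (third hunk) goes through `this.runCommand`, so its answer may not reflect what the source host supports for that user. The negotiation priority list also contains `GSSAPI`, which the assert just above rejects, so a reply listing it would abort copyDatabase with a bare assertion failure. Consider an explicit error in place of the assert, e.g. `if (!["SCRAM-SHA-1", "SCRAM-SHA-256", "MONGODB-CR"].includes(mechanism)) throw Error("copyDatabase does not support mechanism " + mechanism);`, plus a comment stating which server the negotiation runs against. The enclosing function starts and ends outside the hunk.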
@@ -554,8 +555,8 @@ var DB;
{copydb: 1, fromhost: fromhost, fromdb: fromdb, todb: todb, slaveOk: slaveOk});
}
- // Use the copyDatabase native helper for SCRAM-SHA-1
- if (mechanism == "SCRAM-SHA-1") {
+ // Use the copyDatabase native helper for SCRAM-SHA-1/256
+ if (mechanism != "MONGODB-CR") {
// TODO SERVER-30886: Add session support for Mongo.prototype.copyDatabaseWithSCRAM().
return this.getMongo().copyDatabaseWithSCRAM(
fromdb, todb, fromhost, username, password, slaveOk);
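Review bot: The negotiated `mechanism` never reaches `copyDatabaseWithSCRAM`, whose argument list is still `fromdb, todb, fromhost, username, password, slaveOk`, so nothing visible here makes the helper use SCRAM-SHA-256 rather than SCRAM-SHA-1. The helper may negotiate on its own, but that is not shown, and a comment should say where the SCRAM variant is actually chosen. The negative test `mechanism != "MONGODB-CR"` is also only safe because of the assert earlier in the function. An explicit `if (mechanism == "SCRAM-SHA-1" || mechanism == "SCRAM-SHA-256") {` would keep a mechanism added to that assert later from being routed to the SCRAM helper silently. The function body continues outside the hunk.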
@@ -1563,7 +1564,28 @@ var DB;
DB.prototype._defaultAuthenticationMechanism = null;
- DB.prototype._getDefaultAuthenticationMechanism = function() {
+ DB.prototype._getDefaultAuthenticationMechanism = function(username, database) {
+ if (username !== undefined) {
+ const userid = database + "." + username;
+ const result = this.runCommand({isMaster: 1, saslSupportedMechs: userid});
+ if (result.ok && (result.saslSupportedMechs !== undefined)) {
+ const mechs = result.saslSupportedMechs;
+ if (!Array.isArray(mechs)) {
+ throw Error("Server replied with invalid saslSupportedMechs response");
+ }
+ // Never include PLAIN in auto-negotiation.
+ const priority = ["GSSAPI", "SCRAM-SHA-256", "SCRAM-SHA-1"];
+ for (var i = 0; i < priority.length; ++i) {
+ if (mechs.includes(priority[i])) {
+ return priority[i];
+ }
+ }
+ }
+ // If isMaster doesn't support saslSupportedMechs,
+ // or if we couldn't agree on a mechanism,
+ // then fallthrough to configured default or SCRAM-SHA-1.
+ }
+
// Use the default auth mechanism if set on the command line.
if (this._defaultAuthenticationMechanism != null)
return this._defaultAuthenticationMechanism;
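Review bot: Server-advertised mechanisms now take precedence over a mechanism the operator set on the command line, because the `_defaultAuthenticationMechanism` check runs only after the negotiation block has had the chance to return. The `saslSupportedMechs` reply arrives before authentication, so on a connection without TLS it is unauthenticated input, and both that reply and the silent fall-through can steer the client to a weaker mechanism than the one the operator pinned. I would honour the configured value first by moving `if (this._defaultAuthenticationMechanism != null) return this._defaultAuthenticationMechanism;` above the `if (username !== undefined)` block, or at least prefer it whenever `mechs.includes(this._defaultAuthenticationMechanism)` holds. Separately, `username !== undefined` lets `null` through and would probe for `database + ".null"`; `username != null` looks like the intended guard. The function continues past the end of the hunk.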
@@ -1586,8 +1608,9 @@ var DB;
"auth expects either (username, password) or ({ user: username, pwd: password })");
}
- if (params.mechanism === undefined)
- params.mechanism = this._getDefaultAuthenticationMechanism();
+ if (params.mechanism === undefined) {
+ params.mechanism = this._getDefaultAuthenticationMechanism(params.user, this.getName());
+ }
if (params.db !== undefined) {
throw Error("Do not override db field on db.auth(). Use getMongo().auth(), instead.");
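Review bot: The default-mechanism lookup now sends an `isMaster` command carrying the user name to the server before the `params.db` argument check below it has run, so a call that is about to be rejected still produces a pre-authentication round trip. Moving the `if (params.db !== undefined)` validation above the `if (params.mechanism === undefined)` block keeps argument errors local and avoids the needless probe. The enclosing function begins and ends outside the hunk.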