Fix auth errors with complex MySQL passwords

[Copilot]

Some passwords triggered auth error from upstream when connecting through the proxy, even though the same credentials worked in direct clients. The original error message discarded MySQL's actual error, making diagnosis impossible, and DATABASE_URL in URL format (******host:3306/db) was silently broken for the EXPLAIN feature.

Changes

proxy/mysql/conn.go

• Surface the actual MySQL error from the ERR packet in the auth error message instead of swallowing it:

  before: mysql: auth error from upstream
  after:  mysql: auth error from upstream: Access denied for user 'root'@'...' (using password: YES)
  

• Add errPacketMsgOffset = 9 constant documenting the ERR packet layout (0xFF + error_code(2) + # + sqlstate(5))

dsn/dsn.go

• Add mysqlURLToDriverDSN(): converts a bare user:pass@host:3306/db address to the go-sql-driver-required user:pass@tcp(host:3306)/db form after stripping the mysql:// prefix. Previously this caused an immediate sql.Open error ("default addr for network 'host:3306' unknown"), silently disabling EXPLAIN for users providing standard URL-format DSNs. Handles passwords containing @, unix socket paths, and query parameters correctly.

Tests

• TestComplexPasswordAuth — proxy auth with the exact password from the issue report
• TestCachingSHA2PasswordFullAuth — explicit caching_sha2_password full-auth path (RSA key exchange, cold cache, non-root user) confirming the proxy relays auth correctly without SSL
• TestMySQLURLToDriverDSN — unit tests for DSN conversion covering special-char passwords, @-containing passwords, query params, and already-wrapped addresses

[gitguardian]

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
30064254	Triggered	Generic Password	1bc3958	proxy/mysql/proxy_test.go	View secret
30064254	Triggered	Generic Password	1bc3958	proxy/mysql/proxy_test.go	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}