What steps will reproduce the problem?
1. enable mod_auth_external
2. have many people connect at same time
3. have them experience auth failures
What is the expected output? What do you see instead?
User gets "invalid login or password" sometimes.
What version of the product are you using? On what operating system?
trunk-743, also tried 0.10-343
Please provide any additional information below.
Script logs that password is okay. Maybe that is because auth_external expects to get answer in one call to lpty:read while it may receive several consecutive writes and also several answers in one return. Or I just have buggy script. With ejabberd it worked, I first tried to use it in ejabberd mode but it worked bad then rewrote it to use native protocol. Of course I flush after each write.
I wonder if this is related to https://prosody.im/issues/855. I saw similar behaviour on my setup with just a few people. The way I read #855, every time your auth script crashes you're going to get at least one auth error, which will clear up the next attempt, because mod_auth_external is misreading its own output as input, because lpty is mis-echoing the first input back to it.
Tagging issue as affecting a community module, not officially supported by the Prosody team.
Even worse: Sometimes wrong passwords are accepted.