maint: enable SCRAM support #193
Merged
Commits on May 21, 2024
-
In order to support SCRAM support for the new Heroku Postgres "Essential" plans, we need to shift from MD5 hashed passwords in `auth_file` to plain text. This does not materially change the threat model, as anyone with dyno access can read the passwords from the environment just as well as the file. See: https://www.pgbouncer.org/config.html#authentication-file-format for more. This commit switches the `auth_type` to `scram-sha-256` and also pushes `server_tls_sslmode` up to `require` over `prefer`. Why not use a method like `auth_query`? Exposing something like `pg_authid` or `pg_shadow` in a safe way via a `SECURITY DEFINER` function is extremely challenging in a multi-tenant environment. This may change in the future. Fixes #155. Ref: https://gus.my.salesforce.com/a07EE00001rjvVBYAY
-
-
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.