heroku · troycoll · May 23, 2024 · May 21, 2024 · May 21, 2024 · May 21, 2024
diff --git a/Changelog.md b/Changelog.md
@@ -1,4 +1,5 @@
 ## Unreleased
+* Support SCRAM authentication, use plain passwords in auth_file
 
 ## v0.14.0 (May 20, 2024)
 * Converted our remaining CircleCI tests to Github Actions

diff --git a/bin/gen-pgbouncer-conf.sh b/bin/gen-pgbouncer-conf.sh
@@ -19,9 +19,9 @@ cat >> "$CONFIG_DIR/pgbouncer.ini" << EOFEOF
 [pgbouncer]
 listen_addr = 127.0.0.1
 listen_port = 6000
-auth_type = md5
+auth_type = scram-sha-256
 auth_file = $CONFIG_DIR/users.txt
-server_tls_sslmode = prefer
+server_tls_sslmode = require
 server_tls_protocols = secure
 server_tls_ciphers = HIGH:!ADH:!AECDH:!LOW:!EXP:!MD5:!3DES:!SRP:!PSK:@STRENGTH
 
@@ -72,8 +72,6 @@ do
     fi
   done
 
-  DB_MD5_PASS="md5"$(echo -n "${DB_PASS}""${DB_USER}" | md5sum | awk '{print $1}')
-
   CLIENT_DB_NAME="db${n}"
 
   echo "Setting ${POSTGRES_URL}_PGBOUNCER config var"
@@ -86,7 +84,7 @@ do
   fi
 
   cat >> "$CONFIG_DIR/users.txt" << EOFEOF
-"$DB_USER" "$DB_MD5_PASS"
+"$DB_USER" "$DB_PASS"
 EOFEOF
 
   cat >> "$CONFIG_DIR/pgbouncer.ini" << EOFEOF

diff --git a/test/gen-pgbouncer-conf.bats b/test/gen-pgbouncer-conf.bats
@@ -34,7 +34,8 @@ teardown_file() {
     assert_success
     cat "$PGBOUNCER_CONFIG_DIR/pgbouncer.ini"
     assert_line 'Setting DATABASE_URL_PGBOUNCER config var'
-    assert grep "server_tls_sslmode = prefer" "$PGBOUNCER_CONFIG_DIR/pgbouncer.ini"
+    assert grep "auth_type = scram-sha-256" "$PGBOUNCER_CONFIG_DIR/pgbouncer.ini"
+    assert grep "server_tls_sslmode = require" "$PGBOUNCER_CONFIG_DIR/pgbouncer.ini"
     assert grep "db1= host=host dbname=name?query port=5432" "$PGBOUNCER_CONFIG_DIR/pgbouncer.ini"
     assert grep "db2= host=host2 dbname=dbname port=7777" "$PGBOUNCER_CONFIG_DIR/pgbouncer.ini"
     assert grep "user" "$PGBOUNCER_CONFIG_DIR/users.txt"