maint: enable SCRAM support

In order to support SCRAM support for the new Heroku Postgres
"Essential" plans, we need to shift from MD5 hashed passwords in
`auth_file` to plain text. This does not materially change the threat
model, as anyone with dyno access can read the passwords from the
environment just as well as the file.

See: https://www.pgbouncer.org/config.html#authentication-file-format
for more.

This commit switches the `auth_type` to `scram-sha-256` and also pushes
`server_tls_sslmode` up to `require` over `prefer`.

Why not use a method like `auth_query`? Exposing something like
`pg_authid` or `pg_shadow` in a safe way via a `SECURITY DEFINER`
function is extremely challenging in a multi-tenant environment. This
may change in the future.

Fixes #155.

Ref: https://gus.my.salesforce.com/a07EE00001rjvVBYAY

Changelog.md

@@ -1,4 +1,5 @@
 ## Unreleased
+* Support SCRAM authentication, use plain passwords in auth_file
 
 ## v0.14.0 (May 20, 2024)
 * Converted our remaining CircleCI tests to Github Actions

bin/gen-pgbouncer-conf.sh

@@ -19,9 +19,9 @@ cat >> "$CONFIG_DIR/pgbouncer.ini" << EOFEOF
 [pgbouncer]
 listen_addr = 127.0.0.1
 listen_port = 6000
-auth_type = md5
+auth_type = scram-sha-256
 auth_file = $CONFIG_DIR/users.txt
-server_tls_sslmode = prefer
+server_tls_sslmode = require
 server_tls_protocols = secure
 server_tls_ciphers = HIGH:!ADH:!AECDH:!LOW:!EXP:!MD5:!3DES:!SRP:!PSK:@STRENGTH
 
@@ -72,8 +72,6 @@ do
     fi
   done
 
-  DB_MD5_PASS="md5"$(echo -n "${DB_PASS}""${DB_USER}" | md5sum | awk '{print $1}')
-
   CLIENT_DB_NAME="db${n}"
 
   echo "Setting ${POSTGRES_URL}_PGBOUNCER config var"
@@ -86,7 +84,7 @@ do
   fi
 
   cat >> "$CONFIG_DIR/users.txt" << EOFEOF
-"$DB_USER" "$DB_MD5_PASS"
+"$DB_USER" "$DB_PASS"
 EOFEOF
 
   cat >> "$CONFIG_DIR/pgbouncer.ini" << EOFEOF