Add config setting auth_methods #220
Conversation
There was a problem hiding this comment.
Overall this is good, and meets what I was looking for in having cleartext be opt-in. Thank you
Is there any place where documentation can be added?
The only place right now is the ever growing and not well organized readme. I suppose we should eventually build some better doc thing sooner or later.
anything about OK authentication frame.
Yeah this is a little more complex. For the reason you say and also, if I remember correctly, if you're connecting over like a local unix socket, and pg is doing ident/peer auth, you just get OK and that is legitimately ok. I think we can probably leave this one be for now, but we can wait a bit to see if there are any counter examples.
But again, overall looks good :) Let me know when you think it's ready ready.
|
I think this is ready to merge. As you said, further improvements can follow later. |
Sounds good, I'll do this tomorrow. |
|
Thank you! Going to wrap up a few other things then do a release soon. |
This adds a
auth_methodsconfig setting which allows to configure which auth methods the client should accept.The settings value is a list of comma separated values. The default is
scram-sha-256,md5.cleartextneeds to be explicitly enabled.Is there any place where documentation can be added?
I didn't do anything about
OKauthentication frame. A safe default should also fail if the server just passes you through without a credential check.But this is more complicated because it is fine with SSL client certificate for example.
So it needs more work. For now I'm just posting this patch.
Superseeds #218
cf crystal-lang/crystal-db#141