-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dynamic password change #2513
Comments
No, the dynamic password function is not invoked only once. It's invoked each time an authentication is requested for a client connection. For a pool that would be once per connection at the time the connection created. PostgreSQL only requests authentication once at the beginning of the connection handshake so there's no situation where it would be invoked more than once for the same connection. Add some logging to your dynamic password function to see if it's being called at all. I bet it's not. I think the issue here is from using both a connection string and a password function. If you try to use both via something like: const pool = new pg.Pool({
connectionString: 'postgresql://user@db.example:5432/my-db',
password: async () => 'random-' + Date.now(),
}) The connection string parser assigns node-postgres/packages/pg-connection-string/index.js Lines 30 to 32 in 6121bd3
And then the undefined password in the config from the connection string is overriding any password function: node-postgres/packages/pg/lib/connection-parameters.js Lines 51 to 57 in 6121bd3
If you instead use a pool with the entire config specified as an object (no const pool = new pg.Pool({
host: 'db.example.com',
port: 5432,
user: 'user',
database: 'my-db',
password: async () => 'random-' + Date.now(),
}); I think the fix to support mixed configs (both URI and object) is to only set the values in parsed |
@sehrope Excellent! I was searching for this exact issue, because I am looking to migrate from a password environment variable to an IAM role on my AWS RDS db (generates an auth token/password that is only valid for 15 minutes). However, the documentation does not mention this feature. I'll submit an issue on the docs repo. |
Documentation should mention supported feature. brianc/node-postgres#2513
Ok 👍 |
What is the recommended approach to dealing with passwords that can change dynamically?
At first, I saw this PR, only to find out it is actually useless for this, as it only invokes the callback once, in the beginning. In my case, the password can change at any point, and the pool connection needs to be updated accordingly.
At first, I tried destroying and then re-creating the pool, but this seemed too radical, and awkward, having to track authentication issues to figure out when to re-create the pool.
Then I tried setting
pool.options.password = 'new-password'
whenever I was about to reuse the pool object. But this would only work when a connection object was used. For a connection string, I had to re-generate the string, and set it topool.options.connectionString
before every use of the pool.This all looks like a hack. Is there a recommended approach to updating the pool with the new password?
The text was updated successfully, but these errors were encountered: