feat(auth): SASL SCRAM-SHA-256 support

.gitignore

@@ -3,3 +3,4 @@ dist/
 dbs/
 *.pem
 *.srl
+tsconfig.tsbuildinfo

biome.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "organizeImports": {
+    "enabled": true
+  },
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true
+    }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "single"
+    }
+  }
+}

examples/pglite-multiple/biome.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "extends": ["../../biome.json"]
+}

examples/pglite-multiple/index.ts

@@ -1,9 +1,10 @@
-import { PGlite, PGliteInterface } from '@electric-sql/pglite';
 import { mkdir, readFile } from 'node:fs/promises';
 import net from 'node:net';
+import { PGlite, type PGliteInterface } from '@electric-sql/pglite';
 import {
+  type BackendError,
   PostgresConnection,
-  TlsOptionsCallback,
+  type TlsOptionsCallback,
   hashMd5Password,
 } from 'pg-gateway';
 
@@ -29,26 +30,25 @@ const server = net.createServer((socket) => {
 
   const connection = new PostgresConnection(socket, {
     serverVersion: '16.3 (PGlite 0.2.0)',
-    authMode: 'md5Password',
-    tls,
-    async validateCredentials(credentials) {
-      if (credentials.authMode === 'md5Password') {
+    auth: {
+      method: 'md5',
+      async validateCredentials(credentials) {
         const { hash, salt } = credentials;
         const expectedHash = await hashMd5Password(
           'postgres',
           'postgres',
-          salt
+          salt,
         );
         return hash === expectedHash;
-      }
-      return false;
+      },
     },
+    tls,
     async onTlsUpgrade({ tlsInfo }) {
       if (!tlsInfo) {
         connection.sendError({
           severity: 'FATAL',
           code: '08000',
-          message: `ssl connection required`,
+          message: 'ssl connection required',
         });
         connection.socket.end();
         return;
@@ -58,7 +58,7 @@ const server = net.createServer((socket) => {
         connection.sendError({
           severity: 'FATAL',
           code: '08000',
-          message: `ssl sni extension required`,
+          message: 'ssl sni extension required',
         });
         connection.socket.end();
         return;
@@ -81,10 +81,13 @@ const server = net.createServer((socket) => {
 
       // Forward raw message to PGlite
       try {
-        const [[_, responseData]] = await db.execProtocol(data);
-        connection.sendData(responseData);
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
       } catch (err) {
-        connection.sendError(err);
+        connection.sendError(err as BackendError);
         connection.sendReadyForQuery();
       }
       return true;

examples/pglite-multiple/package.json

@@ -1,15 +1,21 @@
 {
   "name": "pglite-multiple-example",
+  "type": "module",
   "scripts": {
-    "dev": "tsx index.ts"
+    "dev": "tsx index.ts",
+    "format": "biome format --write .",
+    "lint": "biome lint --error-on-warnings .",
+    "type-check": "tsc --noEmit"
   },
   "dependencies": {
     "pg-gateway": "*"
   },
   "devDependencies": {
-    "@electric-sql/pglite": "npm:@gregnr/pglite@0.2.0-dev.8",
+    "@biomejs/biome": "1.8.3",
+    "@electric-sql/pglite": "0.2.0-alpha.7",
+    "@total-typescript/tsconfig": "^1.0.4",
     "@types/node": "^20.14.11",
     "tsx": "^4.16.2",
     "typescript": "^5.5.3"
   }
-}
+}

examples/pglite-multiple/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "@total-typescript/tsconfig/tsc/no-dom/app",
+  "include": ["index.ts"]
+}

examples/pglite/biome.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "extends": ["../../biome.json"]
+}

examples/pglite/index.ts

@@ -1,24 +1,28 @@
-import { PGlite } from '@electric-sql/pglite';
 import net from 'node:net';
-import { PostgresConnection, hashMd5Password } from 'pg-gateway';
+import { PGlite } from '@electric-sql/pglite';
+import {
+  type BackendError,
+  PostgresConnection,
+  type ScramSha256Data,
+  createScramSha256Data,
+} from 'pg-gateway';
 
 const db = new PGlite();
 
+let data: ScramSha256Data | undefined;
+
 const server = net.createServer((socket) => {
   const connection = new PostgresConnection(socket, {
     serverVersion: '16.3 (PGlite 0.2.0)',
-    authMode: 'md5Password',
-    async validateCredentials(credentials) {
-      if (credentials.authMode === 'md5Password') {
-        const { hash, salt } = credentials;
-        const expectedHash = await hashMd5Password(
-          'postgres',
-          'postgres',
-          salt
-        );
-        return hash === expectedHash;
-      }
-      return false;
+    auth: {
+      method: 'scram-sha-256',
+      async getScramSha256Data({ username }) {
+        if (!data) {
+          // helper function to create the metadata for SASL auth
+          data = createScramSha256Data('postgres');
+        }
+        return data;
+      },
     },
     async onStartup() {
       // Wait for PGlite to be ready before further processing
@@ -33,21 +37,24 @@ const server = net.createServer((socket) => {
 
       // Forward raw message to PGlite
       try {
-        const [[_, responseData]] = await db.execProtocol(data);
-        connection.sendData(responseData);
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
       } catch (err) {
-        connection.sendError(err);
+        connection.sendError(err as BackendError);
         connection.sendReadyForQuery();
       }
       return true;
     },
   });
 
-  socket.on('end', () => {
+  socket.on('close', () => {
     console.log('Client disconnected');
   });
 });
 
-server.listen(5432, () => {
+server.listen(2345, () => {
   console.log('Server listening on port 5432');
 });

examples/pglite/package.json

@@ -1,15 +1,21 @@
 {
   "name": "pglite-example",
+  "type": "module",
   "scripts": {
-    "dev": "tsx index.ts"
+    "dev": "tsx index.ts",
+    "format": "biome format --write .",
+    "lint": "biome lint --error-on-warnings .",
+    "type-check": "tsc --noEmit"
   },
   "dependencies": {
     "pg-gateway": "*"
   },
   "devDependencies": {
-    "@electric-sql/pglite": "npm:@gregnr/pglite@0.2.0-dev.8",
+    "@biomejs/biome": "1.8.3",
+    "@electric-sql/pglite": "0.2.0-alpha.7",
+    "@total-typescript/tsconfig": "^1.0.4",
     "@types/node": "^20.14.11",
     "tsx": "^4.16.2",
     "typescript": "^5.5.3"
   }
-}
+}

examples/pglite/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "@total-typescript/tsconfig/tsc/no-dom/app",
+  "include": ["index.ts"]
+}

examples/reverse-proxy-sni/biome.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "extends": ["../../biome.json"]
+}

examples/reverse-proxy-sni/index.ts

@@ -1,6 +1,6 @@
 import { readFile } from 'node:fs/promises';
-import net, { connect, Socket } from 'node:net';
-import { PostgresConnection, TlsOptionsCallback } from '../../src';
+import net, { connect } from 'node:net';
+import { PostgresConnection, type TlsOptionsCallback } from 'pg-gateway';
 
 const tls: TlsOptionsCallback = async ({ sniServerName }) => {
   // Optionally serve different certs based on `sniServerName`
@@ -31,7 +31,7 @@ const server = net.createServer((socket) => {
         connection.sendError({
           severity: 'FATAL',
           code: '08000',
-          message: `ssl connection required`,
+          message: 'ssl connection required',
         });
         connection.socket.end();
         return;
@@ -41,7 +41,7 @@ const server = net.createServer((socket) => {
         connection.sendError({
           severity: 'FATAL',
           code: '08000',
-          message: `ssl sni extension required`,
+          message: 'ssl sni extension required',
         });
         connection.socket.end();
         return;
@@ -51,6 +51,16 @@ const server = net.createServer((socket) => {
       // ie. 12345.db.example.com -> 12345
       const [serverId] = tlsInfo.sniServerName.split('.');
 
+      if (!serverId) {
+        connection.sendError({
+          severity: 'FATAL',
+          code: '08000',
+          message: 'server id required',
+        });
+        connection.socket.end();
+        return;
+      }
+
       // Lookup the server host/port based on ID
       const serverInfo = await getServerById(serverId);
 

examples/reverse-proxy-sni/package.json

@@ -1,14 +1,20 @@
 {
   "name": "reverse-proxy-sni-example",
+  "type": "module",
   "scripts": {
-    "dev": "tsx index.ts"
+    "dev": "tsx index.ts",
+    "format": "biome format --write .",
+    "lint": "biome lint --error-on-warnings .",
+    "type-check": "tsc --noEmit"
   },
   "dependencies": {
     "pg-gateway": "*"
   },
   "devDependencies": {
+    "@biomejs/biome": "1.8.3",
+    "@total-typescript/tsconfig": "^1.0.4",
     "@types/node": "^20.14.11",
     "tsx": "^4.16.2",
     "typescript": "^5.5.3"
   }
-}
+}

examples/reverse-proxy-sni/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "@total-typescript/tsconfig/tsc/no-dom/app",
+  "include": ["index.ts"]
+}