feat(auth): SASL SCRAM-SHA-256 support

.gitignore

@@ -3,3 +3,4 @@ dist/
 dbs/
 *.pem
 *.srl
+tsconfig.tsbuildinfo

biome.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "organizeImports": {
+    "enabled": true
+  },
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true
+    }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "single"
+    }
+  }
+}

examples/pglite-auth/biome.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "extends": ["../../biome.json"]
+}

examples/pglite/index.ts → examples/pglite-auth/cert.ts

@@ -1,25 +1,21 @@
-import { PGlite } from '@electric-sql/pglite';
+import fs from 'node:fs';
 import net from 'node:net';
-import { PostgresConnection, hashMd5Password } from 'pg-gateway';
+import { PGlite } from '@electric-sql/pglite';
+import { type BackendError, PostgresConnection } from 'pg-gateway';
 
 const db = new PGlite();
 
 const server = net.createServer((socket) => {
   const connection = new PostgresConnection(socket, {
     serverVersion: '16.3 (PGlite 0.2.0)',
-    authMode: 'md5Password',
-    async validateCredentials(credentials) {
-      if (credentials.authMode === 'md5Password') {
-        const { hash, salt } = credentials;
-        const expectedHash = await hashMd5Password(
-          'postgres',
-          'postgres',
-          salt
-        );
-        return hash === expectedHash;
-      }
-      return false;
+    tls: {
+      key: fs.readFileSync('key.pem'),
+      cert: fs.readFileSync('cert.pem'),
+    },
+    auth: {
+      method: 'cert',
     },
+
     async onStartup() {
       // Wait for PGlite to be ready before further processing
       await db.waitReady;
@@ -33,10 +29,13 @@ const server = net.createServer((socket) => {
 
       // Forward raw message to PGlite
       try {
-        const [[_, responseData]] = await db.execProtocol(data);
-        connection.sendData(responseData);
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
       } catch (err) {
-        connection.sendError(err);
+        connection.sendError(err as BackendError);
         connection.sendReadyForQuery();
       }
       return true;

examples/pglite-auth/md5.ts

@@ -0,0 +1,54 @@
+import net from 'node:net';
+import { PGlite } from '@electric-sql/pglite';
+import {
+  type BackendError,
+  PostgresConnection,
+  createPreHashedPassword,
+} from 'pg-gateway';
+
+const db = new PGlite();
+
+const server = net.createServer((socket) => {
+  const connection = new PostgresConnection(socket, {
+    serverVersion: '16.3 (PGlite 0.2.0)',
+    auth: {
+      method: 'md5',
+      getPreHashedPassword({ username }) {
+        return createPreHashedPassword(username, 'postgres');
+      },
+    },
+
+    async onStartup() {
+      // Wait for PGlite to be ready before further processing
+      await db.waitReady;
+      return false;
+    },
+    async onMessage(data, { isAuthenticated }) {
+      // Only forward messages to PGlite after authentication
+      if (!isAuthenticated) {
+        return false;
+      }
+
+      // Forward raw message to PGlite
+      try {
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
+      } catch (err) {
+        connection.sendError(err as BackendError);
+        connection.sendReadyForQuery();
+      }
+      return true;
+    },
+  });
+
+  socket.on('end', () => {
+    console.log('Client disconnected');
+  });
+});
+
+server.listen(5432, () => {
+  console.log('Server listening on port 5432');
+});

examples/pglite-auth/package.json

@@ -0,0 +1,20 @@
+{
+  "name": "pglite-auth-example",
+  "type": "module",
+  "scripts": {
+    "format": "biome format --write .",
+    "lint": "biome lint --error-on-warnings .",
+    "type-check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "pg-gateway": "*"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "1.8.3",
+    "@electric-sql/pglite": "0.2.0-alpha.7",
+    "@total-typescript/tsconfig": "^1.0.4",
+    "@types/node": "^20.14.11",
+    "tsx": "^4.16.2",
+    "typescript": "^5.5.3"
+  }
+}

examples/pglite-auth/password.ts

@@ -0,0 +1,58 @@
+import net from 'node:net';
+import { PGlite } from '@electric-sql/pglite';
+import { type BackendError, PostgresConnection } from 'pg-gateway';
+
+const db = new PGlite();
+
+const server = net.createServer((socket) => {
+  const connection = new PostgresConnection(socket, {
+    serverVersion: '16.3 (PGlite 0.2.0)',
+    auth: {
+      method: 'password',
+      // this is the password stored in the server
+      getClearTextPassword(credentials) {
+        return 'postgres';
+      },
+      // uncomment to override the default password validation logic
+      // async validateCredentials(credentials) {
+      //   const { clearTextPassword, password } = credentials;
+      //   // we allow case insensitive password validation
+      //   return password.toUpperCase() === clearTextPassword.toUpperCase();
+      // },
+    },
+
+    async onStartup() {
+      // Wait for PGlite to be ready before further processing
+      await db.waitReady;
+      return false;
+    },
+    async onMessage(data, { isAuthenticated }) {
+      // Only forward messages to PGlite after authentication
+      if (!isAuthenticated) {
+        return false;
+      }
+
+      // Forward raw message to PGlite
+      // Forward raw message to PGlite
+      try {
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
+      } catch (err) {
+        connection.sendError(err as BackendError);
+        connection.sendReadyForQuery();
+      }
+      return true;
+    },
+  });
+
+  socket.on('end', () => {
+    console.log('Client disconnected');
+  });
+});
+
+server.listen(5432, () => {
+  console.log('Server listening on port 5432');
+});

examples/pglite-auth/scram-sha-256.ts

@@ -0,0 +1,55 @@
+import net from 'node:net';
+import { PGlite } from '@electric-sql/pglite';
+import {
+  type BackendError,
+  PostgresConnection,
+  createScramSha256Data,
+} from 'pg-gateway';
+
+const db = new PGlite();
+
+const server = net.createServer((socket) => {
+  const connection = new PostgresConnection(socket, {
+    serverVersion: '16.3 (PGlite 0.2.0)',
+    auth: {
+      method: 'scram-sha-256',
+      async getScramSha256Data(credentials) {
+        // Utility function to generate scram-sha-256 data (like salt) for the given user
+        // You would likely store this info in a database and retrieve it here
+        return createScramSha256Data('postgres');
+      },
+    },
+    async onStartup() {
+      // Wait for PGlite to be ready before further processing
+      await db.waitReady;
+      return false;
+    },
+    async onMessage(data, { isAuthenticated }) {
+      // Only forward messages to PGlite after authentication
+      if (!isAuthenticated) {
+        return false;
+      }
+
+      // Forward raw message to PGlite
+      try {
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
+      } catch (err) {
+        connection.sendError(err as BackendError);
+        connection.sendReadyForQuery();
+      }
+      return true;
+    },
+  });
+
+  socket.on('close', () => {
+    console.log('Client disconnected');
+  });
+});
+
+server.listen(5432, () => {
+  console.log('Server listening on port 5432');
+});

examples/pglite-auth/trust.ts

@@ -0,0 +1,47 @@
+import net from 'node:net';
+import { PGlite } from '@electric-sql/pglite';
+import { type BackendError, PostgresConnection } from 'pg-gateway';
+
+const db = new PGlite();
+
+const server = net.createServer((socket) => {
+  const connection = new PostgresConnection(socket, {
+    serverVersion: '16.3 (PGlite 0.2.0)',
+    auth: {
+      method: 'trust',
+    },
+
+    async onStartup() {
+      // Wait for PGlite to be ready before further processing
+      await db.waitReady;
+      return false;
+    },
+    async onMessage(data, { isAuthenticated }) {
+      // Only forward messages to PGlite after authentication
+      if (!isAuthenticated) {
+        return false;
+      }
+
+      // Forward raw message to PGlite
+      try {
+        const [result] = await db.execProtocol(data);
+        if (result) {
+          const [_, responseData] = result;
+          connection.sendData(responseData);
+        }
+      } catch (err) {
+        connection.sendError(err as BackendError);
+        connection.sendReadyForQuery();
+      }
+      return true;
+    },
+  });
+
+  socket.on('end', () => {
+    console.log('Client disconnected');
+  });
+});
+
+server.listen(5432, () => {
+  console.log('Server listening on port 5432');
+});

examples/pglite-auth/tsconfig.json

@@ -0,0 +1,4 @@
+{
+  "extends": "@total-typescript/tsconfig/tsc/no-dom/app",
+  "include": ["*.ts"]
+}

examples/pglite-multiple/biome.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://biomejs.dev/schemas/1.8.3/schema.json",
+  "extends": ["../../biome.json"]
+}