Closed TianzeMYou closed 3 months ago
Since this is an expected and documented client-side behaviour [1], we shouldn't try to change this on the pg_tle side. However it's worth adding a note in the example for users to be aware.
[1] https://www.postgresql.org/docs/devel/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
Description
For the lockout-after-a-specific-number-of-login-attempts example, login attempts could increment by 2 depending on SSLMode.
https://www.postgresql.org/message-id/flat/17032-7ad69968e744de35%40postgresql.org#:~:text=It%20tries%20to%20connect%20with%20encryption%20and%20fails%2C%20then%20tries%20to%20connect%0Awithout%20encryption%20and%20also%20fails
Steps to reproduce
Run the example here with sslmode set to allow/prefer: https://github.com/aws/pg_tle/blob/main/examples/client_lockout/client_lockout--1.0.sql
Expected outcome
Client should be locked out after 5 attempts
Actual outcome
Client is locked out before 5 attempts
Analysis
Could potentially check the SSLMode in hook sql, which requires a C code change. https://github.com/aws/pg_tle/blob/main/src/clientauth.c#L144-L166
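The double counting described in this issue, as an added Python model that is not pg_tle or libpq code. It assumes the server supports SSL, every attempt ends in an authentication failure, and the hook counts one failure per connection attempt; `LockoutHook`, `failed_login` and `logins_until_lockout` are hypothetical names.

```python
# Simplified model (an assumption, not libpq source): the transport attempts
# libpq makes per sslmode when each attempt fails authentication.
ATTEMPTS_BY_SSLMODE = {
    "disable": ["plain"],
    "allow": ["plain", "ssl"],    # plain first, then retry with SSL
    "prefer": ["ssl", "plain"],   # SSL first, then retry without SSL
    "require": ["ssl"],
    "verify-ca": ["ssl"],
    "verify-full": ["ssl"],
}
LOCKOUT_THRESHOLD = 5  # from the issue: lockout expected after 5 attempts


class LockoutHook:
    """Stand-in for a clientauth hook that counts failed authentications."""

    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = {}

    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.threshold

    def on_auth_failure(self, user):
        # Runs once per connection attempt, not once per login the user typed.
        self.failures[user] = self.failures.get(user, 0) + 1


def failed_login(hook, user, sslmode):
    """One client invocation with a wrong password; returns failures counted."""
    counted = 0
    for _transport in ATTEMPTS_BY_SSLMODE[sslmode]:
        if not hook.is_locked(user):  # a locked user is rejected, not recounted
            hook.on_auth_failure(user)
            counted += 1
    return counted


def logins_until_lockout(sslmode, threshold=LOCKOUT_THRESHOLD):
    """How many user-visible failed logins it takes to lock the account."""
    hook, logins = LockoutHook(threshold), 0
    while not hook.is_locked("app_user"):  # constructed sample role name
        failed_login(hook, "app_user", sslmode)
        logins += 1
    return logins


if __name__ == "__main__":
    for mode in ATTEMPTS_BY_SSLMODE:
        print(f"sslmode={mode:<12} locked after {logins_until_lockout(mode)} logins")
```

Under this model a client that pins a single transport (`disable`, `require`, `verify-ca`, `verify-full`) reaches the lockout at the documented count, while `allow` and `prefer` reach it in roughly half as many logins.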