brianc / node-postgres

PostgreSQL client for node.js.
https://node-postgres.com
MIT License

Add pg-password-util to wiki #3164

Closed sehrope closed 5 months ago

sehrope commented 7 months ago

Please add pg-password-util to the wiki: https://www.npmjs.com/package/pg-password-util

It's a standalone lib that handles encoding PostgreSQL passwords client-side so that CREATE USER ... / ALTER USER ... statements do not include the plaintext of passwords in your application logs. It includes TypeScript type declarations as well.

So it replaces SQL like this being sent to your DB:

ALTER USER app PASSWORD 'Super Duper Secret!'

With SQL like this:

ALTER USER app PASSWORD 'SCRAM-SHA-256$4096:M1A3zTFR9TzaX5NuvytilQ==$TZtMCtrZ8wkkZVkS7vursem77PsBqthl8GqkPohscJw=:POfEEJ9BOrm6upeAFKU3awWqMg+kKYXyPOG5E5tuhJc='

It defaults to using SCRAM-SHA-256 for the encoding but also supports md5 for older versions of PG. It also includes a helper to change a user's password using whatever the database says is the preferred encoding (i.e. SCRAM-SHA-256 for anything 10+ and md5 for anything older):

// client is a pg.Client
await alterUserPassword(client, {
    username: 'app',
    password: 'my-new-secret-password',
});
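
What the client-side encoding described in the comment above amounts to, as an added example that is not part of the original issue and is not pg-password-util's code. The function names are hypothetical, the salt in any test input is constructed, and passwords are assumed to be ASCII (PostgreSQL also applies SASLprep normalization, which is skipped here).

```javascript
// Added example: derive a PostgreSQL SCRAM-SHA-256 verifier on the client so
// the ALTER USER statement (and any statement log) never carries the plaintext.
// Assumption: ASCII-only passwords; SASLprep normalization is not implemented.
const crypto = require('node:crypto');

const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();

// Layout: SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (base64 fields).
// salt and iterations are parameters so an existing verifier can be re-derived.
function scramVerifier(password, salt = crypto.randomBytes(16), iterations = 4096) {
  const salted = crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
  const clientKey = hmac(salted, 'Client Key');
  const storedKey = crypto.createHash('sha256').update(clientKey).digest();
  const serverKey = hmac(salted, 'Server Key');
  return `SCRAM-SHA-256$${iterations}:${salt.toString('base64')}$` +
    `${storedKey.toString('base64')}:${serverKey.toString('base64')}`;
}

// Check a candidate password against a stored verifier (for tests or audits).
function verifierMatches(verifier, password) {
  const m = /^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$/
    .exec(verifier);
  if (!m) return false;
  const iterations = Number(m[1]);
  // Reject nonsensical or abusive iteration counts before doing any work.
  if (iterations < 1 || iterations > 1000000) return false;
  const expected = Buffer.from(
    scramVerifier(password, Buffer.from(m[2], 'base64'), iterations));
  const actual = Buffer.from(verifier);
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// ALTER USER is a utility statement and takes no bind parameters, so the
// statement is built as text. The role name is quoted as an identifier; the
// verifier contains only base64 characters, '$', ':' and '-', so it cannot
// break out of the single-quoted literal.
function alterUserSql(username, password) {
  const ident = '"' + username.replace(/"/g, '""') + '"';
  return `ALTER USER ${ident} PASSWORD '${scramVerifier(password)}'`;
}
```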

charmander commented 5 months ago

Added! Please let me know if you have a better one-line summary.