sosedoff / pgweb

Cross-platform client for PostgreSQL databases
https://sosedoff.github.io/pgweb
MIT License

Bookmarks with no passwords #652

Open dani opened 1 year ago

dani commented 1 year ago

Hi.

Since pgweb 0.13, bookmarks with no password defined aren't working anymore (it was OK in 0.12).

I'm running pgweb with the following args:

opt/pgweb/bin/pgweb \
             --listen 8086 \
             --bind 127.0.0.1 \
             --bookmarks-dir=/opt/pgweb/bookmarks \
             --no-ssh \
             --sessions \
             --skip-open \
             --readonly

In /opt/pgweb/bookmarks, I create files like:

host = "localhost"
database = "appdb"
port = 5432
user = "fr00000113"

The idea is to have host, db, user preconfigured when selecting the bookmark, but I must manually enter the DB password.

Since 0.13.0 (and still in 0.14.0), when selecting a bookmark, all the fields are greyed out, so I cannot enter the password anymore.


sosedoff commented 1 year ago

This was changed to prevent host / credentials leak, though the UX is not the best. What stops you from saving the password in the bookmark file?

dani commented 1 year ago

I need users to enter the DB password to access it (that's how users are authenticated)

dani commented 1 year ago

If the bookmark has no password, shouldn't the password field of the welcome page be available?

sosedoff commented 1 year ago

If the bookmark is missing the password it's not really a bookmark, i.e. no one can actually use it without knowing the password. But I understand your point of view regarding the missing field, so we could fix that in future releases.

What is your use case and how are you running Pgweb? If you're running Pgweb for internal users that need access to various DB resources, you could take a look at https://github.com/sosedoff/pgweb/wiki/Connect-Backend - it was designed to eliminate the use of credentials for multi-session setups.

dani commented 1 year ago

Bookmarks are still useful to pre-fill all the other parameters. My use case is an application appliance, using various postgres databases. Pgweb is exposed by an nginx frontend with no authentication itself, so even if the appliance is usually not exposed to the outside, not everyone having network access should be able to browse the databases. Only admins (tech profiles, having the postgres DB should). I could probably write a connect backend, but bookmarks (without password) were just enough for my use case until 0.13.0.

NeckBeardPrince commented 1 year ago

Is this still a limitation in the newer releases? I have the same use case as @dani.