pg-password-util
Client-side encoding of PostgreSQL user passwords for use in CREATE USER and ALTER USER
Utility library for password encoding for PostgreSQL.
This solves the problem of plaintext passwords appearing in server logs (for example with log_statement = 'ddl' or 'all', which record ALTER USER statements verbatim) by replacing:
ALTER USER app PASSWORD 'Super Duper Secret!'
with the password encoded client side:
ALTER USER app PASSWORD 'SCRAM-SHA-256$4096:M1A3zTFR9TzaX5NuvytilQ==$TZtMCtrZ8wkkZVkS7vursem77PsBqthl8GqkPohscJw=:POfEEJ9BOrm6upeAFKU3awWqMg+kKYXyPOG5E5tuhJc='
The encoded value is a SCRAM-SHA-256 verifier in exactly the format PostgreSQL stores in pg_authid.rolpassword (visible through the pg_shadow view): the iteration count and salt, followed by the base64-encoded StoredKey and ServerKey. It does not contain the plaintext password, and because the value is already in this format PostgreSQL stores it as-is regardless of the server's password_encryption setting. It is still a password verifier, though: anyone who obtains it can run an offline dictionary attack against the password, so the logged statement should still be treated as sensitive and the iteration count and password strength still matter.
$ npm install pg-password-util
The only direct dependency is pg-format, which is used to escape literals and identifiers.
The ALTER USER helpers accept a client argument that must provide the same interface as pg.Client (the client from the pg node-postgres driver). pg itself is not a direct dependency of this module.
// Generate the ALTER USER statement without executing it:
const { genAlterUserPasswordSql } = require('pg-password-util');
const sql = genAlterUserPasswordSql({
  username: 'app',
  password: 'my-new-secret-password',
  passwordEncryption: 'scram-sha-256',
});
// Encode the password yourself and embed it in any statement, escaping it with pg-format:
const { encodeScramSha256 } = require('pg-password-util');
const pgFormat = require('pg-format');
const encodedPassword = encodeScramSha256({
  password: 'my-new-secret-password',
  iterations: 10000,
});
const createSql = pgFormat('CREATE USER app PASSWORD %L LOGIN', encodedPassword);
// Generate and execute the ALTER USER statement against a connected client:
const { alterUserPassword } = require('pg-password-util');
// client is a connected pg.Client
await alterUserPassword(client, {
  username: 'app',
  password: 'my-new-secret-password',
});
To build the module run:
$ make
Testing requires a PostgreSQL database. You can start one in the foreground via:
$ bin/postgres-server
Then, to run the tests run:
$ make test
ISC. See the file LICENSE.