Utility library for password encoding for PostgreSQL.
This solves the problem of plaintext passwords appearing in server logs by replacing:
ALTER USER app PASSWORD 'Super Duper Secret!'
With the password encoded client side:
ALTER USER app PASSWORD 'SCRAM-SHA-256$4096:M1A3zTFR9TzaX5NuvytilQ==$TZtMCtrZ8wkkZVkS7vursem77PsBqthl8GqkPohscJw=:POfEEJ9BOrm6upeAFKU3awWqMg+kKYXyPOG5E5tuhJc='
That hashed value does not contain the plaintext of the password and matches how PostgreSQL stores the value in pg_shadow.
$ npm install pg-password-util
The only direct dependency is pg-format, used to escape literals and identifiers.
The ALTER USER helpers accept a client argument that must provide the same signature as pg.Client (i.e. the client from the pg node-postgres driver). It's not a direct dependency of this module though.
- Encoding passwords using SCRAM-SHA-256 (recommended)
- Encoding passwords using md5 (for legacy systems)
- Generating SQL to change a user's password
- Inferring the password_encryption from the target database
const { genAlterUserPasswordSql } = require('pg-password-util');
// Returns an ALTER USER statement whose password literal is already encoded,
// so the plaintext never appears in server logs.
const sql = genAlterUserPasswordSql({
username: 'app',
password: 'my-new-secret-password',
passwordEncryption: 'scram-sha-256',
});
const { encodeScramSha256 } = require('pg-password-util');
const pgFormat = require('pg-format');
// Encode client side, then escape the result as a literal (%L) when building SQL.
const encodedPassword = encodeScramSha256({
password: 'my-new-secret-password',
iterations: 10000,
});
const sql = pgFormat('CREATE USER app PASSWORD %L LOGIN', encodedPassword);
const { alterUserPassword } = require('pg-password-util');
// client is a connected pg.Client; call from within an async function.
// The password encryption is inferred from the target database.
await alterUserPassword(client, {
username: 'app',
password: 'my-new-secret-password',
});
To build the module run:
$ make
Testing requires a PostgreSQL database. You can start one in the foreground via:
$ bin/postgres-server
Then, to run the tests run:
$ make test
ISC. See the file LICENSE.