Dynamic password change

[vitaly-t]

What is the recommended approach to dealing with passwords that can change dynamically?

At first, I saw this PR, only to find out it is actually useless for this, as it only invokes the callback once, in the beginning. In my case, the password can change at any point, and the pool connection needs to be updated accordingly.

At first, I tried destroying and then re-creating the pool, but this seemed too radical, and awkward, having to track authentication issues to figure out when to re-create the pool.

Then I tried setting pool.options.password = 'new-password' whenever I was about to reuse the pool object. But this would only work when a connection object was used. For a connection string, I had to re-generate the string, and set it to pool.options.connectionString before every use of the pool.

This all looks like a hack. Is there a recommended approach to updating the pool with the new password?

[sehrope]

No, the dynamic password function is not invoked only once. It's invoked each time an authentication is requested for a client connection. For a pool that would be once per connection at the time the connection created. PostgreSQL only requests authentication once at the beginning of the connection handshake so there's no situation where it would be invoked more than once for the same connection.

Add some logging to your dynamic password function to see if it's being called at all. I bet it's not.

I think the issue here is from using both a connection string and a password function. If you try to use both via something like:

const pool = new pg.Pool({
    connectionString: 'postgresql://user@db.example:5432/my-db',
    password: async () => 'random-' + Date.now(),
})

The connection string parser assigns config.password = undefined:

node-postgres/packages/pg-connection-string/index.js

Lines 30 to 32 in 6121bd3

	var auth = (result.auth || ':').split(':')
	config.user = auth[0]
	config.password = auth.splice(1).join(':')

And then the undefined password in the config from the connection string is overriding any password function:

node-postgres/packages/pg/lib/connection-parameters.js

Lines 51 to 57 in 6121bd3

	config = typeof config === 'string' ? parse(config) : config || {}
	// if the config has a connectionString defined, parse IT into the config we use
	// this will override other default values with what is stored in connectionString
	if (config.connectionString) {
	config = Object.assign({}, config, parse(config.connectionString))
	}

If you instead use a pool with the entire config specified as an object (no connectionString property) it works because the password property is passed as-is to the client.

const pool = new pg.Pool({
    host: 'db.example.com',
    port: 5432,
    user: 'user',
    database: 'my-db',
    password: async () => 'random-' + Date.now(),
});

I think the fix to support mixed configs (both URI and object) is to only set the values in parsed connectionString if they are not undefined.

[JoelVenable]

@sehrope Excellent! I was searching for this exact issue, because I am looking to migrate from a password environment variable to an IAM role on my AWS RDS db (generates an auth token/password that is only valid for 15 minutes).

However, the documentation does not mention this feature. I'll submit an issue on the docs repo.

[vitaly-t]

Ok 👍