Skip to content

Fix passthrough auth for users without a password #780

Open
howenyap wants to merge 4 commits intopgdogdev:mainfrom
howenyap:howen/passthrough-auth-without-password
Open

Fix passthrough auth for users without a password #780
howenyap wants to merge 4 commits intopgdogdev:mainfrom
howenyap:howen/passthrough-auth-without-password

Conversation

@howenyap
Copy link

@howenyap howenyap commented Feb 19, 2026
edited
Loading

Closes #373

Logic change

  • when building a new Cluster with new_pool, pause the cluster if passthrough auth is enabled and password is empty
  • on login, resume cluster if passthrough password exists

Testcases

Test is AuthType::Trust? is password empty? cluster state
test_passthrough_empty_password_starts_paused false true paused
test_passthrough_user_with_password_unpaused false false not paused
test_passthrough_empty_password_trust_starts_unpaused true true not paused

  • test_replace_empty_password_cluster_with_passthrough_password

    • start with empty password, cluster should be paused
    • add new connection pool with passthrough password, cluster should resume

  • test_pause_resume_toggles_all_pools: cluster.pause() should pause every pool, while cluster.resume() should resume every pool`

cargo nextest run --profile dev

image

bash integration/go/run.sh

image

@CLAassistant
Copy link

CLAassistant commented Feb 19, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@codecov
Copy link

codecov bot commented Feb 19, 2026

Codecov Report

❌ Patch coverage is 91.90476% with 17 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pgdog/src/backend/databases.rs 95.83% 7 Missing ⚠️
pgdog/src/backend/pool/connection/mod.rs 25.00% 6 Missing ⚠️
pgdog/src/frontend/client/mod.rs 0.00% 4 Missing ⚠️

📢 Thoughts on this report? Let us know!

@levkk
Copy link
Collaborator

levkk commented Feb 19, 2026

Looks great! Quick ask, would you be able to add an integration test in integration/rust/src/auth.rs? You can create an additional [[users]] entry without a password in integration/users.toml and then try to connect to it from the integration test - just to confirm it works as expected.

Another thing, in client/mod.rs:

if passthrough_password.is_some() {
      conn.resume_cluster_pools();
}

While this is quick and pretty harmless, I think we should still check if the pool already has a password set, i.e., another client connected already and we configured the auth and resumed the pool. I think you can do this quickly by checking the Cluster struct for the password (we set it there, I believe).

@howenyap
Copy link
Author

howenyap commented Feb 20, 2026

thanks for reviewing @levkk ! made changes as requested

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Auth] Passthrough auth for users without a password is broken

3 participants

@howenyap @CLAassistant @levkk

Comments