fix: apply SASLprep (RFC 4013) to passwords before SCRAM-SHA-256 PBKDF2 #1844
Workflow file for this run
# Workflow identity, triggers and token scope for the CI pipeline.
name: CI

# Runs on every push and on every pull request. `pull_request` (as opposed to
# `pull_request_target`) executes in the context of the PR's merge commit, and
# for PRs from forks GitHub supplies a read-only token and no repository secrets.
on:
  - push
  - pull_request

# Least privilege for the job token: the jobs below only need to read the
# repository contents, so no write scopes are granted.
permissions:
  contents: read
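jobs:
  # Runs `yarn lint` once on Node 18; the build job is gated on it via `needs`.
  lint:
    timeout-minutes: 5
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions in this file are referenced by major-version tag
      # (`@v4`), which the action's publisher can move. Pinning to a full commit
      # SHA makes the reference immutable.
      - uses: actions/checkout@v4
        with:
          # Keep the job token out of the checkout's git config so later steps
          # (package install scripts, lint plugins) cannot read it from there.
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: yarn
      # --frozen-lockfile fails the install instead of updating yarn.lock, so
      # CI resolves exactly the dependency versions that were committed.
      - run: yarn install --frozen-lockfile
      - run: yarn lint

  # Runs `yarn test` against a PostgreSQL service container for each Node.js
  # version in the matrix, including the SCRAM-SHA-256 / SASLprep checks.
  build:
    timeout-minutes: 15
    needs: lint
    services:
      postgres:
        # NOTE(review): third-party image referenced without a tag or digest,
        # so each run pulls whatever is currently published. Pin to a reviewed
        # tag or digest if reproducible, auditable runs are required.
        image: ghcr.io/railwayapp-templates/postgres-ssl
        env:
          # Fixture credentials for the ephemeral CI database only; they are
          # visible in this file by design and must not be reused elsewhere.
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          # Presumably written to pg_hba.conf by the image's entrypoint, as in
          # the official postgres image - confirm. With the `md5` method the
          # server still negotiates SCRAM for roles whose stored verifier is
          # SCRAM, which is what the scram_* roles created below rely on.
          POSTGRES_HOST_AUTH_METHOD: 'md5'
          POSTGRES_DB: ci_db_test
        ports:
          # Quoted so the mapping is always read as a string.
          - '5432:5432'
        # Folded into one line: the job waits for pg_isready before the steps.
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    strategy:
      fail-fast: false
      matrix:
        node:
          - '16'
          - '18'
          - '20'
          - '22'
          - '24'
          - '25'
        os:
          - ubuntu-latest
    name: Node.js ${{ matrix.node }}
    # NOTE(review): `matrix.os` is declared above but not referenced; the runner
    # is fixed here. Service containers require a Linux runner in any case.
    runs-on: ubuntu-latest
    env:
      # libpq connection defaults, picked up by psql in the role-setup step.
      PGUSER: postgres
      PGPASSWORD: postgres
      PGHOST: localhost
      PGDATABASE: ci_db_test
      # Presumably read by the test suite to skip TLS cases - confirm.
      PGTESTNOSSL: 'true'
      SCRAM_TEST_PGUSER: scram_test
      SCRAM_TEST_PGPASSWORD: test4scram
      SCRAM_TEST_PGUSER_UNICODE: scram_unicode_test
      # Raw form of a password whose NFKC normalization differs from itself.
      # U+2168 (ROMAN NUMERAL NINE) decomposes to ASCII "IX" under NFKC; the
      # server stores the verifier from the SASLprep-normalized form, so the
      # client must apply SASLprep too. This is the regression check for the
      # RFC 4013 fix in packages/pg/lib/crypto/sasl.js.
      # Double quotes are required: YAML only expands \u escapes in that style.
      SCRAM_TEST_PGPASSWORD_UNICODE: "IX-\u2168"
    steps:
      - name: Show OS
        run: |
          uname -a
      # Creates the two SCRAM roles before the tests run. All -c commands share
      # one session, so the SET applies to both CREATE ROLE statements.
      # ON_ERROR_STOP makes psql stop at the first failing command, so a failed
      # SET cannot be masked by a later CREATE ROLE that succeeds and leave the
      # roles with a non-SCRAM verifier while the job stays green.
      # U&'IX-\2168' is PostgreSQL's Unicode-escape string form of the same
      # password given in SCRAM_TEST_PGPASSWORD_UNICODE.
      - name: Create SCRAM test roles
        run: |
          psql \
            -v ON_ERROR_STOP=1 \
            -c "SET password_encryption = 'scram-sha-256'" \
            -c "CREATE ROLE scram_test LOGIN PASSWORD 'test4scram'" \
            -c "CREATE ROLE scram_unicode_test LOGIN PASSWORD U&'IX-\2168'"
      - uses: actions/checkout@v4
        with:
          # Keep the job token out of the checkout's git config; the install
          # and test steps below run project and dependency code.
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node }}
          cache: yarn
      - run: yarn install --frozen-lockfile
      - run: yarn test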