feat: password-less database login (#3885)

Author: sweatybridge

cmd/root.go

@@ -111,7 +111,7 @@ var (
 					}
 				}
 			}
-			if err := flags.ParseDatabaseConfig(cmd.Flags(), fsys); err != nil {
+			if err := flags.ParseDatabaseConfig(ctx, cmd.Flags(), fsys); err != nil {
 				return err
 			}
 			// Prepare context

internal/bootstrap/bootstrap.go

@@ -113,7 +113,7 @@ func Run(ctx context.Context, starter StarterTemplate, fsys afero.Fs, options ..
 		return err
 	}
 	// 6. Push migrations
-	config := flags.NewDbConfigWithPassword(flags.ProjectRef)
+	config := flags.NewDbConfigWithPassword(ctx, flags.ProjectRef)
 	if err := writeDotEnv(keys, config, fsys); err != nil {
 		fmt.Fprintln(os.Stderr, "Failed to create .env file:", err)
 	}

internal/link/link.go

@@ -14,7 +14,6 @@ import (
 	"github.com/spf13/afero"
 	"github.com/spf13/viper"
 	"github.com/supabase/cli/internal/utils"
-	"github.com/supabase/cli/internal/utils/credentials"
 	"github.com/supabase/cli/internal/utils/flags"
 	"github.com/supabase/cli/internal/utils/tenant"
 	"github.com/supabase/cli/pkg/api"
@@ -43,15 +42,9 @@ func Run(ctx context.Context, projectRef string, fsys afero.Fs, options ...func(
 	LinkServices(ctx, projectRef, keys.Anon, fsys)
 
 	// 2. Check database connection
-	config := flags.GetDbConfigOptionalPassword(projectRef)
-	if len(config.Password) > 0 {
-		if err := linkDatabase(ctx, config, fsys, options...); err != nil {
-			return err
-		}
-		// Save database password
-		if err := credentials.StoreProvider.Set(projectRef, config.Password); err != nil {
-			fmt.Fprintln(os.Stderr, "Failed to save database password:", err)
-		}
+	config := flags.NewDbConfigWithPassword(ctx, projectRef)
+	if err := linkDatabase(ctx, config, fsys, options...); err != nil {
+		return err
 	}
 
 	// 3. Save project ref

internal/link/link_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/supabase/cli/pkg/api"
 	"github.com/supabase/cli/pkg/migration"
 	"github.com/supabase/cli/pkg/pgtest"
+	"github.com/supabase/cli/pkg/pgxv5"
 	"github.com/zalando/go-keyring"
 )
 
@@ -47,7 +48,9 @@ func TestLinkCommand(t *testing.T) {
 		// Setup mock postgres
 		conn := pgtest.NewConn()
 		defer conn.Close(t)
-		conn.Query(GET_LATEST_STORAGE_MIGRATION).
+		conn.Query(pgxv5.SET_SESSION_ROLE).
+			Reply("SET ROLE").
+			Query(GET_LATEST_STORAGE_MIGRATION).
 			Reply("SELECT 1", []interface{}{"custom-metadata"})
 		helper.MockMigrationHistory(conn)
 		helper.MockSeedHistory(conn)
@@ -92,6 +95,9 @@ func TestLinkCommand(t *testing.T) {
 			Get("/v1/projects/" + project + "/network-restrictions").
 			Reply(200).
 			JSON(api.NetworkRestrictionsResponse{})
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + project + "/database/query").
+			Reply(http.StatusCreated)
 		// Link versions
 		auth := tenant.HealthResponse{Version: "v2.74.2"}
 		gock.New("https://" + utils.GetSupabaseHost(project)).
@@ -158,8 +164,11 @@ func TestLinkCommand(t *testing.T) {
 			ReplyError(errors.New("network error"))
 		gock.New(utils.DefaultApiHost).
 			Get("/v1/projects/" + project + "/network-restrictions").
-			Reply(200).
+			Reply(http.StatusOK).
 			JSON(api.NetworkRestrictionsResponse{})
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + project + "/database/query").
+			Reply(http.StatusServiceUnavailable)
 		// Link versions
 		gock.New("https://" + utils.GetSupabaseHost(project)).
 			Get("/auth/v1/health").
@@ -181,6 +190,15 @@ func TestLinkCommand(t *testing.T) {
 	t.Run("throws error on write failure", func(t *testing.T) {
 		// Setup in-memory fs
 		fsys := afero.NewReadOnlyFs(afero.NewMemMapFs())
+		// Setup mock postgres
+		conn := pgtest.NewConn()
+		defer conn.Close(t)
+		conn.Query(pgxv5.SET_SESSION_ROLE).
+			Reply("SET ROLE").
+			Query(GET_LATEST_STORAGE_MIGRATION).
+			Reply("SELECT 1", []interface{}{"custom-metadata"})
+		helper.MockMigrationHistory(conn)
+		helper.MockSeedHistory(conn)
 		// Flush pending mocks after test execution
 		defer gock.OffAll()
 		// Mock project status
@@ -212,8 +230,11 @@ func TestLinkCommand(t *testing.T) {
 			ReplyError(errors.New("network error"))
 		gock.New(utils.DefaultApiHost).
 			Get("/v1/projects/" + project + "/network-restrictions").
-			Reply(200).
+			Reply(http.StatusOK).
 			JSON(api.NetworkRestrictionsResponse{})
+		gock.New(utils.DefaultApiHost).
+			Post("/v1/projects/" + project + "/database/query").
+			Reply(http.StatusCreated)
 		// Link versions
 		gock.New("https://" + utils.GetSupabaseHost(project)).
 			Get("/auth/v1/health").
@@ -225,7 +246,7 @@ func TestLinkCommand(t *testing.T) {
 			Get("/v1/projects").
 			ReplyError(errors.New("network error"))
 		// Run test
-		err := Run(context.Background(), project, fsys)
+		err := Run(context.Background(), project, fsys, conn.Intercept)
 		// Check error
 		assert.ErrorContains(t, err, "operation not permitted")
 		assert.Empty(t, apitest.ListUnmatchedRequests())

internal/utils/flags/db_url.go

@@ -1,11 +1,16 @@
 package flags
 
 import (
+	"bytes"
+	"context"
 	"crypto/rand"
+	_ "embed"
 	"fmt"
 	"math/big"
+	"net/http"
 	"os"
 	"strings"
+	"text/template"
 
 	"github.com/go-errors/errors"
 	"github.com/jackc/pgconn"
@@ -14,7 +19,9 @@ import (
 	"github.com/spf13/viper"
 	"github.com/supabase/cli/internal/utils"
 	"github.com/supabase/cli/internal/utils/credentials"
+	"github.com/supabase/cli/pkg/api"
 	"github.com/supabase/cli/pkg/config"
+	"github.com/supabase/cli/pkg/pgxv5"
 )
 
 type connection int
@@ -29,7 +36,7 @@ const (
 
 var DbConfig pgconn.Config
 
-func ParseDatabaseConfig(flagSet *pflag.FlagSet, fsys afero.Fs) error {
+func ParseDatabaseConfig(ctx context.Context, flagSet *pflag.FlagSet, fsys afero.Fs) error {
 	// Changed flags take precedence over default values
 	var connType connection
 	if flag := flagSet.Lookup("db-url"); flag != nil && flag.Changed {
@@ -77,7 +84,7 @@ func ParseDatabaseConfig(flagSet *pflag.FlagSet, fsys afero.Fs) error {
 		if err := LoadConfig(fsys); err != nil {
 			return err
 		}
-		DbConfig = NewDbConfigWithPassword(ProjectRef)
+		DbConfig = NewDbConfigWithPassword(ctx, ProjectRef)
 	case proxy:
 		token, err := utils.LoadAccessTokenFS(fsys)
 		if err != nil {
@@ -95,23 +102,71 @@ func ParseDatabaseConfig(flagSet *pflag.FlagSet, fsys afero.Fs) error {
 	return nil
 }
 
-func NewDbConfigWithPassword(projectRef string) pgconn.Config {
-	config := getDbConfig(projectRef)
-	config.Password = getPassword(projectRef)
-	return config
+const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+
+func RandomString(size int) (string, error) {
+	data := make([]byte, size)
+	_, err := rand.Read(data)
+	if err != nil {
+		return "", errors.Errorf("failed to read random: %w", err)
+	}
+	for i := range data {
+		n := int(data[i]) % len(letters)
+		data[i] = letters[n]
+	}
+	return string(data), nil
 }
 
-func getPassword(projectRef string) string {
-	if password := viper.GetString("DB_PASSWORD"); len(password) > 0 {
-		return password
+func NewDbConfigWithPassword(ctx context.Context, projectRef string) pgconn.Config {
+	config := getDbConfig(projectRef)
+	config.Password = viper.GetString("DB_PASSWORD")
+	if len(config.Password) > 0 {
+		return config
 	}
-	if password, err := credentials.StoreProvider.Get(projectRef); err == nil {
-		return password
+	var err error
+	if config.Password, err = RandomString(32); err == nil {
+		newRole := pgconn.Config{
+			User:     pgxv5.CLI_LOGIN_ROLE,
+			Password: config.Password,
+		}
+		if err := initLoginRole(ctx, projectRef, newRole); err == nil {
+			// Special handling for pooler username
+			if suffix := "." + projectRef; strings.HasSuffix(config.User, suffix) {
+				newRole.User += suffix
+			}
+			config.User = newRole.User
+			return config
+		}
+	}
+	if config.Password, err = credentials.StoreProvider.Get(projectRef); err == nil {
+		return config
 	}
 	resetUrl := fmt.Sprintf("%s/project/%s/settings/database", utils.GetSupabaseDashboardURL(), projectRef)
 	fmt.Fprintln(os.Stderr, "Forgot your password? Reset it from the Dashboard:", utils.Bold(resetUrl))
 	fmt.Fprint(os.Stderr, "Enter your database password: ")
-	return credentials.PromptMasked(os.Stdin)
+	config.Password = credentials.PromptMasked(os.Stdin)
+	return config
+}
+
+var (
+	//go:embed queries/role.sql
+	initRoleEmbed    string
+	initRoleTemplate = template.Must(template.New("initRole").Parse(initRoleEmbed))
+)
+
+func initLoginRole(ctx context.Context, projectRef string, config pgconn.Config) error {
+	fmt.Fprintf(os.Stderr, "Initialising %s role...\n", config.User)
+	var initRoleBuf bytes.Buffer
+	if err := initRoleTemplate.Option("missingkey=error").Execute(&initRoleBuf, config); err != nil {
+		return errors.Errorf("failed to exec template: %w", err)
+	}
+	body := api.V1RunQueryBody{Query: initRoleBuf.String()}
+	if resp, err := utils.GetSupabase().V1RunAQueryWithResponse(ctx, projectRef, body); err != nil {
+		return errors.Errorf("failed to initialise login role: %w", err)
+	} else if resp.StatusCode() != http.StatusCreated {
+		return errors.Errorf("unexpected query status %d: %s", resp.StatusCode(), string(resp.Body))
+	}
+	return nil
 }
 
 const PASSWORD_LENGTH = 16
@@ -148,13 +203,3 @@ func getDbConfig(projectRef string) pgconn.Config {
 		Database: "postgres",
 	}
 }
-
-func GetDbConfigOptionalPassword(projectRef string) pgconn.Config {
-	config := getDbConfig(projectRef)
-	config.Password = viper.GetString("DB_PASSWORD")
-	if config.Password == "" {
-		fmt.Fprint(os.Stderr, "Enter your database password (or leave blank to skip): ")
-		config.Password = credentials.PromptMasked(os.Stdin)
-	}
-	return config
-}

internal/utils/flags/db_url_test.go

@@ -1,19 +1,23 @@
 package flags
 
 import (
+	"context"
 	"os"
 	"testing"
 
 	"github.com/spf13/afero"
 	"github.com/spf13/pflag"
-	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/supabase/cli/internal/testing/apitest"
 	"github.com/supabase/cli/internal/utils"
 )
 
 func TestParseDatabaseConfig(t *testing.T) {
+	// Setup valid access token
+	token := apitest.RandomAccessToken(t)
+	t.Setenv("SUPABASE_ACCESS_TOKEN", string(token))
+
 	t.Run("parses direct connection from db-url flag", func(t *testing.T) {
 		flagSet := pflag.NewFlagSet("test", pflag.ContinueOnError)
 		flagSet.String("db-url", "postgres://postgres:password@localhost:5432/postgres", "")
@@ -22,7 +26,7 @@ func TestParseDatabaseConfig(t *testing.T) {
 
 		fsys := afero.NewMemMapFs()
 
-		err = ParseDatabaseConfig(flagSet, fsys)
+		err = ParseDatabaseConfig(context.Background(), flagSet, fsys)
 
 		assert.NoError(t, err)
 		assert.Equal(t, "db.example.com", DbConfig.Host)
@@ -44,7 +48,7 @@ func TestParseDatabaseConfig(t *testing.T) {
 		utils.Config.Db.Port = 54322
 		utils.Config.Db.Password = "local-password"
 
-		err = ParseDatabaseConfig(flagSet, fsys)
+		err = ParseDatabaseConfig(context.Background(), flagSet, fsys)
 
 		assert.NoError(t, err)
 		assert.Equal(t, "localhost", DbConfig.Host)
@@ -66,7 +70,7 @@ func TestParseDatabaseConfig(t *testing.T) {
 		err = afero.WriteFile(fsys, utils.ProjectRefPath, []byte(project), 0644)
 		require.NoError(t, err)
 
-		err = ParseDatabaseConfig(flagSet, fsys)
+		err = ParseDatabaseConfig(context.Background(), flagSet, fsys)
 
 		assert.NoError(t, err)
 		assert.Equal(t, utils.GetSupabaseDbHost(project), DbConfig.Host)
@@ -105,14 +109,3 @@ func TestPromptPassword(t *testing.T) {
 		assert.NotEqual(t, "", password)
 	})
 }
-
-func TestGetDbConfigOptionalPassword(t *testing.T) {
-	t.Run("uses environment variable when available", func(t *testing.T) {
-		viper.Set("DB_PASSWORD", "env-password")
-		projectRef := apitest.RandomProjectRef()
-
-		config := GetDbConfigOptionalPassword(projectRef)
-
-		assert.Equal(t, "env-password", config.Password)
-	})
-}

internal/utils/flags/queries/role.sql

@@ -0,0 +1,16 @@
+do $func$
+begin
+  if not exists (
+    select 1
+    from pg_roles
+    where rolname = '{{ .User }}'
+  )
+  then
+    create role "{{ .User }}" noinherit login noreplication in role postgres;
+  end if;
+  execute format(
+    $$alter role "{{ .User }}" with password '{{ .Password }}' valid until %L$$,
+    now() + interval '5 minutes'
+  );
+end
+$func$ language plpgsql;

pkg/pgxv5/connect.go

@@ -4,12 +4,18 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/go-errors/errors"
 	"github.com/jackc/pgconn"
 	"github.com/jackc/pgx/v4"
 )
 
+const (
+	CLI_LOGIN_ROLE   = "cli_login_postgres"
+	SET_SESSION_ROLE = "SET SESSION ROLE postgres"
+)
+
 // Extends pgx.Connect with support for programmatically overriding parsed config
 func Connect(ctx context.Context, connString string, options ...func(*pgx.ConnConfig)) (*pgx.Conn, error) {
 	// Parse connection url
@@ -20,6 +26,11 @@ func Connect(ctx context.Context, connString string, options ...func(*pgx.ConnCo
 	config.OnNotice = func(pc *pgconn.PgConn, n *pgconn.Notice) {
 		fmt.Fprintf(os.Stderr, "%s (%s): %s\n", n.Severity, n.Code, n.Message)
 	}
+	if strings.HasPrefix(config.User, CLI_LOGIN_ROLE) {
+		config.AfterConnect = func(ctx context.Context, pgconn *pgconn.PgConn) error {
+			return pgconn.Exec(ctx, SET_SESSION_ROLE).Close()
+		}
+	}
 	// Apply config overrides
 	for _, op := range options {
 		op(config)