scram: SASLPrep for passwords
will opened this issue
Right now the scram support does not run the password through sasl prep, so not all technically valid passwords will be able to authenticate using scram. I decided to release scram support even with this deficiency, since without scram support 100% of the passwords for scram would fail ;)
Some information copied from @jkatz's comments on #176:
The password needs to be normalized with SASLPrep (well, PostgreSQL flavored SASLPrep), otherwise some valid passwords will fail. Here is an example of how to do it:
https://github.com/MagicStack/asyncpg/blob/master/asyncpg/protocol/scram.pyx#L263
and
So what PostgreSQL does is that any UTF8 string goes through SASLprep. If it's not a UTF-8 string, or if it fails at certain parts of the SASLprep, then it just passes the string through. The server-side implementation can be found here:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/common/saslprep.c
Certain passwords will fail without following it. Here's an example of some of the test cases to try:
https://github.com/MagicStack/asyncpg/blob/master/tests/test_connect.py#L238
It doesn't look like Crystal has unicode_normalize_kc or any sort of unicode normalization yet.
Also I'm not sure all of the tables in crystal's stdlib src/unicode/data.cr exactly match up for the things needed for saslprep, so some custom tables might need to be added.
I pushed a branch that mostly just has failing tests, but this seems like it'll be a bit of work before it comes together. So any help here would be welcome.
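As an added example (not code from this project, and not the linked asyncpg code), here is the PostgreSQL-flavoured SASLprep described in the quoted comments, written in Python because Crystal has no NFKC normalization yet and the reference the comments point to is Python. It uses the stdlib `stringprep` tables for RFC 4013 and mirrors the rule quoted above: valid UTF-8 goes through SASLprep; input that is not UTF-8, or that SASLprep rejects, is used as-is. Treating unassigned code points (table A.1) as prohibited, the pure-ASCII shortcut, and falling back to the original password when mapping empties the string follow the linked asyncpg implementation and are assumptions about the server's exact behaviour. The `scram_salted_password` helper and the sample passwords are constructed for this example.

```python
"""PostgreSQL-flavoured SASLprep (RFC 4013) for SCRAM passwords.

Added example, not code from the crystal-pg project. Behaviour assumed
to match the asyncpg reference linked in the issue: pure-ASCII input is
returned untouched, non-UTF-8 input is returned untouched, unassigned
code points (table A.1) count as prohibited, and any SASLprep failure
falls back to the original bytes instead of rejecting the password.
"""
import hashlib
import stringprep
import unicodedata
from typing import Optional

# RFC 4013 section 2.3: characters whose presence makes the string invalid.
_PROHIBITED_TABLES = (
    stringprep.in_table_a1,   # unassigned code points (assumed prohibited)
    stringprep.in_table_c12,  # non-ASCII space (any left after mapping)
    stringprep.in_table_c21,  # ASCII control characters
    stringprep.in_table_c22,  # non-ASCII control characters
    stringprep.in_table_c3,   # private use
    stringprep.in_table_c4,   # non-character code points
    stringprep.in_table_c5,   # surrogate code points
    stringprep.in_table_c6,   # inappropriate for plain text
    stringprep.in_table_c7,   # inappropriate for canonical representation
    stringprep.in_table_c8,   # change display properties / deprecated
    stringprep.in_table_c9,   # tagging characters
)


def saslprep(text: str) -> Optional[str]:
    """Run RFC 4013 SASLprep on `text`; return None if the string is rejected."""
    # Step 1 - mapping: drop table B.1 ("commonly mapped to nothing") and
    # map table C.1.2 (non-ASCII spaces) to U+0020.
    mapped = "".join(
        " " if stringprep.in_table_c12(ch) else ch
        for ch in text
        if not stringprep.in_table_b1(ch)
    )
    if not mapped:
        return None  # assumption: an emptied string is a failure (asyncpg does this)
    # Step 2 - normalization: NFKC (this is the unicode_normalize_kc Crystal lacks).
    normalized = unicodedata.normalize("NFKC", mapped)
    # Step 3 - prohibited output.
    for ch in normalized:
        if any(in_table(ch) for in_table in _PROHIBITED_TABLES):
            return None
    # Step 4 - bidi rules (RFC 3454 section 6): if any RandALCat (D.1)
    # character is present, no LCat (D.2) character may be, and the first
    # and last characters must both be RandALCat.
    if any(stringprep.in_table_d1(ch) for ch in normalized):
        if any(stringprep.in_table_d2(ch) for ch in normalized):
            return None
        if not (stringprep.in_table_d1(normalized[0])
                and stringprep.in_table_d1(normalized[-1])):
            return None
    return normalized


def pg_saslprep_password(password: bytes) -> bytes:
    """Normalize raw password bytes the way PostgreSQL does before SCRAM.

    Pure ASCII is returned untouched (so ASCII control characters survive),
    non-UTF-8 input is returned untouched, and a SASLprep rejection falls
    back to the original bytes rather than failing authentication.
    """
    if password.isascii():
        return password
    try:
        text = password.decode("utf-8")
    except UnicodeDecodeError:
        return password  # not UTF-8: pass the bytes straight through
    normalized = saslprep(text)
    if normalized is None:
        return password  # prohibited / bidi failure: use the original
    return normalized.encode("utf-8")


def scram_salted_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """SCRAM-SHA-256 SaltedPassword = Hi(Normalize(password), salt, i).

    Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 (RFC 7677); the
    normalization step is exactly where a client without SASLprep diverges
    from the server for non-ASCII passwords.
    """
    return hashlib.pbkdf2_hmac("sha256", pg_saslprep_password(password), salt, iterations)
```

Two passwords that differ only in compatibility form (for example the "fi" ligature U+FB01 versus the letters "fi") produce the same SaltedPassword after normalization, which is why a client that skips this step computes a different ClientProof than the server expects and fails for exactly those passwords. Note the ASCII shortcut: an ASCII password containing a control character is used unchanged even though table C.2.1 would otherwise prohibit it.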