Skip to content

feat(pgpm): opt-in authenticated_client role via admin-users bootstrap --client#1344

Merged
pyramation merged 3 commits into
mainfrom
feat/authenticated-client-bootstrap
Jul 8, 2026
Merged

feat(pgpm): opt-in authenticated_client role via admin-users bootstrap --client#1344
pyramation merged 3 commits into
mainfrom
feat/authenticated-client-bootstrap

Conversation

@pyramation

@pyramation pyramation commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Productionizes the restricted authenticated_client role (prototyped in constructive-db's proxy/pg-wire-proxy test bootstrap) as an opt-in pgpm primitive. The base bootstrap command is unchanged; the client role is only created with the new --client flag:

pgpm admin-users bootstrap --client

What the role is: a NOLOGIN, NOBYPASSRLS variant of authenticated for SQL-level proxy clients — it inherits table/schema grants (GRANT authenticated TO authenticated_client) with a server-enforced statement_timeout = '15s' baseline (ALTER ROLE ... SET).

Deliberately NOT included: grant-level hardening like REVOKE EXECUTE ON set_config/pg_notify FROM PUBLIC. Those revokes affect every non-superuser role in the database — the app's GraphQL server (jwt.claims injection via set_config) and job workers (pg_notify) depend on both — so they remain a proxy-deployment concern (constructive-db proxy/pg-wire-proxy/src/deployment.ts + its test bootstrap), applied only to proxy-facing databases with explicit re-grants.

Changes:

  • RoleMapping (pgpm/types): new optional authenticatedClient?: string, default 'authenticated_client' in pgpmDefaults and pgsql-client's DEFAULT_ROLE_MAPPING
  • generateCreateClientRoleSQL(roles, statementTimeout='15s') in pgpm/core/src/roles — idempotent (IF NOT EXISTS pre-checks + TOCTOU exception handling), same style as the other generators
  • PgpmInit.bootstrapClientRole(roles) + --client flag on pgpm admin-users bootstrap

Verified live against constructiveio/postgres-plus:18: role created NOLOGIN/NOBYPASSRLS, membership granted, statement_timeout=15s applied, and re-running bootstrap --client is a no-op.

Link to Devin session: https://app.devin.ai/sessions/b759cb7edaaa42348d402e10a5f4ca4b
Requested by: @pyramation

@pyramation pyramation self-assigned this Jul 8, 2026
@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@pyramation pyramation merged commit 2fb7a40 into main Jul 8, 2026
36 checks passed
@pyramation pyramation deleted the feat/authenticated-client-bootstrap branch July 8, 2026 06:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant