Conversation
@paragonie-scott correct me if we are wrong, but we do have to use password authentication since our driver is using networking?
@paragonie-scott I just went through the code for the Factory and it appears that there is no way to set an empty username & password, which I believe is required for unix socket communication with postgres, so trust authentication is out.
We can change the code in the Factory to allow blank credentials, you know. :)
This works with the current setup, but if you would prefer to find another solution outside using a hardcoded password it probably would be better. In that case the psql user would probably need to be www-data in the docker file.
The "unix_socket" use case seems like a rabbit hole with PDO. I'll merge this for now, and look at adding UNIX socket support in 2.0.0 (alongside MariaDB).
Actually, I believe we could use curl or something to skip the database setup screen (while prefilling values) and we should consider doing this for the docker image. Or make it available programmatically. Therefore we could randomly generate a password so there is less attack surface. But shell access in the Docker container is death anyway.
That's not going to be straightforward. We could, however, write out the JSON file from within docker.
I knew there was CSRF :P
I mean, I could probably create a URL that sets the cookie? And we can just do this:
Oh, I get why it's hard now haha, whoops. All that being said, I'd put this aside on the back burner.
Okay, I'll make an issue for version 2.0.0 and tackle it then.
We should also think about using Docker Compose and run PostgreSQL in a separate container.
Summary
Since we're using network sockets for database connections we cannot peer authenticate, so our DB user needs a password. `secret` will work for now.
Issues Addressed (Optional)
Contributing to #42
Contributor Agreement (Required)
I am submitting this pull request under one or more of the following
licenses:
Furthermore, I understand that CMS Airship is released under the GNU Public
License to the general public, as well as private commercial licenses
(purchasable from Paragon Initiative Enterprises).
By submitting this pull request, I acknowledge that my contribution will be
incorporated into CMS Airship, and consent for it to be handled as outlined
above.
(This does not in any way restrict your rights to use your own modifications.
The purpose of this agreement is to maximize awareness and transparency.)