pgwire_replication/auth/mod.rs
1//! Authentication mechanisms for PostgreSQL connections.
2//!
3//! This module provides implementations for PostgreSQL authentication methods:
4//!
5//! - **SCRAM-SHA-256** (feature: `scram`): Modern, secure password authentication
6//! recommended for PostgreSQL 10+. Provides mutual authentication and doesn't
7//! transmit the password.
8//!
9//! # Feature Flags
10//!
11//! - `scram`: Enables SCRAM-SHA-256 authentication support. Adds dependencies on
12//! `sha2`, `hmac`, `rand`, and `base64`.
13//!
14//! # Example
15//!
16//! ```no_run
17//! #[cfg(feature = "scram")]
18//! fn main() -> Result<(), Box<dyn std::error::Error>> {
19//! use pgwire_replication::auth::scram::ScramClient;
20//! // Create SCRAM client with random nonce
21//! let client = ScramClient::new("postgres");
22//!
23//! // Send client-first-message to server
24//! let _client_first = &client.client_first;
25//!
26//! // In a real exchange, these come from the server.
27//! // Placeholders here so the example compiles.
28//! let server_first = String::new();
29//! let server_final = String::new();
30//!
31//! // After receiving server-first-message, compute response
32//! let (client_final, auth_msg, salted_pw) =
33//! client.client_final("mypassword", &server_first)?;
34//! let _ = client_final;
35//!
36//! // After receiving server-final-message, verify server
37//! ScramClient::verify_server_final(&server_final, &salted_pw, &auth_msg)?;
38//!
39//! Ok(())
40//! }
41//! ```
42//!
43//! # Unsupported Methods
44//!
45//! The following authentication methods are not currently supported:
46//! - MD5 (deprecated, insecure)
47//! - GSSAPI / Kerberos
48//! - SSPI (Windows)
49//! - Certificate authentication (handled at TLS layer)
50
51pub mod scram;
52
53#[cfg(feature = "scram")]
54pub use scram::ScramClient;