
Support short-time passwords (tokens) in connection strings

Open kratkyzobak opened this issue 2 years ago • 2 comments

There are possibilities to connect database servers using token credentials. For example https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication

tl;dr - there are situations where you can use short-lived token instead of long-lived password to connect to database

Problem(s):

  • Access token used as password can be really short-lived (5-60 minutes). When using lazy connections in some long-running jobs, the token may already be expired when trying to connect if the token was obtained at service creation time instead of at connection time.
  • Same as previous for reconnecting during a long-running job
  • Access token should not be obtained before the lazy connection is really made

Potential solutions:

  • Weird one - pass a reference to the password instead of the password itself (for example in Azure Storage SDK) - this does not solve the last issue - the token has to be released not only when the connection is not made, but has to be updated every time
  • Provider of connections - using some layer above the current connection class and doing the laziness again (doable outside of Nette)
  • Provider of password - allow password to be not only ?string, but null|string|callable():string

I would prefer the last one, of course. I wanted to do it and send it as a PR, but I feel like I need approval that it is acceptable at all. As I looked at other frameworks, their configuration usually does not support this scenario either.

kratkyzobak - Apr 10 '23 17:04
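The "provider of password" option from the list above, as an added PHP example that is not nette/database code: the credential is a callable resolved at the real connect (or reconnect) time, and a small provider caches the token and renews it shortly before expiry. The `TokenPasswordProvider`, `LazyConnection` and the `$issuer` closure are constructed for illustration; a real issuer would call the identity service.

```php
<?php
// Added example (not nette/database code): resolve a short-lived token at
// connect time instead of at service-construction time.
declare(strict_types=1);

final class TokenPasswordProvider
{
    private ?string $token = null;
    private int $expiresAt = 0;

    /** @param callable():array{token:string, expires_in:int} $fetchToken */
    public function __construct(
        private $fetchToken,           // hypothetical token issuer (e.g. a cloud identity SDK)
        private int $refreshSkew = 60, // renew this many seconds before expiry
    ) {}

    public function __invoke(): string
    {
        // Reuse a cached token while it is comfortably valid; otherwise fetch a fresh one.
        if ($this->token === null || time() >= $this->expiresAt - $this->refreshSkew) {
            ['token' => $this->token, 'expires_in' => $ttl] = ($this->fetchToken)();
            $this->expiresAt = time() + $ttl;
        }
        return $this->token;
    }
}

final class LazyConnection
{
    private ?PDO $pdo = null;

    /** @param null|string|callable():string $password */
    public function __construct(private string $dsn, private string $user, private $password) {}

    public function getPdo(): PDO
    {
        if ($this->pdo === null) {
            // The credential is resolved only now, so a token is fresh at the real connect time.
            $password = is_callable($this->password) ? ($this->password)() : $this->password;
            $this->pdo = new PDO($this->dsn, $this->user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        }
        return $this->pdo;
    }

    // A reconnect in a long-running job goes through the provider again, picking up a renewed token.
    public function reconnect(): PDO { $this->pdo = null; return $this->getPdo(); }
}

// Constructed stand-in for a token issuer (hypothetical host and credentials).
$issuer = fn(): array => ['token' => 'tok-' . bin2hex(random_bytes(4)), 'expires_in' => 300];
$connection = new LazyConnection('mysql:host=db.example;dbname=app', 'app', new TokenPasswordProvider($issuer));
```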

Are there some problems with using the second solution, i.e. having a custom connection factory?

JanTvrdik - Apr 11 '23 09:04

The problem is only in mindset. Of course I can handle solving this by a connection factory and/or a decorator above the current Connection class, where I would re-implement connection laziness.

I believe this kind of stuff should be somehow supported by the framework, as short-lived passwords will be used more and more.

But I may be alone with this opinion. This is the reason why I asked first, before trying to create a PR.

kratkyzobak - Apr 11 '23 09:04

Solved by https://github.com/nette/database/commit/abd38ef93eb366e4e661e0012343cc3551f58a17 (moving the PDO::connect call from Connection to the Driver class). Driver is injectable into Connection, so we can create our own Driver without mangling Connection.

kratkyzobak - Jun 25 '24 07:06