Skip to content

Reliability improvements to PostgreSQL plugin and performance improvements to SHIELD auth flow #794

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: develop
Choose a base branch
from
Open

Reliability improvements to PostgreSQL plugin and performance improvements to SHIELD auth flow #794

wants to merge 15 commits into from

Conversation

@tristanpoland
Copy link

@tristanpoland tristanpoland commented Aug 19, 2025

This pull request introduces an important new feature to the Postgres plugin: Upfront permission checks before restore operations. Additionally, it improves the authentication flow for WebSocket connections in the frontend by verifying user credentials before establishing the connection. These changes enhance both the security and usability of the system.

Postgres Plugin Enhancements:

  • Added a new pg_skip_permission_check boolean field to the plugin configuration, allowing users to bypass permission checks before restore with a clear warning about the risks.
  • Implemented the checkRestorePermissions function, which performs a database privilege check to ensure the user has sufficient rights to perform a restore. This check is now executed by default unless explicitly skipped.
  • Updated the PostgresConnectionInfo struct and connection info logic to support and propagate the new skip permission check option. [1] [2] [3]
  • Integrated the permission check into the restore workflow, with debug logging and error handling for insufficient privileges.

Frontend Authentication Improvements:

  • Modified the WebSocket subscription logic in data.js to first verify authentication via a bearings API call before attempting to establish the WebSocket connection, improving security and error handling. [1] [2] [3]

@tristanpoland
Add upfront permission check to Postgres restore
21e2f05 
Introduces a checkRestorePermissions function to verify that the user has sufficient privileges before starting a restore operation. This helps prevent restore failures due to inadequate permissions by checking for superuser status or database creation rights.
@tristanpoland
Add option to skip Postgres permission check
d885111 
Introduces a new 'pg_skip_permission_check' boolean field to allow skipping upfront permission validation during restore. This is useful for advanced users who understand the risks and want to bypass permission checks, with appropriate warnings in the help text. The PostgresConnectionInfo struct and related logic are updated to support this option.
@tristanpoland
Fix permission check and add postgres.exe binary
9108476 
Corrected the method call to BooleanValueDefault for 'pg_skip_permission_check' in plugin.go and made minor formatting improvements. Added the postgres.exe binary to the repository.
@tristanpoland
Authenticate before establishing WebSocket connection
ed9b95b 
Added a preliminary authentication check via bearings API before attempting to connect to the WebSocket. Refactored code to fetch and process bearings data only once, improving efficiency by rejecting subscription if authentication fails.
@tristanpoland
Improve WebSocket reconnection logic
d1e8c7b 
Refactored WebSocket handling to add a dedicated _reconnect method that validates authentication before reconnecting. Bearings data is now only processed on initial connection, not on reconnection, preventing redundant state updates.
@tristanpoland
Refactor bearings data handling on WebSocket connect
8ed7339 
Improves logic for processing bearings data on initial connection versus reconnection. On initial connection, all bearings data is cleared and reloaded; on reconnection, only core authentication data and grants are updated. Also fixes passing of bearings data during reconnection.
@tristanpoland
Delete postgres.exe
beeafc4
@tristanpoland tristanpoland changed the title Reliability and performance patches to PostgreSQL plugin and SHIELD auth flow Reliability improvements to PostgreSQL plugin and performance improvements to SHIELD auth flow Aug 19, 2025
krutten
krutten approved these changes Aug 20, 2025
View reviewed changes
Copy link
Contributor

@krutten krutten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed Changes.
PostgreSQL changes will need validation in upgrade environments but look correct

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krutten krutten krutten approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tristanpoland @krutten