Good day to you folks!
My team, while trying to initialize CAP, has found a severe error in usage of EntityFrameworkCore with DotNetCore.CAP.PostgreSql using methods of yours:
Followed by:
We’ve reproduced that issue separately in the repository for you to try it (just don’t forget to create database manually and provide correct credentials): https://github.com/AnakovaK/CAPPostgres
(Many thanks to @CAPCHIK for help in locating and replicating the problem!)
The problem is that you've done similar (copied) logic of retrieving connection strings for all of contexts (MySql, SqlServer, PostgreSql):
But that does not work with Postgres default security options. The parameter Persist Security Info makes retrieving of Password in connection string a one-time thing: once the connection has been made there is no way of retrieving password through usual GetConnectionString() method – so it results in
Initializing the storage structure failed!
Npgsql.NpgsqlException (0x80004005): No password has been provided but the backend requires one (in SASL/SCRAM-SHA-256)
As it reaches that point only passing through switch of trying to connect with CleartextPassword and MD5Password.
In our repository we've made two actions showcasing the problems of using two different connection strings.
Where there is no Persist Security Info = true (a.k.a. the default value) everything crashes: https://github.com/AnakovaK/CAPPostgres/actions/runs/12903111381/job/35977818745#step:5:1
Where Persist Security Info = true is present in connection string everything works: https://github.com/AnakovaK/CAPPostgres/actions/runs/12903111381/job/35977819035#step:5:1
That problem is a security issue, as the only way of stopping it from appearing right now is setting Persist Security Info = true, which permanently saves password for the further retrievals in any place of code.
One way to resolve it would be using DataSource, which you’ve started to use: but that will result in using the hidden EFCore methods with the warnings of the possibility of them being changed: (the “It may be changed or removed without notice in any release.” warning).
Main question is: what is the purpose of UseEntityFramework option if it uses same methods as UsePostgreSql inside? (both register PostgreSqlCapOptionsExtension() and use DotNetCore.CAP.PostgreSql library). The issue is fully fixed by using normal UsePostgreSql and giving the parameters straight-on, as opposed to how it is retrieved when using the EntityFrameworkCore and not being able to get the password (rightfully so!).
Wouldn’t it be logical to make it obsolete and/or remove it completely?
One more thing: if that method has to stay, please, update README explaining the mandatory parameter for Postgres users in EFCore: the Persist Security Info, indicating the risk of its alteration.
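The workaround the issue describes, sketched as an added example (not code from the issue, its reproduction repository, or the CAP project): the connection string is read once from configuration and handed to both EF Core and CAP, and startup fails if Persist Security Info has been switched on. It assumes an ASP.NET Core project with implicit usings; `AppDbContext`, the connection-string name `Default` and the in-memory transport are assumptions made for the sketch.

```csharp
// Added illustration. AppDbContext, the "Default" connection-string name and
// the in-memory transport are assumptions, not taken from the issue.
using DotNetCore.CAP;
using Microsoft.EntityFrameworkCore;
using Npgsql;

var builder = WebApplication.CreateBuilder(args);

// Read the connection string once from configuration instead of reading it
// back from a DbContext whose connection may already have been opened.
var connectionString = builder.Configuration.GetConnectionString("Default")
    ?? throw new InvalidOperationException("Connection string 'Default' is missing.");

// Guard: refuse to start if password persistence was enabled as a workaround.
// Parsing the string needs no database connection.
var parsed = new NpgsqlConnectionStringBuilder(connectionString);
if (parsed.PersistSecurityInfo)
{
    throw new InvalidOperationException(
        "Persist Security Info=true leaves the password readable from the " +
        "connection string of opened connections; remove it.");
}

builder.Services.AddDbContext<AppDbContext>(o => o.UseNpgsql(connectionString));

builder.Services.AddCap(cap =>
{
    // Variant the issue reports as failing with default Npgsql settings:
    // cap.UseEntityFramework<AppDbContext>();

    // Variant the issue reports as working: pass the string directly.
    cap.UsePostgreSql(connectionString);
    cap.UseInMemoryMessageQueue(); // assumed transport, for the sketch only
});

var app = builder.Build();
app.Run();

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```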