Reliability improvements to PostgreSQL plugin and performance improvements to SHIELD auth flow #794
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduces a checkRestorePermissions function to verify that the user has sufficient privileges before starting a restore operation. This helps prevent restore failures due to inadequate permissions by checking for superuser status or database creation rights.
Introduces a new 'pg_skip_permission_check' boolean field to allow skipping upfront permission validation during restore. This is useful for advanced users who understand the risks and want to bypass permission checks, with appropriate warnings in the help text. The PostgresConnectionInfo struct and related logic are updated to support this option.
Corrected the method call to BooleanValueDefault for 'pg_skip_permission_check' in plugin.go and made minor formatting improvements. Added the postgres.exe binary to the repository.
Added a preliminary authentication check via bearings API before attempting to connect to the WebSocket. Refactored code to fetch and process bearings data only once, improving efficiency by rejecting subscription if authentication fails.
Refactored WebSocket handling to add a dedicated _reconnect method that validates authentication before reconnecting. Bearings data is now only processed on initial connection, not on reconnection, preventing redundant state updates.
Improves logic for processing bearings data on initial connection versus reconnection. On initial connection, all bearings data is cleared and reloaded; on reconnection, only core authentication data and grants are updated. Also fixes passing of bearings data during reconnection.
tristanpoland
changed the title
krutten
approved these changes
Aug 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces an important new feature to the Postgres plugin: Upfront permission checks before restore operations. Additionally, it improves the authentication flow for WebSocket connections in the frontend by verifying user credentials before establishing the connection. These changes enhance both the security and usability of the system.
Postgres Plugin Enhancements:
pg_skip_permission_checkboolean field to the plugin configuration, allowing users to bypass permission checks before restore with a clear warning about the risks.checkRestorePermissionsfunction, which performs a database privilege check to ensure the user has sufficient rights to perform a restore. This check is now executed by default unless explicitly skipped.PostgresConnectionInfostruct and connection info logic to support and propagate the new skip permission check option. [1] [2] [3]Frontend Authentication Improvements:
data.jsto first verify authentication via a bearings API call before attempting to establish the WebSocket connection, improving security and error handling. [1] [2] [3]