
Verify fails when JSON payload contains characters dash or colon #29

Closed
@ddevienne

Description


Hi,

First, thanks for this extension. I use it for (FAT, native) client applications connected to PostgreSQL using libpq, to capture in a secure manner the LOGIN and current ROLEs of the client connection, so that those applications can contact over HTTP a mid-tier server that will do on their behalf (in its own higher-privileged connection, after checking the roles against an internal security model) DDLs that the client connections cannot do directly (they can only do DMLs).

I unit tested my transposition of your code, and things were fine.
But then in production it was failing.
I tracked it down to ROLE names with embedded dash '-' and colon ':' characters (spaces OTOH were OK).
Those role names appear in the JSON payload used to sign the JWT.
The payload (and thus role names) come back OK on verify.
BUT... the JWT is reported as invalid.

I'll try to track it down on my own, but since I'm not much of a pg/plSQL dev, you may get there before me :)

Here's the exact JSON payload (and random secret) I'm using, in case that helps.

- Payload = '{"user":"ut_reg_user_ddevienne_dw_go1db1auzzughxivgjyvbd","role":"Acme-FOO:EuqSNTjP:dKDu8U9cb0FFx develop","exp":1701874834,"nbf":1701874234}'
- Secret  = '73a53d0e5db95808816fd831e0d01d39'

Update: I may have jumped the gun. Even with - and : replaced by _ in the payload, it sometimes failed. Earlier I thought it ran fine, but repeatedly calling a test that just signs and verifies fails sometimes. Given that I manually add 600s to nbf to set the exp, it can't be an expired token. So something else is afoot...

PS: Note that I've adapted your code from an extension to just functions I create in my own schema, because you cannot add extensions in cloud-managed PostgreSQL instances, AFAIK. So it is possible the error is in my transposition of your code as a non-extension.
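As an added reference (example code, neither the extension's own code nor the reporter's transposition): a stand-alone HS256 sign/verify in Python over the exact payload and secret quoted above. The header `{"alg":"HS256","typ":"JWT"}` is an assumption. The token it produces is a known-good value to diff a PL/pgSQL port against, and the verify side shows the two details such a port must match: RFC 7515 base64url with the `=` padding stripped and no line breaks, and a constant-time signature comparison over the segments exactly as received.

```python
import base64
import hashlib
import hmac

# Exact payload and secret quoted in the report.
PAYLOAD = ('{"user":"ut_reg_user_ddevienne_dw_go1db1auzzughxivgjyvbd",'
           '"role":"Acme-FOO:EuqSNTjP:dKDu8U9cb0FFx develop",'
           '"exp":1701874834,"nbf":1701874234}')
SECRET = "73a53d0e5db95808816fd831e0d01d39"
# Assumed header; the report does not show which header its port emits.
HEADER = '{"alg":"HS256","typ":"JWT"}'


def b64url(data: bytes) -> str:
    """RFC 7515 base64url: '-' / '_' alphabet, '=' padding removed, no line
    breaks. (PostgreSQL's encode(..., 'base64') pads and wraps lines after
    76 characters, so a PL/pgSQL port has to strip both before use.)"""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: restore the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign(payload: str, secret: str) -> str:
    """Produce header.payload.signature for HS256 over the payload text as given."""
    signing_input = b64url(HEADER.encode()) + "." + b64url(payload.encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, secret: str):
    """Return (payload, valid). The HMAC is recomputed over the raw encoded
    segments exactly as received; the payload is decoded for the caller but
    never re-serialised, since any re-encoding would break the signature.
    The comparison is constant-time."""
    parts = token.split(".")
    if len(parts) != 3:
        return "", False
    head, body, sig = parts
    expected = hmac.new(secret.encode(), (head + "." + body).encode(), hashlib.sha256).digest()
    valid = hmac.compare_digest(b64url_decode(sig), expected)
    return b64url_decode(body).decode("utf-8"), valid


if __name__ == "__main__":
    token = sign(PAYLOAD, SECRET)
    print(token)
    print(verify(token, SECRET))
```

Running the block prints the reference token for this payload and secret; a port that emits a different string for the same inputs differs in its encoding, not in the HMAC.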
