Don't use SCRAM-specific "e=invalid-proof" on invalid password. Instead, send the same FATAL message as with other password-based authentication mechanisms. This gives a more user-friendly message:
psql: FATAL: password authentication failed for user "test" instead of: psql: error received from server in SASL exchange: invalid-proof Even before this patch, the server sent that FATAL message, after the SCRAM-specific "e=invalid-proof" message. But libpq would stop at the SCRAM error message, and not process the ErrorResponse that would come after that. We could've taught libpq to check for an ErrorResponse after failed authentication, but it's simpler to modify the server to send only the ErrorResponse. The SCRAM specification allows for aborting the authentication at any point, using an application-defined error mechanism, like PostgreSQL's ErrorResponse. Using the e=invalid-proof message is optional. Reported by Jeff Janes. Discussion: https://www.postgresql.org/message-id/camku%3d1w3jq53m1oenfn8cxd9o%2ba_9vonjivtbyoyrrdrslt...@mail.gmail.com Branch ------ master Details ------- https://git.postgresql.org/pg/commitdiff/344a113079888c9b9a81ffa3c3a7d95666347119 Modified Files -------------- src/backend/libpq/auth-scram.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) -- Sent via pgsql-committers mailing list (pgsql-committers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-committers
