NpgsqlRest

Appearance

Comments
Written with Claude
IMPORTANT

As you may notice, this page and pretty much the entire website were obviously created with the help of AI. I wonder how you could tell? Was it a big "Written With Claude" badge on every page? I moved it to the top now (with the help of AI of course) to make it even more obvious. There are a few blogposts that were written by me manually, the old-fashioned way, I hope there will be more in the future, and those have a similar "Human Written" badge. This project (not the website), on the other hand, is a very, very different story. It took me more than two years of painstaking and unpaid work in my own free time. A story that, hopefully, I will tell someday. But meanwhile, what would you like me to do? To create a complex documentation website with a bunch of highly technical articles with the help of AI and fake it, to give you an illusion that I also did that manually? Like the half of itnernet is doing at this point? How does that makes any sense? Is that even fair to you? Or maybe to create this website manually, the old-fashioned way, just for you? While working a paid job for a salary, most of you wouldn't even get up in the morning. Would you like me to sing you a song while we're at it? For your personal entertainment? Seriously, get a grip. Do you find this information less valuable because of the way this website was created? I give my best to fix it to keep the information as accurate as possible, and I think it is very accurate at this point. If you find some mistakes, inaccurancies or problems, there is a comment section at the bottom of every page, which I also made with the help of the AI. And I woould very much appreciate if you leave your feedback there. Look, I'm just a guy who likes SQL, that's all. If you don't approve of how this website was constructed and the use of AI tools, I suggest closing this page and never wever coming back. And good riddance. And I would ban your access if I could know how. Thank you for your attention to this matter.

BASIC_AUTH

Also known as

basic_authentication (with or without @ prefix)

Enable HTTP Basic Authentication for the endpoint.

Syntax 

@basic_auth
@basic_auth <username> <password_hash>
  • username: The expected username for authentication.
  • password_hash: The hashed password generated using the NpgsqlRest CLI --hash command.

Generating Password Hashes

Use the NpgsqlRest CLI to generate password hashes:

bash
# Generate a hash for a password
./npgsqlrest --hash my_password

# Output example:
# Myb55+6lW6iiUOI3opLkysOaS8J0NNIuQ+qE2SGaKs3r62ngDJROrhX75+zmLC7t

Generating Authorization Headers

Use the NpgsqlRest CLI to generate Base64-encoded Basic Auth headers for testing:

bash
# Generate Authorization header value
./npgsqlrest --basic_auth my_name my_password

# Output example:
# Authorization: Basic bXlfbmFtZTpteV9wYXNzd29yZA==

Examples

Basic Auth Without Credentials (Requires Challenge Command)

When basic_auth is used without credentials, a challenge_command must be configured to validate the user:

sql
create function get_basic_auth_no_creds(
    _user_name text = null -- mapped to name claim
)
returns text
language sql as $$
select _user_name;
$$;

comment on function get_basic_auth_no_creds(text) is '
@basic_auth
@user_params
';

Note: Without credentials and without a challenge_command, all requests will return 401 Unauthorized.

Basic Auth With Credentials

sql
create function get_basic_auth_user(
    _user_name text = null -- mapped to name claim
)
returns text
language sql as $$
select _user_name;
$$;

-- Generate hash: ./npgsqlrest --hash my_password
-- Output: Myb55+6lW6iiUOI3opLkysOaS8J0NNIuQ+qE2SGaKs3r62ngDJROrhX75+zmLC7t

comment on function get_basic_auth_user(text) is '
@basic_auth my_name Myb55+6lW6iiUOI3opLkysOaS8J0NNIuQ+qE2SGaKs3r62ngDJROrhX75+zmLC7t
@user_params
';

Test with:

bash
# Generate header: ./npgsqlrest --basic_auth my_name my_password
curl -H "Authorization: Basic bXlfbmFtZTpteV9wYXNzd29yZA==" \
     http://localhost:5000/api/get-basic-auth-user
# Returns: my_name

Multiple Users

You can define multiple users by adding multiple basic_auth annotations:

sql
create function get_basic_auth_multiple_users(
    _user_name text = null -- mapped to name claim
)
returns text
language sql as $$
select _user_name;
$$;

-- Generate hashes:
-- ./npgsqlrest --hash pass1  =>  um4K594nL6pBQx2el0lcbKKLADof1k9atRYKy+G14f6BQPtSCkwO6qz1wJ1d9Tx/
-- ./npgsqlrest --hash pass2  =>  TIDVxenk9gSqApyI82XDuqUaigQ5OdBIecfRtq7wFWtHT3Ffx2s+noIjvFCAw90z

comment on function get_basic_auth_multiple_users(text) is '
@basic_auth user1 um4K594nL6pBQx2el0lcbKKLADof1k9atRYKy+G14f6BQPtSCkwO6qz1wJ1d9Tx/
@basic_auth user2 TIDVxenk9gSqApyI82XDuqUaigQ5OdBIecfRtq7wFWtHT3Ffx2s+noIjvFCAw90z
@user_params
';

Test with:

bash
# ./npgsqlrest --basic_auth user1 pass1
curl -H "Authorization: Basic dXNlcjE6cGFzczE=" \
     http://localhost:5000/api/get-basic-auth-multiple-users
# Returns: user1

# ./npgsqlrest --basic_auth user2 pass2
curl -H "Authorization: Basic dXNlcjI6cGFzczI=" \
     http://localhost:5000/api/get-basic-auth-multiple-users
# Returns: user2

Behavior

  • Requires HTTP Basic Authentication header in the format Authorization: Basic <base64(username:password)>.
  • Returns 401 Unauthorized with WWW-Authenticate: Basic realm="..." header if:
    • No Authorization header is provided.
    • The header is malformed or cannot be decoded.
    • Username or password is missing.
    • Username is not found in configured users.
    • Password verification fails.
  • When credentials are specified in the annotation, passwords are verified using the configured password hasher.
  • When no credentials are specified, a challenge_command must be configured to handle authentication.
  • The authenticated username is available via the user_params annotation as the name claim.

SSL Requirements

Basic Authentication transmits credentials encoded (not encrypted). The behavior when SSL is disabled is controlled by the SslRequirement configuration:

  • Required: Rejects all non-SSL requests with 401 Unauthorized.
  • Warning: Allows requests but logs a warning.
  • Ignore: Allows requests with only a debug-level log.

Comments

Released under the MIT License.

Copyright © 2024-2026 VB Consulting