NpgsqlRest

Appearance

Comments
Written with Claude
IMPORTANT

As you may notice, this page and pretty much the entire website were obviously created with the help of AI. I wonder how you could tell? Was it a big "Written With Claude" badge on every page? I moved it to the top now (with the help of AI of course) to make it even more obvious. There are a few blogposts that were written by me manually, the old-fashioned way, I hope there will be more in the future, and those have a similar "Human Written" badge. This project (not the website), on the other hand, is a very, very different story. It took me more than two years of painstaking and unpaid work in my own free time. A story that, hopefully, I will tell someday. But meanwhile, what would you like me to do? To create a complex documentation website with a bunch of highly technical articles with the help of AI and fake it, to give you an illusion that I also did that manually? Like the half of itnernet is doing at this point? How does that makes any sense? Is that even fair to you? Or maybe to create this website manually, the old-fashioned way, just for you? While working a paid job for a salary, most of you wouldn't even get up in the morning. Would you like me to sing you a song while we're at it? For your personal entertainment? Seriously, get a grip. Do you find this information less valuable because of the way this website was created? I give my best to fix it to keep the information as accurate as possible, and I think it is very accurate at this point. If you find some mistakes, inaccurancies or problems, there is a comment section at the bottom of every page, which I also made with the help of the AI. And I woould very much appreciate if you leave your feedback there. Look, I'm just a guy who likes SQL, that's all. If you don't approve of how this website was constructed and the use of AI tools, I suggest closing this page and never wever coming back. And good riddance. And I would ban your access if I could know how. Thank you for your attention to this matter.

PARAMETER_HASH

Also known as

param (with or without @ prefix)

Hash one parameter value using another parameter as the hash input. This annotation is commonly used to create user registration endpoints that securely store hashed passwords in the database.

Syntax

code
@param <target_param> is hash of <source_param>
@parameter <target_param> is hash of <source_param>
  • target_param: The parameter that will receive the hashed value.
  • source_param: The parameter whose value will be hashed.

Examples

Simple User Registration

sql
sql
create function register(_email text, _password text, _hash text)
returns int
language sql
begin atomic;
insert into users (email, password_hash) values (_email, _hash) returning id;
end;

comment on function register(text, text, text) is '
@param _hash is hash of _password
';

User Registration with Response

sql
sql
create function create_user(
    _username text,
    _password text,
    _password_hash text
)
returns json
language sql
begin atomic;
insert into users (username, password_hash)
values (_username, _password_hash)
returning json_build_object('id', id, 'username', username);
end;

comment on function create_user(text, text, text) is '
HTTP POST
@param _password_hash is hash of _password
';

When called with {"username": "john", "password": "secret123"}:

  • _password receives the plain text "secret123"
  • _password_hash receives the hashed value of "secret123"

Behavior

  • The hash is computed using the built-in password hasher.
  • The source parameter value remains unchanged and can still be used in the function.
  • The target parameter receives the hashed value before the function is executed.
  • Both parameters must exist in the function signature.
  • This is typically used for securely storing passwords without exposing them in plain text in the database.

Built-in Password Hasher

The default password hasher uses PBKDF2 (Password-Based Key Derivation Function 2) with:

  • SHA-256 algorithm
  • 128-bit salt
  • 600,000 iterations (OWASP-recommended as of 2025)

This provides secure password hashing out of the box. A custom IPasswordHasher implementation can be injected in source code if needed.

Complete Registration and Login Flow

The param is hash of annotation works together with the LOGIN annotation to provide a complete authentication flow using the same built-in password hasher:

  1. Registration: Use param <target> is hash of <source> to hash passwords before storing them
  2. Login: Return the stored hash in a hash column and NpgsqlRest verifies it automatically

Registration Function

sql
sql
create function register(_email text, _password text, _hash text)
returns int
language sql
begin atomic;
insert into users (email, password_hash) values (_email, _hash) returning id;
end;

comment on function register(text, text, text) is '
HTTP POST /auth/register
@param _hash is hash of _password
@sensitive
';

Login Function

sql
sql
create function login(_email text, _password text)
returns table(hash text, id int, name text, email text)
language sql
begin atomic;
select u.password_hash as hash, u.id, u.name, u.email
from users u where u.email = _email;
end;

comment on function login(text, text) is '
HTTP POST /auth/login
@login
@sensitive
';

Both functions use the same PBKDF2 hasher, ensuring passwords hashed during registration can be verified during login.

  • LOGIN - Authentication endpoint that verifies hashed passwords
  • BASIC_AUTH - Basic authentication with hashed passwords
  • SECURITY_SENSITIVE - Obfuscate parameter values in logs

Comments