added CredentialProvider
- new feature: https://github.com/nette/database/issues/299
- BC break: no
- doc PR after approval of this concept
Adds support for dynamic passwords at the connection level. Dynamic passwords are supported in various Cloud SQL solutions (Google Cloud SQL, Azure Database For MySQL etc.). They usually work as OIDC tokens, which are considered more secure because of their short expiration time. A "negative" consequence of the short expiration time is lazy instances with a statically set password in long-running jobs: the password can expire before the connection is initialized.
We used a "hack" to change the password by reflection, but since 3.2.2 the password is a readonly property, so there is no other "simple" solution. Other solutions mentioned in issue 229 are hard to write in legacy code. This PR uses a non-BC way to improve security (by removing static passwords) for legacy code with a simple solution.
The PR does not propose in any way how anyone should obtain the token, as that is highly dependent on the environment. So the password can now be either a string (as usual) or the Nette\Database\CredentialProvider interface.
After https://github.com/nette/database/commit/abd38ef93eb366e4e661e0012343cc3551f58a17 this PR would not be needed (we can inject our own driver, which can handle the dynamic password and ignore the one from configuration).
@dg will https://github.com/nette/database/commit/abd38ef93eb366e4e661e0012343cc3551f58a17 be available in 3.2.x or should we wait for 4.0?
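
The expiry problem described in the PR, as an added example that is not code from the PR or from Nette: a short-lived token captured when a long-running job is configured has expired by the time the lazy connection opens, while a provider resolved at connect time returns a fresh one. The interface below is a hypothetical stand-in (the method name `getPassword()`, `CachedTokenProvider`, `resolvePassword()` and the token source are assumptions; the PR text names only `Nette\Database\CredentialProvider`).

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the interface proposed in the PR; getPassword() is an assumed name.
interface CredentialProvider
{
    public function getPassword(): string;
}

// Caches a short-lived token and fetches a new one shortly before it expires.
final class CachedTokenProvider implements CredentialProvider
{
    private ?string $token = null;
    private int $expiresAt = 0;

    // $fetch returns [token, unix expiry]; $clock returns the current unix time.
    public function __construct(
        private Closure $fetch,
        private Closure $clock,
        private int $skew = 60,
    ) {}

    public function getPassword(): string
    {
        if ($this->token === null || ($this->clock)() >= $this->expiresAt - $this->skew) {
            [$this->token, $this->expiresAt] = ($this->fetch)();
        }
        return $this->token;
    }
}

// Called at the moment the connection is opened, so a provider yields a current token.
function resolvePassword(string|CredentialProvider $password): string
{
    return $password instanceof CredentialProvider ? $password->getPassword() : $password;
}

// Constructed demo: fake clock and fake token source, no network or database needed.
$now = 1_700_000_000;
$issued = 0;
$provider = new CachedTokenProvider(
    function () use (&$now, &$issued): array { return ['token-' . ++$issued, $now + 300]; },
    function () use (&$now): int { return $now; },
);
$static = resolvePassword($provider);    // value a statically configured job would hold
$now += 600;                             // the job runs 10 minutes before its first query
$atConnect = resolvePassword($provider); // value resolved when the connection is opened
echo "static:     $static (expired)\n";
echo "at connect: $atConnect\n";
```

The `$skew` margin refreshes the token slightly early so that it does not expire between being read and being presented to the server.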