cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon supabase

db push fails with "failed SASL auth (invalid SCRAM server-final-message received from server)"

Open mtimour opened this issue 8 months ago • 2 comments

Describe the bug

Our org is on the PRO plan.

db push -p [password] (with and without --dry-run) fail with error message

failed to connect to postgres: failed to connect to `host=aws-0-ca-central-1.pooler.supabase.com user=postgres.[projectid] database=postgres`: failed SASL auth (invalid SCRAM server-final-message received from server)

Both login and link command work fine.

To Reproduce Steps to reproduce the behavior:

  1. From locally running supabase env (using CLI)
  2. supabase login
  3. supabase link
  4. supabase db push --dry-run -p [password]

Expected behavior migration pushed to remote server

Screenshots N/A

System information Rerun the failing command with --create-ticket flag.

  • Ticket ID: 687f933387a74b7390a12a2662fe2131
  • Version of OS: Ubuntu 24.04.2 LTS
  • Version of CLI: 2.22.6
  • Version of Docker: 27.3.1, build ce12230
  • Versions of services:
SERVICE IMAGE LOCAL LINKED
supabase/postgres 15.8.1.073 15.8.1.073
supabase/gotrue v2.171.0 v2.171.0
postgrest/postgrest v12.2.3 v12.2.3
supabase/realtime v2.34.47 -
supabase/storage-api v1.22.6 v1.22.4
supabase/edge-runtime v1.67.4 -
supabase/studio 2025.04.21-sha-173cc56 -
supabase/postgres-meta v0.88.9 -
supabase/logflare 1.12.0 -

Additional context

network IPv4

supabase db push --debug Using connection pooler: postgresql://postgres.[project-id]]:[YOUR-PASSWORD]@aws-0-ca-central-1.pooler.supabase.com:6543/postgres Supabase CLI 2.22.6 Connecting to remote database... 2025/05/05 17:02:28 PG Send: {"Type":"StartupMessage","ProtocolVersion":196608,"Parameters":{"database":"postgres","user":"postgres.[project-id]]"}} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASL","AuthMechanisms":["SCRAM-SHA-256"]} 2025/05/05 17:02:28 PG Send: {"Type":"SASLInitialResponse","AuthMechanism":"SCRAM-SHA-256","Data":"n,,n=,r=LExhedQPptwz02vYGfu9gMle"} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLContinue","Data":"r=LExhedQPptwz02vYGfu9gMleRUZmR1RkQ1dyUC9jZVRPRUM1WkhibllDRTRYaUFnPT0=,s=aX7KmOjc1Taj6YK7Q7Nnyg==,i=4096"} 2025/05/05 17:02:28 PG Send: {"Type":"SASLResponse","Data":"c=biws,r=LExhedQPptwz02vYGfu9gMleRUZmR1RkQ1dyUC9jZVRPRUM1WkhibllDRTRYaUFnPT0=,p=oVyPveQRmjQdcKx0j/EIodBG/topNl5rxdDhh3ROW4k="} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLFinal","Data":"e=Wrong password"} 2025/05/05 17:02:28 PG Send: {"Type":"StartupMessage","ProtocolVersion":196608,"Parameters":{"database":"postgres","user":"postgres.[project-id]]"}} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASL","AuthMechanisms":["SCRAM-SHA-256"]} 2025/05/05 17:02:28 PG Send: {"Type":"SASLInitialResponse","AuthMechanism":"SCRAM-SHA-256","Data":"n,,n=,r=hw1R6ZgoiprhxMbjDmiaYgFl"} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLContinue","Data":"r=hw1R6ZgoiprhxMbjDmiaYgFlRUVwQlphMjd4Q291aGNreHFLMjVyUWdDSnJVUElnPT0=,s=aX7KmOjc1Taj6YK7Q7Nnyg==,i=4096"} 2025/05/05 17:02:28 PG Send: {"Type":"SASLResponse","Data":"c=biws,r=hw1R6ZgoiprhxMbjDmiaYgFlRUVwQlphMjd4Q291aGNreHFLMjVyUWdDSnJVUElnPT0=,p=C4HNHD6aYcj3VOydZtNwLzLkYmP9hwTnFlGi7tw1Lq8="} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLFinal","Data":"e=Wrong password"} 2025/05/05 17:02:28 PG Send: {"Type":"StartupMessage","ProtocolVersion":196608,"Parameters":{"database":"postgres","user":"postgres.[project-id]]"}} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASL","AuthMechanisms":["SCRAM-SHA-256"]} 2025/05/05 17:02:28 PG Send: {"Type":"SASLInitialResponse","AuthMechanism":"SCRAM-SHA-256","Data":"n,,n=,r=sBW1afwESYO6+mcwniYNOcp7"} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLContinue","Data":"r=sBW1afwESYO6+mcwniYNOcp7RUJwN3RoM2tTelJTaHIrcFRGUFo5Zk1DSnJVUG9nPT0=,s=aX7KmOjc1Taj6YK7Q7Nnyg==,i=4096"} 2025/05/05 17:02:28 PG Send: {"Type":"SASLResponse","Data":"c=biws,r=sBW1afwESYO6+mcwniYNOcp7RUJwN3RoM2tTelJTaHIrcFRGUFo5Zk1DSnJVUG9nPT0=,p=sr7Z5f7To25KeLeT2BZ7Go2qvv8L4E0mh3H/SDR/W7k="} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLFinal","Data":"e=Wrong password"} 2025/05/05 17:02:28 PG Send: {"Type":"StartupMessage","ProtocolVersion":196608,"Parameters":{"database":"postgres","user":"postgres.[project-id]]"}} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASL","AuthMechanisms":["SCRAM-SHA-256"]} 2025/05/05 17:02:28 PG Send: {"Type":"SASLInitialResponse","AuthMechanism":"SCRAM-SHA-256","Data":"n,,n=,r=cg8PnskOa1loA+sOshzvBkVc"} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLContinue","Data":"r=cg8PnskOa1loA+sOshzvBkVcRUQvbm1ORnEzWEc0OTVpZ1JRWjZJY3NDRTRYallnPT0=,s=aX7KmOjc1Taj6YK7Q7Nnyg==,i=4096"} 2025/05/05 17:02:28 PG Send: {"Type":"SASLResponse","Data":"c=biws,r=cg8PnskOa1loA+sOshzvBkVcRUQvbm1ORnEzWEc0OTVpZ1JRWjZJY3NDRTRYallnPT0=,p=m44Ejsq8erfPpkJMiIXGtV+0o2aMpj9nwtosmw8loQQ="} 2025/05/05 17:02:28 PG Recv: {"Type":"AuthenticationSASLFinal","Data":"e=Wrong password"}

mtimour avatar May 05 '25 21:05 mtimour

Hmm, everything works fine on macOS. Probably some library are messed on Ubuntu VM. I will look into it.

mtimour avatar May 06 '25 19:05 mtimour

Hi, I have the exact same problem on MacOS 15.4.1, supabase 2.22.12

XStarlink avatar May 07 '25 08:05 XStarlink

The latest CLI release no longer requires the database password for linking.

npx supabase@latest link
npx supabase@latest db push

sweatybridge avatar Jul 29 '25 15:07 sweatybridge

@sweatybridge I am receiving this error with github actions? Any insight/recommendations? It worked fine two days ago.

`jobs: deploy-infrastructure: runs-on: ubuntu-latest environment: staging steps: - uses: actions/checkout@v4

  - name: Setup Node.js
    uses: actions/setup-node@v4
    with:
      node-version: '18'
      
  - name: Install dependencies
    run: npm ci
    
  - name: Setup Supabase CLI
    uses: supabase/setup-cli@v1
    with:
      version: latest
      
  - name: Link to staging project
    run: |
      supabase link --project-ref ${{ secrets.SUPABASE_PROJECT_REF }}
    env:
      SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}`

failed to connect to postgres: failed to connect to host=aws-0-us-east-1.pooler.supabase.com user=postgres.*** database=postgres: failed SASL auth (invalid SCRAM server-final-message received from server)

johnstonisaac99 avatar Jul 29 '25 22:07 johnstonisaac99

I've having the same problem intermittently now as well:

    env:
      SUPABASE_ACCESS_TOKEN: ${{ secrets.SUPABASE_ACCESS_TOKEN }}
      PROJECT_ID: ${{ secrets.STAGING_PROJECT_ID }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Setup Supabase CLI
        uses: supabase/setup-cli@v1
        with:
          version: latest
      - run: supabase link --project-ref $PROJECT_ID

amerryma avatar Jul 29 '25 23:07 amerryma

For those having errors on CI, you can set the SUPABASE_DB_PASSWORD env var to fallback to the old auth method.

See example here https://github.com/supabase/supabase-action-example/blob/main/.github/workflows/ci.yaml#L43

sweatybridge avatar Jul 31 '25 04:07 sweatybridge