Skip to content

fix: password-slash#62

Merged
RambokDev merged 20 commits into
mainfrom
fix/password-slash
Jun 19, 2026
Merged

fix: password-slash#62
RambokDev merged 20 commits into
mainfrom
fix/password-slash

Conversation

@RambokDev

@RambokDev RambokDev commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • New Features

    • Added support for PostgreSQL passwords containing special characters.
  • Refactor

    • Updated PostgreSQL connection handling to use environment variables for credential management.
  • Tests

    • Added integration test for PostgreSQL authentication with special characters in passwords.

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Postgres backup and restore operations are refactored to pass connection credentials via explicit CLI flags (--host, --port, --username, --dbname) and a PGPASSWORD environment variable instead of embedding the password in a postgresql:// URL. The tokio_postgres::connect call is migrated to use a Config builder. A new integration test validates passwords containing slashes. The EDGE_KEY in docker-compose.yml is also updated.

Changes

Postgres special-character password fix

Layer / File(s) Summary
tokio_postgres::Config builder in connect
src/domain/postgres/connection.rs
Replaces manual DSN string construction with tokio_postgres::Config chained setters (host/port/user/password/dbname) before calling config.connect(NoTls).await.
build_env, backup::run, and restore::run env parameter
src/domain/postgres/database.rs, src/domain/postgres/backup.rs, src/domain/postgres/restore.rs
database.rs adds build_env to snapshot process env and inject PGPASSWORD; backup::run and restore::run gain an env: HashMap<String, String> parameter and switch pg_dump/pg_restore invocations from URL-based --dbname to explicit --host/--port/--username/--dbname with .envs(env).
Integration test: password with slash
src/tests/domain/postgres.rs
Adds postgres_password_with_slash_test that starts a testcontainer with password "ch/ange:me@1", constructs DatabaseConfig, creates a backup client, pings the DB, and asserts success.

docker-compose EDGE_KEY rotation

Layer / File(s) Summary
EDGE_KEY value update
docker-compose.yml
Replaces the prior encoded EDGE_KEY value with a new encoded value for the rust-app service.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

Possibly related PRs

  • Portabase/agent#53: Also updates the EDGE_KEY environment variable for the rust-app service in docker-compose.yml.
  • Portabase/agent#55: Also modifies docker-compose.yml to update the EDGE_KEY value for the rust-app service.

Poem

🐇 Hop, hop, no more slashes in my URL stew,
The password with a / now passes safely through!
PGPASSWORD rides the env, no secrets in the string,
Config builder chains along — oh what joy it brings!
Tests confirm the bunny's fix: special chars can't sting. 🌿

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title 'fix: password-slash' is vague and uses a hyphenated term that doesn't clearly convey the nature or scope of the changes, making it unclear what specific password-related issue is being addressed. Use a more descriptive title that explains the fix, such as 'fix: handle special characters in database passwords' or 'fix: use environment variables instead of URL encoding for database credentials'.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/password-slash

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
src/tests/domain/postgres.rs (1)

110-149: ⚡ Quick win

Consider extending test coverage to verify backup/restore operations.

The test validates that ping() works with special-character passwords (exercising the tokio_postgres::Config path), but doesn't exercise the PGPASSWORD environment variable path used by pg_dump/pg_restore. Since the PR's main goal is fixing backup/restore with special passwords, consider adding a backup assertion.

💡 Optional: Add backup verification
     let db = DatabaseFactory::create_for_backup(config.clone()).await;
     let reachable = db.ping().await.unwrap_or(false);
-
     assert_eq!(reachable, true);
+
+    // Verify backup also works with special-character password
+    let backup_dir = tempfile::tempdir().unwrap();
+    let logger = Arc::new(JobLogger::new());
+    let backup_result = db.backup(backup_dir.path(), logger).await;
+    assert!(backup_result.is_ok(), "Backup should succeed with special-character password");
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/tests/domain/postgres.rs` around lines 110 - 149, The
postgres_password_with_slash_test function currently only validates that ping()
succeeds with the special-character password, but does not exercise the
backup/restore code path that uses the PGPASSWORD environment variable with
pg_dump/pg_restore. After the existing ping assertion, add a backup operation
(by calling the appropriate backup method on the db object) and verify it
completes successfully to ensure the special password handling works end-to-end
for the actual backup/restore functionality that the PR is meant to fix.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-compose.yml`:
- Line 22: The EDGE_KEY environment variable on line 22 of docker-compose.yml
contains a rotated base64-encoded payload with sensitive masterKeyB64 material
that must not be committed to the repository. Replace the concrete rotated key
value with a non-sensitive placeholder example string, and configure the actual
EDGE_KEY value to be sourced from environment variables or a local .env file
instead, ensuring sensitive key material is not exposed in version control.

In `@src/domain/postgres/database.rs`:
- Around line 23-28: The build_env method in database.rs contains an info-level
log statement that outputs the entire environment variables map, which includes
the PGPASSWORD containing plaintext database credentials. Remove the info
logging statement that logs envs with the {:?} debug formatter entirely, or if
debugging information is necessary, modify it to log only the non-sensitive keys
of the environment map instead of the entire map with its values.

---

Nitpick comments:
In `@src/tests/domain/postgres.rs`:
- Around line 110-149: The postgres_password_with_slash_test function currently
only validates that ping() succeeds with the special-character password, but
does not exercise the backup/restore code path that uses the PGPASSWORD
environment variable with pg_dump/pg_restore. After the existing ping assertion,
add a backup operation (by calling the appropriate backup method on the db
object) and verify it completes successfully to ensure the special password
handling works end-to-end for the actual backup/restore functionality that the
PR is meant to fix.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cfb981d3-6d41-4861-b6cc-fed7f837b693

📥 Commits

Reviewing files that changed from the base of the PR and between dc32c44 and f94656a.

📒 Files selected for processing (6)
  • docker-compose.yml
  • src/domain/postgres/backup.rs
  • src/domain/postgres/connection.rs
  • src/domain/postgres/database.rs
  • src/domain/postgres/restore.rs
  • src/tests/domain/postgres.rs

Comment thread docker-compose.yml
Comment thread src/domain/postgres/database.rs
@codecov

codecov Bot commented Jun 19, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 83.82353% with 11 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/domain/postgres/backup.rs 50.00% 6 Missing ⚠️
src/domain/postgres/restore.rs 54.54% 5 Missing ⚠️

📢 Thoughts on this report? Let us know!

@RambokDev RambokDev merged commit 02105a8 into main Jun 19, 2026
3 checks passed
@RambokDev RambokDev deleted the fix/password-slash branch June 19, 2026 09:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant