Subject: Re: Make PGOAUTHCAFILE in libpq-oauth work out of debug mode
From: "Jonathan Gonzalez V."
To: Jacob Champion, Zsolt Parragi
Cc: Daniel Gustafsson, PostgreSQL Hackers
Date: Sun, 14 Dec 2025 12:15:48 +0100

Hi!

>
> I'm not sure if we have prior art for expressing bitflags in Postgres
> envvars, other than maybe PGREQUIREAUTH. A comma-separated list would
> be easy to do. We could name these things according to whether they're
> unsafe or not, like
>
>     PGOAUTHDEBUG=UNSAFE-http,UNSAFE-trace,print-counts
>
> Or maybe that's too verbose, and we could say that to use any of the
> unsafe options, you have to say it up front:
>
>     # http and trace are dangerous
>     PGOAUTHDEBUG=UNSAFE:http,trace,print-counts
>     # these two are safe
>     PGOAUTHDEBUG=print-counts,print-plugin-errors
>
> Or something else? Since this is developer-facing, I don't think it
> has to necessarily be intuitive for end users, as long as the lack of
> safety remains obvious to them. We can just focus on ergonomics for
> us.

I will for sure try to avoid this kind of format with comma-separated options, mainly because they are really hard to parse and manage in an automated way, and sometimes they are hard to read when there are too many options, and at some point there could be many options, since the flows can start getting really complicated.

Why not keep something with debug levels? Even if it sounds really classic, for parsing reasons they are really good.

Now, if what is required is counts or HTTP calls, probably this could be like a "flow debug", an option like "PGOAUTHFLOWDEBUG" that, depending on the levels (info, debug, trace), can print from the hosts and/or URL calls to the headers sent and received from the hosts.

The debug of a flow can be an entire set of levels due to the current complexity, and that may or may not increase in time. What do you think?
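
The marker-first form from the quoted proposal (`UNSAFE:` stated up front), sketched as a fail-closed parser. This is an added example, not part of the message and not libpq code; the function name, the flag bits and the strictness rules (reject unknown or empty tokens) are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag bits; the names come from the quoted proposal, not libpq. */
enum { DBG_HTTP = 1, DBG_TRACE = 2, DBG_PRINT_COUNTS = 4, DBG_PRINT_PLUGIN_ERRORS = 8 };
static const struct { const char *name; unsigned bit; bool unsafe; } flags[] = {
    {"http", DBG_HTTP, true},   /* http and trace are the "dangerous" ones */
    {"trace", DBG_TRACE, true},
    {"print-counts", DBG_PRINT_COUNTS, false},
    {"print-plugin-errors", DBG_PRINT_PLUGIN_ERRORS, false},
};

/* Parse "[UNSAFE:]flag[,flag...]". Fails closed: an unknown or empty token,
 * or an unsafe flag without the up-front marker, rejects the whole value
 * and leaves *out at 0. */
bool parse_oauth_debug(const char *value, unsigned *out)
{
    const size_t n = sizeof(flags) / sizeof(flags[0]);
    bool allow_unsafe = false;
    unsigned result = 0;

    *out = 0;
    if (value == NULL)
        return true;            /* variable unset: nothing enabled */
    if (strncmp(value, "UNSAFE:", 7) == 0) {
        allow_unsafe = true;    /* marker is case-sensitive on purpose */
        value += 7;
    }
    while (*value != '\0') {
        size_t len = strcspn(value, ","), i;
        for (i = 0; i < n; i++)
            if (strlen(flags[i].name) == len && memcmp(flags[i].name, value, len) == 0)
                break;
        if (i == n || (flags[i].unsafe && !allow_unsafe))
            return false;
        result |= flags[i].bit;
        value += len;
        if (*value == ',' && *++value == '\0')
            return false;       /* trailing comma */
    }
    *out = result;
    return true;
}

int main(void)
{
    unsigned f;                 /* constructed sample: unsafe flag, no marker */
    puts(parse_oauth_debug("http,print-counts", &f) ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the whole value rather than skipping the offending token keeps a typo from silently yielding a partially applied debug configuration.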