Skip to content

Configurable/explicit password sources and precedence#2018

Merged
rolandwalker merged 1 commit into
mainfrom
RW/password-source-precedence
Jul 18, 2026
Merged

Configurable/explicit password sources and precedence#2018
rolandwalker merged 1 commit into
mainfrom
RW/password-source-precedence

Conversation

@rolandwalker

Copy link
Copy Markdown
Contributor

Description

Track the various password sources in PasswordCandidates, rather than overwriting values, and resolve the credential to use in a defined order, making explicit the precedence which was previously laid out only in a code comment.

The sources, and the precedence, then easily become configurable in ~/.myclirc.

Motivation: as we add more sources, such as Vault, some users may wish to disable those sources entirely. Similarly, the precedence of the environment variable may be something users may want to change. It comes before the DSN, but after the CLI literal, which is a bit wonky if you think of the DSN as a CLI literal.

Followups here might be warnings on uses of insecure password sources, and some additional finesse such as skipping the system keyring in the case of taking the credentials from Vault.

It could also be nice to settle all PasswordCandidates in one place, before calling connect().

Checklist

  • I added this contribution to the changelog.md file.
  • I added my name to the AUTHORS file (or it's already there).
  • To lint and format the code, I ran
    uv run ruff check && uv run ruff format && uv run mypy --install-types .

Track the various password sources in PasswordCandidates, rather than
overwriting values, and resolve the credential to use in a defined
order, making explicit the precedence which was previously laid out
only in a code comment.

The sources, and the precedence, then easily become configurable in
~/.myclirc.

Motivation: as we add more sources, such as Vault, some users may wish
to disable those sources entirely.  Similarly, the precedence of the
environment variable may be something users may want to change.  It
comes before the DSN, but after the CLI literal, which is a bit wonky
if you think of the DSN as a CLI literal.

Followups here might be warnings on uses of insecure password sources,
and some additional finesse such as skipping the system keyring in the
case of taking the credentials from Vault.

It could also be nice to settle all PasswordCandidates in one place,
before calling connect().
@rolandwalker
rolandwalker requested a review from amjith July 18, 2026 11:54
@rolandwalker rolandwalker self-assigned this Jul 18, 2026
@rolandwalker
rolandwalker merged commit 1842919 into main Jul 18, 2026
11 checks passed
@rolandwalker
rolandwalker deleted the RW/password-source-precedence branch July 18, 2026 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant