Fix SCRAM password SASLprep (#4201)

var4yn · web-flow · commit 18ffed2af676 · 2026-04-07T18:19:03.000-07:00
* Fix SCRAM password SASLprep

* remove panic!()

* fmt

* add error description
diff --git a/sqlx-postgres/src/connection/sasl.rs b/sqlx-postgres/src/connection/sasl.rs
@@ -56,8 +56,11 @@ pub(crate) async fn authenticate(
     let username = format!("{}={}", USERNAME_ATTR, options.username);
     let username = match saslprep(&username) {
         Ok(v) => v,
-        // TODO(danielakhterov): Remove panic when we have proper support for configuration errors
-        Err(_) => panic!("Failed to saslprep username"),
+        Err(error) => {
+            return Err(Error::Configuration(
+                format!("Failed to saslprep username: {:?}", error).into(),
+            ))
+        }
     };
 
     // nonce = "r=" c-nonce [s-nonce] ;; Second part provided by server.
@@ -86,13 +89,19 @@ pub(crate) async fn authenticate(
         }
     };
 
+    // Normalize(password):
+    let password = options.password.as_deref().unwrap_or_default();
+    let password = match saslprep(password) {
+        Ok(v) => v,
+        Err(error) => {
+            return Err(Error::Configuration(
+                format!("Failed to saslprep password: {:?}", error).into(),
+            ))
+        }
+    };
+
     // SaltedPassword := Hi(Normalize(password), salt, i)
-    let salted_password = hi(
-        options.password.as_deref().unwrap_or_default(),
-        &cont.salt,
-        cont.iterations,
-    )
-    .await?;
+    let salted_password = hi(&password, &cont.salt, cont.iterations).await?;
 
     // ClientKey := HMAC(SaltedPassword, "Client Key")
     let mut mac = Hmac::<Sha256>::new_from_slice(&salted_password).map_err(Error::protocol)?;
