From 7bd5dd4a7f0e435e1495876a34269e89a084307b Mon Sep 17 00:00:00 2001
From: felipe stival <v0idpwn@gmail.com>
Date: Wed, 23 Jul 2025 14:52:08 -0300
Subject: [PATCH] Handle SASL SCRAM server error responses

Add proper error handling for SCRAM-SERVER-FINAL-MESSAGE error attribute.
The SCRAM specification allows servers to return error messages via the 'e'
attribute in the server final message. Currently, these errors are ignored
and authentication fails later during signature verification.

Postgres typically doesn't return this error (see [here](https://github.com/postgres/postgres/blob/2047ad068139f0b8c6da73d0b845ca9ba30fb33d/src/backend/libpq/auth-scram.c#L423)
on why), but poolers, or other applications using the postgres protocol might,
and it's part of the SCRAM spec, so it probably makes sense for node-postgres
to handle it.

Aligns behaviour with psql, postgrex, and somewhat with pgJDBC
(pgJDBC in particular is stricter with scram errors).

For reference:

- libpq handling it: https://github.com/postgres/postgres/blob/2047ad068139f0b8c6da73d0b845ca9ba30fb33d/src/interfaces/libpq/fe-auth-scram.c#L708
---
 packages/pg/lib/crypto/sasl.js                  |  6 ++++++
 .../pg/test/unit/client/sasl-scram-tests.js     | 17 +++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/packages/pg/lib/crypto/sasl.js b/packages/pg/lib/crypto/sasl.js
index 47b77610c..a782ae48a 100644
--- a/packages/pg/lib/crypto/sasl.js
+++ b/packages/pg/lib/crypto/sasl.js
@@ -178,7 +178,13 @@ function parseServerFirstMessage(data) {
 
 function parseServerFinalMessage(serverData) {
   const attrPairs = parseAttributePairs(serverData)
+  const error = attrPairs.get('e')
   const serverSignature = attrPairs.get('v')
+
+  if (error) {
+    throw new Error(`SASL: SCRAM-SERVER-FINAL-MESSAGE: server returned error: "${error}"`)
+  }
+
   if (!serverSignature) {
     throw new Error('SASL: SCRAM-SERVER-FINAL-MESSAGE: server signature is missing')
   } else if (!isBase64(serverSignature)) {
diff --git a/packages/pg/test/unit/client/sasl-scram-tests.js b/packages/pg/test/unit/client/sasl-scram-tests.js
index 07d15f660..060a22ee4 100644
--- a/packages/pg/test/unit/client/sasl-scram-tests.js
+++ b/packages/pg/test/unit/client/sasl-scram-tests.js
@@ -284,6 +284,23 @@ suite.test('sasl/scram', function () {
       )
     })
 
+    suite.test('fails when server returns an error', function () {
+      assert.throws(
+        function () {
+          sasl.finalizeSession(
+            {
+              message: 'SASLResponse',
+              serverSignature: 'abcd',
+            },
+            'e=no-resources'
+          )
+        },
+        {
+          message: 'SASL: SCRAM-SERVER-FINAL-MESSAGE: server returned error: "no-resources"',
+        }
+      )
+    })
+
     suite.test('fails when server signature does not match', function () {
       assert.throws(
         function () {