• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

supabase / supavisor
75%

Build:
DEFAULT BRANCH: main
Repo Added 17 Dec 2024 03:43PM UTC
Files 73
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH main
branch: SELECT
CHANGE BRANCH
x
  • No branch selected
  • add-instance_id-to-metrics-metadata
  • add-location_id-to-global-metadata
  • add-mix_audit
  • add-sobelow-security-report
  • az-test2
  • bump-version
  • case-insensitive-names
  • change-caputre-verbisity-in-tests
  • chore/bench-workflow-test
  • chore/bump
  • chore/bump-poolboy
  • chore/bump-to-v2.6.0
  • chore/bump-version
  • chore/bump-version-2.6.2
  • chore/bump-version-2.7.3
  • chore/dont-return-queue-genstatem
  • chore/improve-metrics-colleciton-o11y
  • chore/log-only-once-after-metrics-cleaning
  • chore/make-fixes
  • chore/more-histogram-resolution
  • chore/remove-unused-field
  • chore/remove-version-bump-check
  • chore/supa_poolboy
  • chore/test-upgrade-script
  • chore/tool-versions
  • chore/update-dependencies
  • chore/update-local-postgres-setup
  • chore/update-pg_query
  • cleanup-credo-issues
  • cleanup-metrics-gathering
  • cleanup-network-metrics-gathering
  • correctly-cleanup-metric-tables
  • create-separate-tenant-for-stats-test
  • da/fix-compromise
  • do-not-delete-metrics-in-syn_handler
  • do-not-fix-db-version-in-migrations
  • do-not-handle-errors-in-postgres-libcluster-strategy
  • do-not-have-time-limit-in-test
  • do-not-use-meck-when-testing-metrics-controller
  • do-not-verify-tls-cert
  • docs/envs-description
  • docs/typo-in-readme
  • etienne/sec-456-support-password-auth-in-pooler
  • etienne/sec-488-support-jit-access-in-supavisor
  • even-more-missing-verify_none-options
  • fail_fast-in-integration-tests
  • feat/accept-gzip
  • feat/add-cluster-metrics-plugin
  • feat/add-http-api-to-clear-tenant-ban
  • feat/add-http-api-to-list-tenants-ban
  • feat/add-log-for-slow-pool-checkout
  • feat/add-network-bans-api-and-cluster-wide-bans
  • feat/better-memory-metrics
  • feat/change-user-credentials
  • feat/compress-metrics
  • feat/configurable-retries
  • feat/health-check
  • feat/large_heap
  • feat/manually-written-appups
  • feat/metadb-ipv6
  • feat/postgres-errors-on-scram-errors
  • feat/prepared-statements-support
  • feat/promex-refresh-hot-reload
  • feat/proxy_ports
  • feat/ranch-instances
  • feat/ssl_req_macros
  • feat/telemetry-client-connection-age
  • feat/use-multicast-instead-of-cast-in-loop
  • fix-e2e-case-to-use-transaction-connections
  • fix/authn-retry
  • fix/backport-directory-check
  • fix/cancel
  • fix/clear-cache-tenant-creation
  • fix/config-logger
  • fix/config-regression
  • fix/correct-vault-enc-key
  • fix/coverage-ignore
  • fix/create-schema-before-migrations
  • fix/data-race
  • fix/db-handler-active-true
  • fix/db-handler-terminating-with-error
  • fix/dialyzer-and-404-on-metrics
  • fix/dont-restart-pool-without-need
  • fix/error-and-improve-logs
  • fix/fork-promex-phoenix-plugin
  • fix/hot-upgrade
  • fix/ignore-ready-for-query-when-idle
  • fix/integration-test-tag
  • fix/ipv6-postgres-topology-strategy
  • fix/logflare-backend-conformance
  • fix/logger-formatter
  • fix/logging
  • fix/logs-context
  • fix/metrics
  • fix/metrics-cleaning
  • fix/missing-error-log
  • fix/monitor-tcp-socket
  • fix/no-warm-pool
  • fix/race-condition-tenant-settings-update
  • fix/redact
  • fix/remove-activation
  • fix/revert-gha-bump
  • fix/secret-checker-database
  • fix/session-query-metrics
  • fix/skip-bun-failing
  • fix/startup
  • fix/startup-order
  • fix/stop-db-hadler-on-owner-death
  • fix/syn
  • fix/tenant-metrics
  • fix/tenant-supervisor-child-type
  • fix/tests
  • fix/use-cached-tenant
  • fix/waiting-for-secrets
  • fix/websocket-hanging
  • fix/zombie-connections
  • hauleth/pool-124-connect-coveralls-to-the-supavisor-ci
  • ignore-tasks-in-coverage
  • ignore-tests-support-in-coverage-report
  • ignore-tmp
  • infinity-retry
  • invalid-search-path-handling-psql-based-tests
  • json-log-format
  • la/get_tenant_cache
  • la/get_user_cache
  • la/handle-db-auth-tests
  • la/pg_auth_methods
  • la/ssl-connection
  • la/tenant_controller_tests
  • la/tenants_context_tests
  • la/use-dbhandler-checkout
  • lower-log-level-when-removing-stopped-listener
  • main
  • ne/libclang
  • parallel-coverage-reporting
  • patch-1
  • plarson/fix-openapi-schema-required-fields
  • pooler-127
  • pooler-131-update-erlang-otp-to-27
  • pooler-132-update-elixir-to-1_18
  • pooler-138
  • postgres-switching
  • prepare-release
  • refactor/improve-statems
  • refactor/protocol-server-cleanup
  • refactor/remove-dead-code
  • refactor/rework-errors-add-codes
  • refactor/store-encrypted-secrets
  • refs/pull/575/merge
  • release-v2.4.15
  • remaining-peer-verification-setup-in-OTP-27
  • remove-commented-out-code
  • remove-duplicated-configuration-entry
  • remove-unused-module
  • rename-host-metadata-field-to-avoid-conflict
  • reuse-sessions-when-possible
  • run-tests-on-main
  • security-token
  • submit-dependencies-to-github
  • tag-flaky-test
  • test/cascade-drop-schema-in-integration-tests
  • test/deno-bun
  • test/fix-logflare_formatter-flaky-test
  • test/integration-test-for-stats-on-other-node
  • test/psql-integration
  • test/skip-flaky-bun-deno-test
  • typo-in-api-schema
  • unload-mecked-module
  • update-dependencies
  • update-erlang-and-elixir
  • update-mailmap
  • update-runner-image-for-version_updated
  • update-rustler
  • upgrade-github-actions-node24
  • upgrade-github-actions-node24-general
  • use-built-in-json-module
  • use-iodata-for-metrics
  • use-location_id-for-cluster-identification
  • use-proper-output-in-mix-tasks
  • use-sarif-output-for-credo-report
  • v2.7.0

18 Feb 2026 03:12PM UTC coverage: 75.129% (+1.4%) from 73.729%
22145415097

push

github

web-flow
feat: support jit access in supavisor (#725)

## What kind of change does this PR introduce?

Feature

Introduces support for Just-in-time (JIT) access via a Personal Access
Token (PAT) or JWT, which is validated against a remote API. This is
implemented as a separate tenant feature, since it is not a standard
postgres feature. The upstream tenant must also be configured for JIT,
which requires a PAM to be installed and configured in the pg_hba.

With JIT in use, a disconnect happens between what the server expects
for auth (pg_hba.conf) and what `pg_authid` stores for user auth. In
most cases pg_authid will have the credentials saved as scram-sha-256,
but with the use of PAM for authentication, the database uses
`AuthenticationCleartext_password`. For this reason, the Supavisor must
be made aware of the tenants changed auth, and we use a new `use_jit`
configuration value for the tenant. When this is active, the pooler will
use AuthenticationCleartext_password, and support either logging in with
the valid user password (which will be checked against the scram-sha-256
retrieved from pg_authid) or a PAT/JWT that is validated against the
upstream API server configured via `jit_api_url`.

Cached credentials keep working as before, except in the case of the
PAT/JWT, the check is always performed against the upstream API server.
This ensures that any revocation of JIT access is respected, alongside
the expiration/revocation of the auth tokens, something that happens
outside of the database.

## What is the current behavior?

Doesn't support JIT.

## What is the new behavior?

Supports JIT, allowing login with:

JWT:
```
psql 'postgresql://postgres.dev_tenant2:eyJhbGciOiJSUzI1NiIsImtpZCI6IjcyYjY2NjA1IiwidHlwIjoiSldUIn0.eyJhYWwiOiJhYWwyIiwiYW1yIjpbeyJtZXRob2QiOiJ0b3RwIiwidGltZXN0YW1wIjOnt9fQ.XbOq_XWg@localhost:6543/postgres'
```

PAT:
```
psql 'postgresql://postgres.dev_tenant2:sbp_39wBdIEXAMPLESdMIg@localhost:6543/postgres'
```

Password:

```
psql 'postgres... (continued)

87 of 102 new or added lines in 7 files covered. (85.29%)

4 existing lines in 3 files now uncovered.

2190 of 2915 relevant lines covered (75.13%)

4241.22 hits per line

Relevant lines Covered
Build:
Build:
2915 RELEVANT LINES 2190 COVERED LINES
4241.22 HITS PER LINE
Source Files on main
  • Tree
  • List 73
  • Changed 13
  • Source Changed 8
  • Coverage Changed 13
Coverage ∆ File Lines Relevant Covered Missed Hits/Line

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
22145415097 main feat: support jit access in supavisor (#725) ## What kind of change does this PR introduce? Feature Introduces support for Just-in-time (JIT) access via a Personal Access Token (PAT) or JWT, which is validated against a remote API. This is impl... push 18 Feb 2026 03:25PM UTC web-flow github
75.13
22144659588 etienne/sec-488-support-jit-access-in-supavisor Merge a344dc5e2 into cae1ebfb6 Pull #725 18 Feb 2026 03:09PM UTC web-flow github
75.06
22144531148 main feat: add log for slow pool checkout (#861) push 18 Feb 2026 02:59PM UTC web-flow github pending completion  
22138746602 etienne/sec-488-support-jit-access-in-supavisor Merge 81a0dc32d into bdcbf2f18 Pull #725 18 Feb 2026 12:09PM UTC web-flow github
75.03
22138575056 feat/add-log-for-slow-pool-checkout Merge 4beff7bb1 into bdcbf2f18 Pull #861 18 Feb 2026 11:59AM UTC web-flow github
73.52
21983118864 refactor/rework-errors-add-codes Merge 5fd3e64da into bdcbf2f18 Pull #841 13 Feb 2026 10:24AM UTC web-flow github
76.66
21979016732 refactor/rework-errors-add-codes Merge d6420ab5a into bdcbf2f18 Pull #841 13 Feb 2026 08:00AM UTC web-flow github
75.94
21978221491 refactor/rework-errors-add-codes Merge ec04e48b5 into bdcbf2f18 Pull #841 13 Feb 2026 07:33AM UTC web-flow github
84.29
21976342222 refactor/rework-errors-add-codes Merge 7b1feb0a5 into bdcbf2f18 Pull #841 13 Feb 2026 06:00AM UTC web-flow github
76.29
21976134663 refactor/rework-errors-add-codes Merge 13dd9f537 into bdcbf2f18 Pull #841 13 Feb 2026 05:49AM UTC web-flow github
82.61
See All Builds (742)
  • Repo on GitHub
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc