fix(cli): fall back to .pgpass for omitted test db password

pgconn's ParseConfig reads ~/.pgpass (or PGPASSFILE) into config.Password when
the password is omitted, and test.go passes it to pg_prove as PGPASSWORD. The
parser resolved an omitted password to empty (unless PGPASSWORD was set), so
pgpass-authenticated DSNs failed. Add legacy-pgpass (a 1:1 port of
jackc/pgpassfile: parse + FindPassword with * wildcards and \/\: escapes,
PGPASSFILE/~/.pgpass path, unix-socket→localhost) and resolve the password as
connection-string → PGPASSWORD → .pgpass in both parse paths.

Author: Coly010

apps/cli/src/legacy/shared/legacy-db-config.parse.ts

@@ -1,5 +1,6 @@
 import { existsSync } from "node:fs";
 import type { LegacyPgConnInput } from "./legacy-db-connection.service.ts";
+import { legacyPgpassPassword } from "./legacy-pgpass.ts";
 
 /** Go's `pgconn` default direct Postgres port. */
 const DIRECT_PORT = 5432;
@@ -143,13 +144,20 @@ function parseUrlConnectionString(value: string): LegacyPgConnInput | undefined
     if (port === undefined) {
       return undefined;
     }
+    const host = rawHost.length > 0 ? rawHost : (libpqEnv("PGHOST") ?? defaultLibpqHost());
+    // Absent database → PGDATABASE, then the resolved user (libpq default).
+    const database = rawDatabase.length > 0 ? rawDatabase : (libpqEnv("PGDATABASE") ?? user);
+    // Password precedence (pgconn): connection string → PGPASSWORD → `.pgpass`.
+    const password =
+      rawPassword.length > 0
+        ? rawPassword
+        : (libpqEnv("PGPASSWORD") ?? legacyPgpassPassword(host, port, database, user));
     return {
-      host: rawHost.length > 0 ? rawHost : (libpqEnv("PGHOST") ?? defaultLibpqHost()),
+      host,
       port,
       user,
-      password: rawPassword.length > 0 ? rawPassword : (libpqEnv("PGPASSWORD") ?? ""),
-      // Absent database → PGDATABASE, then the resolved user (libpq default).
-      database: rawDatabase.length > 0 ? rawDatabase : (libpqEnv("PGDATABASE") ?? user),
+      password,
+      database,
       ...(options !== null && options.length > 0 ? { options } : {}),
       ...(sslmode !== null && sslmode.length > 0 ? { sslmode } : {}),
       ...(sslrootcert !== null && sslrootcert.length > 0 ? { sslrootcert } : {}),
@@ -219,11 +227,16 @@ function parseKeywordValueDsn(value: string): LegacyPgConnInput | undefined {
   if (isInvalidSslmode(sslmode)) return undefined;
   const sslrootcert = params.get("sslrootcert") ?? libpqEnv("PGSSLROOTCERT");
   const options = params.get("options");
+  // Password precedence (pgconn): connection string → PGPASSWORD → `.pgpass`.
+  const password =
+    params.get("password") ??
+    libpqEnv("PGPASSWORD") ??
+    legacyPgpassPassword(host, port, database, user);
   return {
     host,
     port,
     user,
-    password: params.get("password") ?? libpqEnv("PGPASSWORD") ?? "",
+    password,
     database,
     ...(options !== undefined && options.length > 0 ? { options } : {}),
     ...(sslmode !== undefined && sslmode.length > 0 ? { sslmode } : {}),

apps/cli/src/legacy/shared/legacy-pgpass.ts

@@ -0,0 +1,118 @@
+import { readFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+/**
+ * libpq `.pgpass` password lookup, a 1:1 port of `jackc/pgpassfile`
+ * (`ParsePassfile` + `FindPassword`) as used by `pgconn.ParseConfig`
+ * (`config.go:369-378`): when a connection string omits the password, pgconn
+ * reads the passfile and returns the first entry matching host/port/database/
+ * user (with `*` wildcards). For a unix-socket host pgconn matches `localhost`.
+ */
+
+const TMP_BACKSLASH = "\r";
+const TMP_COLON = "\n";
+
+interface PgpassEntry {
+  readonly hostname: string;
+  readonly port: string;
+  readonly database: string;
+  readonly username: string;
+  readonly password: string;
+}
+
+/**
+ * Parse a single `.pgpass` line into an entry, or `undefined` for comments and
+ * unparsable lines. Handles `\\` and `\:` escapes via temporary placeholders,
+ * then splits on the remaining unescaped colons (must yield exactly 5 fields).
+ */
+function parsePgpassLine(line: string): PgpassEntry | undefined {
+  const trimmed = line.trim();
+  if (trimmed.length === 0 || trimmed.startsWith("#")) {
+    return undefined;
+  }
+  const escaped = trimmed.replaceAll("\\\\", TMP_BACKSLASH).replaceAll("\\:", TMP_COLON);
+  const parts = escaped.split(":");
+  if (parts.length !== 5) {
+    return undefined;
+  }
+  const unescape = (part: string): string =>
+    part.replaceAll(TMP_BACKSLASH, "\\").replaceAll(TMP_COLON, ":");
+  return {
+    hostname: unescape(parts[0]!),
+    port: unescape(parts[1]!),
+    database: unescape(parts[2]!),
+    username: unescape(parts[3]!),
+    password: unescape(parts[4]!),
+  };
+}
+
+/**
+ * Find the password for the given connection fields in `.pgpass` file contents,
+ * returning the first matching entry's password (or `""`). Each entry field
+ * matches when it is `*` or equals the connection field.
+ */
+export function legacyFindPgpassPassword(
+  contents: string,
+  hostname: string,
+  port: string,
+  database: string,
+  username: string,
+): string {
+  for (const line of contents.split("\n")) {
+    const entry = parsePgpassLine(line);
+    if (entry === undefined) {
+      continue;
+    }
+    if (
+      (entry.hostname === "*" || entry.hostname === hostname) &&
+      (entry.port === "*" || entry.port === port) &&
+      (entry.database === "*" || entry.database === database) &&
+      (entry.username === "*" || entry.username === username)
+    ) {
+      return entry.password;
+    }
+  }
+  return "";
+}
+
+/** Resolve the passfile path: `PGPASSFILE`, else the libpq per-OS default. */
+function pgpassFilePath(): string | undefined {
+  const explicit = process.env["PGPASSFILE"];
+  if (explicit !== undefined && explicit.length > 0) {
+    return explicit;
+  }
+  if (process.platform === "win32") {
+    const appData = process.env["APPDATA"];
+    return appData !== undefined && appData.length > 0
+      ? join(appData, "postgresql", "pgpass.conf")
+      : undefined;
+  }
+  const home = homedir();
+  return home.length > 0 ? join(home, ".pgpass") : undefined;
+}
+
+/**
+ * Resolve a password from the `.pgpass` file for the given connection, or `""`
+ * when the file is absent/unreadable or has no matching entry. A unix-socket
+ * host (a path) matches `localhost`, mirroring pgconn's `NetworkAddress`.
+ */
+export function legacyPgpassPassword(
+  host: string,
+  port: number,
+  database: string,
+  username: string,
+): string {
+  const path = pgpassFilePath();
+  if (path === undefined) {
+    return "";
+  }
+  let contents: string;
+  try {
+    contents = readFileSync(path, "utf8");
+  } catch {
+    return "";
+  }
+  const matchHost = host.startsWith("/") ? "localhost" : host;
+  return legacyFindPgpassPassword(contents, matchHost, String(port), database, username);
+}

apps/cli/src/legacy/shared/legacy-pgpass.unit.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, it } from "vitest";
+
+import { legacyFindPgpassPassword } from "./legacy-pgpass.ts";
+
+describe("legacyFindPgpassPassword", () => {
+  const file = [
+    "# a comment",
+    "db.example.com:5432:appdb:alice:s3cret",
+    "*:*:*:*:wildcard-pass",
+  ].join("\n");
+
+  it("returns the password of the first matching entry", () => {
+    expect(legacyFindPgpassPassword(file, "db.example.com", "5432", "appdb", "alice")).toBe(
+      "s3cret",
+    );
+  });
+
+  it("falls through to a wildcard entry when no exact match", () => {
+    expect(legacyFindPgpassPassword(file, "other.host", "5432", "db", "bob")).toBe("wildcard-pass");
+  });
+
+  it("returns empty string when nothing matches and no wildcard", () => {
+    expect(
+      legacyFindPgpassPassword("db.example.com:5432:appdb:alice:s3cret", "h", "5432", "d", "u"),
+    ).toBe("");
+  });
+
+  it("honors escaped colons and backslashes in fields (jackc/pgpassfile parity)", () => {
+    // Password `a:b\c` written with escaped colon and backslash.
+    expect(legacyFindPgpassPassword("h:5432:d:u:a\\:b\\\\c", "h", "5432", "d", "u")).toBe("a:b\\c");
+  });
+
+  it("skips lines that do not have exactly five fields", () => {
+    expect(legacyFindPgpassPassword("h:5432:d:u", "h", "5432", "d", "u")).toBe("");
+  });
+});