oauth: Classify oauth_client_secret as a password

Tell UIs to hide the value of oauth_client_secret, like the other
passwords. Due to the previous commit, this does not affect postgres_fdw
and dblink, but add a comment to try to warn others of the hazard in the
future.

Reported-by: Noah Misch <[email protected]>
Reviewed-by: Noah Misch <[email protected]>
Discussion: https://postgr.es/m/20250415191435.55.nmisch%40google.com

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index bd51e6115cf97d9c0264807aada8b064c7ab8939..430c0fa44428a2545dfdbf1baeac2a5758f7ff56 100644 (file)
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -158,6 +158,12 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
  *     "*"     Password field - hide value
  *     "D"     Debug option - don't show by default
  *
+ * NB: Server-side clients -- dblink, postgres_fdw, libpqrcv -- use dispchar to
+ * determine which options to expose to end users, and how. Changing dispchar
+ * has compatibility and security implications for those clients. For example,
+ * postgres_fdw will attach a "*" option to USER MAPPING instead of the default
+ * SERVER, and it disallows setting "D" options entirely.
+ *
  * PQconninfoOptions[] is a constant static array that we use to initialize
  * a dynamically allocated working copy.  All the "val" fields in
  * PQconninfoOptions[] *must* be NULL.  In a working copy, non-null "val"
@@ -394,7 +400,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
    offsetof(struct pg_conn, oauth_client_id)},
 
    {"oauth_client_secret", NULL, NULL, NULL,
-       "OAuth-Client-Secret", "", 40,
+       "OAuth-Client-Secret", "*", 40,
    offsetof(struct pg_conn, oauth_client_secret)},
 
    {"oauth_scope", NULL, NULL, NULL,