Description
The Kafka documentation page states DBCode supports
"No Auth, SASL/PLAIN, SCRAM-SHA-256, SCRAM-SHA-512", and the connection UI offers these auth methods.
However, the Kafka driver never applies any of it: it opens a plain unauthenticated connection regardless
of the configured authMethod, username, and password. Against a broker whose client listener requires
SASL, the broker rejects the unauthenticated metadata request and DBCode fails with
KafkaJSConnectionClosedError: Closed connection.
Environment
| Item |
Value |
| DBCode |
1.35.7 (also reproduced on 1.35.4-universal in Cursor) |
| VS Code |
Insiders 1.128.0 (2be9624) |
| OS |
macOS 26.5.1 (arm64) |
| Kafka |
apache/kafka:4.1.0, KRaft single node, in Docker |
| Broker listener |
SASL_PLAINTEXT://localhost:9192, sasl.enabled.mechanisms=SCRAM-SHA-512 |
Broker configuration (relevant parts)
listeners=SASL_PLAINTEXT://0.0.0.0:9192,CONTROLLER://127.0.0.1:9193,BROKER://127.0.0.1:9194
advertised.listeners=SASL_PLAINTEXT://localhost:9192,BROKER://localhost:9194
listener.security.protocol.map=CONTROLLER:PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT,BROKER:PLAINTEXT
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
SCRAM user created with:
kafka-configs.sh --bootstrap-server localhost:9194 --alter \
--add-config 'SCRAM-SHA-512=[password=password]' \
--entity-type users --entity-name kafka
DBCode connection configuration (settings.json)
{
"connectionId": "Yrb9d2eyYO4c8GoHfcyF4",
"name": "local-kafka",
"driver": "kafka",
"host": "localhost",
"port": 9192,
"authMethod": "scram512",
"username": "kafka",
"password": "password",
"savePassword": "yes",
"ssl": false,
"connectionType": "host"
}
(kafka is also missing from the driver enum and authMethod from the connection schema in
package.json dbcode.connections contributions, so settings validation flags a UI-created Kafka
connection — a secondary symptom of the same incomplete wiring.)
Steps to reproduce
- Run any Kafka broker with a SASL/SCRAM-SHA-512-only client listener (config above; a stock
apache/kafka:4.1.0 container works) and register the SCRAM user.
- Sanity-check the broker accepts SCRAM (see "Control test" below).
- In DBCode, create a Kafka connection: host
localhost, port 9192, auth SASL/SCRAM-SHA-512,
username/password as above, SSL off.
- Connect.
Expected
DBCode performs SaslHandshake + SaslAuthenticate (SCRAM-SHA-512) and connects.
Actual
Connection fails. DBCode log (exthost/dbcode.dbcode/DBCode.log):
[error] Connection: 'local-kafka' failed: KafkaJSConnectionClosedError: Closed connection
at Socket.a (…/dbcode.dbcode-1.35.7/out/vendor/kafkajs.js:2:171032)
Broker log at the same second — DBCode sent a plain Metadata request without any SASL handshake:
WARN [SocketServer listenerType=BROKER, nodeId=1] Unexpected error from /172.17.0.1 … closing connection
org.apache.kafka.common.errors.InvalidRequestException: Unexpected Kafka request of type METADATA during SASL handshake.
Control test — the bundled client library itself works
The same credentials with plain kafkajs 2.2.4 (the library vendored by DBCode) connect successfully,
so the broker and the underlying client are fine:
const { Kafka } = require('kafkajs');
const kafka = new Kafka({
brokers: ['localhost:9192'],
ssl: false,
sasl: { mechanism: 'scram-sha-512', username: 'kafka', password: 'password' },
});
await kafka.admin().connect(); // ✅ succeeds
await kafka.admin().listTopics(); // ✅ returns topics
Root cause (from bundle inspection)
In out/extension/extension.js (1.35.7), the Kafka driver's connect method constructs the client with
only two options — no sasl, no ssl:
this.kafka = new kafkajs.Kafka({ clientId: …, brokers: [host + ':' + port] })
this.admin = this.kafka.admin()
await this.admin.connect()
The string sasl does not appear anywhere in the extension bundle's driver code, so authMethod,
username, and password from the connection settings are never forwarded to the kafkajs client.
Impact / workaround
Any Kafka broker with an authentication-required listener (the norm outside toy setups) is unusable
from DBCode; no workaround exists within the extension. Please either wire the connection auth settings
into the kafkajs sasl/ssl config, or update the docs/UI to state Kafka auth is not yet supported.
Description
The Kafka documentation page states DBCode supports
"No Auth, SASL/PLAIN, SCRAM-SHA-256, SCRAM-SHA-512", and the connection UI offers these auth methods.
However, the Kafka driver never applies any of it: it opens a plain unauthenticated connection regardless
of the configured
authMethod,username, andpassword. Against a broker whose client listener requiresSASL, the broker rejects the unauthenticated metadata request and DBCode fails with
KafkaJSConnectionClosedError: Closed connection.Environment
apache/kafka:4.1.0, KRaft single node, in DockerSASL_PLAINTEXT://localhost:9192,sasl.enabled.mechanisms=SCRAM-SHA-512Broker configuration (relevant parts)
SCRAM user created with:
kafka-configs.sh --bootstrap-server localhost:9194 --alter \ --add-config 'SCRAM-SHA-512=[password=password]' \ --entity-type users --entity-name kafkaDBCode connection configuration (
settings.json){ "connectionId": "Yrb9d2eyYO4c8GoHfcyF4", "name": "local-kafka", "driver": "kafka", "host": "localhost", "port": 9192, "authMethod": "scram512", "username": "kafka", "password": "password", "savePassword": "yes", "ssl": false, "connectionType": "host" }(
kafkais also missing from thedriverenum andauthMethodfrom the connection schema inpackage.jsondbcode.connectionscontributions, so settings validation flags a UI-created Kafkaconnection — a secondary symptom of the same incomplete wiring.)
Steps to reproduce
apache/kafka:4.1.0container works) and register the SCRAM user.localhost, port9192, authSASL/SCRAM-SHA-512,username/password as above, SSL off.
Expected
DBCode performs
SaslHandshake+SaslAuthenticate(SCRAM-SHA-512) and connects.Actual
Connection fails. DBCode log (
exthost/dbcode.dbcode/DBCode.log):Broker log at the same second — DBCode sent a plain Metadata request without any SASL handshake:
Control test — the bundled client library itself works
The same credentials with plain kafkajs 2.2.4 (the library vendored by DBCode) connect successfully,
so the broker and the underlying client are fine:
Root cause (from bundle inspection)
In
out/extension/extension.js(1.35.7), the Kafka driver's connect method constructs the client withonly two options — no
sasl, nossl:The string
sasldoes not appear anywhere in the extension bundle's driver code, soauthMethod,username, andpasswordfrom the connection settings are never forwarded to the kafkajs client.Impact / workaround
Any Kafka broker with an authentication-required listener (the norm outside toy setups) is unusable
from DBCode; no workaround exists within the extension. Please either wire the connection auth settings
into the kafkajs
sasl/sslconfig, or update the docs/UI to state Kafka auth is not yet supported.