Skip to content

Kafka driver ignores authMethod/SASL settings — always connects unauthenticated, so SASL-only brokers (SCRAM-SHA-512) can never be reached #1152

Description

@ram-ektar

Description

The Kafka documentation page states DBCode supports
"No Auth, SASL/PLAIN, SCRAM-SHA-256, SCRAM-SHA-512", and the connection UI offers these auth methods.
However, the Kafka driver never applies any of it: it opens a plain unauthenticated connection regardless
of the configured authMethod, username, and password. Against a broker whose client listener requires
SASL, the broker rejects the unauthenticated metadata request and DBCode fails with
KafkaJSConnectionClosedError: Closed connection.

Environment

Item Value
DBCode 1.35.7 (also reproduced on 1.35.4-universal in Cursor)
VS Code Insiders 1.128.0 (2be9624)
OS macOS 26.5.1 (arm64)
Kafka apache/kafka:4.1.0, KRaft single node, in Docker
Broker listener SASL_PLAINTEXT://localhost:9192, sasl.enabled.mechanisms=SCRAM-SHA-512

Broker configuration (relevant parts)

listeners=SASL_PLAINTEXT://0.0.0.0:9192,CONTROLLER://127.0.0.1:9193,BROKER://127.0.0.1:9194
advertised.listeners=SASL_PLAINTEXT://localhost:9192,BROKER://localhost:9194
listener.security.protocol.map=CONTROLLER:PLAINTEXT,SASL_PLAINTEXT:SASL_PLAINTEXT,BROKER:PLAINTEXT
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512

SCRAM user created with:

kafka-configs.sh --bootstrap-server localhost:9194 --alter \
  --add-config 'SCRAM-SHA-512=[password=password]' \
  --entity-type users --entity-name kafka

DBCode connection configuration (settings.json)

{
  "connectionId": "Yrb9d2eyYO4c8GoHfcyF4",
  "name": "local-kafka",
  "driver": "kafka",
  "host": "localhost",
  "port": 9192,
  "authMethod": "scram512",
  "username": "kafka",
  "password": "password",
  "savePassword": "yes",
  "ssl": false,
  "connectionType": "host"
}

(kafka is also missing from the driver enum and authMethod from the connection schema in
package.json dbcode.connections contributions, so settings validation flags a UI-created Kafka
connection — a secondary symptom of the same incomplete wiring.)

Steps to reproduce

  1. Run any Kafka broker with a SASL/SCRAM-SHA-512-only client listener (config above; a stock
    apache/kafka:4.1.0 container works) and register the SCRAM user.
  2. Sanity-check the broker accepts SCRAM (see "Control test" below).
  3. In DBCode, create a Kafka connection: host localhost, port 9192, auth SASL/SCRAM-SHA-512,
    username/password as above, SSL off.
  4. Connect.

Expected

DBCode performs SaslHandshake + SaslAuthenticate (SCRAM-SHA-512) and connects.

Actual

Connection fails. DBCode log (exthost/dbcode.dbcode/DBCode.log):

[error] Connection: 'local-kafka' failed:  KafkaJSConnectionClosedError: Closed connection
    at Socket.a (…/dbcode.dbcode-1.35.7/out/vendor/kafkajs.js:2:171032)

Broker log at the same second — DBCode sent a plain Metadata request without any SASL handshake:

WARN [SocketServer listenerType=BROKER, nodeId=1] Unexpected error from /172.17.0.1 … closing connection
org.apache.kafka.common.errors.InvalidRequestException: Unexpected Kafka request of type METADATA during SASL handshake.

Control test — the bundled client library itself works

The same credentials with plain kafkajs 2.2.4 (the library vendored by DBCode) connect successfully,
so the broker and the underlying client are fine:

const { Kafka } = require('kafkajs');
const kafka = new Kafka({
  brokers: ['localhost:9192'],
  ssl: false,
  sasl: { mechanism: 'scram-sha-512', username: 'kafka', password: 'password' },
});
await kafka.admin().connect();          // ✅ succeeds
await kafka.admin().listTopics();       // ✅ returns topics

Root cause (from bundle inspection)

In out/extension/extension.js (1.35.7), the Kafka driver's connect method constructs the client with
only two options — no sasl, no ssl:

this.kafka = new kafkajs.Kafka({ clientId: , brokers: [host + ':' + port] })
this.admin = this.kafka.admin()
await this.admin.connect()

The string sasl does not appear anywhere in the extension bundle's driver code, so authMethod,
username, and password from the connection settings are never forwarded to the kafkajs client.

Impact / workaround

Any Kafka broker with an authentication-required listener (the norm outside toy setups) is unusable
from DBCode; no workaround exists within the extension. Please either wire the connection auth settings
into the kafkajs sasl/ssl config, or update the docs/UI to state Kafka auth is not yet supported.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions