do not validate passwords, just forward them onto postgres

dont get access controls

add a new cleartext authsecret instead

proxy/src/auth/backend/classic.rs

@@ -45,6 +45,10 @@ pub(super) async fn authenticate(
                 server_key: secret.server_key.as_bytes(),
             }
         }
+        AuthSecret::Cleartext => {
+            ctx.set_auth_method(crate::context::AuthMethod::Cleartext);
+            return super::hacks::authenticate_cleartext(ctx, creds, client, secret, config).await;
+        }
     };
 
     Ok(ComputeCredentials {

proxy/src/auth/backend/mod.rs

@@ -174,6 +174,8 @@ impl ComputeUserInfo {
 
 #[cfg_attr(test, derive(Debug))]
 pub(crate) enum ComputeCredentialKeys {
+    /// We don't convert passwords into auth keys, we just pass passwords onto postgres.
+    Password(Vec<u8>),
     AuthKeys(AuthKeys),
     JwtPayload(Vec<u8>),
 }
@@ -244,11 +246,13 @@ async fn auth_quirks(
     let secret = if let Some(secret) = role_access.secret {
         secret
     } else {
-        // If we don't have an authentication secret, we mock one to
-        // prevent malicious probing (possible due to missing protocol steps).
-        // This mocked secret will never lead to successful authentication.
-        info!("authentication info not found, mocking it");
-        AuthSecret::Scram(scram::ServerSecret::mock(rand::random()))
+        // // If we don't have an authentication secret, we mock one to
+        // // prevent malicious probing (possible due to missing protocol steps).
+        // // This mocked secret will never lead to successful authentication.
+        // info!("authentication info not found, mocking it");
+        // AuthSecret::Scram(scram::ServerSecret::mock(rand::random()))
+
+        AuthSecret::Cleartext
     };
 
     match authenticate_with_secret(

proxy/src/auth/flow.rs

@@ -187,5 +187,8 @@ pub(crate) async fn validate_password_and_exchange(
                 postgres_client::config::AuthKeys::ScramSha256(keys),
             )))
         }
+        AuthSecret::Cleartext => Ok(sasl::Outcome::Success(ComputeCredentialKeys::Password(
+            password.to_vec(),
+        ))),
     }
 }

proxy/src/compute/mod.rs

@@ -177,6 +177,7 @@ impl AuthInfo {
                 ComputeCredentialKeys::AuthKeys(AuthKeys::ScramSha256(auth_keys)) => {
                     Some(Auth::Scram(Box::new(auth_keys)))
                 }
+                ComputeCredentialKeys::Password(pw) => Some(Auth::Password(pw)),
                 ComputeCredentialKeys::JwtPayload(_) => None,
             },
             server_params: StartupMessageParams::default(),

proxy/src/control_plane/mod.rs

@@ -43,6 +43,8 @@ pub mod mgmt;
 pub(crate) enum AuthSecret {
     /// [SCRAM](crate::scram) authentication info.
     Scram(scram::ServerSecret),
+    /// Do not authenticate, just take the cleartext password and give it to postgres.
+    Cleartext,
 }
 
 #[derive(Default)]

proxy/src/lib.rs

@@ -76,6 +76,7 @@
 // List of temporarily allowed lints to unblock beta/nightly.
 #![allow(unknown_lints)]
 #![expect(
+    unused_imports,
     dead_code,
     reason = "
     We are making minimal changes to proxy for lakebase-v2 integration. 

proxy/src/serverless/rest.rs

@@ -800,7 +800,7 @@ async fn handle_rest_inner(
                 .map_err(|e| RestError::SubzeroCore(JsonDeserialize { source: e }))?;
             Some(payload)
         }
-        ComputeCredentialKeys::AuthKeys(_) => None,
+        ComputeCredentialKeys::AuthKeys(_) | ComputeCredentialKeys::Password(_) => None,
     };
 
     // read the role from the jwt claims (and set it to the "anon" role if not present)