MotherDuck plugin for DuckDB

[sterlinm]

Overview

Creating a plugin for the DuckDB CLI to allow you to securely store your MotherDuck token using 1password.

Type of change

• Created a new plugin
• Improved an existing plugin
• Fixed a bug in an existing plugin
• Improved contributor utilities or experience

Related Issue(s)

• Resolves: #
• Relates: #

How To Test

The plugin is used when the duckdb CLI is called and the user attempts to connect to MotherDuck without providing a token via environment variable or as part of the connection string.

This would require authentication with 1password: duckdb 'md:'.

From the DuckDB CLI interface, if you run PRAGMA PRINT_MD_TOKEN; it should print out the token that you have stored in 1password.

These would not require authentication with 1password:

• duckdb
• duckdb localdb.ddb
• duckdb 'md:my_db?motherduck_token=<motherduck_token>
• motherduck_token=<motherduck_token> duckdb 'md:'

You can test that it uses the token from the connection string or environment variable (rather than 1password) by running the following commands:

• duckdb 'md:my_db?motherduck_token=<motherduck_token> -c 'PRAGMA print_md_token'
• motherduck_token=<motherduck_token> duckdb 'md:' -c 'PRAGMA print_md_token'

The token that is printed out should match the provided token rather than the one saved in 1password.

Changelog

[sterlinm]

Hi folks! If there's any more information you need from me, please let me know. Thanks!

[sterlinm]

Hi! Just checking in on this again. Thanks!

[sterlinm]

Is it fair to assume that the shell extensions project is dead?

[edif2008]

Thank you for your contribution! 😄

I've left a couple of improvements that I've seen by trying out MotherDuck myself.

[edif2008]

Could you add a comment on what this custom implementation does and why it is needed and can't be built with the existing functions?

That can increase the confidence that this plugin behaves as expected.

[sterlinm]

I replaced this with a more specific helper function. We only use need to authenticate with 1password if the connection string contains 'md:' but motherduck_token is not specified in the connection string and not set as an environment variable.

[sterlinm]

@edif2008 Thanks for the review, and sorry for the delayed response! I'll address your comments soon.

[github-actions]

⚠️ This PR contains unsigned commits. To get your PR merged, please sign those commits (git rebase --exec 'git commit -S --amend --no-edit -n' @{upstream}) and force push them to this branch (git push --force-with-lease).

If you're new to commit signing, there are different ways to set it up:

Sign commits with gpg

Follow the steps below to set up commit signing with gpg:

1. Generate a GPG key
2. Add the GPG key to your GitHub account
3. Configure git to use your GPG key for commit signing

Sign commits with ssh-agent

Follow the steps below to set up commit signing with ssh-agent:

1. Generate an SSH key and add it to ssh-agent
2. Add the SSH key to your GitHub account
3. Configure git to use your SSH key for commit signing

Sign commits with 1Password

You can also sign commits using 1Password, which lets you sign commits with biometrics without the signing key leaving the local 1Password process.

Learn how to use 1Password to sign your commits.

[sterlinm]

@edif2008 This should be ready for another look. Thanks!

[sterlinm]

@edif2008 One design choice I'm not sure how to address that I'd love advice on.

As it is now, if the user has set motherduck_token in their environment variables the plugin will use that value and not prompt the user to authenticate with 1password at all. The idea is that if you've already set the environment variable than you don't want to get prompted for authentication.

Ideally this would be something you could configure when you initialize the plugin, but I'm not sure if there's a good way to do that, but I'm not sure if that's supported.

Other than that I think this is ready to go. Let me know if there's anything else I should address. Thanks!

[sterlinm]

I've been using this locally now and it's been pretty convenient. I'd love to get it officially supported so I could promote it to people. Thanks!