Allow configuring pgaudit.log_parameter

[xEverth]

pgaudit is the recommended method to log according to the docs: https://supabase.com/docs/guides/database/extensions/pgaudit
It's possible to enable logging (for a session, or for specific roles) and to choose the log level: https://supabase.com/docs/guides/platform/logs#configuring-pgauditlog

I'd like to verify the call parameters of the RPCs called via postgREST, but I am not able to alter pgaudit.log_parameter due to a permission error:

ERROR: permission denied to set parameter "pgaudit.log_parameter"

To Reproduce

Connect to the database as postgres or use the SQL Editor from the dashboard and run either of the following:
set pgaudit.log_parameter to 'on';
alter role authenticator set pgaudit.log_parameter to 'on';

Expected behavior

I expect to be able to set log_parameter and audit the parameters sent to the RPC.
https://github.com/pgaudit/pgaudit?tab=readme-ov-file#pgauditlog_parameter

Screenshots

System information

Additional context

Postgres version: 15.1.0.113
PostgREST version: 11.2.0

[xEverth]

I'll note that I found a way to access the (URL Encoded) parameters for the RPCs from the API Edge Network Logs > Request Metadata > Search. It's not exactly what I was looking for, but it's something!

[soedirgo]

Hi @xEverth! Currently configuring pgaudit.log_parameter is not supported, since it renders pgsodium useless (secrets in encrypted columns will be logged unencrypted). This may not be relevant if you're not using pgsodium or Supabase Vault.

One workaround for this is using triggers.

I've converted this issue to a feature request to gauge interest - if enough people want this restriction lifted we may reconsider removing this restriction.

[brandonwheat]

would love this feature for temporary troubleshooting