fix: correct MySQL DSN format, CockroachDB port, and URL encoding

- MySQL: Use DSN format (user:pass@tcp(host:port)/db?parseTime=true)
  instead of URI format (mysql://...) which is incompatible with driver
- CockroachDB: Use correct default port 26257 instead of 5432
- URL encode credentials for Postgres/CockroachDB to handle special chars
- Update tests to use correct MySQL DSN format

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ivanauth

docs/spicedb.md

@@ -87,17 +87,21 @@ spicedb datastore gc [flags]
       --datastore-connect-rate duration                                       rate at which new connections are allowed to the datastore (at a rate of 1/duration) (cockroach driver only) (default 100ms)
       --datastore-connection-balancing                                        enable connection balancing between database nodes (cockroach driver only) (default true)
       --datastore-credentials-provider-name string                            retrieve datastore credentials dynamically using ("aws-iam")
+      --datastore-database string                                             datastore database name (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-disable-watch-support                                       disable watch support (only enable if you absolutely do not need watch)
       --datastore-engine string                                               type of datastore to initialize ("cockroachdb", "mysql", "postgres", "spanner") (default "memory")
       --datastore-experimental-column-optimization                            enable experimental column optimization (default true)
       --datastore-follower-read-delay-duration duration                       amount of time to subtract from non-sync revision timestamps to ensure they are sufficiently in the past to enable follower reads (cockroach and spanner drivers only) or read replicas (postgres and mysql drivers only) (default 4.8s)
       --datastore-gc-interval duration                                        amount of time between passes of garbage collection (postgres driver only) (default 3m0s)
       --datastore-gc-max-operation-time duration                              maximum amount of time a garbage collection pass can operate before timing out (postgres driver only) (default 1m0s)
       --datastore-gc-window duration                                          amount of time before revisions are garbage collected (default 24h0m0s)
+      --datastore-host string                                                 datastore host (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-include-query-parameters-in-traces                          include query parameters in traces (postgres and CRDB drivers only)
       --datastore-max-tx-retries int                                          number of times a retriable transaction should be retried (default 10)
       --datastore-migration-phase string                                      datastore-specific flag that should be used to signal to a datastore which phase of a multi-step migration it is in
       --datastore-mysql-table-prefix string                                   prefix to add to the name of all SpiceDB database tables
+      --datastore-password string                                             datastore password (used to build connection URI if datastore-conn-uri is not provided)
+      --datastore-port string                                                 datastore port (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-prometheus-metrics                                          set to false to disabled metrics from the datastore (do not use for Spanner; setting to false will disable metrics to the configured metrics store in Spanner) (default true)
       --datastore-read-replica-conn-pool-read-healthcheck-interval duration   amount of time between connection health checks in a remote datastore's connection pool (default 30s)
       --datastore-read-replica-conn-pool-read-max-idletime duration           maximum amount of time a connection can idle in a remote datastore's connection pool (default 30m0s)
@@ -125,6 +129,7 @@ spicedb datastore gc [flags]
       --datastore-spanner-min-sessions uint                                   minimum number of sessions across all Spanner gRPC connections the client can have at a given time (default 100)
       --datastore-tx-overlap-key string                                       static key to touch when writing to ensure transactions overlap (only used if --datastore-tx-overlap-strategy=static is set; cockroach driver only) (default "key")
       --datastore-tx-overlap-strategy string                                  strategy to generate transaction overlap keys ("request", "prefix", "static", "insecure") (cockroach driver only - see https://spicedb.dev/d/crdb-overlap for details) (default "static")
+      --datastore-username string                                             datastore username (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-watch-buffer-length uint16                                  how large the watch buffer should be before blocking (default 1024)
       --datastore-watch-buffer-write-timeout duration                         how long the watch buffer should queue before forcefully disconnecting the reader (default 1s)
       --datastore-watch-connect-timeout duration                              how long the watch connection should wait before timing out (cockroachdb driver only) (default 1s)
@@ -256,17 +261,21 @@ spicedb datastore repair [flags]
       --datastore-connect-rate duration                                       rate at which new connections are allowed to the datastore (at a rate of 1/duration) (cockroach driver only) (default 100ms)
       --datastore-connection-balancing                                        enable connection balancing between database nodes (cockroach driver only) (default true)
       --datastore-credentials-provider-name string                            retrieve datastore credentials dynamically using ("aws-iam")
+      --datastore-database string                                             datastore database name (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-disable-watch-support                                       disable watch support (only enable if you absolutely do not need watch)
       --datastore-engine string                                               type of datastore to initialize ("cockroachdb", "mysql", "postgres", "spanner") (default "memory")
       --datastore-experimental-column-optimization                            enable experimental column optimization (default true)
       --datastore-follower-read-delay-duration duration                       amount of time to subtract from non-sync revision timestamps to ensure they are sufficiently in the past to enable follower reads (cockroach and spanner drivers only) or read replicas (postgres and mysql drivers only) (default 4.8s)
       --datastore-gc-interval duration                                        amount of time between passes of garbage collection (postgres driver only) (default 3m0s)
       --datastore-gc-max-operation-time duration                              maximum amount of time a garbage collection pass can operate before timing out (postgres driver only) (default 1m0s)
       --datastore-gc-window duration                                          amount of time before revisions are garbage collected (default 24h0m0s)
+      --datastore-host string                                                 datastore host (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-include-query-parameters-in-traces                          include query parameters in traces (postgres and CRDB drivers only)
       --datastore-max-tx-retries int                                          number of times a retriable transaction should be retried (default 10)
       --datastore-migration-phase string                                      datastore-specific flag that should be used to signal to a datastore which phase of a multi-step migration it is in
       --datastore-mysql-table-prefix string                                   prefix to add to the name of all SpiceDB database tables
+      --datastore-password string                                             datastore password (used to build connection URI if datastore-conn-uri is not provided)
+      --datastore-port string                                                 datastore port (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-prometheus-metrics                                          set to false to disabled metrics from the datastore (do not use for Spanner; setting to false will disable metrics to the configured metrics store in Spanner) (default true)
       --datastore-read-replica-conn-pool-read-healthcheck-interval duration   amount of time between connection health checks in a remote datastore's connection pool (default 30s)
       --datastore-read-replica-conn-pool-read-max-idletime duration           maximum amount of time a connection can idle in a remote datastore's connection pool (default 30m0s)
@@ -294,6 +303,7 @@ spicedb datastore repair [flags]
       --datastore-spanner-min-sessions uint                                   minimum number of sessions across all Spanner gRPC connections the client can have at a given time (default 100)
       --datastore-tx-overlap-key string                                       static key to touch when writing to ensure transactions overlap (only used if --datastore-tx-overlap-strategy=static is set; cockroach driver only) (default "key")
       --datastore-tx-overlap-strategy string                                  strategy to generate transaction overlap keys ("request", "prefix", "static", "insecure") (cockroach driver only - see https://spicedb.dev/d/crdb-overlap for details) (default "static")
+      --datastore-username string                                             datastore username (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-watch-buffer-length uint16                                  how large the watch buffer should be before blocking (default 1024)
       --datastore-watch-buffer-write-timeout duration                         how long the watch buffer should queue before forcefully disconnecting the reader (default 1s)
       --datastore-watch-connect-timeout duration                              how long the watch connection should wait before timing out (cockroachdb driver only) (default 1s)
@@ -417,17 +427,21 @@ spicedb serve [flags]
       --datastore-connect-rate duration                                                 rate at which new connections are allowed to the datastore (at a rate of 1/duration) (cockroach driver only) (default 100ms)
       --datastore-connection-balancing                                                  enable connection balancing between database nodes (cockroach driver only) (default true)
       --datastore-credentials-provider-name string                                      retrieve datastore credentials dynamically using ("aws-iam")
+      --datastore-database string                                                       datastore database name (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-disable-watch-support                                                 disable watch support (only enable if you absolutely do not need watch)
       --datastore-engine string                                                         type of datastore to initialize ("cockroachdb", "mysql", "postgres", "spanner") (default "memory")
       --datastore-experimental-column-optimization                                      enable experimental column optimization (default true)
       --datastore-follower-read-delay-duration duration                                 amount of time to subtract from non-sync revision timestamps to ensure they are sufficiently in the past to enable follower reads (cockroach and spanner drivers only) or read replicas (postgres and mysql drivers only) (default 4.8s)
       --datastore-gc-interval duration                                                  amount of time between passes of garbage collection (postgres driver only) (default 3m0s)
       --datastore-gc-max-operation-time duration                                        maximum amount of time a garbage collection pass can operate before timing out (postgres driver only) (default 1m0s)
       --datastore-gc-window duration                                                    amount of time before revisions are garbage collected (default 24h0m0s)
+      --datastore-host string                                                           datastore host (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-include-query-parameters-in-traces                                    include query parameters in traces (postgres and CRDB drivers only)
       --datastore-max-tx-retries int                                                    number of times a retriable transaction should be retried (default 10)
       --datastore-migration-phase string                                                datastore-specific flag that should be used to signal to a datastore which phase of a multi-step migration it is in
       --datastore-mysql-table-prefix string                                             prefix to add to the name of all SpiceDB database tables
+      --datastore-password string                                                       datastore password (used to build connection URI if datastore-conn-uri is not provided)
+      --datastore-port string                                                           datastore port (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-prometheus-metrics                                                    set to false to disabled metrics from the datastore (do not use for Spanner; setting to false will disable metrics to the configured metrics store in Spanner) (default true)
       --datastore-read-replica-conn-pool-read-healthcheck-interval duration             amount of time between connection health checks in a remote datastore's connection pool (default 30s)
       --datastore-read-replica-conn-pool-read-max-idletime duration                     maximum amount of time a connection can idle in a remote datastore's connection pool (default 30m0s)
@@ -456,6 +470,7 @@ spicedb serve [flags]
       --datastore-spanner-min-sessions uint                                             minimum number of sessions across all Spanner gRPC connections the client can have at a given time (default 100)
       --datastore-tx-overlap-key string                                                 static key to touch when writing to ensure transactions overlap (only used if --datastore-tx-overlap-strategy=static is set; cockroach driver only) (default "key")
       --datastore-tx-overlap-strategy string                                            strategy to generate transaction overlap keys ("request", "prefix", "static", "insecure") (cockroach driver only - see https://spicedb.dev/d/crdb-overlap for details) (default "static")
+      --datastore-username string                                                       datastore username (used to build connection URI if datastore-conn-uri is not provided)
       --datastore-watch-buffer-length uint16                                            how large the watch buffer should be before blocking (default 1024)
       --datastore-watch-buffer-write-timeout duration                                   how long the watch buffer should queue before forcefully disconnecting the reader (default 1s)
       --datastore-watch-connect-timeout duration                                        how long the watch connection should wait before timing out (cockroachdb driver only) (default 1s)

pkg/cmd/datastore/datastore.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -394,19 +395,20 @@ func buildConnectionURI(engine, host, port, username, password, database string)
 	// Set default port based on engine if not provided
 	if port == "" {
 		switch engine {
-		case PostgresEngine, CockroachEngine:
+		case PostgresEngine:
 			port = "5432"
+		case CockroachEngine:
+			port = "26257"
 		case MySQLEngine:
 			port = "3306"
 		}
 	}
 
-	// URL encode credentials to handle special characters
-	encodedUsername := username
+	// URL encode credentials to handle special characters like @, :, /
+	encodedUsername := url.QueryEscape(username)
 	encodedPassword := ""
 	if password != "" {
-		// Note: we don't URL-encode here because the URL parsing libraries handle it
-		encodedPassword = ":" + password
+		encodedPassword = ":" + url.QueryEscape(password)
 	}
 
 	// Build URI based on engine type
@@ -415,16 +417,24 @@ func buildConnectionURI(engine, host, port, username, password, database string)
 		// Format: postgres://username:password@host:port/database
 		uri := fmt.Sprintf("postgres://%s%s@%s:%s", encodedUsername, encodedPassword, host, port)
 		if database != "" {
-			uri += "/" + database
+			uri += "/" + url.PathEscape(database)
 		}
 		return uri
 	case MySQLEngine:
-		// Format: mysql://username:password@host:port/database
-		uri := fmt.Sprintf("mysql://%s%s@%s:%s", encodedUsername, encodedPassword, host, port)
+		// MySQL uses DSN format: username:password@tcp(host:port)/database?parseTime=true
+		// Special characters in username/password must be URL-encoded per go-sql-driver/mysql docs
+		encodedMySQLUsername := url.QueryEscape(username)
+		encodedMySQLPassword := ""
+		if password != "" {
+			encodedMySQLPassword = ":" + url.QueryEscape(password)
+		}
+		dsn := fmt.Sprintf("%s%s@tcp(%s:%s)", encodedMySQLUsername, encodedMySQLPassword, host, port)
 		if database != "" {
-			uri += "/" + database
+			dsn += "/" + database
 		}
-		return uri
+		// parseTime=true is required for MySQL to handle time.Time correctly
+		dsn += "?parseTime=true"
+		return dsn
 	default:
 		return ""
 	}

pkg/cmd/datastore/datastore_test.go

@@ -147,7 +147,7 @@ func TestBuildConnectionURI(t *testing.T) {
 			username: "root",
 			password: "rootpass",
 			database: "mydb",
-			expected: "mysql://root:rootpass@localhost:3306/mydb",
+			expected: "root:rootpass@tcp(localhost:3306)/mydb?parseTime=true",
 		},
 		{
 			name:     "mysql with default port",
@@ -157,7 +157,7 @@ func TestBuildConnectionURI(t *testing.T) {
 			username: "root",
 			password: "rootpass",
 			database: "mydb",
-			expected: "mysql://root:rootpass@localhost:3306/mydb",
+			expected: "root:rootpass@tcp(localhost:3306)/mydb?parseTime=true",
 		},
 		{
 			name:     "empty host returns empty",
@@ -179,6 +179,36 @@ func TestBuildConnectionURI(t *testing.T) {
 			database: "db",
 			expected: "",
 		},
+		{
+			name:     "postgres with special characters in password",
+			engine:   PostgresEngine,
+			host:     "localhost",
+			port:     "5432",
+			username: "testuser",
+			password: "pass@word:with/special",
+			database: "testdb",
+			expected: "postgres://testuser:pass%40word%3Awith%2Fspecial@localhost:5432/testdb",
+		},
+		{
+			name:     "mysql with special characters in password",
+			engine:   MySQLEngine,
+			host:     "localhost",
+			port:     "3306",
+			username: "root",
+			password: "pass@word:with/special",
+			database: "mydb",
+			expected: "root:pass%40word%3Awith%2Fspecial@tcp(localhost:3306)/mydb?parseTime=true",
+		},
+		{
+			name:     "cockroachdb with special characters in username and password",
+			engine:   CockroachEngine,
+			host:     "localhost",
+			port:     "26257",
+			username: "user@domain",
+			password: "p@ss:word",
+			database: "testdb",
+			expected: "postgres://user%40domain:p%40ss%3Aword@localhost:26257/testdb",
+		},
 	}
 
 	for _, tt := range tests {