fix: add TLS secure context to migrate-mongo config for CDP environments (#494)

mokhld · web-flow · commit 873a97b78205 · 2026-04-10T10:09:44.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -33,7 +33,10 @@ USER node
 
 COPY --from=development /home/node/package*.json ./
 COPY --from=development /home/node/.server ./.server/
-COPY --from=development /home/node/migrate-mongo-config.cjs ./
+COPY --from=development /home/node/migrate-mongo-config.js ./
+# config/index.js and secure-context.js are dependencies for migrate-mongo-config.js
+COPY --from=development /home/node/src/secure-context.js ./src/secure-context.js
+COPY --from=development /home/node/src/config/index.js ./src/config/index.js
 COPY --from=development /home/node/migrations ./migrations/
 COPY --from=development /home/node/scripts ./scripts/
 
diff --git a/README.md b/README.md
@@ -261,7 +261,7 @@ npm run migrate:up
 npm run migrate:down
 
 # Create a new migration
-npx migrate-mongo create <migration-name> -f migrate-mongo-config.cjs
+npx migrate-mongo create <migration-name> -f migrate-mongo-config.js
 ```
 
 **Important**: When running migrations manually, ensure your `.env` file contains the correct `MONGO_URI` and `MONGO_DATABASE` values that match your local MongoDB instance.
diff --git a/migrate-mongo-config.js b/migrate-mongo-config.js
@@ -1,15 +1,17 @@
-/* eslint-disable */
-// In this file you can configure migrate-mongo
-require('dotenv/config')
+import 'dotenv/config'
 
-const config = {
-  mongodb: {
-    // Use environment variables to match the app's configuration
-    url: process.env.MONGO_URI || 'mongodb://127.0.0.1:27017/',
+import { config as appConfig } from './src/config/index.js'
+import { prepareSecureContext } from './src/secure-context.js'
 
-    // Use the same database name as the app
-    databaseName: process.env.MONGO_DATABASE || 'forms-submission-api',
+// Prepare secure context for MongoDB TLS connections
+if (appConfig.get('isProduction')) {
+  prepareSecureContext(console.log) // eslint-disable-line no-console
+}
 
+const config = {
+  mongodb: {
+    url: appConfig.get('mongo.uri'),
+    databaseName: appConfig.get('mongo.databaseName'),
     options: {
       //   connectTimeoutMS: 3600000, // increase connection timeout to 1 hour
       //   socketTimeoutMS: 3600000, // increase socket timeout to 1 hour
@@ -29,14 +31,14 @@ const config = {
   lockTtl: 0,
 
   // The file extension to create migrations and search for in migration dir
-  migrationFileExtension: '.cjs',
+  migrationFileExtension: '.js',
 
   // Enable the algorithm to create a checksum of the file contents and use that in the comparison to determine
   // if the file should be run.  Requires that scripts are coded to be run multiple times.
   useFileHash: false,
 
   // Don't change this, unless you know what you're doing
-  moduleSystem: 'commonjs'
+  moduleSystem: 'esm'
 }
 
-module.exports = config
+export default config
diff --git a/package.json b/package.json
@@ -35,9 +35,9 @@
     "prestart": "npm run build",
     "start": "NODE_ENV=${NODE_ENV:-production} node --enable-source-maps ./.server",
     "setup:husky": "node -e \"try { (await import('husky')).default() } catch (e) { if (e.code !== 'ERR_MODULE_NOT_FOUND') throw e }\" --input-type module",
-    "migrate:up": "migrate-mongo up -f migrate-mongo-config.cjs",
-    "migrate:down": "migrate-mongo down -f migrate-mongo-config.cjs",
-    "migrate:status": "migrate-mongo status -f migrate-mongo-config.cjs"
+    "migrate:up": "migrate-mongo up -f migrate-mongo-config.js",
+    "migrate:down": "migrate-mongo down -f migrate-mongo-config.js",
+    "migrate:status": "migrate-mongo status -f migrate-mongo-config.js"
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.679.0",
diff --git a/scripts/run-migrations-and-start.sh b/scripts/run-migrations-and-start.sh
@@ -5,8 +5,8 @@ set -e
 
 echo "Running database migrations..."
 
-# Run migrations with the config file (.cjs extension required for ES module projects)
-npx migrate-mongo up -f migrate-mongo-config.cjs
+# Run migrations with the config file
+npx migrate-mongo up -f migrate-mongo-config.js
 
 echo "Migrations complete. Starting application..."
 
diff --git a/src/api/server.js b/src/api/server.js
@@ -86,7 +86,9 @@ export async function createServer() {
   ])
 
   if (isProduction) {
-    prepareSecureContext(server)
+    prepareSecureContext((message) => {
+      server.logger.info(message)
+    })
   }
 
   await prepareDb(server.logger)
diff --git a/src/helpers/secure-context/get-trust-store-certs.js b/src/helpers/secure-context/get-trust-store-certs.js
diff --git a/src/helpers/secure-context/secure-context.test.js b/src/helpers/secure-context/secure-context.test.js
@@ -1,4 +1,4 @@
-import { getTrustStoreCerts } from '~/src/helpers/secure-context/get-trust-store-certs.js'
+import { getTrustStoreCerts } from '~/src/secure-context.js'
 
 describe('#getTrustStoreCerts', () => {
   const mockProcessEnvWithCerts = {
diff --git a/src/secure-context.js b/src/secure-context.js
@@ -1,25 +1,28 @@
+/*
+  WARNING: this file is imported by migrate-mongo which does not use babel. Avoid importing assets from the wider project as they'll use tilde imports.
+  This file is copied verbatim into the production Docker image at src/secure-context.js. Imports will not be copied.
+  If this grows in complexity and needs external dependencies, it will need to be folded into babel.
+*/
 import tls from 'node:tls'
 
-import { getTrustStoreCerts } from '~/src/helpers/secure-context/get-trust-store-certs.js'
-
 /**
  * @type {SecureContext}
  */
 export let secureContext
 
 /**
  * Prepares the TLS secure context
- * @param {Server} server
  * @returns
+ * @param {(arg: string) => void} loggerFn
  */
-export function prepareSecureContext(server) {
+export function prepareSecureContext(loggerFn) {
   const originalCreateSecureContext = tls.createSecureContext
 
   tls.createSecureContext = function (options = {}) {
     const trustStoreCerts = getTrustStoreCerts(process.env)
 
     if (!trustStoreCerts.length) {
-      server.logger.info('Could not find any TRUSTSTORE_ certificates')
+      loggerFn('Could not find any TRUSTSTORE_ certificates')
     }
 
     const originalSecureContext = originalCreateSecureContext(options)
@@ -37,6 +40,20 @@ export function prepareSecureContext(server) {
 }
 
 /**
- * @import { Server } from '@hapi/hapi'
+ * Get base64 certs from all environment variables starting with TRUSTSTORE_
+ * @param {NodeJS.ProcessEnv} envs
+ * @returns {string[]}
+ */
+export function getTrustStoreCerts(envs) {
+  return Object.entries(envs)
+    .map(([key, value]) => key.startsWith('TRUSTSTORE_') && value)
+    .filter(
+      /** @returns {envValue is string} */
+      (envValue) => Boolean(envValue)
+    )
+    .map((envValue) => Buffer.from(envValue, 'base64').toString().trim())
+}
+
+/**
  * @import { SecureContext } from 'node:tls'
  */

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,9 @@ export async function createServer() {`
`86`	`86`	`])`
`87`	`87`
`88`	`88`	`if (isProduction) {`
`89`		`- prepareSecureContext(server)`
	`89`	`+ prepareSecureContext((message) => {`
	`90`	`+ server.logger.info(message)`
	`91`	`+ })`
`90`	`92`	`}`
`91`	`93`
`92`	`94`	`await prepareDb(server.logger)`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { getTrustStoreCerts } from '~/src/helpers/secure-context/get-trust-store-certs.js'`
	`1`	`+import { getTrustStoreCerts } from '~/src/secure-context.js'`
`2`	`2`
`3`	`3`	`describe('#getTrustStoreCerts', () => {`
`4`	`4`	`const mockProcessEnvWithCerts = {`