fix(postgres): honor user-supplied ssl config in vector store connection#6596
fix(postgres): honor user-supplied ssl config in vector store connection#6596gaurav0107 wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces a new helper function resolvePostgresSSL along with comprehensive unit tests to ensure that user-supplied SSL configurations in the additional settings take precedence over the boolean SSL toggle for Postgres connections. The review feedback suggests simplifying the nullish check in resolvePostgresSSL by using loose equality (!= null) to align with standard JavaScript/TypeScript idioms.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| export function resolvePostgresSSL(additionalConfig: Record<string, any> | undefined, sslToggle: boolean): boolean | Record<string, any> { | ||
| if (additionalConfig && typeof additionalConfig === 'object' && Object.prototype.hasOwnProperty.call(additionalConfig, 'ssl')) { | ||
| return additionalConfig.ssl | ||
| } | ||
| return sslToggle | ||
| } |
There was a problem hiding this comment.
To align with the repository's general rules, use loose equality (!= null) for nullish checks instead of combining truthiness and typeof checks. This simplifies the condition while remaining safe, as Object.prototype.hasOwnProperty.call handles primitive values gracefully without throwing errors.
| export function resolvePostgresSSL(additionalConfig: Record<string, any> | undefined, sslToggle: boolean): boolean | Record<string, any> { | |
| if (additionalConfig && typeof additionalConfig === 'object' && Object.prototype.hasOwnProperty.call(additionalConfig, 'ssl')) { | |
| return additionalConfig.ssl | |
| } | |
| return sslToggle | |
| } | |
| export function resolvePostgresSSL(additionalConfig: Record<string, any> | undefined, sslToggle: boolean): boolean | Record<string, any> { | |
| if (additionalConfig != null && Object.prototype.hasOwnProperty.call(additionalConfig, 'ssl')) { | |
| return additionalConfig.ssl | |
| } | |
| return sslToggle | |
| } |
References
- In JavaScript/TypeScript, use loose equality (
== null) as a standard idiom for a 'nullish' check that covers bothnullandundefined.
There was a problem hiding this comment.
Addressed in 06c2dbd — switched to the != null nullish check. Thanks for the review.
The Postgres vector store always uses the TypeORM driver, which set the connection `ssl` field from the boolean SSL toggle *after* spreading the user's Additional Configuration. Any richer `ssl` object supplied there (a custom CA or `rejectUnauthorized` flag) was silently clobbered, even though the field documents `ssl` as a supported option. This forced operators onto the global `NODE_TLS_REJECT_UNAUTHORIZED=0` workaround to reach AWS RDS or internal-corporate-CA Postgres databases, which disables TLS verification process-wide. Resolve `ssl` via a small helper so a value provided through Additional Configuration takes precedence over the boolean toggle, falling back to the toggle when absent. Default behaviour is unchanged. Adds a unit test for the resolution precedence. Closes FlowiseAI#5292 Closes FlowiseAI#5351
aa49258 to
06c2dbd
Compare
Summary
The Postgres vector store cannot connect to databases that present a custom or self-signed CA chain (AWS RDS, an internal corporate CA). Upserts fail with:
Root cause:
getDriverFromConfigalways selects the TypeORM driver, andTypeORMDriver.getPostgresConnectionOptionsset the connectionsslfield from the boolean SSL toggle after spreading the user's Additional Configuration:So any richer
sslobject a user supplies is silently discarded — even though the Additional Configuration field description explicitly documentssslas a supported TypeORM option ("Optional TypeORM connection options (e.g. ssl, connectTimeout)"). The only remaining workaround is the globalNODE_TLS_REJECT_UNAUTHORIZED=0env var, which disables TLS verification process-wide and is called out as unsafe by users in the linked issue.This PR resolves
sslso that a value supplied via Additional Configuration takes precedence over the boolean toggle, and falls back to the toggle when it is absent. The resolution lives in a small dependency-free helper (sslConfig.ts) so it can be unit tested in isolation, mirroring the existingsanitizeDataSourceOptions.tspattern.Operators can now point Flowise at an RDS / corporate-CA Postgres with a scoped, per-connection SSL config, for example in Additional Configuration:
{ "ssl": { "rejectUnauthorized": true, "ca": "-----BEGIN CERTIFICATE-----\n..." } }or, for a self-signed cert:
{ "ssl": { "rejectUnauthorized": false } }No behaviour changes for existing users: when Additional Configuration does not contain
ssl, the boolean toggle drives the connection exactly as before.Closes #5292
Closes #5351
Verification
resolvePostgresSSLreturns the user-suppliedsslobject/boolean when present, else the toggle — covered by a new unit test (sslConfig.test.ts, 5 cases: toggle passthrough, undefined config, object-wins-over-toggle for both toggle states, explicitssl:false,rejectUnauthorized:false).tsc --noEmitonflowise-components: 0 errors.eslinton the changed files: 0 errors/warnings.prettier --checkon the changed files: clean.jest(sslConfig.test.ts): 5/5 passing.