Skip to content

fix(postgres): honor user-supplied ssl config in vector store connection#6596

Open
gaurav0107 wants to merge 1 commit into
FlowiseAI:mainfrom
gaurav0107:bugfix/5292-postgres-vectorstore-ssl-config
Open

fix(postgres): honor user-supplied ssl config in vector store connection#6596
gaurav0107 wants to merge 1 commit into
FlowiseAI:mainfrom
gaurav0107:bugfix/5292-postgres-vectorstore-ssl-config

Conversation

@gaurav0107

Copy link
Copy Markdown

Summary

The Postgres vector store cannot connect to databases that present a custom or self-signed CA chain (AWS RDS, an internal corporate CA). Upserts fail with:

Error: self-signed certificate in certificate chain
Error: unable to verify the first certificate

Root cause: getDriverFromConfig always selects the TypeORM driver, and TypeORMDriver.getPostgresConnectionOptions set the connection ssl field from the boolean SSL toggle after spreading the user's Additional Configuration:

this._postgresConnectionOptions = {
    ...additionalConfiguration, // may contain ssl: { ca, rejectUnauthorized }
    ...
    ssl: this.getSSL(),         // boolean — clobbers the object above
    ...
}

So any richer ssl object a user supplies is silently discarded — even though the Additional Configuration field description explicitly documents ssl as a supported TypeORM option ("Optional TypeORM connection options (e.g. ssl, connectTimeout)"). The only remaining workaround is the global NODE_TLS_REJECT_UNAUTHORIZED=0 env var, which disables TLS verification process-wide and is called out as unsafe by users in the linked issue.

This PR resolves ssl so that a value supplied via Additional Configuration takes precedence over the boolean toggle, and falls back to the toggle when it is absent. The resolution lives in a small dependency-free helper (sslConfig.ts) so it can be unit tested in isolation, mirroring the existing sanitizeDataSourceOptions.ts pattern.

Operators can now point Flowise at an RDS / corporate-CA Postgres with a scoped, per-connection SSL config, for example in Additional Configuration:

{ "ssl": { "rejectUnauthorized": true, "ca": "-----BEGIN CERTIFICATE-----\n..." } }

or, for a self-signed cert:

{ "ssl": { "rejectUnauthorized": false } }

No behaviour changes for existing users: when Additional Configuration does not contain ssl, the boolean toggle drives the connection exactly as before.

Closes #5292
Closes #5351

Verification

  • resolvePostgresSSL returns the user-supplied ssl object/boolean when present, else the toggle — covered by a new unit test (sslConfig.test.ts, 5 cases: toggle passthrough, undefined config, object-wins-over-toggle for both toggle states, explicit ssl:false, rejectUnauthorized:false).
  • tsc --noEmit on flowise-components: 0 errors.
  • eslint on the changed files: 0 errors/warnings.
  • prettier --check on the changed files: clean.
  • jest (sslConfig.test.ts): 5/5 passing.
  • Scope is confined to the Postgres vector store TypeORM connection path; no defaults changed, and the PGVector driver (currently unreachable) is untouched.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new helper function resolvePostgresSSL along with comprehensive unit tests to ensure that user-supplied SSL configurations in the additional settings take precedence over the boolean SSL toggle for Postgres connections. The review feedback suggests simplifying the nullish check in resolvePostgresSSL by using loose equality (!= null) to align with standard JavaScript/TypeScript idioms.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment on lines +22 to +27
export function resolvePostgresSSL(additionalConfig: Record<string, any> | undefined, sslToggle: boolean): boolean | Record<string, any> {
if (additionalConfig && typeof additionalConfig === 'object' && Object.prototype.hasOwnProperty.call(additionalConfig, 'ssl')) {
return additionalConfig.ssl
}
return sslToggle
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To align with the repository's general rules, use loose equality (!= null) for nullish checks instead of combining truthiness and typeof checks. This simplifies the condition while remaining safe, as Object.prototype.hasOwnProperty.call handles primitive values gracefully without throwing errors.

Suggested change
export function resolvePostgresSSL(additionalConfig: Record<string, any> | undefined, sslToggle: boolean): boolean | Record<string, any> {
if (additionalConfig && typeof additionalConfig === 'object' && Object.prototype.hasOwnProperty.call(additionalConfig, 'ssl')) {
return additionalConfig.ssl
}
return sslToggle
}
export function resolvePostgresSSL(additionalConfig: Record<string, any> | undefined, sslToggle: boolean): boolean | Record<string, any> {
if (additionalConfig != null && Object.prototype.hasOwnProperty.call(additionalConfig, 'ssl')) {
return additionalConfig.ssl
}
return sslToggle
}
References
  1. In JavaScript/TypeScript, use loose equality (== null) as a standard idiom for a 'nullish' check that covers both null and undefined.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 06c2dbd — switched to the != null nullish check. Thanks for the review.

The Postgres vector store always uses the TypeORM driver, which set the
connection `ssl` field from the boolean SSL toggle *after* spreading the
user's Additional Configuration. Any richer `ssl` object supplied there
(a custom CA or `rejectUnauthorized` flag) was silently clobbered, even
though the field documents `ssl` as a supported option. This forced
operators onto the global `NODE_TLS_REJECT_UNAUTHORIZED=0` workaround to
reach AWS RDS or internal-corporate-CA Postgres databases, which disables
TLS verification process-wide.

Resolve `ssl` via a small helper so a value provided through Additional
Configuration takes precedence over the boolean toggle, falling back to
the toggle when absent. Default behaviour is unchanged. Adds a unit test
for the resolution precedence.

Closes FlowiseAI#5292
Closes FlowiseAI#5351
@gaurav0107 gaurav0107 force-pushed the bugfix/5292-postgres-vectorstore-ssl-config branch from aa49258 to 06c2dbd Compare July 3, 2026 21:37
@gaurav0107 gaurav0107 marked this pull request as ready for review July 3, 2026 21:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant