feat: load connection string from env var#8142
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✅ Files skipped from review due to trivial changes (1)
📝 WalkthroughSummary by CodeRabbit
WalkthroughconnectRawClient (src/commands/database/db-connection.ts) now first checks process.env.NETLIFY_DB_URL; if present it constructs a pg Client with that connection string, connects immediately, and returns a RawDBConnection whose cleanup closes the client. If the env var is absent, the previous flow remains: read dbConnectionString from LocalState or start/obtain a NetlifyDev local DB and return a connected client whose cleanup also stops NetlifyDev. Separately, src/commands/database/connect.ts adds a redactConnectionString helper that attempts to parse the input as a URL, clears username and password, and returns the redacted string; if parsing fails it returns the fixed string "database". The non-JSON connection log now prints the redacted value instead of the raw connection string. No public signatures were changed. Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes 🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsTimed out fetching pipeline failures after 30000ms Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/commands/database/db-connection.ts`:
- Around line 32-35: The returned response from connectRawClient currently
includes the raw envConnectionString in the connectionString field which leaks
secrets; add a redactConnectionString helper (e.g., function
redactConnectionString(value: string): string) in this module or a shared util
that masks username/password (or returns '[redacted]' on parse failure) and use
it when building the returned object so connectionString returns the redacted
value instead of envConnectionString; keep the original client and cleanup
behavior unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 8d1f1f0f-8815-4444-9b32-a3fbd197c2e9
📒 Files selected for processing (1)
src/commands/database/db-connection.ts
| return { | ||
| client, | ||
| connectionString: envConnectionString, | ||
| cleanup: () => client.end(), |
There was a problem hiding this comment.
Prevent raw NETLIFY_DB_URL credentials from reaching command output
At Line 34, returning envConnectionString as connectionString leaks secrets downstream because connectRawClient callers print this value (see src/commands/database/connect.ts JSON and log paths). Please avoid exposing the raw DSN in returned display fields.
Proposed direction
export async function connectRawClient(buildDir: string): Promise<RawDBConnection> {
const envConnectionString = process.env.NETLIFY_DB_URL
if (envConnectionString) {
const client = new Client({ connectionString: envConnectionString })
await client.connect()
return {
client,
- connectionString: envConnectionString,
+ connectionString: redactConnectionString(envConnectionString),
cleanup: () => client.end(),
}
}// Add near this module (or shared util)
const redactConnectionString = (value: string): string => {
try {
const url = new URL(value)
if (url.password) url.password = '***'
if (url.username) url.username = '***'
return url.toString()
} catch {
return '[redacted]'
}
}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@src/commands/database/db-connection.ts` around lines 32 - 35, The returned
response from connectRawClient currently includes the raw envConnectionString in
the connectionString field which leaks secrets; add a redactConnectionString
helper (e.g., function redactConnectionString(value: string): string) in this
module or a shared util that masks username/password (or returns '[redacted]' on
parse failure) and use it when building the returned object so connectionString
returns the redacted value instead of envConnectionString; keep the original
client and cleanup behavior unchanged.
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/commands/database/connect.ts`:
- Around line 14-23: The redactConnectionString helper currently throws on URL
parse failure which can abort later cleanup paths (e.g., the JSON branch that
expects redaction to be non-throwing); change redactConnectionString so it never
throws: wrap the URL parse in a try/catch and on failure return a safe,
non-sensitive fallback (for example the original string with a fixed
“[REDACTED]” or a blank credential mask) instead of throwing, so callers like
the JSON handling path can always proceed to cleanup; keep the function name
redactConnectionString and preserve its string return type.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2ae08848-ece2-49e2-9526-56750c6fc8a3
📒 Files selected for processing (1)
src/commands/database/connect.ts
🤖 I have created a release *beep* *boop* --- ## [24.11.0](v24.10.0...v24.11.0) (2026-04-09) ### Features * load connection string from env var ([#8142](#8142)) ([e522b7e](e522b7e)) * pull DB migrations ([#8139](#8139)) ([2a8f7c0](2a8f7c0)) * re-structure db commands ([#8137](#8137)) ([c28ffa3](c28ffa3)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: token-generator-app[bot] <82042599+token-generator-app[bot]@users.noreply.github.com>
2 participants
When the
NETLIFY_DB_URLenvironment variable is present, thedb connectcommand will use that as the connection string instead of the database.This makes it possible for agent runners to connect to the database of the corresponding deploy preview.