fix: strip sslmode from DATABASE_URL to avoid conflict with explicit ssl option (#2435)

Marfuen · claude · web-flow · commit 335dcd280afa · 2026-04-02T13:31:24.000-04:00
PrismaPg receives both `sslmode=require` in the connection string and an
explicit `ssl` option. This double-SSL configuration can cause intermittent
connection failures on staging (ECS + RDS). Uses the URL API to safely
remove the sslmode param instead of the old buggy regex approach.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/apps/api/prisma/client.ts b/apps/api/prisma/client.ts
@@ -3,13 +3,21 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
 function createPrismaClient(): PrismaClient {
-  const url = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
   // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
   // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
diff --git a/apps/app/prisma/client.ts b/apps/app/prisma/client.ts
@@ -3,13 +3,21 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
 function createPrismaClient(): PrismaClient {
-  const url = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
   // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
   // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
diff --git a/apps/framework-editor/prisma/client.ts b/apps/framework-editor/prisma/client.ts
@@ -3,13 +3,21 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
 function createPrismaClient(): PrismaClient {
-  const url = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
   // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
   // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
diff --git a/apps/portal/prisma/client.ts b/apps/portal/prisma/client.ts
@@ -3,13 +3,21 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
 function createPrismaClient(): PrismaClient {
-  const url = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
   // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
   // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
diff --git a/packages/db/scripts/combine-schemas.js b/packages/db/scripts/combine-schemas.js
@@ -54,11 +54,18 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
 function createPrismaClient(): PrismaClient {
-  const url = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\\.0\\.0\\.1|::1/.test(url);
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\\.0\\.0\\.1|::1/.test(rawUrl);
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
@@ -3,13 +3,21 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
 function createPrismaClient(): PrismaClient {
-  const url = process.env.DATABASE_URL!;
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
   // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
   // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
   const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
   const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
   const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
diff --git a/packages/db/src/strip-ssl-mode.test.ts b/packages/db/src/strip-ssl-mode.test.ts
@@ -0,0 +1,85 @@
+import { describe, it, expect } from 'bun:test';
+
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
+describe('stripSslMode', () => {
+  it('removes sslmode=require from the connection string', () => {
+    const input =
+      'postgresql://user:pass@host.rds.amazonaws.com:5432/mydb?sslmode=require';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:pass@host.rds.amazonaws.com:5432/mydb',
+    );
+  });
+
+  it('removes sslmode when it is one of multiple params', () => {
+    const input =
+      'postgresql://user:pass@host:5432/mydb?sslmode=require&connection_limit=50';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:pass@host:5432/mydb?connection_limit=50',
+    );
+  });
+
+  it('preserves other query params when sslmode is first', () => {
+    const input =
+      'postgresql://user:pass@host:5432/mydb?sslmode=require&pgbouncer=true&connection_limit=10';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:pass@host:5432/mydb?pgbouncer=true&connection_limit=10',
+    );
+  });
+
+  it('preserves other query params when sslmode is in the middle', () => {
+    const input =
+      'postgresql://user:pass@host:5432/mydb?pgbouncer=true&sslmode=require&connection_limit=10';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:pass@host:5432/mydb?pgbouncer=true&connection_limit=10',
+    );
+  });
+
+  it('preserves other query params when sslmode is last', () => {
+    const input =
+      'postgresql://user:pass@host:5432/mydb?connection_limit=10&sslmode=require';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:pass@host:5432/mydb?connection_limit=10',
+    );
+  });
+
+  it('handles different sslmode values', () => {
+    const input =
+      'postgresql://user:pass@host:5432/mydb?sslmode=verify-full';
+    const result = stripSslMode(input);
+    expect(result).toBe('postgresql://user:pass@host:5432/mydb');
+  });
+
+  it('returns url unchanged when no sslmode is present', () => {
+    const input =
+      'postgresql://user:pass@host:5432/mydb?connection_limit=50';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:pass@host:5432/mydb?connection_limit=50',
+    );
+  });
+
+  it('handles url with no query params', () => {
+    const input = 'postgresql://user:pass@host:5432/mydb';
+    const result = stripSslMode(input);
+    expect(result).toBe('postgresql://user:pass@host:5432/mydb');
+  });
+
+  it('preserves password with special characters', () => {
+    const input =
+      'postgresql://user:p%40ss%23word@host:5432/mydb?sslmode=require&connection_limit=50';
+    const result = stripSslMode(input);
+    expect(result).toBe(
+      'postgresql://user:p%40ss%23word@host:5432/mydb?connection_limit=50',
+    );
+  });
+});
