fix: use AWS RDS CA bundle for proper SSL verification, simplify client SSL config (#2432)

Marfuen · web-flow · commit 863f14be9ba0 · 2026-04-02T12:45:14.000-04:00
diff --git a/apps/api/Dockerfile.multistage b/apps/api/Dockerfile.multistage
@@ -83,8 +83,11 @@ RUN groupadd --system nestjs && useradd --system --gid nestjs --create-home nest
 WORKDIR /app
 RUN chown nestjs:nestjs /app
 
-# Install runtime dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends wget && rm -rf /var/lib/apt/lists/*
+# Install runtime dependencies + AWS RDS CA certificate bundle
+RUN apt-get update && apt-get install -y --no-install-recommends wget && rm -rf /var/lib/apt/lists/* \
+  && wget -q -O /usr/local/share/aws-rds-ca-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
+
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/aws-rds-ca-bundle.pem
 
 # Copy built NestJS app
 COPY --from=builder --chown=nestjs:nestjs /app/apps/api/dist ./dist
diff --git a/apps/api/prisma/client.ts b/apps/api/prisma/client.ts
@@ -3,47 +3,10 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-/**
- * Derive pg SSL config from the DATABASE_URL.
- *
- * pg@8+ defaults rejectUnauthorized to true, which rejects AWS RDS Proxy's
- * certificate (signed by internal AWS CA, not in Node.js root CA store).
- *
- * Per PostgreSQL sslmode spec:
- *   - disable:     no SSL
- *   - require:     encrypt, skip certificate verification
- *   - verify-ca:   encrypt + verify CA
- *   - verify-full: encrypt + verify CA + hostname
- *
- * When no sslmode is set, we default to SSL with rejectUnauthorized: false
- * for non-localhost connections (matches Prisma v6 behavior where the Rust
- * engine silently accepted all certificates).
- */
-function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
-
-  if (sslmodeMatch) {
-    switch (sslmodeMatch[1]) {
-      case 'disable':
-        return undefined;
-      case 'require':
-      case 'no-verify':
-        return { rejectUnauthorized: false };
-      case 'verify-ca':
-      case 'verify-full':
-        return { rejectUnauthorized: true };
-    }
-  }
-
-  // No sslmode specified — enable SSL for non-localhost (production default)
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
-  return isLocalhost ? undefined : { rejectUnauthorized: false };
-}
-
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
-  const ssl = getSslConfig(url);
-  const adapter = new PrismaPg({ connectionString: url, ssl });
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const adapter = new PrismaPg({ connectionString: url, ssl: isLocalhost ? undefined : true });
   return new PrismaClient({ adapter });
 }
 
diff --git a/apps/app/prisma/client.ts b/apps/app/prisma/client.ts
@@ -3,23 +3,10 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
-  if (sslmodeMatch) {
-    switch (sslmodeMatch[1]) {
-      case 'disable': return undefined;
-      case 'require': case 'no-verify': return { rejectUnauthorized: false };
-      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    }
-  }
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
-  return isLocalhost ? undefined : { rejectUnauthorized: false };
-}
-
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
-  const ssl = getSslConfig(url);
-  const adapter = new PrismaPg({ connectionString: url, ssl });
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const adapter = new PrismaPg({ connectionString: url, ssl: isLocalhost ? undefined : true });
   return new PrismaClient({ adapter });
 }
 
diff --git a/apps/framework-editor/prisma/client.ts b/apps/framework-editor/prisma/client.ts
@@ -3,23 +3,10 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
-  if (sslmodeMatch) {
-    switch (sslmodeMatch[1]) {
-      case 'disable': return undefined;
-      case 'require': case 'no-verify': return { rejectUnauthorized: false };
-      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    }
-  }
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
-  return isLocalhost ? undefined : { rejectUnauthorized: false };
-}
-
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
-  const ssl = getSslConfig(url);
-  const adapter = new PrismaPg({ connectionString: url, ssl });
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const adapter = new PrismaPg({ connectionString: url, ssl: isLocalhost ? undefined : true });
   return new PrismaClient({ adapter });
 }
 
diff --git a/apps/portal/prisma/client.ts b/apps/portal/prisma/client.ts
@@ -3,23 +3,10 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
-  if (sslmodeMatch) {
-    switch (sslmodeMatch[1]) {
-      case 'disable': return undefined;
-      case 'require': case 'no-verify': return { rejectUnauthorized: false };
-      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    }
-  }
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
-  return isLocalhost ? undefined : { rejectUnauthorized: false };
-}
-
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
-  const ssl = getSslConfig(url);
-  const adapter = new PrismaPg({ connectionString: url, ssl });
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const adapter = new PrismaPg({ connectionString: url, ssl: isLocalhost ? undefined : true });
   return new PrismaClient({ adapter });
 }
 
diff --git a/packages/db/scripts/combine-schemas.js b/packages/db/scripts/combine-schemas.js
@@ -54,23 +54,10 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-function getSslConfig(url: string) {
-  const sslmodeMatch = url.match(/sslmode=(\\w[\\w-]*)/);
-  if (sslmodeMatch) {
-    switch (sslmodeMatch[1]) {
-      case 'disable': return undefined;
-      case 'require': case 'no-verify': return { rejectUnauthorized: false };
-      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    }
-  }
-  const isLocalhost = /localhost|127\\.0\\.0\\.1|::1/.test(url);
-  return isLocalhost ? undefined : { rejectUnauthorized: false };
-}
-
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
-  const ssl = getSslConfig(url);
-  const adapter = new PrismaPg({ connectionString: url, ssl });
+  const isLocalhost = /localhost|127\\.0\\.0\\.1|::1/.test(url);
+  const adapter = new PrismaPg({ connectionString: url, ssl: isLocalhost ? undefined : true });
   return new PrismaClient({ adapter });
 }
 
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
@@ -3,23 +3,10 @@ import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
-  if (sslmodeMatch) {
-    switch (sslmodeMatch[1]) {
-      case 'disable': return undefined;
-      case 'require': case 'no-verify': return { rejectUnauthorized: false };
-      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    }
-  }
-  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
-  return isLocalhost ? undefined : { rejectUnauthorized: false };
-}
-
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
-  const ssl = getSslConfig(url);
-  const adapter = new PrismaPg({ connectionString: url, ssl });
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  const adapter = new PrismaPg({ connectionString: url, ssl: isLocalhost ? undefined : true });
   return new PrismaClient({ adapter });
 }
 
