fix: default to SSL for non-localhost connections, remove buggy cleanUrl stripping (#2430)

github-actions[bot] · Marfuen · web-flow · commit 98213f81f371 · 2026-04-02T12:29:51.000-04:00
Co-authored-by: Mariano Fuentes &lt;marfuen98@gmail.com&gt;
diff --git a/apps/api/prisma/client.ts b/apps/api/prisma/client.ts
@@ -1,57 +1,49 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
 /**
- * Derive pg SSL config from the DATABASE_URL sslmode parameter.
- *
- * pg-connection-string parses sslmode=require into ssl: {} (empty object),
- * and pg@8+ treats ssl: {} as { rejectUnauthorized: true }, which rejects
- * AWS RDS Proxy's self-signed certificate. This is a known pg@8 breaking
- * change (https://node-postgres.com/announcements#ssl-by-default).
+ * Derive pg SSL config from the DATABASE_URL.
  *
- * Per PostgreSQL spec (https://www.postgresql.org/docs/current/libpq-ssl.html):
- *   - require:     encrypt connection, skip certificate verification
- *   - verify-ca:   encrypt + verify server CA
- *   - verify-full: encrypt + verify CA + verify hostname
+ * pg@8+ defaults rejectUnauthorized to true, which rejects AWS RDS Proxy's
+ * certificate (signed by internal AWS CA, not in Node.js root CA store).
  *
- * Per Prisma v7 migration docs: "SSL certificate defaults have changed.
- * Previously [v6 Rust engine], invalid SSL certificates were ignored."
- * (https://www.prisma.io/docs/orm/more/upgrades/to-v7)
+ * Per PostgreSQL sslmode spec:
+ *   - disable:     no SSL
+ *   - require:     encrypt, skip certificate verification
+ *   - verify-ca:   encrypt + verify CA
+ *   - verify-full: encrypt + verify CA + hostname
  *
- * Our infra enforces sslmode=require with RDS Proxy (requireTls: true).
- * The proxy's certificate is signed by an internal AWS CA not in Node.js's
- * root CA store, so rejectUnauthorized: false is required. The connection
- * is still TLS-encrypted — only identity verification is skipped.
+ * When no sslmode is set, we default to SSL with rejectUnauthorized: false
+ * for non-localhost connections (matches Prisma v6 behavior where the Rust
+ * engine silently accepted all certificates).
  */
 function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const match = url.match(/sslmode=(\w[\w-]*)/);
-  if (!match) return undefined;
+  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
 
-  const mode = match[1];
-  switch (mode) {
-    case 'disable':
-      return undefined;
-    case 'require':
-    case 'no-verify':
-      return { rejectUnauthorized: false };
-    case 'verify-ca':
-    case 'verify-full':
-      return { rejectUnauthorized: true };
-    default:
-      return undefined;
+  if (sslmodeMatch) {
+    switch (sslmodeMatch[1]) {
+      case 'disable':
+        return undefined;
+      case 'require':
+      case 'no-verify':
+        return { rejectUnauthorized: false };
+      case 'verify-ca':
+      case 'verify-full':
+        return { rejectUnauthorized: true };
+    }
   }
+
+  // No sslmode specified — enable SSL for non-localhost (production default)
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  return isLocalhost ? undefined : { rejectUnauthorized: false };
 }
 
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
   const ssl = getSslConfig(url);
-  // Strip sslmode from connection string — pg parses it independently and
-  // can override our explicit ssl config. We handle SSL entirely via the ssl option.
-  const cleanUrl = url.replace(/[?&]sslmode=\w[\w-]*/g, '').replace(/\?&/, '?').replace(/\?$/, '');
-  const adapter = new PrismaPg({ connectionString: cleanUrl, ssl });
+  const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
 
diff --git a/apps/app/prisma/client.ts b/apps/app/prisma/client.ts
@@ -1,30 +1,25 @@
 import { PrismaClient } from '../src/generated/prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-/**
- * Derive pg SSL config from the DATABASE_URL sslmode parameter.
- * See apps/api/prisma/client.ts for detailed documentation.
- */
 function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const match = url.match(/sslmode=(\w[\w-]*)/);
-  if (!match) return undefined;
-  const mode = match[1];
-  switch (mode) {
-    case 'disable': return undefined;
-    case 'require': case 'no-verify': return { rejectUnauthorized: false };
-    case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    default: return undefined;
+  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
+  if (sslmodeMatch) {
+    switch (sslmodeMatch[1]) {
+      case 'disable': return undefined;
+      case 'require': case 'no-verify': return { rejectUnauthorized: false };
+      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
+    }
   }
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  return isLocalhost ? undefined : { rejectUnauthorized: false };
 }
 
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
   const ssl = getSslConfig(url);
-  const cleanUrl = url.replace(/[?&]sslmode=\w[\w-]*/g, '').replace(/\?&/, '?').replace(/\?$/, '');
-  const adapter = new PrismaPg({ connectionString: cleanUrl, ssl });
+  const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
 
diff --git a/apps/framework-editor/prisma/client.ts b/apps/framework-editor/prisma/client.ts
@@ -1,30 +1,25 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-/**
- * Derive pg SSL config from the DATABASE_URL sslmode parameter.
- * See apps/api/prisma/client.ts for detailed documentation.
- */
 function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const match = url.match(/sslmode=(\w[\w-]*)/);
-  if (!match) return undefined;
-  const mode = match[1];
-  switch (mode) {
-    case 'disable': return undefined;
-    case 'require': case 'no-verify': return { rejectUnauthorized: false };
-    case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    default: return undefined;
+  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
+  if (sslmodeMatch) {
+    switch (sslmodeMatch[1]) {
+      case 'disable': return undefined;
+      case 'require': case 'no-verify': return { rejectUnauthorized: false };
+      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
+    }
   }
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  return isLocalhost ? undefined : { rejectUnauthorized: false };
 }
 
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
   const ssl = getSslConfig(url);
-  const cleanUrl = url.replace(/[?&]sslmode=\w[\w-]*/g, '').replace(/\?&/, '?').replace(/\?$/, '');
-  const adapter = new PrismaPg({ connectionString: cleanUrl, ssl });
+  const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
 
diff --git a/apps/portal/prisma/client.ts b/apps/portal/prisma/client.ts
@@ -1,30 +1,25 @@
 import { PrismaClient } from '../src/generated/prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-/**
- * Derive pg SSL config from the DATABASE_URL sslmode parameter.
- * See apps/api/prisma/client.ts for detailed documentation.
- */
 function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const match = url.match(/sslmode=(\w[\w-]*)/);
-  if (!match) return undefined;
-  const mode = match[1];
-  switch (mode) {
-    case 'disable': return undefined;
-    case 'require': case 'no-verify': return { rejectUnauthorized: false };
-    case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    default: return undefined;
+  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
+  if (sslmodeMatch) {
+    switch (sslmodeMatch[1]) {
+      case 'disable': return undefined;
+      case 'require': case 'no-verify': return { rejectUnauthorized: false };
+      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
+    }
   }
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  return isLocalhost ? undefined : { rejectUnauthorized: false };
 }
 
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
   const ssl = getSslConfig(url);
-  const cleanUrl = url.replace(/[?&]sslmode=\w[\w-]*/g, '').replace(/\?&/, '?').replace(/\?$/, '');
-  const adapter = new PrismaPg({ connectionString: cleanUrl, ssl });
+  const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
 
diff --git a/packages/db/scripts/combine-schemas.js b/packages/db/scripts/combine-schemas.js
@@ -55,22 +55,22 @@ import { PrismaPg } from '@prisma/adapter-pg';
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
 function getSslConfig(url: string) {
-  const match = url.match(/sslmode=(\\w[\\w-]*)/);
-  if (!match) return undefined;
-  const mode = match[1];
-  switch (mode) {
-    case 'disable': return undefined;
-    case 'require': case 'no-verify': return { rejectUnauthorized: false };
-    case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    default: return undefined;
+  const sslmodeMatch = url.match(/sslmode=(\\w[\\w-]*)/);
+  if (sslmodeMatch) {
+    switch (sslmodeMatch[1]) {
+      case 'disable': return undefined;
+      case 'require': case 'no-verify': return { rejectUnauthorized: false };
+      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
+    }
   }
+  const isLocalhost = /localhost|127\\.0\\.0\\.1|::1/.test(url);
+  return isLocalhost ? undefined : { rejectUnauthorized: false };
 }
 
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
   const ssl = getSslConfig(url);
-  const cleanUrl = url.replace(/[?&]sslmode=\\w[\\w-]*/g, '').replace(/\\?&/, '?').replace(/\\?$/, '');
-  const adapter = new PrismaPg({ connectionString: cleanUrl, ssl });
+  const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
 
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
@@ -1,30 +1,25 @@
 import { PrismaClient } from '@prisma/client';
 import { PrismaPg } from '@prisma/adapter-pg';
 
-
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-/**
- * Derive pg SSL config from the DATABASE_URL sslmode parameter.
- * See apps/api/prisma/client.ts for detailed documentation.
- */
 function getSslConfig(url: string): boolean | { rejectUnauthorized: boolean } | undefined {
-  const match = url.match(/sslmode=(\w[\w-]*)/);
-  if (!match) return undefined;
-  const mode = match[1];
-  switch (mode) {
-    case 'disable': return undefined;
-    case 'require': case 'no-verify': return { rejectUnauthorized: false };
-    case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
-    default: return undefined;
+  const sslmodeMatch = url.match(/sslmode=(\w[\w-]*)/);
+  if (sslmodeMatch) {
+    switch (sslmodeMatch[1]) {
+      case 'disable': return undefined;
+      case 'require': case 'no-verify': return { rejectUnauthorized: false };
+      case 'verify-ca': case 'verify-full': return { rejectUnauthorized: true };
+    }
   }
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(url);
+  return isLocalhost ? undefined : { rejectUnauthorized: false };
 }
 
 function createPrismaClient(): PrismaClient {
   const url = process.env.DATABASE_URL!;
   const ssl = getSslConfig(url);
-  const cleanUrl = url.replace(/[?&]sslmode=\w[\w-]*/g, '').replace(/\?&/, '?').replace(/\?$/, '');
-  const adapter = new PrismaPg({ connectionString: cleanUrl, ssl });
+  const adapter = new PrismaPg({ connectionString: url, ssl });
   return new PrismaClient({ adapter });
 }
 
