Skip to content

fix(db): validate SSL certificate on production database connections#67

Merged
sg-gs merged 3 commits into
masterfrom
fix/db-ssl-ca-verification
Jul 10, 2026
Merged

fix(db): validate SSL certificate on production database connections#67
sg-gs merged 3 commits into
masterfrom
fix/db-ssl-ca-verification

Conversation

@sg-gs

@sg-gs sg-gs commented Jul 10, 2026

Copy link
Copy Markdown
Member

What

Both database SSL configs now validate the server certificate (rejectUnauthorized: true) instead of disabling verification:

  • src/config/sequelize.js (used by sequelize-cli for migrations)
  • src/app.module.ts (used by the running app, for both the main and drive database connections)

The CA is read from environment variables (base64-encoded PEM), decoded via ConfigService at runtime.

Why

The previous config used rejectUnauthorized: false in both places, disabling certificate verification and exposing the connections to MITM attacks. The main and drive databases are separate instances, each with its own CA, so each connection now validates against its own certificate.

⚠️ Requires new environment variables before deploying to production:

  • DB_CA_CERT — base64-encoded PEM CA certificate for the main database
  • DRIVE_DB_CA_CERT — base64-encoded PEM CA certificate for the drive database

@sg-gs sg-gs requested a review from jzunigax2 as a code owner July 10, 2026 09:43
@sg-gs sg-gs self-assigned this Jul 10, 2026
@sg-gs sg-gs added the enhancement New feature or request label Jul 10, 2026
@sg-gs sg-gs marked this pull request as draft July 10, 2026 09:43
@sg-gs sg-gs requested a review from TamaraFinogina July 10, 2026 09:44
@sg-gs

sg-gs commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

It's still in draft @TamaraFinogina

@TamaraFinogina

Copy link
Copy Markdown
Contributor

Yes, but only due to the missing variable, no?

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

@sg-gs

sg-gs commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

Draft means not ready for review, with independence of the reason haha @TamaraFinogina. In fact, it was not just a value missing. I discovered migrations and server's db connection using independent sequelize configs.

@sg-gs sg-gs marked this pull request as ready for review July 10, 2026 10:14
@sg-gs

sg-gs commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

Now it's ready for review @TamaraFinogina. Tested it locally using OVH's certs.

@sg-gs

sg-gs commented Jul 10, 2026

Copy link
Copy Markdown
Member Author

Environment variables are already configured in production also ✅

@sg-gs sg-gs requested a review from TamaraFinogina July 10, 2026 10:19
@sg-gs sg-gs merged commit 0ded78a into master Jul 10, 2026
5 of 7 checks passed
@sg-gs sg-gs deleted the fix/db-ssl-ca-verification branch July 10, 2026 12:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants