
Support SSL database connections#4

Merged
BeforeLights merged 1 commit into main from feat/ssl-support
May 6, 2026

@BeforeLights BeforeLights commented May 6, 2026

Summary by CodeRabbit

  • Chores
    • Added SSL support for database connections with environment-based configuration.

@BeforeLights BeforeLights merged commit 5b69410 into main May 6, 2026
1 check was pending
coderabbitai Bot commented May 6, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between fa07bea and 14e77e6.

📒 Files selected for processing (1)
  • apps/api/src/config/database.ts

📝 Walkthrough

The PR adds SSL support to the database connection by introducing a useSsl constant derived from the DB_SSL environment variable and conditionally including SSL options in the Sequelize configuration when enabled.

Changes

Database SSL Configuration

| Layer / File(s) | Summary |
|---|---|
| Configuration Constants (apps/api/src/config/database.ts) | New useSsl constant reads from DB_SSL environment variable to determine SSL requirement. |
| Sequelize Options (apps/api/src/config/database.ts) | dialectOptions.ssl is conditionally added to Sequelize config with require: true and rejectUnauthorized: true when SSL is enabled; otherwise undefined. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit hops through encrypted doors,
DB_SSL guards the database stores,
With dialectOptions snug and tight,
Our connections dance in cryptographic light! 🔐



Review Summary by Qodo

Add SSL/TLS support for database connections

✨ Enhancement


Walkthroughs

Description
• Add SSL/TLS support for PostgreSQL database connections
• Introduce DB_SSL environment variable to enable SSL mode
• Configure SSL options with require: true and rejectUnauthorized: false
Diagram
```mermaid
flowchart LR
  env["DB_SSL environment variable"] -- "checked" --> useSsl["useSsl flag"]
  useSsl -- "if true" --> dialectOptions["dialectOptions with SSL config"]
  dialectOptions -- "applied to" --> sequelize["Sequelize instance"]
```


File Changes

1. apps/api/src/config/database.ts ✨ Enhancement +12/-0

Enable SSL configuration for PostgreSQL connections

• Added useSsl constant that reads DB_SSL environment variable
• Conditionally set dialectOptions with SSL configuration when DB_SSL is "true"
• SSL options include require: true and rejectUnauthorized: false
• Added formatting with blank lines for improved readability


qodo-code-review Bot commented May 6, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0)



Action required

1. TLS verification disabled 🐞 Bug ⛨ Security
Description
When DB_SSL=true, the DB client is configured with ssl.rejectUnauthorized=false, which disables
TLS server certificate verification and allows MITM against the database connection. This is
especially risky for remote DB deployments (e.g., the Lightsail setup uses a managed PostgreSQL
instance over the network).
Code

apps/api/src/config/database.ts[R17-22]

+        dialectOptions: useSsl
+            ? {
+                  ssl: {
+                      require: true,
+                      rejectUnauthorized: false,
+                  },
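Review bot: `rejectUnauthorized: false` inside the `ssl` block is hard-coded, so every deployment that sets `DB_SSL=true` gets an encrypted connection to a server whose certificate is never checked. Set it to `true` here and, if the database presents a certificate from a private or provider CA, supply that CA through the `ssl` options instead of turning verification off.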
Evidence
The Sequelize config explicitly disables certificate verification (rejectUnauthorized: false)
whenever DB_SSL is enabled, and the Lightsail deployment docs indicate the DB is remote/managed
(network hop), where TLS verification matters.

apps/api/src/config/database.ts[17-23]
docs/deploy-lightsail.md[3-9]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`rejectUnauthorized: false` disables TLS server certificate validation for database SSL connections, enabling MITM attacks and silent connections to untrusted endpoints.

### Issue Context
The code enables SSL via `DB_SSL=true`, but hard-codes `rejectUnauthorized: false`.

### Fix Focus Areas
- apps/api/src/config/database.ts[17-23]

### Suggested fix
- Default to `rejectUnauthorized: true`.
- If you need to support custom/managed CAs, add env-based configuration (e.g., `DB_SSL_REJECT_UNAUTHORIZED`, `DB_SSL_CA`/`DB_SSL_CA_PATH`) and pass the CA to the `ssl` options instead of disabling verification.




Remediation recommended

2. Undefined optional breaks typing 🐞 Bug ≡ Correctness
Description
dialectOptions is explicitly set to undefined when SSL is off; with exactOptionalPropertyTypes
enabled, this pattern can fail TypeScript typechecking for optional properties that don’t explicitly
include undefined. Omitting the property entirely avoids this class of type errors and keeps the
config idiomatic.
Code

apps/api/src/config/database.ts[R17-24]

+        dialectOptions: useSsl
+            ? {
+                  ssl: {
+                      require: true,
+                      rejectUnauthorized: false,
+                  },
+              }
+            : undefined,
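Review bot: the `: undefined` arm on the last added line still writes a `dialectOptions` key into the config when SSL is off. Add the key conditionally (an object spread or an `if (useSsl)` block) so the non-SSL config has no such property at all.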
Evidence
The project enables exactOptionalPropertyTypes, and the PR introduces an explicit undefined
assignment for dialectOptions via a ternary; this combination is a known source of TS
build/typecheck failures.

apps/api/src/config/database.ts[17-24]
apps/api/tsconfig.json[29-32]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The Sequelize options object sets `dialectOptions: undefined` when SSL is disabled. With `exactOptionalPropertyTypes: true`, explicitly assigning `undefined` can be rejected by TypeScript for optional properties.

### Issue Context
`apps/api/tsconfig.json` enables `exactOptionalPropertyTypes`.

### Fix Focus Areas
- apps/api/src/config/database.ts[17-24]
- apps/api/tsconfig.json[29-32]

### Suggested fix
Build the options object without `dialectOptions` when SSL is off, e.g.:
```ts
const options: SequelizeOptions = {
 host: ...,
 ...,
 ...(useSsl ? { dialectOptions: { ssl: { ... } } } : {}),
};
```
(or use an `if (useSsl) { options.dialectOptions = ... }` block).



3. DB_SSL missing from templates 🐞 Bug ⚙ Maintainability
Description
The PR introduces a new DB_SSL environment toggle, but it is absent from the repo’s .env.example
and deployment env templates, making SSL enablement easy to miss and causing misconfigured
deployments. The Lightsail deployment doc also doesn’t mention the new variable despite using a
managed remote Postgres instance.
Code

apps/api/src/config/database.ts[6]

+const useSsl = process.env.DB_SSL === "true";
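Review bot: the strict comparison `=== "true"` treats every other spelling (`TRUE`, `1`, `yes`, a value with trailing whitespace) as off, so a mistyped `DB_SSL` silently yields a connection without SSL. Normalise the value (trim and lower-case) and throw at startup on anything that is not a recognised true/false, so a misconfiguration fails loudly.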
Evidence
Only the runtime code references DB_SSL, while the environment templates used for local setup and
Lightsail deployment omit it; the deployment documentation describes a remote managed Postgres setup
but provides no guidance for enabling SSL.

apps/api/src/config/database.ts[6-6]
apps/api/.env.example[1-11]
deploy/lightsail/api.env.example[1-11]
docs/deploy-lightsail.md[5-9]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
A new required/important env toggle (`DB_SSL`) was added in code but not documented in env templates or deployment docs, so operators won’t know to set it.

### Issue Context
Local setup scripts/docs rely on `.env.example`, and Lightsail deploy relies on `deploy/lightsail/api.env.example`.

### Fix Focus Areas
- apps/api/.env.example[1-11]
- deploy/lightsail/api.env.example[1-11]
- docs/deploy-lightsail.md[17-27]
- apps/api/src/config/database.ts[6-6]

### Suggested fix
- Add `DB_SSL=false` (and any related SSL vars you introduce, e.g. CA/rejectUnauthorized) to env examples.
- Update deployment docs to mention when/why to set `DB_SSL=true` for managed/remote Postgres.



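The suggested fixes for issues 1 and 2 above combined in one place, as an added example that is not code from this pull request, the repository or Sequelize. `DB_SSL` is the PR's toggle; `DB_SSL_CA` is a hypothetical variable (the review only proposes the name), and `parseToggle` and `sslFragment` are hypothetical helpers. It goes one step beyond the review by rejecting unrecognised `DB_SSL` values.

```typescript
// Added example: not code from this pull request or from Sequelize.
// DB_SSL is the PR's toggle; DB_SSL_CA and both helpers are hypothetical.
type Env = Record<string, string | undefined>;

interface SslOptions {
    require: true;
    rejectUnauthorized: true; // the type leaves no way to switch verification off
    ca?: string;
}

interface SslFragment {
    dialectOptions?: { ssl: SslOptions };
}

// Strict toggle: unknown spellings throw instead of silently disabling TLS.
function parseToggle(name: string, raw: string | undefined): boolean {
    const v = (raw ?? "").trim().toLowerCase();
    if (v === "" || v === "false") return false;
    if (v === "true") return true;
    throw new Error(`${name} must be "true" or "false", got "${raw}"`);
}

// Fragment to spread into the Sequelize options object.
function sslFragment(env: Env): SslFragment {
    if (!parseToggle("DB_SSL", env["DB_SSL"])) {
        return {}; // SSL off: the dialectOptions key is absent, not undefined
    }
    const ssl: SslOptions = { require: true, rejectUnauthorized: true };
    const ca = (env["DB_SSL_CA"] ?? "").trim();
    if (ca !== "") {
        if (!ca.startsWith("-----BEGIN CERTIFICATE-----")) {
            throw new Error("DB_SSL_CA is set but is not PEM text");
        }
        ssl.ca = ca.replace(/\\n/g, "\n"); // env files often hold PEM with literal \n
    }
    return { dialectOptions: { ssl } };
}

// Constructed sample environment; the certificate body is a placeholder.
const sampleEnv: Env = {
    DB_SSL: "true",
    DB_SSL_CA: "-----BEGIN CERTIFICATE-----\\n(placeholder)\\n-----END CERTIFICATE-----",
};
const sampleOptions = {
    host: "db.example.internal", // constructed host name
    dialect: "postgres",
    ...sslFragment(sampleEnv),
};
```
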