fix(db): add more options for SSL connection, add envvar for base64 db cert #1533
Greptile Overview
Summary
This PR significantly enhances PostgreSQL SSL connection configuration across the entire database layer. The key change transforms the binary `DATABASE_SSL` boolean environment variable into a comprehensive enum supporting PostgreSQL's standard SSL modes: `'disable'`, `'prefer'`, `'require'`, `'verify-ca'`, and `'verify-full'`. Additionally, a new `DATABASE_SSL_CA` environment variable is introduced to support base64-encoded CA certificates for SSL verification.

The implementation spans multiple files including the main database configuration (packages/db/index.ts), socket server operations (apps/sim/socket-server/database/operations.ts), migration scripts, and administrative tools. Each file implements a consistent getSSLConfig() function that handles the different SSL modes appropriately:
- `'disable'` returns false (no SSL)
- `'prefer'` returns 'prefer' string (attempt SSL, fallback to no SSL)
- `'require'` sets `rejectUnauthorized = false` (encrypted but doesn't verify certificates)
- `'verify-ca'` and `'verify-full'` set `rejectUnauthorized = true` with optional CA certificate support
The changes maintain strict backward compatibility - users without DATABASE_SSL configured will experience no behavioral changes, while those who set it gain granular control over SSL security levels. The base64 encoding approach for CA certificates enables easy deployment in containerized environments where certificate files are difficult to mount.
Additionally, the PR includes some unrelated UI improvements: preloading data on navigation hover in the settings modal and refactoring the billing notifications toggle to use centralized state management via useGeneralStore.
Important Files Changed
Changed Files
| Filename | Score | Overview |
|---|---|---|
| apps/sim/lib/env.ts | 5/5 | Enhanced DATABASE_SSL from boolean to enum with proper PostgreSQL SSL modes and added DATABASE_SSL_CA validation |
| packages/db/index.ts | 3/5 | Implemented SSL configuration with getSSLConfig function but uses 'any' type which bypasses TypeScript safety |
| packages/db/scripts/migrate-deployment-versions.ts | 4/5 | Added comprehensive SSL configuration support with proper error handling and backward compatibility |
| apps/sim/socket-server/database/operations.ts | 4/5 | Consistent SSL configuration implementation replacing isTruthy function with proper mode handling |
| apps/sim/socket-server/rooms/manager.ts | 3/5 | SSL configuration added but 'require' mode sets rejectUnauthorized=false which may be insecure |
| packages/db/scripts/register-sso-provider.ts | 4/5 | Proper SSL configuration implementation with comprehensive mode support and error handling |
| packages/db/scripts/deregister-sso-provider.ts | 4/5 | New script with consistent SSL configuration patterns and both targeted and bulk deletion capabilities |
| apps/sim/.env.example | 4/5 | Updated documentation with clear SSL mode options and base64 certificate generation instructions |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/settings-navigation/settings-navigation.tsx | 3/5 | Added data preloading on hover but seems unrelated to SSL database changes |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/subscription.tsx | 4/5 | Refactored to use centralized state management with proper loading states and error handling |
Confidence score: 4/5
- This PR is generally safe to merge with some minor concerns around type safety and security configuration
- Score reflects comprehensive SSL implementation but points deducted for `any` type usage and potentially insecure 'require' mode configuration
- Pay close attention to packages/db/index.ts and socket-server files for type safety and SSL security configurations
10 files reviewed, 9 comments
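The mode mapping described in the review above, written out as an added TypeScript example (it is not the PR's or the project's code). The function names, the fail-closed check on the decoded CA, the rejection of unknown modes and the `undefined` result for an unset variable are assumptions; the sample certificate is a constructed placeholder.

```typescript
// Added illustration; buildSslConfig, decodeCa and authenticatesServer are hypothetical names.
type SslMode = 'disable' | 'prefer' | 'require' | 'verify-ca' | 'verify-full'
type SslConfig = false | 'prefer' | { rejectUnauthorized: boolean; ca?: string }

const SSL_MODES: readonly SslMode[] = ['disable', 'prefer', 'require', 'verify-ca', 'verify-full']

// Constructed placeholder, not a real certificate: only the PEM framing matters here.
const SAMPLE_PEM = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
const SAMPLE_CA_B64 = Buffer.from(SAMPLE_PEM, 'utf8').toString('base64')

// Decode DATABASE_SSL_CA and fail closed if the result is not PEM.
function decodeCa(b64: string): string {
  const pem = Buffer.from(b64, 'base64').toString('utf8')
  if (pem.indexOf('-----BEGIN CERTIFICATE-----') === -1) {
    throw new Error('DATABASE_SSL_CA does not decode to a PEM certificate')
  }
  return pem
}

function buildSslConfig(mode?: string, caB64?: string): SslConfig | undefined {
  // Assumption: an unset variable adds no ssl option, so the driver default is kept.
  if (mode === undefined || mode === '') return undefined
  if (SSL_MODES.indexOf(mode as SslMode) === -1) {
    throw new Error('unknown DATABASE_SSL mode: ' + mode)
  }
  switch (mode as SslMode) {
    case 'disable':
      return false
    case 'prefer':
      return 'prefer'
    case 'require':
      // Encrypted, but the server certificate is not verified.
      return { rejectUnauthorized: false }
    default: {
      // 'verify-ca' and 'verify-full': verification on, CA attached when provided.
      const cfg: { rejectUnauthorized: boolean; ca?: string } = { rejectUnauthorized: true }
      if (caB64) cfg.ca = decodeCa(caB64)
      return cfg
    }
  }
}

// True only when the resulting config makes the client validate the server certificate.
function authenticatesServer(cfg: SslConfig | undefined): boolean {
  return typeof cfg === 'object' && cfg.rejectUnauthorized === true
}

// Modes whose resulting config does not verify the server certificate.
function unauthenticatedModes(): SslMode[] {
  return SSL_MODES.filter((m) => !authenticatesServer(buildSslConfig(m, SAMPLE_CA_B64)))
}
```

Following the description above, `'verify-ca'` and `'verify-full'` produce the same object in this sketch, and `unauthenticatedModes()` lists the settings a deployment check could flag.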
* Add get ops examples
* input format incorrectly created by copilot should not crash workflow
* fix tool edits triggering overall delta
* fix(db): add more options for SSL connection, add envvar for base64 db cert (#1533)
* fix trigger additions
* fix nested outputs for triggers
* add condition subblock sanitization
* fix custom tools json
* Model selector
* fix response format sanitization
* remove dead code
* fix export sanitization
* Update migration
* fix import race cond
* Copilot settings
* fix response format
* stop loops/parallels copilot generation from breaking diff view
* fix lint
* Apply suggestion from @greptile-apps[bot]
  Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
* fix tests
* fix lint

---------

Co-authored-by: Siddharth Ganesan <[email protected]>
Co-authored-by: Waleed <[email protected]>
Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
Summary
Add more options for SSL connection, add envvar for base64 db cert. For users who don't set anything, nothing changes, but for those who set DATABASE_SSL to a non-nil value, we respect their option.
Type of Change
Testing
Manually.
Checklist