no more pg-native; new config flag for DATABASE_SSL (#1831)

docs/configuration.md

@@ -104,6 +104,7 @@ If you are deploying to a custom domain (not `pol.is`) then you need to update b
 
 - **`BACKFILL_COMMENT_LANG_DETECTION`** Set to `true`, if Comment Translation was enabled, to instruct the server upon the next initialization (reboot) to backfill detected language of stored comments. Default `false`.
 - **`CACHE_MATH_RESULTS`** Set this to `true` to instruct the API server to use LRU caching for results from the math service. Default is `true` if left blank.
+- **`DATABASE_SSL`** Set this to `true` for some production environments. Default is `false`.
 - **`DEV_MODE`** Set this to `true` in development and `false` otherwise. Used by API Server to make a variety of assumptions about HTTPS, logging, notifications, etc.
 - **`RUN_PERIODIC_EXPORT_TESTS`** Set this to `true` to run periodic export tests, sent to the **`ADMIN_EMAIL_DATA_EXPORT_TEST`** address.
 - **`SERVER_LOG_TO_FILE`** Set this to `true` to tell Winston.js to also write log files to server/logs/. Defaults to `false`. *Note that if using docker compose, server/logs is mounted as a persistent volume.*

example.env

@@ -62,6 +62,8 @@ POLIS_FROM_ADDRESS="Example <[email protected]>"
 CACHE_MATH_RESULTS=
 # The following flags will all default to false if not set.
 BACKFILL_COMMENT_LANG_DETECTION=
+# Set to `true` for some production environments:
+DATABASE_SSL=
 # Set to `false` for production:
 DEV_MODE=true
 RUN_PERIODIC_EXPORT_TESTS=

server/src/config.ts

@@ -76,6 +76,7 @@ export default {
   ) as boolean,
   cacheMathResults: isTrueOrBlank(process.env.CACHE_MATH_RESULTS) as boolean,
   databaseURL: process.env.DATABASE_URL as string,
+  databaseSSL: isTrue(process.env.DATABASE_SSL) as boolean,
   emailTransportTypes:
     process.env.EMAIL_TRANSPORT_TYPES || (null as string | null),
   encryptionPassword: process.env.ENCRYPTION_PASSWORD_00001 as string,

server/src/db/pg-query.ts

@@ -1,5 +1,5 @@
 import { isFunction, isString, isUndefined } from "underscore";
-import { native as pgnative, Pool, PoolConfig, QueryResult } from "pg";
+import { Pool, PoolConfig, QueryResult } from "pg";
 import { parse as parsePgConnectionString } from "pg-connection-string";
 import QueryStream from "pg-query-stream";
 
@@ -16,8 +16,6 @@ import { MPromise } from "../utils/metered";
 // round up to 20
 // so we can have 25 connections per server, of of which is the preprod server
 // so we can have 1 preprod/3 prod servers, or 2 preprod / 2 prod.
-//
-// Note we use native
 const usingReplica = Config.databaseURL !== Config.readOnlyDatabaseURL;
 const poolSize = Config.isDevMode ? 2 : usingReplica ? 3 : 12;
 
@@ -27,6 +25,11 @@ const pgConnection = Object.assign(
   {
     max: poolSize,
     isReadOnly: false,
+    ssl: Config.databaseSSL
+      ? {
+          rejectUnauthorized: false,
+        }
+      : undefined,
     poolLog: function (str: string, level: string) {
       if (pgPoolLevelRanks.indexOf(level) <= pgPoolLoggingLevel) {
         logger.info("pool.primary." + level + " " + str);
@@ -39,6 +42,11 @@ const readsPgConnection = Object.assign(
   {
     max: poolSize,
     isReadOnly: true,
+    ssl: Config.databaseSSL
+      ? {
+          rejectUnauthorized: false,
+        }
+      : undefined,
     poolLog: function (str: string, level: string) {
       if (pgPoolLevelRanks.indexOf(level) <= pgPoolLoggingLevel) {
         logger.info("pool.readonly." + level + " " + str);
@@ -50,9 +58,9 @@ const readsPgConnection = Object.assign(
 // split requests into centralized read/write transactor pool vs read pool for scalability concerns in keeping
 // pressure down on the transactor (read+write) server
 
-const PoolConstructor = pgnative?.Pool ?? Pool;
-const readWritePool: Pool = new PoolConstructor(pgConnection as PoolConfig);
-const readPool: Pool = new PoolConstructor(readsPgConnection as PoolConfig);
+// const PoolConstructor = pgnative?.Pool ?? Pool;
+const readWritePool: Pool = new Pool(pgConnection as PoolConfig);
+const readPool: Pool = new Pool(readsPgConnection as PoolConfig);
 
 // Same syntax as pg.client.query, but uses connection pool
 // Also takes care of calling 'done'.