fix: respect PG_META_DB_PORT when encrypted connection header uses internal 'db' alias#1061
Open
nancysangani wants to merge 1 commit intosupabase:masterfrom
Open
Conversation
nancysangani
requested review from
a team,
avallete and
soedirgo
as code owners
Contributor
Author
|
/cc @avallete |
There was a problem hiding this comment.
Pull request overview
Fixes self-hosted setups where the upstream x-connection-encrypted header decrypts to an internal host=db connection string, causing postgres-meta to ignore the configured DB host/port and attempt to connect to the internal Docker alias/default port.
Changes:
- Decrypt
x-connection-encryptedto a UTF-8 connection string and, when hostname isdb, substitute host/port fromPG_CONNECTION. - Keep non-
db(multi-tenant/external) encrypted connection strings unchanged. - Add a regression test for encrypted connection strings using the internal
dbhostname.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
src/server/routes/index.ts |
Decrypts and conditionally rewrites encrypted connection strings when the hostname is db. |
test/server/ssl.ts |
Adds a test covering the encrypted db hostname scenario. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+41
to
+46
| const decryptedUrl = new URL(decrypted) | ||
| if (decryptedUrl.hostname === 'db') { | ||
| const configuredUrl = new URL(PG_CONNECTION) | ||
| decryptedUrl.hostname = configuredUrl.hostname | ||
| decryptedUrl.port = configuredUrl.port | ||
| } |
Comment on lines
+130
to
+138
| test('query with encrypted connection string using internal "db" host respects PG_META_DB_PORT', async () => { | ||
| const res = await app.inject({ | ||
| method: 'POST', | ||
| path: '/query', | ||
| headers: { | ||
| 'x-connection-encrypted': CryptoJS.AES.encrypt( | ||
| 'postgresql://postgres:postgres@db:5432/postgres', | ||
| CRYPTO_KEY | ||
| ).toString(), |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #1020
In self-hosted Supabase setups, the upstream proxy (Studio/Kong) sends an
x-connection-encryptedheader that decodes to a connection string withhost=db, port=5432— the default internal Docker service name. This header was used as-is, completely ignoringPG_META_DB_URL/PG_META_DB_PORT, causing eitherENOTFOUND dbor connections to the wrong port.When the decrypted connection string uses hostname
db, this fix substitutes the host and port fromPG_CONNECTION(built from env vars). The multi-tenant case (encrypted header pointing to an arbitrary external DB) is unaffected.