From d2dfa41acdfbdb8b98122d6a73ecb354d18263ce Mon Sep 17 00:00:00 2001
From: Gunnar Smith
Date: Fri, 19 Sep 2025 23:11:22 -0500
Subject: [PATCH] POSTGRES_SSL_ENABLED environment variable
---
 README.md | 3 ++-
 backend/create_database.js | 4 +++-
 backend/db.js | 4 +++-
 backend/migrations.js | 8 ++++++--
 backend/routes/backup.js | 4 +++-
 5 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 9591ba0..b08fb97 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,8 @@
 | POSTGRES_PASSWORD `REQUIRED` | `null` | `postgres` | Password that will be used in postgres database |
 | POSTGRES_IP `REQUIRED` | `null` | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance |
 | POSTGRES_PORT `REQUIRED` | `null` | `5432` | Port Postgres is running on |
-| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify SSL certificates on postgres server
+| POSTGRES_SSL_ENABLED | `false` | `true` | Enable SSL connections to Postgres
+| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true
 | JS_LISTEN_IP | `0.0.0.0`| `0.0.0.0` or `::` | Enable listening on specific IP or `::` for IPv6 |
 | JWT_SECRET `REQUIRED` | `null` | `my-secret-jwt-key` | JWT Key to be used to encrypt JWT tokens for authentication |
 | TZ `REQUIRED` | `null` | `Etc/UTC` | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) |
diff --git a/backend/create_database.js b/backend/create_database.js
index 2001a03..a72b317 100644
--- a/backend/create_database.js
+++ b/backend/create_database.js
@@ -12,7 +12,9 @@ const client = new Client({
 user: _POSTGRES_USER,
 password: _POSTGRES_PASSWORD,
 port: _POSTGRES_PORT,
- ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED }
+ ...(process.env.POSTGRES_SSL_ENABLED === "true"
+ ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } }
+ : {})
 });
 const createDatabase = async () => {
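Review bot: The new guard `process.env.POSTGRES_SSL_ENABLED === "true"` in the create_database.js hunk fails open: a value such as `TRUE`, `True` or `1` is treated as disabled, so the client connects without TLS and nothing reports it. The same inline comparison is repeated in the db.js, migrations.js and backup.js hunks, while this file otherwise takes its settings from `_POSTGRES_*` constants that are defined above the hunk. Parsing the flag once next to those constants would give a single place to normalise it, for example `const _POSTGRES_SSL_ENABLED = (process.env.POSTGRES_SSL_ENABLED || "").trim().toLowerCase() === "true";`, and to warn on or reject a value that is neither true nor false. The `new Client({` call begins outside the hunk, so where those constants are built is not visible here.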
diff --git a/backend/db.js b/backend/db.js
index d6af617..a41c2b2 100644
--- a/backend/db.js
+++ b/backend/db.js
@@ -23,7 +23,9 @@ const pool = new Pool({
 max: 20, // Maximum number of connections in the pool
 idleTimeoutMillis: 30000, // Close idle clients after 30 seconds
 connectionTimeoutMillis: 2000, // Return an error after 2 seconds if connection could not be established
- ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } // Enable SSL without strict cert validation
+ ...(process.env.POSTGRES_SSL_ENABLED === "true"
+ ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } }
+ : {})
 });
 pool.on("error", (err, client) => {
diff --git a/backend/migrations.js b/backend/migrations.js
index 6d1ffd7..a53993a 100644
--- a/backend/migrations.js
+++ b/backend/migrations.js
@@ -12,7 +12,9 @@ module.exports = {
 port:process.env.POSTGRES_PORT,
 database: process.env.POSTGRES_DB || 'jfstat',
 createDatabase: true,
- ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" }
+ ...(process.env.POSTGRES_SSL_ENABLED === "true"
+ ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } }
+ : {})
 },
 migrations: {
 directory: __dirname + '/migrations',
@@ -40,7 +42,9 @@ module.exports = {
 port:process.env.POSTGRES_PORT,
 database: process.env.POSTGRES_DB || 'jfstat',
 createDatabase: true,
- ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" }
+ ...(process.env.POSTGRES_SSL_ENABLED === "true"
+ ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } }
+ : {})
 },
 migrations: {
 directory: __dirname + '/migrations',
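Review bot: In the db.js hunk the pool no longer negotiates TLS unless POSTGRES_SSL_ENABLED is set, whereas the removed line passed an `ssl` object unconditionally, so a deployment that upgrades without adding the variable moves its database traffic to an unencrypted connection with no signal. A startup warning would make that visible, e.g. `if (process.env.POSTGRES_SSL_ENABLED !== "true") console.warn("Postgres TLS is disabled (POSTGRES_SSL_ENABLED is not 'true')");` placed before `new Pool({`, which starts outside the hunk. The trailing comment on the removed line was dropped without a replacement; something like `// TLS is opt-in via POSTGRES_SSL_ENABLED; certificate checks follow POSTGRES_SSL_REJECT_UNAUTHORIZED` would document the new behaviour.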
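Review bot: In both migrations.js hunks the `rejectUnauthorized` expression turns certificate verification on only when the variable is unset or exactly `"true"`, so `POSTGRES_SSL_REJECT_UNAUTHORIZED=TRUE` or `=1` disables verification even though TLS is enabled. Treating only an explicit opt-out as off is the safer reading: `rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED !== "false"`. The long conditional is also duplicated verbatim in the two connection blocks; computing it once in a constant above `module.exports`, which begins outside these hunks, and spreading that constant in both places would keep the two configurations from drifting apart.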
diff --git a/backend/routes/backup.js b/backend/routes/backup.js
index f756c02..f98bf82 100644
--- a/backend/routes/backup.js
+++ b/backend/routes/backup.js
@@ -54,7 +54,9 @@ async function restore(file, refLog) {
 host: postgresIp,
 port: postgresPort,
 database: postgresDatabase,
- ssl: { rejectUnauthorized: postgresSslRejectUnauthorized },
+ ...(process.env.POSTGRES_SSL_ENABLED === "true"
+ ? { ssl: { rejectUnauthorized: postgresSslRejectUnauthorized } }
+ : {}),
 });
 const backupPath = file;