From bc7571dab4d76440bd0f6d5c78c6f0e66c44c910 Mon Sep 17 00:00:00 2001 From: Gunnar Smith Date: Fri, 19 Sep 2025 22:21:41 -0500 Subject: [PATCH 1/6] user configurable validation of psql ssl --- backend/create_database.js | 2 ++ backend/db.js | 2 ++ backend/migrations.js | 2 ++ backend/routes/backup.js | 3 +++ 4 files changed, 9 insertions(+) diff --git a/backend/create_database.js b/backend/create_database.js index 700d243..2001a03 100644 --- a/backend/create_database.js +++ b/backend/create_database.js @@ -5,12 +5,14 @@ const _POSTGRES_PASSWORD = process.env.POSTGRES_PASSWORD; const _POSTGRES_IP = process.env.POSTGRES_IP; const _POSTGRES_PORT = process.env.POSTGRES_PORT; const _POSTGRES_DATABASE = process.env.POSTGRES_DB || 'jfstat'; +const _POSTGRES_SSL_REJECT_UNAUTHORIZED = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true"; const client = new Client({ host: _POSTGRES_IP, user: _POSTGRES_USER, password: _POSTGRES_PASSWORD, port: _POSTGRES_PORT, + ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } }); const createDatabase = async () => { diff --git a/backend/db.js b/backend/db.js index bebde95..d6af617 100644 --- a/backend/db.js +++ b/backend/db.js @@ -7,6 +7,7 @@ const _POSTGRES_PASSWORD = process.env.POSTGRES_PASSWORD; const _POSTGRES_IP = process.env.POSTGRES_IP; const _POSTGRES_PORT = process.env.POSTGRES_PORT; const _POSTGRES_DATABASE = process.env.POSTGRES_DB || "jfstat"; +const _POSTGRES_SSL_REJECT_UNAUTHORIZED = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true"; if ([_POSTGRES_USER, _POSTGRES_PASSWORD, _POSTGRES_IP, _POSTGRES_PORT].includes(undefined)) { console.log("Error: Postgres details not defined"); 
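Review bot: The `_POSTGRES_SSL_REJECT_UNAUTHORIZED` expression added at the top of the create_database.js hunk fails open: any value other than the exact string `"true"` — `"TRUE"`, `"1"`, `"yes"`, or an empty string left behind by a compose template — turns certificate verification off, and with `rejectUnauthorized: false` Node's TLS stack also stops a hostname mismatch from failing the handshake, so an on-path attacker can present any certificate. A security toggle should only relax when explicitly told to: `const _POSTGRES_SSL_REJECT_UNAUTHORIZED = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED !== "false";`. For the self-signed-server case that usually motivates this flag, an `ssl.ca` loaded from a file-path variable would let operators keep verification on instead of disabling it (not part of this series, so a follow-up). The same expression is repeated in db.js, migrations.js and backup.js in this patch and needs the same change in each place.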
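Review bot: The startup check on the context line `if ([_POSTGRES_USER, _POSTGRES_PASSWORD, _POSTGRES_IP, _POSTGRES_PORT].includes(undefined))` in the db.js hunk never looks at the new `POSTGRES_SSL_REJECT_UNAUTHORIZED` value, so a typo such as `flase` or `FALSE` is accepted and, under the `=== "true"` test two lines above, silently disables certificate checking. Reject anything that is not exactly `"true"` or `"false"` in the same place: `const sslFlag = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED;` / `if (sslFlag !== undefined && !["true", "false"].includes(sslFlag)) {` / `console.log('Error: POSTGRES_SSL_REJECT_UNAUTHORIZED must be "true" or "false");`, followed by whatever the existing branch does for missing details. That branch's body is past the end of the hunk, so I cannot see whether it exits or merely logs.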
@@ -22,6 +23,7 @@ const pool = new Pool({ max: 20, // Maximum number of connections in the pool idleTimeoutMillis: 30000, // Close idle clients after 30 seconds connectionTimeoutMillis: 2000, // Return an error after 2 seconds if connection could not be established + ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } // Enable SSL without strict cert validation }); pool.on("error", (err, client) => { diff --git a/backend/migrations.js b/backend/migrations.js index 0240694..6d1ffd7 100644 --- a/backend/migrations.js +++ b/backend/migrations.js @@ -12,6 +12,7 @@ module.exports = { port:process.env.POSTGRES_PORT, database: process.env.POSTGRES_DB || 'jfstat', createDatabase: true, + ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } }, migrations: { directory: __dirname + '/migrations', @@ -39,6 +40,7 @@ module.exports = { port:process.env.POSTGRES_PORT, database: process.env.POSTGRES_DB || 'jfstat', createDatabase: true, + ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } }, migrations: { directory: __dirname + '/migrations', diff --git a/backend/routes/backup.js b/backend/routes/backup.js index 6e768ce..f756c02 100644 --- a/backend/routes/backup.js +++ b/backend/routes/backup.js @@ -23,6 +23,8 @@ const postgresPassword = process.env.POSTGRES_PASSWORD; const postgresIp = process.env.POSTGRES_IP; const postgresPort = process.env.POSTGRES_PORT; const postgresDatabase = process.env.POSTGRES_DB || "jfstat"; +const postgresSslRejectUnauthorized = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true"; + const backupfolder = "backup-data"; // Restore function 
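Review bot: The trailing comment on the added `ssl:` line of the db.js pool hunk, `// Enable SSL without strict cert validation`, states the opposite of what the code does by default — `_POSTGRES_SSL_REJECT_UNAUTHORIZED` is `true` unless the variable is set, so validation is strict. A later reader will take the comment at face value and assume this connection is already unverified; replace it with `// TLS to Postgres; certificate verification stays on unless POSTGRES_SSL_REJECT_UNAUTHORIZED=false`. The `pool.on("error", …)` handler the hunk ends on continues outside the hunk.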
@@ -52,6 +54,7 @@ async function restore(file, refLog) { host: postgresIp, port: postgresPort, database: postgresDatabase, + ssl: { rejectUnauthorized: postgresSslRejectUnauthorized }, }); const backupPath = file; From b4e43c5008b869c1828334dd6a751aa8fdec4163 Mon Sep 17 00:00:00 2001 From: Gunnar Smith Date: Fri, 19 Sep 2025 22:39:11 -0500 Subject: [PATCH 2/6] readme update --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index cbe2db0..9591ba0 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,7 @@ | POSTGRES_PASSWORD `REQUIRED` | `null` | `postgres` | Password that will be used in postgres database | | POSTGRES_IP `REQUIRED` | `null` | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance | | POSTGRES_PORT `REQUIRED` | `null` | `5432` | Port Postgres is running on | +| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify SSL certificates on postgres server | JS_LISTEN_IP | `0.0.0.0`| `0.0.0.0` or `::` | Enable listening on specific IP or `::` for IPv6 | | JWT_SECRET `REQUIRED` | `null` | `my-secret-jwt-key` | JWT Key to be used to encrypt JWT tokens for authentication | | TZ `REQUIRED` | `null` | `Etc/UTC` | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) | From d2dfa41acdfbdb8b98122d6a73ecb354d18263ce Mon Sep 17 00:00:00 2001 From: Gunnar Smith Date: Fri, 19 Sep 2025 23:11:22 -0500 Subject: [PATCH 3/6] POSTGRES_SSL_ENABLED environment variable --- README.md | 3 ++- backend/create_database.js | 4 +++- backend/db.js | 4 +++- backend/migrations.js | 8 ++++++-- backend/routes/backup.js | 4 +++- 5 files changed, 17 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 9591ba0..b08fb97 100644 --- a/README.md +++ b/README.md 
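Review bot: The `new Client({ … })` inside `restore()` that gains the `ssl:` line here duplicates the connection settings the pool in db.js already holds, so every TLS change must be made twice, and a missed copy leaves the restore path — which writes the whole database back in — connecting with different settings than the rest of the app (this client, for instance, has no `connectionTimeoutMillis` where the pool does). Export the options from db.js (`module.exports.connectionOptions = { host, user, password, port, ...ssl }`) and build this client as `new Client({ ...connectionOptions, database: postgresDatabase })`, or pass the pool itself into restore. `restore(file, refLog)` starts and ends outside the hunk, so the user/password lines presumably above `host:` are not visible here.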
@@ -30,7 +30,8 @@ | POSTGRES_PASSWORD `REQUIRED` | `null` | `postgres` | Password that will be used in postgres database | | POSTGRES_IP `REQUIRED` | `null` | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance | | POSTGRES_PORT `REQUIRED` | `null` | `5432` | Port Postgres is running on | -| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify SSL certificates on postgres server +| POSTGRES_SSL_ENABLED | `false` | `true` | Enable SSL connections to Postgres +| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true | JS_LISTEN_IP | `0.0.0.0`| `0.0.0.0` or `::` | Enable listening on specific IP or `::` for IPv6 | | JWT_SECRET `REQUIRED` | `null` | `my-secret-jwt-key` | JWT Key to be used to encrypt JWT tokens for authentication | | TZ `REQUIRED` | `null` | `Etc/UTC` | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) | diff --git a/backend/create_database.js b/backend/create_database.js index 2001a03..a72b317 100644 --- a/backend/create_database.js +++ b/backend/create_database.js @@ -12,7 +12,9 @@ const client = new Client({ user: _POSTGRES_USER, password: _POSTGRES_PASSWORD, port: _POSTGRES_PORT, - ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } + ...(process.env.POSTGRES_SSL_ENABLED === "true" + ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } } + : {}) }); const createDatabase = async () => { diff --git a/backend/db.js b/backend/db.js index d6af617..a41c2b2 100644 --- a/backend/db.js +++ b/backend/db.js 
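Review bot: With the spread added to the create_database.js `Client` options, a deployment that sets `POSTGRES_SSL_REJECT_UNAUTHORIZED` but not `POSTGRES_SSL_ENABLED` gets no `ssl` key at all — a plaintext connection — and nothing says so, so the operator believes they configured verification and actually has no TLS. Hoist the flag next to the other constants, `const _POSTGRES_SSL_ENABLED = process.env.POSTGRES_SSL_ENABLED === "true";`, spread `...(_POSTGRES_SSL_ENABLED ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } } : {})`, and warn once at startup when `!_POSTGRES_SSL_ENABLED && process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED !== undefined`, e.g. `console.warn('POSTGRES_SSL_REJECT_UNAUTHORIZED is ignored because POSTGRES_SSL_ENABLED is not "true"');`. Reading `process.env` inline inside the object literal while its sibling flag is a named constant is also inconsistent with how this file treats every other setting.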
@@ -23,7 +23,9 @@ const pool = new Pool({ max: 20, // Maximum number of connections in the pool idleTimeoutMillis: 30000, // Close idle clients after 30 seconds connectionTimeoutMillis: 2000, // Return an error after 2 seconds if connection could not be established - ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } // Enable SSL without strict cert validation + ...(process.env.POSTGRES_SSL_ENABLED === "true" + ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } } + : {}) }); pool.on("error", (err, client) => { diff --git a/backend/migrations.js b/backend/migrations.js index 6d1ffd7..a53993a 100644 --- a/backend/migrations.js +++ b/backend/migrations.js @@ -12,7 +12,9 @@ module.exports = { port:process.env.POSTGRES_PORT, database: process.env.POSTGRES_DB || 'jfstat', createDatabase: true, - ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } + ...(process.env.POSTGRES_SSL_ENABLED === "true" + ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } } + : {}) }, migrations: { directory: __dirname + '/migrations', @@ -40,7 +42,9 @@ module.exports = { port:process.env.POSTGRES_PORT, database: process.env.POSTGRES_DB || 'jfstat', createDatabase: true, - ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } + ...(process.env.POSTGRES_SSL_ENABLED === "true" + ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } } + : {}) }, migrations: { directory: __dirname + '/migrations', diff --git a/backend/routes/backup.js b/backend/routes/backup.js index f756c02..f98bf82 100644 --- a/backend/routes/backup.js +++ b/backend/routes/backup.js 
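Review bot: The effective default produced by `_POSTGRES_SSL_REJECT_UNAUTHORIZED` on the new `ssl:` line of the db.js pool hunk is `true` (verify), but the README row this series ends on (patch 6) documents the default as `null`, after patch 5 had briefly changed it to `true`; an operator reading the table cannot tell whether leaving the variable unset verifies certificates. Keep the README at `true` and spell out what `false` costs, e.g. `| POSTGRES_SSL_REJECT_UNAUTHORIZED | \`true\` | \`false\` | Verify the Postgres server certificate when POSTGRES_SSL_ENABLED=true; \`false\` accepts any certificate (exposes the connection to interception) |`. Dropping the old `// Enable SSL without strict cert validation` comment along with the rewritten line is right, since the default is strict; a one-line replacement comment naming the two variables would still help the next reader.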
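Review bot: The spread added in the first migrations.js hunk inlines a ~140-character ternary that is repeated verbatim in the production block of the same file (and, with small variations, in create_database.js, db.js and backup.js), so the copies can only drift apart. Build the option object once at the top of migrations.js and spread it in both environments; since that hoisted copy becomes the one place the rule lives, it is also where to make it fail closed (`!== "false"` instead of `=== "true"`) so a mistyped value keeps verification on rather than turning it off. The `module.exports` object this hunk sits inside starts before and ends after the hunk.
```javascript
// Postgres TLS options shared by every environment below: no `ssl` key unless
// POSTGRES_SSL_ENABLED=true; verification stays on unless the operator sets
// POSTGRES_SSL_REJECT_UNAUTHORIZED=false explicitly.
const pgSsl = process.env.POSTGRES_SSL_ENABLED === "true"
  ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED !== "false" } }
  : {};

module.exports = {
  // … unchanged: development host/user/password/port/database …
      createDatabase: true,
      ...pgSsl,
  // … unchanged: migrations block; the production connection gets the same `...pgSsl` …
```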
@@ -54,7 +54,9 @@ async function restore(file, refLog) { host: postgresIp, port: postgresPort, database: postgresDatabase, - ssl: { rejectUnauthorized: postgresSslRejectUnauthorized }, + ...(process.env.POSTGRES_SSL_ENABLED === "true" + ? { ssl: { rejectUnauthorized: postgresSslRejectUnauthorized } } + : {}), }); const backupPath = file; From 9181b95fb98ea4a0bcbc872757600cca149cf97d Mon Sep 17 00:00:00 2001 From: Gunnar Smith Date: Fri, 19 Sep 2025 23:16:23 -0500 Subject: [PATCH 4/6] update readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b08fb97..166da3b 100644 --- a/README.md +++ b/README.md @@ -30,8 +30,8 @@ | POSTGRES_PASSWORD `REQUIRED` | `null` | `postgres` | Password that will be used in postgres database | | POSTGRES_IP `REQUIRED` | `null` | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance | | POSTGRES_PORT `REQUIRED` | `null` | `5432` | Port Postgres is running on | -| POSTGRES_SSL_ENABLED | `false` | `true` | Enable SSL connections to Postgres -| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true +| POSTGRES_SSL_ENABLED | `null` | `true` | Enable SSL connections to Postgres +| POSTGRES_SSL_REJECT_UNAUTHORIZED | `null` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true | JS_LISTEN_IP | `0.0.0.0`| `0.0.0.0` or `::` | Enable listening on specific IP or `::` for IPv6 | | JWT_SECRET `REQUIRED` | `null` | `my-secret-jwt-key` | JWT Key to be used to encrypt JWT tokens for authentication | | TZ `REQUIRED` | `null` | `Etc/UTC` | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) | From dfe0e3098a7075cc94d5ad9d58a70697d5589ce2 Mon Sep 17 00:00:00 2001 From: Gunnar Smith Date: Fri, 19 Sep 2025 23:18:27 -0500 Subject: [PATCH 5/6] update readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
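Review bot: `process.env.POSTGRES_SSL_ENABLED` is now read inside `restore()` on every call, while its companion `postgresSslRejectUnauthorized` was captured once at module load in the constants block earlier in this file; the two halves of one decision live in different places and can disagree if the environment changes at runtime. Add `const postgresSslEnabled = process.env.POSTGRES_SSL_ENABLED === "true";` beside the other `postgres*` constants and spread `...(postgresSslEnabled ? { ssl: { rejectUnauthorized: postgresSslRejectUnauthorized } } : {}),` here, so the restore path's TLS choice is visible next to the credentials it is made with. `restore(file, refLog)` begins and ends outside the hunk.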
diff --git a/README.md b/README.md index 166da3b..3f70adc 100644 --- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ | POSTGRES_IP `REQUIRED` | `null` | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance | | POSTGRES_PORT `REQUIRED` | `null` | `5432` | Port Postgres is running on | | POSTGRES_SSL_ENABLED | `null` | `true` | Enable SSL connections to Postgres -| POSTGRES_SSL_REJECT_UNAUTHORIZED | `null` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true +| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true | JS_LISTEN_IP | `0.0.0.0`| `0.0.0.0` or `::` | Enable listening on specific IP or `::` for IPv6 | | JWT_SECRET `REQUIRED` | `null` | `my-secret-jwt-key` | JWT Key to be used to encrypt JWT tokens for authentication | | TZ `REQUIRED` | `null` | `Etc/UTC` | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) | From 5b293d55bfe893cdd4e67836fe962cd6a864e9d1 Mon Sep 17 00:00:00 2001 From: Gunnar Smith Date: Fri, 19 Sep 2025 23:20:11 -0500 Subject: [PATCH 6/6] update readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f70adc..166da3b 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ | POSTGRES_IP `REQUIRED` | `null` | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance | | POSTGRES_PORT `REQUIRED` | `null` | `5432` | Port Postgres is running on | | POSTGRES_SSL_ENABLED | `null` | `true` | Enable SSL connections to Postgres -| POSTGRES_SSL_REJECT_UNAUTHORIZED | `true` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true +| POSTGRES_SSL_REJECT_UNAUTHORIZED | `null` | `false` | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true | JS_LISTEN_IP | `0.0.0.0`| `0.0.0.0` or `::` | Enable listening on specific IP or `::` for IPv6 | | JWT_SECRET `REQUIRED` | `null` | `my-secret-jwt-key` | JWT Key to be used to encrypt JWT tokens for authentication | | TZ `REQUIRED` | `null` | `Etc/UTC` | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) |