fix(server): sslmode not working

[mertalev]

Description

Postgres.js has its own connection parsing logic that is not as robust as the previous driver. This PR uses the pg-connection-string library to do the parsing and passes the results to the Postgres.js driver.

Fixes #15566

[jrasm91]

Please write some tests for this

[jrasm91]

Looks good. Can you add an error for an invalid ssl value as well?

[mertalev]

Looks good. Can you add an error for an invalid ssl value as well?

There's an error for it already

[jrasm91]

Looks good. Can you add an error for an invalid ssl value as well?

There's an error for it already

Sorry, I meant add a test for the error case.

[mertalev]

Oh, there is a test for it at the bottom

[dotlambda]

Afaict this doesn't deal with sockets, the option path is never set.

[mertalev]

Afaict this doesn't deal with sockets, the option path is never set.

pg-connection-stringdoes support sockets, see this code.

[dotlambda]

I know, but it never sets path:

> parse('socket:/run/postgresql?db=immich')
{
  db: 'immich',
  user: '',
  password: '',
  host: '/run/postgresql',
  database: 'immich',
  client_encoding: null
}

What I was missing though is that the postgres library checks for a slash in host: https://github.com/porsager/postgres/blob/089214e85c23c90cf142d47fb30bd03f42874984/src/index.js#L466
Do you mind if I add two test cases for socket connections?

[mertalev]

I know, but it never sets path:

> parse('socket:/run/postgresql?db=immich')
{
  db: 'immich',
  user: '',
  password: '',
  host: '/run/postgresql',
  database: 'immich',
  client_encoding: null
}

What I was missing though is that the postgres library checks for a slash in host: porsager/postgres@089214e/src/index.js#L466 Do you mind if I add two test cases for socket connections?

Go for it! I'm also happy to review any changes needed to support sockets if they still don't work.

[voc0der]

Where is it expecting your ssl certificates ? (fullchain / and or cert + pem / privkey) to be?

Mine fails when I set verify-ca for the obvious reason that I have not figured out where to mount the cert?

[mmomjian]

Where is it expecting your ssl certificates ? (fullchain / and or cert + pem / privkey) to be?

Mine fails when I set verify-ca for the obvious reason that I have not figured out where to mount the cert?

I don't think that we have ever supported verification even before kysely.

[voc0der]

Where is it expecting your ssl certificates ? (fullchain / and or cert + pem / privkey) to be?
Mine fails when I set verify-ca for the obvious reason that I have not figured out where to mount the cert?

I don't think that we have ever supported verification even before kysely.

Good to know I'm not crazy. In the docs, it's a bit ambiguous, made me feel like I was doing it wrong.

DB_URL must be in the format postgresql://immichdbusername:immichdbpassword@postgreshost:postgresport/immichdatabasename. You can require SSL by adding ?sslmode=require to the end of the DB_URL string, or require SSL and skip certificate verification by adding ?sslmode=require&sslmode=no-verify.

[mertalev]

I believe you have to set sslcert, sslkey, and/or sslrootcert to the file path within the container. The library reads the files at these paths when parsing if specified.

[voc0der]

I believe you have to set sslcert, sslkey, and/or sslrootcert to the file path within the container. The library reads the files at these paths when parsing if specified.

Environment variables which correspond to the mounting? That sounds like the solution, although I'm not seeing it when I search the code in github so I'm still skeptical?

[mertalev]

I believe you have to set sslcert, sslkey, and/or sslrootcert to the file path within the container. The library reads the files at these paths when parsing if specified.

Environment variables which correspond to the mounting? That sounds like the solution, although I'm not seeing it when I search the code in github so I'm still skeptical?

No, these are query parameters in the DB_URL

[voc0der]

That makes sense. And thanks, that fixed my issue on top of this.