Update SSL settings for Cloud SQL (kriasoft#239)

Author: koistya

.vscode/settings.json

@@ -23,6 +23,8 @@
     "envalid",
     "jsonb",
     "knexfile",
+    "kriasoft",
+    "pgappname",
     "pgdatabase",
     "pgdebug",
     "pghost",

README.md

@@ -16,10 +16,10 @@ infrastructure, using code-first **GraphQL API** and **PostgreSQL** backend.
 
 ---
 
-This monorepo was bootstrapped with [Node.js API Starter Kit](https://github.com/kriasoft/nodejs-api-starter).
+This project was bootstrapped with [Node.js API Starter Kit](https://github.com/kriasoft/nodejs-api-starter).
 Be sure to join our [Discord channel](https://discord.com/invite/bSsv7XM) for assistance.
 
-## Monorepo Structure
+## Directory Structure
 
 `├──`[`.github`](.github) — GitHub configuration including CI/CD<br>
 `├──`[`.vscode`](.vscode) — VSCode settings including code snippets, recommended extensions etc.<br>

api/README.md

@@ -6,8 +6,8 @@ environment such as [Google Cloud Functions](https://cloud.google.com/functions)
 or [Google Cloud Run](https://cloud.google.com/run).
 
 This project was bootstrapped with [Node.js API Starter Kit](https://github.com/kriasoft/nodejs-api-starter).
-Be sure to join our [Discord channel](https://discord.com/invite/bSsv7XM) if you
-need some help.
+Be sure to join our [Discord channel](https://discord.com/invite/bSsv7XM) for
+assistance.
 
 ## Tech Stack
 

api/scripts/deploy.ts

@@ -14,11 +14,9 @@ import spawn from "cross-spawn";
 import minimist from "minimist";
 
 import env from "../src/env";
-import pkg from "../package.json";
+import { name } from "../package.json";
 
 const args = minimist(process.argv.slice(3));
-const project = process.env.GOOGLE_CLOUD_PROJECT;
-const region = process.env.GOOGLE_CLOUD_REGION;
 const version = args.version ?? os.userInfo().username;
 
 const envVars = [
@@ -27,11 +25,11 @@ const envVars = [
   `APP_VERSION=${version}`,
   `APP_ENV=${env.APP_ENV}`,
   `JWT_SECRET=${env.JWT_SECRET}`,
-  `JWT_EXPIRES=${env.JWT_EXPIRES}`,
-  `PGHOST=/cloudsql/${project}:${region}:db`,
+  `PGHOST=/cloudsql/${env.GOOGLE_CLOUD_SQL}`,
   `PGUSER=${env.PGUSER}`,
   `PGPASSWORD=${env.PGPASSWORD}`,
   `PGDATABASE=${env.PGDATABASE}`,
+  `PGAPPNAME=${name}_${version}`,
 ];
 
 spawn.sync(
@@ -40,13 +38,13 @@ spawn.sync(
     `--project=${process.env.GOOGLE_CLOUD_PROJECT}`,
     `functions`,
     `deploy`,
-    pkg.name,
+    name,
     `--region=${process.env.GOOGLE_CLOUD_REGION}`,
     `--allow-unauthenticated`,
-    `--entry-point=${pkg.name}`,
+    `--entry-point=${name}`,
     `--memory=2GB`,
     `--runtime=nodejs12`,
-    `--source=gs://${process.env.PKG_BUCKET}/api_${version}.zip`,
+    `--source=gs://${process.env.PKG_BUCKET}/${name}_${version}.zip`,
     `--timeout=30`,
     `--set-env-vars=${envVars.join(",")}`,
     `--trigger-http`,

api/src/db.ts

@@ -13,11 +13,11 @@ const db = knex({
   client: "pg",
 
   connection: {
-    ssl: env.PGSSLMODE !== "disable" && {
-      rejectUnauthorized: false,
-      cert: fs.readFileSync(env.PGSSLCERT, "utf8"),
-      key: fs.readFileSync(env.PGSSLKEY, "utf8"),
-      ca: fs.readFileSync(env.PGSSLROOTCERT, "utf8"),
+    ssl: env.PGSSLMODE === "verify-ca" && {
+      cert: fs.readFileSync(env.PGSSLCERT, "ascii"),
+      key: fs.readFileSync(env.PGSSLKEY, "ascii"),
+      ca: fs.readFileSync(env.PGSSLROOTCERT, "ascii"),
+      servername: ((x) => `${x[0]}:${x[2]}`)(env.GOOGLE_CLOUD_SQL.split(":")),
     },
   },
 

api/src/env.ts

@@ -23,6 +23,7 @@ export default cleanEnv(
     JWT_SECRET: str(),
     JWT_EXPIRES: num({ default: 60 * 60 * 24 * 14 /* 2 weeks */ }),
 
+    GOOGLE_CLOUD_SQL: str({ default: "" }),
     PGHOST: str(),
     PGPORT: num({ default: 5432 }),
     PGUSER: str(),

api/src/index.ts

@@ -46,7 +46,8 @@ if (!env.isProduction) {
   });
 
   app.listen(env.PORT, () => {
-    console.log(`API listening on http://localhost:${env.PORT}/`);
+    const meta = `env: ${env.APP_ENV}, db: ${env.PGDATABASE}`;
+    console.log(`API listening on http://localhost:${env.PORT}/ (${meta})`);
     require("../scripts/update-schema");
   });
 }

db/README.md

@@ -4,8 +4,8 @@ Migration and seed files plus some administration scripts that help to design
 a PostgreSQL database.
 
 This project was bootstrapped with [Node.js API Starter Kit](https://github.com/kriasoft/nodejs-api-starter).
-Be sure to join our [Discord channel](https://discord.com/invite/bSsv7XM) if you
-need some help.
+Be sure to join our [Discord channel](https://discord.com/invite/bSsv7XM) for
+assistance.
 
 ## Directory Layout
 

db/knexfile.js

@@ -5,6 +5,8 @@
  * @copyright 2016-present Kriasoft (https://git.io/vMINh)
  */
 
+const fs = require("fs");
+
 // Load environment variables (PGHOST, PGUSER, etc.)
 require("env");
 
@@ -14,7 +16,16 @@ require("env");
 module.exports = {
   client: "pg",
 
-  connection: {},
+  connection: {
+    ssl: process.env.PGSSLMODE === "verify-ca" && {
+      cert: fs.readFileSync(process.env.PGSSLCERT, "ascii"),
+      key: fs.readFileSync(process.env.PGSSLKEY, "ascii"),
+      ca: fs.readFileSync(process.env.PGSSLROOTCERT, "ascii"),
+      servername: ((x) => `${x[0]}:${x[2]}`)(
+        process.env.GOOGLE_CLOUD_SQL.split(":"),
+      ),
+    },
+  },
 
   pool: { min: 0, max: 1 },
 

env/.env

@@ -6,12 +6,8 @@ APP_NAME=example
 APP_VERSION=latest
 
 # Google Cloud Platform (GCP) defaults
-GOOGLE_CLOUD_PROJECT=
 GOOGLE_CLOUD_REGION=us-central1
 
 # Cloud storage bucket that is used for saving
 # application bundles (build articacts) during CI/CD workflows
 PKG_BUCKET=pkg.example.com
-
-# Cloud storage bucket for user uploaded content and other assets
-STORAGE_BUCKET=s.example.com