Skip to content

Fix Medusa Railway startup#80

Merged
dwene merged 1 commit into
mainfrom
codex/fix-medusa-railway-startup
Jul 1, 2026
Merged

Fix Medusa Railway startup#80
dwene merged 1 commit into
mainfrom
codex/fix-medusa-railway-startup

Conversation

@dwene

@dwene dwene commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • stop running Medusa migrations as part of the Railway app startup command
  • allow production database SSL when the Railway/Neon connection string requires it
  • repaired existing production tax regions that were missing the system tax provider

Verification

  • corepack yarn workspace medusa typecheck
  • docker build -f apps/medusa/Dockerfile .
  • one-off production DB update: 2 tax regions updated, 0 remaining with null provider

Summary by CodeRabbit

  • New Features

    • Added automatic detection of secure database connections, enabling SSL when required.
  • Bug Fixes

    • Improved container startup by removing the database migration step and starting the service directly.
    • Updated database connection settings to handle SSL-enabled environments more reliably.

@medusajs

medusajs Bot commented Jul 1, 2026

Copy link
Copy Markdown
Name Backend Status Storefront Status Preview Link Last Updated
Medusa Starter 🟡 Provisioning - - / - Wed, 01 Jul 2026 04:06:39 GMT

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 807691bf-37ec-4216-9334-70c62667be98

📥 Commits

Reviewing files that changed from the base of the PR and between bbaf1c4 and d929df9.

📒 Files selected for processing (2)
  • apps/medusa/Dockerfile
  • apps/medusa/medusa-config.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • apps/medusa/Dockerfile
  • apps/medusa/medusa-config.ts

Walkthrough

The Dockerfile startup command now runs yarn start:prod directly, and Medusa config now derives DATABASE_URL and DATABASE_USES_SSL to conditionally enable SSL settings for the database connection.

Changes

Database Connectivity and Startup

Layer / File(s) Summary
Conditional SSL database configuration
apps/medusa/medusa-config.ts
Derives DATABASE_URL and DATABASE_USES_SSL from environment variables, then conditionally sets databaseDriverOptions.ssl to { rejectUnauthorized: false } or false based on detected SSL usage.
Container startup command update
apps/medusa/Dockerfile
Replaces the shell command that ran yarn migrate:prod before startup with a direct yarn start:prod CMD.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: fixing Medusa startup behavior on Railway.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/fix-medusa-railway-startup

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Comment @coderabbitai help to get the list of available commands.

@dwene dwene force-pushed the codex/fix-medusa-railway-startup branch from bbaf1c4 to d929df9 Compare July 1, 2026 04:08

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/medusa/medusa-config.ts`:
- Around line 8-10: Update the startup config in medusa-config.ts so
DATABASE_URL and DATABASE_SSL are parsed into an explicit SSL mode instead of a
single boolean flag. Validate the env values early, then map the mode in the DB
config path that currently feeds rejectUnauthorized so only the intended SSL
setting disables certificate verification, while modes like require and
verify-full remain distinct.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f8821f65-172d-4556-a036-23ce7bd3d926

📥 Commits

Reviewing files that changed from the base of the PR and between 9bf5888 and bbaf1c4.

📒 Files selected for processing (2)
  • apps/medusa/Dockerfile
  • apps/medusa/medusa-config.ts

Comment thread apps/medusa/medusa-config.ts Outdated
Comment on lines +8 to +10
const DATABASE_URL = process.env.DATABASE_URL;
const DATABASE_USES_SSL =
DATABASE_URL?.includes('sslmode=require') || process.env.DATABASE_SSL === 'true';

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Medusa 2.17.1 databaseDriverOptions ssl rejectUnauthorized PostgreSQL sslmode require verify-full

💡 Result:

In Medusa 2.17.1, configuring database SSL through databaseDriverOptions is handled within your medusa-config.ts file under the projectConfig object [1][2]. To configure SSL, you can define the ssl property inside databaseDriverOptions.connection [2][3]. Example configuration for requiring SSL while disabling certificate verification (e.g., for self-signed certificates or specific cloud environments): module.exports = defineConfig({ projectConfig: { databaseDriverOptions: { connection: { ssl: { rejectUnauthorized: false, }, }, }, //... }, }) Key Considerations: 1. SSL/TLS Modes: While Medusa historically prioritized ssl_mode in connection strings, it has moved to support standard PostgreSQL sslmode parameters (e.g., require, verify-ca, verify-full) [4][5]. 2. Hardcoded Defaults: Medusa's internal utility getDefaultDriverOptions uses regex to decide whether to enable SSL by default [6][7]. If your DATABASE_URL host is not localhost or 127.0.0.1, it often defaults to an object that forces SSL ({ ssl: { rejectUnauthorized: false } }) [6][7]. 3. Troubleshooting: If you encounter issues (such as "The server does not support SSL connections" or connection timeouts), you can explicitly disable SSL by setting databaseDriverOptions: { connection: { ssl: false } } [8][7]. This overrides the automatic regex-based detection [7]. 4. Connection Strings: If you prefer using connection string parameters, verify that your environment correctly passes ?sslmode=... [4][5]. Note that some internal path re-constructions can sometimes strip query parameters from the DATABASE_URL, making the explicit databaseDriverOptions object in medusa-config.ts the more reliable configuration method [7]. For strictly enforcing SSL (verify-full), ensure your database driver options align with the standard Node.js tls documentation, as Medusa passes these options directly to the underlying PostgreSQL client [2][9].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== apps/medusa/medusa-config.ts =="
wc -l apps/medusa/medusa-config.ts
cat -n apps/medusa/medusa-config.ts | sed -n '1,220p'

echo
echo "== Search for env validation / Zod in the config =="
rg -n "zod|safeParse|process\.env|DATABASE_URL|DATABASE_SSL|databaseDriverOptions|rejectUnauthorized|sslmode|ssl" apps/medusa/medusa-config.ts apps/medusa -g '!**/node_modules/**' || true

echo
echo "== Related Medusa config docs / code references in repo =="
rg -n "databaseDriverOptions|rejectUnauthorized|sslmode|ssl:|ssl false|projectConfig" . -g '!**/node_modules/**' | sed -n '1,220p'

Repository: lambda-curry/medusa2-starter

Length of output: 6499


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Search repo for DATABASE_SSL / DATABASE_URL docs and examples =="
rg -n "DATABASE_SSL|DATABASE_URL|sslmode=require|rejectUnauthorized|DATABASE_SSL" . \
  -g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' | sed -n '1,260p'

Repository: lambda-curry/medusa2-starter

Length of output: 809


Parse the DB SSL mode instead of collapsing every SSL path to rejectUnauthorized: false.
DATABASE_URL/DATABASE_SSL are read as raw strings, and the current mapping makes require and verify-full behave the same. Validate the env shape at startup and map the SSL mode explicitly so certificate verification is only disabled when that’s intended.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/medusa/medusa-config.ts` around lines 8 - 10, Update the startup config
in medusa-config.ts so DATABASE_URL and DATABASE_SSL are parsed into an explicit
SSL mode instead of a single boolean flag. Validate the env values early, then
map the mode in the DB config path that currently feeds rejectUnauthorized so
only the intended SSL setting disables certificate verification, while modes
like require and verify-full remain distinct.

Source: Coding guidelines

@dwene dwene merged commit dd6857b into main Jul 1, 2026
4 checks passed
@dwene dwene deleted the codex/fix-medusa-railway-startup branch July 1, 2026 04:12

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bbaf1c4294

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

databaseUrl: DATABASE_URL,
databaseDriverOptions: {
ssl: false,
ssl: DATABASE_USES_SSL ? { rejectUnauthorized: false } : false,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Nest the SSL option under connection

Medusa 2.x expects PostgreSQL driver SSL options under databaseDriverOptions.connection.ssl (the official example uses { connection: { ssl: ... } }, not a top-level ssl: https://docs.medusajs.com/learn/configurations/medusa-config#databasedriveroptions). With this option left at the top level, DATABASE_SSL=true or a Railway URL that trips DATABASE_USES_SSL still won't apply rejectUnauthorized: false, so deployments against SSL-required/self-signed Postgres can continue to fail during startup. Please nest both the enabled and disabled cases under connection so the pg driver receives them.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant