Fix Medusa Railway startup#80
Conversation
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
WalkthroughThe Dockerfile startup command now runs ChangesDatabase Connectivity and Startup
Estimated code review effort: 2 (Simple) | ~10 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration. Comment |
bbaf1c4 to
d929df9
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/medusa/medusa-config.ts`:
- Around line 8-10: Update the startup config in medusa-config.ts so
DATABASE_URL and DATABASE_SSL are parsed into an explicit SSL mode instead of a
single boolean flag. Validate the env values early, then map the mode in the DB
config path that currently feeds rejectUnauthorized so only the intended SSL
setting disables certificate verification, while modes like require and
verify-full remain distinct.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f8821f65-172d-4556-a036-23ce7bd3d926
📒 Files selected for processing (2)
apps/medusa/Dockerfileapps/medusa/medusa-config.ts
| const DATABASE_URL = process.env.DATABASE_URL; | ||
| const DATABASE_USES_SSL = | ||
| DATABASE_URL?.includes('sslmode=require') || process.env.DATABASE_SSL === 'true'; |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
Medusa 2.17.1 databaseDriverOptions ssl rejectUnauthorized PostgreSQL sslmode require verify-full
💡 Result:
In Medusa 2.17.1, configuring database SSL through databaseDriverOptions is handled within your medusa-config.ts file under the projectConfig object [1][2]. To configure SSL, you can define the ssl property inside databaseDriverOptions.connection [2][3]. Example configuration for requiring SSL while disabling certificate verification (e.g., for self-signed certificates or specific cloud environments): module.exports = defineConfig({ projectConfig: { databaseDriverOptions: { connection: { ssl: { rejectUnauthorized: false, }, }, }, //... }, }) Key Considerations: 1. SSL/TLS Modes: While Medusa historically prioritized ssl_mode in connection strings, it has moved to support standard PostgreSQL sslmode parameters (e.g., require, verify-ca, verify-full) [4][5]. 2. Hardcoded Defaults: Medusa's internal utility getDefaultDriverOptions uses regex to decide whether to enable SSL by default [6][7]. If your DATABASE_URL host is not localhost or 127.0.0.1, it often defaults to an object that forces SSL ({ ssl: { rejectUnauthorized: false } }) [6][7]. 3. Troubleshooting: If you encounter issues (such as "The server does not support SSL connections" or connection timeouts), you can explicitly disable SSL by setting databaseDriverOptions: { connection: { ssl: false } } [8][7]. This overrides the automatic regex-based detection [7]. 4. Connection Strings: If you prefer using connection string parameters, verify that your environment correctly passes ?sslmode=... [4][5]. Note that some internal path re-constructions can sometimes strip query parameters from the DATABASE_URL, making the explicit databaseDriverOptions object in medusa-config.ts the more reliable configuration method [7]. For strictly enforcing SSL (verify-full), ensure your database driver options align with the standard Node.js tls documentation, as Medusa passes these options directly to the underlying PostgreSQL client [2][9].
Citations:
- 1: https://docs.medusajs.com/learn/configurations/medusa-config
- 2: https://docs.medusajs.com/learn/configurations/medusa-config/index.html.md
- 3: [Bug]: I can't run db:migrate command - Failed with error The server does not support SSL connections medusajs/medusa#10162
- 4: https://medusajs-medusa.mintlify.app/deployment/database
- 5: MedusaJS DB connection string parsing for SSL uses
ssl_modeinstead ofsslmodemedusajs/medusa#13498 - 6: https://github.com/medusajs/medusa/blob/develop/packages/core/utils/src/modules-sdk/load-module-database-config.ts
- 7: [Bug]: Module DB connections force SSL for any non-localhost host (breaks Docker Compose); regresses to silent db:migrate hang in 2.15.x medusajs/medusa#15658
- 8: [Bug]: use Vercel postgress show - error: connection is insecure (try using
sslmode=require) medusajs/medusa#9985 - 9: Postgres SSL connection options aren't valid types medusajs/medusa#11341
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== apps/medusa/medusa-config.ts =="
wc -l apps/medusa/medusa-config.ts
cat -n apps/medusa/medusa-config.ts | sed -n '1,220p'
echo
echo "== Search for env validation / Zod in the config =="
rg -n "zod|safeParse|process\.env|DATABASE_URL|DATABASE_SSL|databaseDriverOptions|rejectUnauthorized|sslmode|ssl" apps/medusa/medusa-config.ts apps/medusa -g '!**/node_modules/**' || true
echo
echo "== Related Medusa config docs / code references in repo =="
rg -n "databaseDriverOptions|rejectUnauthorized|sslmode|ssl:|ssl false|projectConfig" . -g '!**/node_modules/**' | sed -n '1,220p'Repository: lambda-curry/medusa2-starter
Length of output: 6499
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== Search repo for DATABASE_SSL / DATABASE_URL docs and examples =="
rg -n "DATABASE_SSL|DATABASE_URL|sslmode=require|rejectUnauthorized|DATABASE_SSL" . \
-g '!**/node_modules/**' -g '!**/dist/**' -g '!**/build/**' | sed -n '1,260p'Repository: lambda-curry/medusa2-starter
Length of output: 809
Parse the DB SSL mode instead of collapsing every SSL path to rejectUnauthorized: false.
DATABASE_URL/DATABASE_SSL are read as raw strings, and the current mapping makes require and verify-full behave the same. Validate the env shape at startup and map the SSL mode explicitly so certificate verification is only disabled when that’s intended.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@apps/medusa/medusa-config.ts` around lines 8 - 10, Update the startup config
in medusa-config.ts so DATABASE_URL and DATABASE_SSL are parsed into an explicit
SSL mode instead of a single boolean flag. Validate the env values early, then
map the mode in the DB config path that currently feeds rejectUnauthorized so
only the intended SSL setting disables certificate verification, while modes
like require and verify-full remain distinct.
Source: Coding guidelines
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bbaf1c4294
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| databaseUrl: DATABASE_URL, | ||
| databaseDriverOptions: { | ||
| ssl: false, | ||
| ssl: DATABASE_USES_SSL ? { rejectUnauthorized: false } : false, |
There was a problem hiding this comment.
Nest the SSL option under connection
Medusa 2.x expects PostgreSQL driver SSL options under databaseDriverOptions.connection.ssl (the official example uses { connection: { ssl: ... } }, not a top-level ssl: https://docs.medusajs.com/learn/configurations/medusa-config#databasedriveroptions). With this option left at the top level, DATABASE_SSL=true or a Railway URL that trips DATABASE_USES_SSL still won't apply rejectUnauthorized: false, so deployments against SSL-required/self-signed Postgres can continue to fail during startup. Please nest both the enabled and disabled cases under connection so the pg driver receives them.
Useful? React with 👍 / 👎.
Summary
Verification
Summary by CodeRabbit
New Features
Bug Fixes