npm - @ingram-tech/nk-auth - Versions diffs - 0.2.0 → 0.2.1 - Mend

@ingram-tech/nk-auth 0.2.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/pool.d.ts CHANGED Viewed

@@ -1,9 +1,16 @@
 import { Pool } from "pg";
 /**
- * A `pg` Pool for Better Auth's direct database connection, with optional
- * SSL CA verification (equivalent to `sslmode=verify-full`). Keep `sslmode` out
- * of the connection string — `pg` discards the `ssl` object when the URL
- * carries SSL settings.
+ * A `pg` Pool for Better Auth's direct database connection, with the right TLS
+ * for each kind of host:
+ *
+ *   - `caCert` set → verify the server cert + hostname against it
+ *     (equivalent to `sslmode=verify-full`).
+ *   - local (`127.0.0.1`/`localhost`) → no TLS.
+ *   - otherwise (managed Postgres like Supabase) → TLS **without** chain
+ *     verification. Supabase's cert chain isn't in Node's trust store, so plain
+ *     verification fails with "self-signed certificate in certificate chain";
+ *     the connection is still encrypted. `sslmode` is stripped from the URL
+ *     because `pg` ignores the `ssl` object when the URL carries SSL settings.
  */
 export declare const createAuthPool: (config: {
     connectionString: string;

package/dist/pool.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;~~AAE1B;;;;;GAKG~~;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,~~IAMD~~,CAAC"}
1	+ {"version":3,"file":"pool.d.ts","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAK1B;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB,KAAG,IAgBH,CAAC"}

package/dist/pool.js CHANGED Viewed

@@ -1,14 +1,33 @@
 import { Pool } from "pg";
+const isLocal = (connectionString) => connectionString.includes("127.0.0.1") || connectionString.includes("localhost");
 /**
- * A `pg` Pool for Better Auth's direct database connection, with optional
- * SSL CA verification (equivalent to `sslmode=verify-full`). Keep `sslmode` out
- * of the connection string — `pg` discards the `ssl` object when the URL
- * carries SSL settings.
+ * A `pg` Pool for Better Auth's direct database connection, with the right TLS
+ * for each kind of host:
+ *
+ *   - `caCert` set → verify the server cert + hostname against it
+ *     (equivalent to `sslmode=verify-full`).
+ *   - local (`127.0.0.1`/`localhost`) → no TLS.
+ *   - otherwise (managed Postgres like Supabase) → TLS **without** chain
+ *     verification. Supabase's cert chain isn't in Node's trust store, so plain
+ *     verification fails with "self-signed certificate in certificate chain";
+ *     the connection is still encrypted. `sslmode` is stripped from the URL
+ *     because `pg` ignores the `ssl` object when the URL carries SSL settings.
  */
-export const createAuthPool = (config) => new Pool({
-    connectionString: config.connectionString,
-    ssl: config.caCert
-        ? { ca: config.caCert, rejectUnauthorized: true }
-        : undefined,
-});
+export const createAuthPool = (config) => {
+    if (config.caCert) {
+        return new Pool({
+            connectionString: config.connectionString,
+            ssl: { ca: config.caCert, rejectUnauthorized: true },
+        });
+    }
+    if (isLocal(config.connectionString)) {
+        return new Pool({ connectionString: config.connectionString });
+    }
+    const url = new URL(config.connectionString);
+    url.searchParams.delete("sslmode");
+    return new Pool({
+        connectionString: url.toString(),
+        ssl: { rejectUnauthorized: false },
+    });
+};
 //# sourceMappingURL=pool.js.map

package/dist/pool.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B~~;;;;;GAKG~~;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE,~~CACV~~,IAAI,IAAI,CAAC;~~IACR~~,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;~~IACzC~~,GAAG,EAAE,MAAM,CAAC,MAAM;~~QACjB~~,CAAC,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,~~IAAI~~,EAAE;~~QACjD~~,CAAC,CAAC~~,SAAS~~;~~CACZ~~,CAAC,CAAC"}
1	+ {"version":3,"file":"pool.js","sourceRoot":"","sources":["../src/pool.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAE1B,MAAM,OAAO,GAAG,CAAC,gBAAwB,EAAW,EAAE,CACrD,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAElF;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,MAI9B,EAAQ,EAAE;IACV,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,IAAI,IAAI,CAAC;YACf,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,GAAG,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE;SACpD,CAAC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,IAAI,CAAC,EAAE,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IAC7C,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,IAAI,IAAI,CAAC;QACf,gBAAgB,EAAE,GAAG,CAAC,QAAQ,EAAE;QAChC,GAAG,EAAE,EAAE,kBAAkB,EAAE,KAAK,EAAE;KAClC,CAAC,CAAC;AACJ,CAAC,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@ingram-tech/nk-auth",
-	"version": "0.2.0",
+	"version": "0.2.1",
 	"description": "The Ingram Better Auth foundation: composable presets (org, dual-shape JWT, Supabase RLS bridge, active-org hooks, pg pool) for Next.js sites.",
 	"license": "MIT",
 	"type": "module",