@powersync/service-core 1.13.3 → 1.14.0

package/src/api/diagnostics.ts

@@ -105,7 +105,7 @@ export async function getSyncRulesStatus(
         const source: SourceTableInterface = {
           connectionTag: tag,
           schema: pattern.schema,
-          table: pattern.tablePattern
+          name: pattern.tablePattern
         };
         const syncData = rules.tableSyncsData(source);
         const syncParameters = rules.tableSyncsParameters(source);
@@ -134,6 +134,38 @@ export async function getSyncRulesStatus(
     })
   );
 
+  if (live_status && status?.active && sourceConfig.type != 'mysql') {
+    // Check replication lag for active sync rules.
+    // Right now we exclude mysql, since it we don't have consistent keepalives for it.
+    if (sync_rules.last_checkpoint_ts == null && sync_rules.last_keepalive_ts == null) {
+      errors.push({
+        level: 'warning',
+        message: 'No checkpoint found, cannot calculate replication lag'
+      });
+    } else {
+      const lastTime = Math.max(
+        sync_rules.last_checkpoint_ts?.getTime() ?? 0,
+        sync_rules.last_keepalive_ts?.getTime() ?? 0
+      );
+      const lagSeconds = Math.round((Date.now() - lastTime) / 1000);
+      // On idle instances, keepalive messages are only persisted every 60 seconds.
+      // So we use 5 minutes as a threshold for warnings, and 15 minutes for critical.
+      // The replication lag metric should give a more granular value, but that is not available directly
+      // in the API containers used for diagnostics, and this should give a good enough indication.
+      if (lagSeconds > 15 * 60) {
+        errors.push({
+          level: 'fatal',
+          message: `No replicated commit in more than ${lagSeconds}s`
+        });
+      } else if (lagSeconds > 5 * 60) {
+        errors.push({
+          level: 'warning',
+          message: `No replicated commit in more than ${lagSeconds}s`
+        });
+      }
+    }
+  }
+
   return {
     content: include_content ? sync_rules.sync_rules_content : undefined,
     connections: [

package/src/auth/CachedKeyCollector.ts

@@ -3,7 +3,7 @@ import timers from 'timers/promises';
 import { KeySpec } from './KeySpec.js';
 import { LeakyBucket } from './LeakyBucket.js';
 import { KeyCollector, KeyResult } from './KeyCollector.js';
-import { AuthorizationError } from '@powersync/lib-services-framework';
+import { AuthorizationError, ErrorCode, logger } from '@powersync/lib-services-framework';
 import { mapAuthConfigError } from './utils.js';
 
 /**
@@ -70,8 +70,21 @@ export class CachedKeyCollector implements KeyCollector {
       // e.g. in the case of waiting for error retries.
       // In the case of very slow requests, we don't wait for it to complete, but the
       // request can still complete in the background.
-      const timeout = timers.setTimeout(3000);
-      await Promise.race([this.refreshPromise, timeout]);
+      const WAIT_TIMEOUT_SECONDS = 3;
+      const timeout = timers.setTimeout(WAIT_TIMEOUT_SECONDS * 1000).then(() => {
+        throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed`, {
+          cause: { message: `Key request timed out in ${WAIT_TIMEOUT_SECONDS}s`, name: 'AbortError' }
+        });
+      });
+      try {
+        await Promise.race([this.refreshPromise, timeout]);
+      } catch (e) {
+        if (e instanceof AuthorizationError) {
+          return { keys: this.currentKeys, errors: [...this.currentErrors, e] };
+        } else {
+          throw e;
+        }
+      }
     }
 
     return { keys: this.currentKeys, errors: this.currentErrors };
@@ -102,7 +115,16 @@ export class CachedKeyCollector implements KeyCollector {
       this.currentErrors = errors;
       this.keyTimestamp = Date.now();
       this.error = false;
+
+      // Due to caching and background refresh behavior, errors are not always propagated to the request handler,
+      // so we log them here.
+      for (let error of errors) {
+        logger.error(`Soft key refresh error`, error);
+      }
     } catch (e) {
+      // Due to caching and background refresh behavior, errors are not always propagated to the request handler,
+      // so we log them here.
+      logger.error(`Hard key refresh error`, e);
       this.error = true;
       // No result - keep previous keys
       this.currentErrors = [mapAuthConfigError(e)];

package/src/auth/KeySpec.ts

@@ -40,6 +40,20 @@ export class KeySpec {
     return this.source.kid;
   }
 
+  get description(): string {
+    let details: string[] = [];
+    details.push(`kid: ${this.kid ?? '*'}`);
+    details.push(`kty: ${this.source.kty}`);
+    if (this.source.alg != null) {
+      details.push(`alg: ${this.source.alg}`);
+    }
+    if (this.options.requiresAudience != null) {
+      details.push(`aud: ${this.options.requiresAudience.join(', ')}`);
+    }
+
+    return `<${details.filter((x) => x != null).join(', ')}>`;
+  }
+
   matchesAlgorithm(jwtAlg: string): boolean {
     if (this.source.alg) {
       return jwtAlg === this.source.alg;

package/src/auth/KeyStore.ts

@@ -1,10 +1,10 @@
-import { logger, errors, AuthorizationError, ErrorCode } from '@powersync/lib-services-framework';
+import { AuthorizationError, ErrorCode, logger } from '@powersync/lib-services-framework';
 import * as jose from 'jose';
 import secs from '../util/secs.js';
 import { JwtPayload } from './JwtPayload.js';
 import { KeyCollector } from './KeyCollector.js';
 import { KeyOptions, KeySpec, SUPPORTED_ALGORITHMS } from './KeySpec.js';
-import { mapAuthError } from './utils.js';
+import { debugKeyNotFound, mapAuthError, SupabaseAuthDetails, tokenDebugDetails } from './utils.js';
 
 /**
  * KeyStore to get keys and verify tokens.
@@ -39,6 +39,29 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
    */
   collector: Collector;
 
+  /**
+   * For debug purposes only.
+   *
+   * This is very Supabase-specific, but we need the info on this level. For example,
+   * we want to detect cases where a Supabase token is used, but Supabase auth is not enabled
+   * (no Supabase collector configured).
+   */
+  supabaseAuthDebug: {
+    /**
+     * This can be populated without jwksEnabled, but not the other way around.
+     */
+    jwksDetails: SupabaseAuthDetails | null;
+    jwksEnabled: boolean;
+    /**
+     * This can be enabled without jwksDetails populated.
+     */
+    sharedSecretEnabled: boolean;
+  } = {
+    jwksDetails: null,
+    jwksEnabled: false,
+    sharedSecretEnabled: false
+  };
+
   constructor(collector: Collector) {
     this.collector = collector;
   }
@@ -131,7 +154,7 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
           if (!key.matchesAlgorithm(header.alg)) {
             throw new AuthorizationError(ErrorCode.PSYNC_S2101, `Unexpected token algorithm ${header.alg}`, {
               configurationDetails: `Key kid: ${key.source.kid}, alg: ${key.source.alg}, kty: ${key.source.kty}`
-              // Token details automatically populated elsewhere
+              // tokenDetails automatically populated higher up the stack
             });
           }
           return key;
@@ -165,12 +188,13 @@ export class KeyStore<Collector extends KeyCollector = KeyCollector> {
         logger.error(`Failed to refresh keys`, e);
       });
 
+      const details = debugKeyNotFound(this, keys, token);
+
       throw new AuthorizationError(
         ErrorCode.PSYNC_S2101,
         'Could not find an appropriate key in the keystore. The key is missing or no key matched the token KID',
         {
-          configurationDetails: `Known kid values: ${keys.map((key) => key.kid ?? '*').join(', ')}`
-          // tokenDetails automatically populated later
+          ...details
         }
       );
     }

package/src/auth/RemoteJWKSCollector.ts

@@ -12,10 +12,11 @@ import {
   ServiceError
 } from '@powersync/lib-services-framework';
 import { KeyCollector, KeyResult } from './KeyCollector.js';
-import { KeySpec } from './KeySpec.js';
+import { KeyOptions, KeySpec } from './KeySpec.js';
 
 export type RemoteJWKSCollectorOptions = {
   lookupOptions?: LookupOptions;
+  keyOptions?: KeyOptions;
 };
 
 /**
@@ -24,6 +25,7 @@ export type RemoteJWKSCollectorOptions = {
 export class RemoteJWKSCollector implements KeyCollector {
   private url: URL;
   private agent: http.Agent;
+  private keyOptions: KeyOptions;
 
   constructor(
     url: string,
@@ -34,6 +36,7 @@ export class RemoteJWKSCollector implements KeyCollector {
     } catch (e: any) {
       throw new ServiceError(ErrorCode.PSYNC_S3102, `Invalid jwks_uri: ${JSON.stringify(url)} Details: ${e.message}`);
     }
+    this.keyOptions = options?.keyOptions ?? {};
 
     // We do support http here for self-hosting use cases.
     // Management service restricts this to https for hosted versions.
@@ -49,9 +52,10 @@ export class RemoteJWKSCollector implements KeyCollector {
 
   private async getJwksData(): Promise<any> {
     const abortController = new AbortController();
+    const REQUEST_TIMEOUT_SECONDS = 30;
     const timeout = setTimeout(() => {
       abortController.abort();
-    }, 30_000);
+    }, REQUEST_TIMEOUT_SECONDS * 1000);
 
     try {
       const res = await fetch(this.url, {
@@ -71,11 +75,14 @@ export class RemoteJWKSCollector implements KeyCollector {
 
       return (await res.json()) as any;
     } catch (e) {
+      if (e instanceof Error && e.name === 'AbortError') {
+        e = { message: `Request timed out in ${REQUEST_TIMEOUT_SECONDS}s`, name: 'AbortError' };
+      }
       throw new AuthorizationError(ErrorCode.PSYNC_S2204, `JWKS request failed`, {
         configurationDetails: `JWKS URL: ${this.url}`,
         // This covers most cases of FetchError
         // `cause: e` could lose the error message
-        cause: { message: e.message, code: e.code }
+        cause: { message: e.message, code: e.code, name: e.name }
       });
     } finally {
       clearTimeout(timeout);
@@ -119,7 +126,7 @@ export class RemoteJWKSCollector implements KeyCollector {
         }
       }
 
-      const key = await KeySpec.importKey(keyData);
+      const key = await KeySpec.importKey(keyData, this.keyOptions);
       keys.push(key);
     }
 

package/src/auth/StaticSupabaseKeyCollector.ts

@@ -2,7 +2,7 @@ import * as jose from 'jose';
 import { KeySpec, KeyOptions } from './KeySpec.js';
 import { KeyCollector, KeyResult } from './KeyCollector.js';
 
-const SUPABASE_KEY_OPTIONS: KeyOptions = {
+export const SUPABASE_KEY_OPTIONS: KeyOptions = {
   requiresAudience: ['authenticated'],
   maxLifetimeSeconds: 86400 * 7 + 1200 // 1 week + 20 minutes margin
 };

package/src/auth/utils.ts

@@ -1,5 +1,9 @@
 import { AuthorizationError, ErrorCode } from '@powersync/lib-services-framework';
 import * as jose from 'jose';
+import * as urijs from 'uri-js';
+import * as uuid from 'uuid';
+import { KeySpec } from './KeySpec.js';
+import { KeyStore } from './KeyStore.js';
 
 export function mapJoseError(error: jose.errors.JOSEError, token: string): AuthorizationError {
   const tokenDetails = tokenDebugDetails(token);
@@ -61,15 +65,28 @@ export function mapAuthConfigError(error: any): AuthorizationError {
  * We use this to add details to our logs. We don't log the entire token, since it may for example
  * a password incorrectly used as a token.
  */
-function tokenDebugDetails(token: string): string {
+export function tokenDebugDetails(token: string): string {
+  return parseTokenDebug(token).description;
+}
+
+function parseTokenDebug(token: string) {
   try {
     // For valid tokens, we return the header and payload
     const header = jose.decodeProtectedHeader(token);
     const payload = jose.decodeJwt(token);
-    return `<header: ${JSON.stringify(header)} payload: ${JSON.stringify(payload)}>`;
+    const isSupabase = typeof payload.iss == 'string' && payload.iss.includes('supabase.co');
+    const isSharedSecret = isSupabase && header.alg === 'HS256';
+
+    return {
+      header,
+      payload,
+      isSupabase,
+      isSharedSecret: isSharedSecret,
+      description: `<header: ${JSON.stringify(header)} payload: ${JSON.stringify(payload)}>`
+    };
   } catch (e) {
     // Token fails to parse. Return some details.
-    return invalidTokenDetails(token);
+    return { description: invalidTokenDetails(token) };
   }
 }
 
@@ -100,3 +117,106 @@ function invalidTokenDetails(token: string): string {
 
   return `<invalid JWT, length=${token.length}>`;
 }
+
+export interface SupabaseAuthDetails {
+  projectId: string;
+  url: string;
+  hostname: string;
+}
+
+export function getSupabaseJwksUrl(connection: any): SupabaseAuthDetails | null {
+  if (connection == null) {
+    return null;
+  } else if (connection.type != 'postgresql') {
+    return null;
+  }
+
+  let hostname: string | undefined = connection.hostname;
+  if (hostname == null && typeof connection.uri == 'string') {
+    hostname = urijs.parse(connection.uri).host;
+  }
+  if (hostname == null) {
+    return null;
+  }
+
+  const match = /db.(\w+).supabase.co/.exec(hostname);
+  if (match == null) {
+    return null;
+  }
+  const projectId = match[1];
+
+  return { projectId, hostname, url: `https://${projectId}.supabase.co/auth/v1/.well-known/jwks.json` };
+}
+
+export function debugKeyNotFound(
+  keyStore: KeyStore,
+  keys: KeySpec[],
+  token: string
+): { configurationDetails: string; tokenDetails: string } {
+  const knownKeys = keys.map((key) => key.description).join(', ');
+  const td = parseTokenDebug(token);
+  const tokenDetails = td.description;
+  const configuredSupabase = keyStore.supabaseAuthDebug;
+
+  // Cases to check:
+  // 1. Is Supabase token, but supabase auth not enabled.
+  // 2. Is Supabase HS256 token, but no secret configured.
+  // 3. Is Supabase singing key token, but no Supabase signing keys configured.
+  // 4. Supabase project id mismatch.
+
+  if (td.isSharedSecret) {
+    // Supabase HS256 token
+    // UUID: HS256 (Shared Secret)
+    // Other: Legacy HS256 (Shared Secret)
+    // Not a big difference between the two other than terminology used on Supabase.
+    const isLegacy = uuid.validate(td.header.kid) ? false : true;
+    const addMessage =
+      configuredSupabase.jwksEnabled && !isLegacy
+        ? ' Use asymmetric keys on Supabase (RSA or ECC) to allow automatic key retrieval.'
+        : '';
+    if (!configuredSupabase.sharedSecretEnabled) {
+      return {
+        configurationDetails: `Token is a Supabase ${isLegacy ? 'Legacy ' : ''}HS256 (Shared Secret) token, but Supabase JWT secret is not configured.${addMessage}`,
+        tokenDetails
+      };
+    } else {
+      return {
+        // This is an educated guess
+        configurationDetails: `Token is a Supabase ${isLegacy ? 'Legacy ' : ''}HS256 (Shared Secret) token, but configured Supabase JWT secret does not match.${addMessage}`,
+        tokenDetails
+      };
+    }
+  } else if (td.isSupabase) {
+    // Supabase JWT Signing Keys
+    if (!configuredSupabase.jwksEnabled) {
+      if (configuredSupabase.jwksDetails != null) {
+        return {
+          configurationDetails: `Token uses Supabase JWT Signing Keys, but Supabase Auth is not enabled`,
+          tokenDetails
+        };
+      } else {
+        return {
+          configurationDetails: `Token uses Supabase JWT Signing Keys, but no Supabase connection is configured`,
+          tokenDetails
+        };
+      }
+    } else if (configuredSupabase.jwksDetails != null) {
+      const configuredProjectId = configuredSupabase.jwksDetails.projectId;
+      const issuer = td.payload.iss as string; // Is a string since since isSupabase is true
+      if (!issuer.includes(configuredProjectId)) {
+        return {
+          configurationDetails: `Supabase project id mismatch. Expected project: ${configuredProjectId}, got issuer: ${issuer}`,
+          tokenDetails
+        };
+      } else {
+        // Project id matches, but no matching keys found
+        return {
+          configurationDetails: `Supabase signing keys configured, but no matching keys found. Known keys: ${knownKeys}`,
+          tokenDetails
+        };
+      }
+    }
+  }
+
+  return { configurationDetails: `Known keys: ${knownKeys}`, tokenDetails: tokenDebugDetails(token) };
+}

package/src/entry/commands/compact-action.ts

@@ -59,7 +59,15 @@ export function registerCompactAction(program: Command) {
         return;
       }
       logger.info('Performing compaction...');
-      await active.compact({ memoryLimitMB: COMPACT_MEMORY_LIMIT_MB, compactBuckets: buckets });
+      if (buckets != null) {
+        await active.compact({
+          memoryLimitMB: COMPACT_MEMORY_LIMIT_MB,
+          compactBuckets: buckets,
+          compactParameterData: false
+        });
+      } else {
+        await active.compact({ memoryLimitMB: COMPACT_MEMORY_LIMIT_MB, compactParameterData: true });
+      }
       logger.info('Successfully compacted storage.');
     } catch (e) {
       logger.error(`Failed to compact: ${e.toString()}`);

package/src/metrics/open-telemetry/util.ts

@@ -7,6 +7,8 @@ import { OpenTelemetryMetricsFactory } from './OpenTelemetryMetricsFactory.js';
 import { MetricsFactory } from '../metrics-interfaces.js';
 import { logger } from '@powersync/lib-services-framework';
 
+import pkg from '../../../package.json' with { type: 'json' };
+
 export interface RuntimeMetadata {
   [key: string]: string | number | undefined;
 }
@@ -61,7 +63,8 @@ export function createOpenTelemetryMetricsFactory(context: ServiceContext): Metr
   const meterProvider = new MeterProvider({
     resource: new Resource(
       {
-        ['service']: 'PowerSync'
+        ['service']: 'PowerSync',
+        ['service.version']: pkg.version
       },
       runtimeMetadata
     ),

package/src/replication/AbstractReplicator.ts

@@ -10,8 +10,8 @@ import { AbstractReplicationJob } from './AbstractReplicationJob.js';
 import { ErrorRateLimiter } from './ErrorRateLimiter.js';
 import { ConnectionTestResult } from './ReplicationModule.js';
 
-// 5 minutes
-const PING_INTERVAL = 1_000_000_000n * 300n;
+// 1 minute
+const PING_INTERVAL = 1_000_000_000n * 60n;
 
 export interface CreateJobOptions {
   lock: storage.ReplicationLock;

package/src/routes/auth.ts

@@ -1,10 +1,7 @@
-import * as jose from 'jose';
-
+import { AuthorizationError, AuthorizationResponse, ErrorCode } from '@powersync/lib-services-framework';
 import * as auth from '../auth/auth-index.js';
 import { ServiceContext } from '../system/ServiceContext.js';
-import * as util from '../util/util-index.js';
 import { BasicRouterRequest, Context, RequestEndpointHandlerPayload } from './router.js';
-import { AuthorizationError, AuthorizationResponse, ErrorCode, ServiceError } from '@powersync/lib-services-framework';
 
 export function endpoint(req: BasicRouterRequest) {
   const protocol = req.headers['x-forwarded-proto'] ?? req.protocol;
@@ -12,81 +9,6 @@ export function endpoint(req: BasicRouterRequest) {
   return `${protocol}://${host}`;
 }
 
-function devAudience(req: BasicRouterRequest): string {
-  return `${endpoint(req)}/dev`;
-}
-
-/**
- * @deprecated
- *
- * Will be replaced by temporary tokens issued by PowerSync Management service.
- */
-export async function issueDevToken(req: BasicRouterRequest, user_id: string, config: util.ResolvedPowerSyncConfig) {
-  const iss = devAudience(req);
-  const aud = devAudience(req);
-
-  const key = config.dev.dev_key;
-  if (key == null) {
-    throw new Error('Auth disabled');
-  }
-
-  return await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('30d')
-    .sign(key.key);
-}
-
-/** @deprecated */
-export async function issueLegacyDevToken(
-  req: BasicRouterRequest,
-  user_id: string,
-  config: util.ResolvedPowerSyncConfig
-) {
-  const iss = devAudience(req);
-  const aud = config.jwt_audiences[0];
-
-  const key = config.dev.dev_key;
-  if (key == null || aud == null) {
-    throw new Error('Auth disabled');
-  }
-
-  return await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('60m')
-    .sign(key.key);
-}
-
-export async function issuePowerSyncToken(
-  req: BasicRouterRequest,
-  user_id: string,
-  config: util.ResolvedPowerSyncConfig
-) {
-  const iss = devAudience(req);
-  const aud = config.jwt_audiences[0];
-  const key = config.dev.dev_key;
-  if (key == null || aud == null) {
-    throw new Error('Auth disabled');
-  }
-
-  const jwt = await new jose.SignJWT({})
-    .setProtectedHeader({ alg: key.source.alg!, kid: key.kid })
-    .setSubject(user_id)
-    .setIssuedAt()
-    .setIssuer(iss)
-    .setAudience(aud)
-    .setExpirationTime('5m')
-    .sign(key.key);
-  return jwt;
-}
-
 export function getTokenFromHeader(authHeader: string = ''): string | null {
   const tokenMatch = /^(Token|Bearer) (\S+)$/.exec(authHeader);
   if (!tokenMatch) {
@@ -146,51 +68,6 @@ export async function generateContext(serviceContext: ServiceContext, token: str
   }
 }
 
-/**
- * @deprecated
- */
-export const authDevUser = async (payload: RequestEndpointHandlerPayload) => {
-  const {
-    context: {
-      service_context: { configuration }
-    }
-  } = payload;
-
-  const token = getTokenFromHeader(payload.request.headers.authorization as string);
-  if (!configuration.dev.demo_auth) {
-    return {
-      authorized: false,
-      errors: ['Authentication disabled']
-    };
-  }
-  if (token == null) {
-    return {
-      authorized: false,
-      errors: ['Authentication required']
-    };
-  }
-
-  // Different from the configured audience.
-  // Should also not be changed by keys
-  const audience = [devAudience(payload.request)];
-
-  let tokenPayload: auth.JwtPayload;
-  try {
-    tokenPayload = await configuration.dev_client_keystore.verifyJwt(token, {
-      defaultAudiences: audience,
-      maxAge: '31d'
-    });
-  } catch (err) {
-    return {
-      authorized: false,
-      errors: [err.message]
-    };
-  }
-
-  payload.context.user_id = tokenPayload.sub;
-  return { authorized: true };
-};
-
 export const authApi = (payload: RequestEndpointHandlerPayload) => {
   const {
     context: {

package/src/routes/configure-fastify.ts

@@ -1,7 +1,7 @@
 import type fastify from 'fastify';
 import * as uuid from 'uuid';
 
-import { registerFastifyRoutes } from './route-register.js';
+import { registerFastifyNotFoundHandler, registerFastifyRoutes } from './route-register.js';
 
 import * as system from '../system/system-index.js';
 
@@ -76,6 +76,8 @@ export function configureFastifyServer(server: fastify.FastifyInstance, options:
    */
   server.register(async function (childContext) {
     registerFastifyRoutes(childContext, generateContext, routes.api?.routes ?? DEFAULT_ROUTE_OPTIONS.api.routes);
+    registerFastifyNotFoundHandler(childContext);
+
     // Limit the active concurrent requests
     childContext.addHook(
       'onRequest',

package/src/routes/endpoints/socket-route.ts

@@ -1,6 +1,5 @@
 import { ErrorCode, errors, schema } from '@powersync/lib-services-framework';
 import { RequestParameters } from '@powersync/service-sync-rules';
-import { serialize } from 'bson';
 
 import * as sync from '../../sync/sync-index.js';
 import * as util from '../../util/util-index.js';
@@ -110,16 +109,11 @@ export const syncStreamReactive: SocketRouteGenerator = (router) =>
             break;
           }
           if (data == null) {
-            // Empty value just to flush iterator memory
             continue;
-          } else if (typeof data == 'string') {
-            // Should not happen with binary_data: true
-            throw new Error(`Unexpected string data: ${data}`);
           }
 
           {
-            // On NodeJS, serialize always returns a Buffer
-            const serialized = serialize(data) as Buffer;
+            const serialized = sync.syncLineToBson(data);
             responder.onNext({ data: serialized }, false);
             requestedN--;
             tracker.addDataSynced(serialized.length);