|
1 | 1 | 'use strict' |
2 | 2 |
|
| 3 | +const { emitWarning } = require('node:process') |
| 4 | + |
3 | 5 | //Parse method copied from https://github.com/brianc/node-postgres |
4 | 6 | //Copyright (c) 2010-2014 Brian Carlson (brian.m.carlson@gmail.com) |
5 | 7 | //MIT License |
@@ -138,6 +140,9 @@ function parse(str, options = {}) { |
138 | 140 | case 'require': |
139 | 141 | case 'verify-ca': |
140 | 142 | case 'verify-full': { |
| 143 | + if (config.sslmode !== 'verify-full') { |
| 144 | + deprecatedSslModeWarning(config.sslmode) |
| 145 | + } |
141 | 146 | break |
142 | 147 | } |
143 | 148 | case 'no-verify': { |
@@ -206,6 +211,20 @@ function parseIntoClientConfig(str) { |
206 | 211 | return toClientConfig(parse(str)) |
207 | 212 | } |
208 | 213 |
|
| 214 | +function deprecatedSslModeWarning(sslmode) { |
| 215 | + if (!deprecatedSslModeWarning.warned) { |
| 216 | + deprecatedSslModeWarning.warned = true |
| 217 | + emitWarning(`SECURITY WARNING: The SSL modes 'prefer', 'require', and 'verify-ca' are treated as aliases for 'verify-full'. |
| 218 | +In the next major version (pg-connection-string v3.0.0 and pg v9.0.0), these modes will adopt standard libpq semantics, which have weaker security guarantees. |
| 219 | + |
| 220 | +To prepare for this change: |
| 221 | +- If you want the current behavior, explicitly use 'sslmode=verify-full' |
| 222 | +- If you want libpq compatibility now, use 'uselibpqcompat=true&sslmode=${sslmode}' |
| 223 | + |
| 224 | +See https://www.postgresql.org/docs/current/libpq-ssl.html for libpq SSL mode definitions.`) |
| 225 | + } |
| 226 | +} |
| 227 | + |
209 | 228 | module.exports = parse |
210 | 229 |
|
211 | 230 | parse.parse = parse |
|
0 commit comments