Description
What was unclear or otherwise insufficient?
I am using nestjs with nestjs/typeorm, obviously in combination with typeorm itself. The API is hosted on an AWS cluster and it has to connect to a document db. From AWS we get the rds-combined-ca-bundle.pem, which has to be used to securely connect to the database using TLS/SSL.
@nestjs/typeorm 10.0.2
typeorm 0.3.20
Up front, these are the settings I have to use to make it work:
```ts
import { ConfigModule, ConfigService } from '@nestjs/config';
import { TypeOrmModule } from '@nestjs/typeorm';

TypeOrmModule.forRootAsync({
  imports: [ConfigModule],
  inject: [ConfigService],
  useFactory: (config: ConfigService) => ({
    // ... your host, port, database, etc.
    tls: 'true' === config.get('DATABASE_SSL', 'false').toLowerCase(),
    sslValidate: 'true' === config.get('DATABASE_SSL_VALIDATE', 'false').toLowerCase(),
    checkServerIdentity:
      'true' === config.get('DATABASE_SSL_CHECK_IDENTITY', 'false').toLowerCase()
        ? (host, cert) => {
            // your logic here; Node's tls expects undefined on success and an Error on failure
            return undefined;
          }
        : undefined,
    sslCA: __dirname + '/shared/assets/rds-combined-ca-bundle.pem', // Or your file path
  }),
})
```
And here is the confusing part:
I have to set tls to true, which doesn't actually exist on the type "TypeOrmModuleOptions", instead of ssl, as that is what is used here: https://github.com/typeorm/typeorm/blob/master/src/driver/mongodb/MongoDriver.ts in the second-to-last function to configure the db connector URL with "tls=true".
But as you can see above, the other parameters are not tlsValidate, tlsCaFile or anything with tls in front, but sslValidate and sslCA. It has to be like this because validOptionNames, in line 157 of the MongoDriver, also has no tls option. So when the options get mapped in the last function of that file, all the options starting with "tls" get filtered out. Yet when you use the ssl options, on some of them it tells you they are deprecated and that you should use the tls ones.
Recommended Fix
There can be different ways to fix this IMO.
I would suggest, for now, as long as the new values starting with "tls" don't work yet, not suggesting them in the deprecation message. Also, as long as there are ssl attributes (especially as long as they, and not the tls ones, are configured in the type interface), the MongoDriver should also add "tls=true", or whatever is needed for ssl, to the db connector URL when "ssl" is set to true in the options, not just tls.
Because this way it was so counterintuitive, with the wrong deprecation suggestion, tls needing to be active while the options for it have to be ssl options, and the "tls" option not even being in the type.
Additional Context
No response
Are you willing to resolve this issue by submitting a Pull Request?
No, I don’t have the time and I’m okay to wait for the community / maintainers to resolve this issue.
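A startup check for the mismatch described in this issue, as an added example that is not the reporter's or TypeORM's code. It models the behaviour reported above for typeorm 0.3.20; `auditMongoTlsOptions`, the option types and the probe host and certificate are hypothetical names and constructed values.

```typescript
// Added example, not TypeORM code. Behaviour modelled from the issue text:
// only `tls` turns TLS on in the connection URL, and every other tls-prefixed
// option name is filtered out before it reaches the MongoDB driver.
type IdentityCheck = (host: string, cert: { subject: { CN: string } }) => unknown;

interface MongoTlsOptions {
  [key: string]: unknown;
  tls?: boolean;
  ssl?: boolean;
  sslValidate?: boolean;
  sslCA?: string;
  checkServerIdentity?: IdentityCheck;
}

function auditMongoTlsOptions(opts: MongoTlsOptions): string[] {
  const findings: string[] = [];

  if (opts.ssl === true && opts.tls !== true) {
    findings.push("ssl=true without tls=true: TLS is not enabled on the connection URL");
  }
  for (const key of Object.keys(opts)) {
    // Assumption from the issue: tls* names other than `tls` never reach the driver.
    if (key.startsWith("tls") && key !== "tls") {
      findings.push(`${key} is silently dropped; use the ssl-prefixed name instead`);
    }
  }
  if (opts.tls === true) {
    if (opts.sslValidate !== true) {
      findings.push("sslValidate is not true: the server certificate is not validated");
    }
    if (!opts.sslCA) {
      findings.push("sslCA is not set: no CA bundle is supplied for validation");
    }
    if (opts.checkServerIdentity) {
      // Node's tls contract: return undefined to accept, an Error to reject.
      // Probe with a constructed host/certificate pair that must not match.
      const verdict = opts.checkServerIdentity("db.example.internal", {
        subject: { CN: "unrelated.invalid" },
      });
      if (!(verdict instanceof Error)) {
        findings.push("checkServerIdentity did not reject a mismatched certificate with an Error");
      }
    }
  }
  return findings;
}
```

Run it on the object returned by `useFactory` and fail startup when the list is non-empty, so a dropped or disabled setting surfaces before the first connection.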