fix: raise connection string error early on request processing

Author: avallete

src/server/routes/index.ts

@@ -26,24 +26,39 @@ import { PG_CONNECTION, CRYPTO_KEY } from '../constants.js'
 export default async (fastify: FastifyInstance) => {
   // Adds a "pg" object to the request if it doesn't exist
   fastify.addHook('onRequest', (request, _reply, done) => {
-    // Node converts headers to lowercase
-    const encryptedHeader = request.headers['x-connection-encrypted']?.toString()
-    if (encryptedHeader) {
+    try {
+      // Node converts headers to lowercase
+      const encryptedHeader = request.headers['x-connection-encrypted']?.toString()
+      if (encryptedHeader) {
+        try {
+          request.headers.pg = CryptoJS.AES.decrypt(encryptedHeader, CRYPTO_KEY)
+            .toString(CryptoJS.enc.Utf8)
+            .trim()
+        } catch (e: any) {
+          request.log.warn({
+            message: 'failed to parse encrypted connstring',
+            error: e.toString(),
+          })
+          throw new Error('failed to process upstream connection details')
+        }
+      } else {
+        request.headers.pg = PG_CONNECTION
+      }
+      if (!request.headers.pg) {
+        request.log.error({ message: 'failed to get connection string' })
+        throw new Error('failed to get upstream connection details')
+      }
+      // Ensure the resulting connection string is a valid URL
       try {
-        request.headers.pg = CryptoJS.AES.decrypt(encryptedHeader, CRYPTO_KEY).toString(
-          CryptoJS.enc.Utf8
-        )
-      } catch (e: any) {
-        request.log.warn({
-          message: 'failed to parse encrypted connstring',
-          error: e.toString(),
-        })
+        new URL(request.headers.pg)
+      } catch (error) {
+        request.log.error({ message: 'pg connection string is invalid url' })
         throw new Error('failed to process upstream connection details')
       }
-    } else {
-      request.headers.pg = PG_CONNECTION
+      done()
+    } catch (err) {
+      return done(err as Error)
     }
-    done()
   })
 
   fastify.register(ColumnPrivilegesRoute, { prefix: '/column-privileges' })

test/server/ssl.ts

@@ -82,9 +82,10 @@ test('query with invalid space empty encrypted connection string', async () => {
     },
     payload: { query: 'select 1;' },
   })
+  expect(res.statusCode).toBe(500)
   expect(res.json()).toMatchInlineSnapshot(`
     {
-      "error": "Invalid URL",
+      "error": "failed to get upstream connection details",
     }
   `)
 })
@@ -98,10 +99,10 @@ test('query with invalid empty encrypted connection string', async () => {
     },
     payload: { query: 'select 1;' },
   })
+  expect(res.statusCode).toBe(500)
   expect(res.json()).toMatchInlineSnapshot(`
     {
-      "error": "SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a string",
-      "message": "SASL: SCRAM-SERVER-FIRST-MESSAGE: client password must be a string",
+      "error": "failed to get upstream connection details",
     }
   `)
 })
@@ -118,9 +119,10 @@ test('query with missing host connection string encrypted connection string', as
     },
     payload: { query: 'select 1;' },
   })
+  expect(res.statusCode).toBe(500)
   expect(res.json()).toMatchInlineSnapshot(`
     {
-      "error": "Invalid URL",
+      "error": "failed to process upstream connection details",
     }
   `)
 })