feat: validate supabase direct connections

Author: Xetera

src/server/http.ts

@@ -22,11 +22,24 @@ async function onSync(req: Request) {
   try {
     body = SyncRequest.parse(JSON.parse(bodyString));
   } catch (e: unknown) {
-    console.log(e);
     if (e instanceof ZodError) {
-      return new Response(e.message, { status: 400 });
+      return Response.json(
+        {
+          kind: "error",
+          type: "invalid_body",
+          error: e.issues.map((issue) => issue.message).join("\n"),
+        },
+        { status: 400 }
+      );
     }
-    return new Response("Invalid body", { status: 400 });
+    return Response.json(
+      {
+        kind: "error",
+        type: "unknown_error",
+        error: String(e),
+      },
+      { status: 400 }
+    );
   }
   const { seed, schema, requiredRows, maxRows } = body;
   const span = trace.getActiveSpan();
@@ -45,21 +58,21 @@ async function onSync(req: Request) {
   span?.setAttribute("requiredRows", requiredRows);
   span?.setAttribute("db.host", url.hostname);
   let dbUrl: URL;
-  try {
-    dbUrl = new URL(body.db);
-  } catch (e: unknown) {
-    span?.setStatus({ code: SpanStatusCode.ERROR, message: "invalid_db_url" });
-    if (e instanceof Error) {
-      return Response.json(
-        { kind: "error", type: "invalid_db_url", error: e.message },
-        { status: 400 }
-      );
-    }
-    return new Response("Invalid db url", { status: 400 });
-  }
+  // try {
+  //   dbUrl = new URL(body.db);
+  // } catch (e: unknown) {
+  //   span?.setStatus({ code: SpanStatusCode.ERROR, message: "invalid_db_url" });
+  //   if (e instanceof Error) {
+  //     return Response.json(
+  //       { kind: "error", type: "invalid_db_url", error: e.message },
+  //       { status: 400 }
+  //     );
+  //   }
+  //   return new Response("Invalid db url", { status: 400 });
+  // }
   let result: SyncResult;
   try {
-    result = await syncer.syncWithUrl(dbUrl, schema, {
+    result = await syncer.syncWithUrl(body.db, schema, {
       requiredRows,
       maxRows,
       seed,

src/server/sync.dto.ts

@@ -1,15 +1,8 @@
 import { z } from "zod/v4";
+import { Connectable } from "../sync/connectable.ts";
 
 export const SyncRequest = z.object({
-  // We shouldn't be doing separate validations on both the front end and here? Should probably consolidate
-  db: z
-    .string()
-    .refine(
-      (val) => val.startsWith("postgres://") || val.startsWith("postgresql://"),
-      {
-        message: "Must start with 'postgres://' or 'postgresql://'",
-      }
-    ),
+  db: z.string().transform(Connectable.transform),
   seed: z.coerce.number().min(0).max(1).default(0),
   schema: z.coerce.string().default("public"),
   requiredRows: z.coerce.number().positive().default(2),

src/sync/syncer.ts

@@ -13,7 +13,7 @@ import {
 import { PostgresSchemaLink } from "./schema.ts";
 import { withSpan } from "../otel.ts";
 import { SpanStatusCode } from "@opentelemetry/api";
-import { env } from "../env.ts";
+import { Connectable } from "./connectable.ts";
 
 type SyncOptions = DependencyAnalyzerOptions;
 
@@ -72,29 +72,11 @@ export class PostgresSyncer {
   constructor() {}
 
   async syncWithUrl(
-    url: URL,
+    connectable: Connectable,
     schemaName: string,
     options: SyncOptions
   ): Promise<SyncResult> {
-    // we don't want to allow localhost access for hosted sync instances
-    // to prevent users from connecting to our hosted db
-    // (even though all our dbs should should be password protected)
-    const isLocalhost =
-      url.hostname === "localhost" ||
-      // ipv4 localhost
-      /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(url.hostname) ||
-      // ipv6 localhost
-      url.hostname === "[::1]";
-    if (isLocalhost && env.HOSTED) {
-      return {
-        kind: "error",
-        type: "postgres_connection_error",
-        error: new Error(
-          "Syncing to localhost is not allowed. Run the sync server locally to access your local database"
-        ),
-      };
-    }
-    const urlString = url.toString();
+    const urlString = connectable.toString();
     let sql = this.connections.get(urlString);
     if (!sql) {
       sql = postgres(urlString);