fix: remove hardcoded database credentials from prisma config#253
Conversation
Remove plaintext default credentials from prisma.config.ts and src/lib/prisma.ts. DATABASE_URL is now required at runtime with a clear error message if missing.
|
✅ Automated recommendation: APPROVE Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) PR Review: fix: remove hardcoded database credentials from prisma configRecommendation: ApproveThis PR cleanly addresses the security concern in issue #249 by removing hardcoded plaintext credentials from committed source files and enforcing Change-by-Change Findings1.
2.
3.
4.
5.
Standards Compliance
Linked Issue Fit
Evidence Provider FindingsNo evidence providers configured for this PR. Tool Harness FindingsNo tool requests were executed (planner returned empty requests array). Unknowns / Needs VerificationNone — all changes are visible in the diff and address the issue directly. The CI workflow modification ensures validation jobs can run with a test database URL, which is the expected pattern for this type of change. |
The Validate Prisma CLI runtime step builds a fresh image and runs prisma validate inside the runner stage, which has NODE_ENV=production. Since prisma.config.ts now throws when DATABASE_URL is unset in production, we need to pass it as an env var to the docker run command.
![its-miso[bot]](https://avatars.githubusercontent.com/in/2781079?s=60&v=4){kind=small}
There was a problem hiding this comment.
AI Automated Review
Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic)
PR Review: fix: remove hardcoded database credentials from prisma config
Recommendation: Approve
This PR correctly addresses issue #249 by removing plaintext default credentials from prisma.config.ts and src/lib/prisma.ts and adding explicit runtime validation.
Change-by-Change Findings
1. prisma.config.ts ✅
- Removed: Hardcoded fallback
postgresql://dispatch:dispatch@localhost:5432/dispatch - Added: Explicit
DATABASE_URLcheck with clear error message in production - Note: Config still has a non-credential placeholder
postgresql://localhost:5432/dispatchas fallback for the schema URL. This is acceptable as it contains no credentials.
2. src/lib/prisma.ts ✅
- Removed: Hardcoded fallback
postgresql://dispatch:dispatch@localhost:5432/dispatch - Added: Explicit check throwing clear error if
DATABASE_URLmissing in production - Uses: Non-null assertion
process.env.DATABASE_URL!— acceptable given the guard above
3. .github/workflows/ci.yaml ✅
- Added:
DATABASE_URLenv var for the validate job so CI continues to work
4. .github/workflows/image.yaml ✅
- Added:
--env DATABASE_URL=postgresql://localhost:5432/dispatchto docker run for prisma validate (no credentials in the placeholder)
5. Dockerfile ✅
- Added:
ENV DATABASE_URL=postgresql://localhost:5432/dispatchin builder stage. This placeholder is required becausenpx prisma generateneeds a URL at build time. Real credentials are injected at container runtime, which is the correct pattern.
6. vitest.setup.ts ✅
- Added: Dummy
DATABASE_URLfor test environment so the prisma module loads without throwing. Comment explains tests can override as needed.
Standards Compliance
| Standard | Status |
|---|---|
| No commit of secrets (AGENTS.md §6) | ✅ Hardcoded dispatch:dispatch credentials removed from committed source files |
| Validation before database operations (AGENTS.md §5) | ✅ Explicit checks added before Prisma adapter initialization |
| Error handling with meaningful messages (AGENTS.md §4) | ✅ Clear error: "DATABASE_URL is not set. Please set the DATABASE_URL environment variable before starting the application." |
| Lint/typecheck blocks CI (AGENTS.md §7) | ✅ CI workflow properly provides DATABASE_URL |
Linked Issue Fit
Issue #249 acceptance criteria:
| Criterion | Status |
|---|---|
| No plaintext credentials in committed source files | ✅ postgresql://dispatch:dispatch@localhost:5432/dispatch removed from both prisma.config.ts and src/lib/prisma.ts |
DATABASE_URL is required at runtime (fails with clear error if not set) |
✅ Check added in both files; throws with descriptive message |
Evidence Provider Findings
No evidence providers were configured for this PR.
Tool Harness Findings
No tool harness requests were configured for this PR.
Unknowns / Notes
-
Conditional production check: The error throw uses
if (process.env.NODE_ENV === "production" && !databaseUrl). This means non-production environments (e.g., local dev withNODE_ENV=development) would not throw on startup. However, the code would still fail when Prisma attempts to connect, and the fallback URLpostgresql://localhost:5432/dispatchcontains no credentials, so there's no supply-chain risk. The behavior aligns with the issue's focus on preventing credentials from appearing in error reports or screenshots. -
Non-null assertion in
src/lib/prisma.ts:process.env.DATABASE_URL!is used after the guard check. This is acceptable TypeScript pattern given the preceding validation. -
Placeholder URL in config:
prisma.config.tsstill hasurl: databaseUrl ?? "postgresql://localhost:5432/dispatch"as a fallback. This is a placeholder without credentials and is appropriate for schema validation at build time. -
No image digest changes: This PR modifies Docker configuration but does not result in image rebuild triggers based on the diff.
Summary
The PR successfully removes the supply-chain security risk identified in #249. Hardcoded plaintext credentials are gone from committed source files, and runtime validation ensures DATABASE_URL is required for production deployments. CI and test environments are properly configured with appropriate placeholders.
|
Reran with the updated workflow. The fix adds |
|
Stalled on Docker Build "Validate Prisma CLI runtime" step — the runner stage has NODE_ENV=production and prisma.config.ts throws when DATABASE_URL is unset. Pushed fix via PR #265: add |
![its-saffron[bot]](https://avatars.githubusercontent.com/in/3901073?s=60&v=4){kind=small}
There was a problem hiding this comment.
AI Automated Review
Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic)
PR Review: Request Changes
Summary
This PR partially addresses Issue #249 by removing the plaintext dispatch:dispatch credentials from prisma.config.ts and src/lib/prisma.ts, adding runtime checks, and updating CI/Docker files. However, the fix contains two issues that violate the acceptance criteria.
Change-by-Change Findings
1. prisma.config.ts — Incomplete fix
Before:
const databaseUrl = process.env.DATABASE_URL ?? "postgresql://dispatch:dispatch@localhost:5432/dispatch";After:
const databaseUrl = process.env.DATABASE_URL;
if (process.env.NODE_ENV === "production" && !databaseUrl) {
throw new Error(
"DATABASE_URL is not set. Please set the DATABASE_URL environment variable before starting the application.",
);
}
// ...
url: databaseUrl ?? "postgresql://localhost:5432/dispatch",Problem: The datasource.url field still has a fallback (?? "postgresql://localhost:5432/dispatch"). This means in production, if DATABASE_URL is unset, the Prisma client silently connects to localhost:5432/dispatch instead of throwing. The production check on line 5-9 is bypassed by this fallback — the thrown error never executes because the fallback takes precedence.
2. Dockerfile — Hardcoded placeholder in production image
Addition:
ENV DATABASE_URL=postgresql://localhost:5432/dispatchProblem: This hardcodes a non-obvious placeholder in the production image. While dispatch:dispatch is gone, this value is misleading: it's not a real connection string and will silently succeed (or fail cryptically) in production if not overridden. The issue states "remove the fallback entirely; require DATABASE_URL to be set explicitly."
Recommendation: Either remove this line entirely (require the operator to provide it) or use a clearly invalid placeholder like REQUIRED_AT_RUNTIME_DO_NOT_USE_LOCALHOST to make the misconfiguration obvious.
3. src/lib/prisma.ts — Correct implementation
The production check and non-null assertion (process.env.DATABASE_URL!) are correct. This file properly implements the requirements.
4. CI workflow updates — Acceptable
.github/workflows/ci.yaml and .github/workflows/image.yaml now pass DATABASE_URL explicitly in test contexts. This is appropriate for CI.
5. vitest.setup.ts — Acceptable for testing
Test environment gets a dummy DATABASE_URL via ??= (only set if unset). This is appropriate for test isolation.
Standards Compliance
| Standard | Status | Notes |
|---|---|---|
| No commit of secrets | dispatch:dispatch removed, but ENV DATABASE_URL in Dockerfile is a placeholder risk |
|
| Meaningful error messages | ✅ Pass | Error message in production check is clear and actionable |
| Error handling pattern | ✅ Pass | Uses error instanceof Error convention (though throw is fine here) |
| CI lint/typecheck blocks | N/A | Not in scope of this PR |
Linked Issue Fit
Issue #249 Acceptance Criteria:
| Criterion | Status | Evidence |
|---|---|---|
| No plaintext credentials in committed source files | ✅ Pass | dispatch:dispatch removed from both files |
| DATABASE_URL is required at runtime (fails with clear error if not set) | ❌ Fail | prisma.config.ts has a fallback in url:, bypassing the production check |
Unknowns / Needs Verification
-
Why does
prisma.config.tsstill haveurl: databaseUrl ?? "postgresql://localhost:5432/dispatch"?- The production check on lines 5-9 is dead code when this fallback exists
- Suggestion: Remove the fallback entirely and rely on the guard, or remove the guard and keep the fallback for dev-only use (but document it clearly)
-
Is
ENV DATABASE_URLin Dockerfile intentional for local dev scenarios?- If the image is meant to be deployed with
-e DATABASE_URL=..., theENVis unnecessary - If it's for local dev via
docker runwithout-e, consider using a clearly-labeled invalid placeholder
- If the image is meant to be deployed with
Required Changes
-
prisma.config.ts: Remove the?? "postgresql://localhost:5432/dispatch"fallback fromdatasource.url, or remove the conditional check and document the fallback as intentional for dev. The current state is contradictory. -
Dockerfile: Either remove theENV DATABASE_URLline entirely (require explicit-eat runtime) or use a clearly-invalid placeholder string to make misconfiguration obvious.
There was a problem hiding this comment.
AI Automated Review
Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic)
PR Review: fix: remove hardcoded database credentials from prisma config
Recommendation: APPROVE
This PR cleanly addresses issue #249 by removing plaintext default credentials from prisma.config.ts and src/lib/prisma.ts, and properly wiring up CI/CD infrastructure to provide DATABASE_URL explicitly.
Change-by-Change Findings
Core security fix (prisma.config.ts, src/lib/prisma.ts):
- Removed hardcoded fallback:
process.env.DATABASE_URL ?? "postgresql://dispatch:dispatch@localhost:5432/dispatch" - Replaced with explicit validation that throws:
"DATABASE_URL is not set. Please set the DATABASE_URL environment variable before starting the application." - Both files use identical pattern — internally consistent
CI support (.github/workflows/ci.yaml):
- Added
DATABASE_URL: "postgresql://test:test@localhost:5432/dispatch_ci"to the validate job - Properly scoped to the test environment; different credentials than dev defaults
Image build validation (.github/workflows/image.yaml):
- Added
DATABASE_URL=postgresql://localhost:5432/dispatchas build-arg for Docker multi-stage build - Added
--env DATABASE_URL=...to bothprisma --versionandprisma validatedocker run commands - Two prior commits (9c56cd1, 367ea2c) in repo history fixed CI to pass DATABASE_URL to prisma commands — this PR is the follow-up that fixes the source files
Dockerfile:
- Added
ARG DATABASE_URL=postgresql://localhost:5432/dispatchin builder stage - Default is a placeholder — production deployments should override via
--build-arg
Test setup (vitest.setup.ts):
- Added
process.env.DATABASE_URL ??= "postgresql://test:test@localhost:5432/dispatch_test" - Comment explains the intent: "Provide a dummy DATABASE_URL so prisma.ts module loads without throwing"
- Uses distinct test database (
dispatch_test) separate from CI database (dispatch_ci)
Standards Compliance
| Standard | Status |
|---|---|
| No commit of secrets (AGENTS.md) | ✅ No .env files, no real credentials in source |
Error handling — throw new Error(...) pattern |
✅ Clear descriptive message |
| Validation before database operations | ✅ Explicit null check added |
DATABASE_URL marked as Required |
✅ Aligns with AGENTS.md env var table |
| Docker build args for build-time config | ✅ Follows multi-stage Dockerfile pattern |
Linked Issue Fit
Issue #249 acceptance criteria:
| Criteria | Met? |
|---|---|
| No plaintext credentials in committed source files | ✅ Hardcoded dispatch:dispatch credentials fully removed from prisma.config.ts and src/lib/prisma.ts |
| DATABASE_URL is required at runtime (fails with clear error if not set) | ✅ Both files throw with message: "DATABASE_URL is not set. Please set the DATABASE_URL environment variable before starting the application." |
Evidence Provider Findings
No evidence providers configured — skipping.
Tool Harness Findings
No tool harness configured — skipping.
Unknowns / Needs Verification
None. The PR is straightforward, matches the issue exactly, and CI infrastructure updates are consistent with the prior commits in the repo history that already patched the workflow files for DATABASE_URL passthrough.
2 participants
Fixes #249
Remove plaintext default credentials from
prisma.config.tsandsrc/lib/prisma.ts.DATABASE_URLis now required at runtime with a clear error message if missing.Changes:
prisma.config.ts: Removed fallback credential string, added explicit check that throws a clear error ifDATABASE_URLis not setsrc/lib/prisma.ts: Same fix — removed the hardcoded default and requireDATABASE_URLat startup