generalize certificate edge function

Author: jgoux

.vscode/settings.json

@@ -1,5 +1,20 @@
 {
   "deno.enablePaths": ["supabase/functions"],
   "deno.lint": true,
-  "deno.unstable": true
+  "deno.unstable": true,
+  "[javascript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[json]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[jsonc]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  },
+  "[typescriptreact]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  }
 }

apps/browser-proxy/Dockerfile

@@ -0,0 +1,13 @@
+FROM node:22-alpine
+
+WORKDIR /app
+
+COPY --link package.json ./
+COPY --link src/ ./src/
+
+RUN npm install
+
+EXPOSE 443
+EXPOSE 5432
+
+CMD ["node", "--experimental-strip-types", "src/index.ts"]

apps/browser-proxy/fly.toml

@@ -0,0 +1,24 @@
+app = "postgres-new-browser-proxy"
+
+primary_region = 'iad'
+
+[[services]]
+internal_port = 5432
+protocol = "tcp"
+[[services.ports]]
+port = 5432
+
+[[services]]
+internal_port = 443
+protocol = "tcp"
+[[services.ports]]
+port = 443
+
+[[restart]]
+policy = "always"
+retries = 10
+
+[[vm]]
+memory = '512mb'
+cpu_kind = 'shared'
+cpus = 1

supabase/functions/.env.example

@@ -0,0 +1,9 @@
+ACME_DIRECTORY_URL=https://acme-staging-v02.api.letsencrypt.org/directory
+ACME_DOMAIN=db.example.com
+ACME_EMAIL="<acme-email>"
+AWS_ACCESS_KEY_ID="<aws-access-key-id>"
+AWS_ENDPOINT_URL_S3=http://172.17.0.1:54321/storage/v1/s3
+AWS_S3_BUCKET=s3fs
+AWS_SECRET_ACCESS_KEY="<aws-secret-access-key>"
+AWS_REGION=local
+CLOUDFLARE_API_TOKEN="<cloudflare-api-token>"

supabase/functions/certificate/README.md

@@ -0,0 +1,48 @@
+# Certificate function
+
+This function manages the SSL certificates for the various services. The certificate is delivered by Let's Encrypt and stored in Supabase Storage under the `tls/<domain>` directory.
+
+When the certificate is about to expire (less than 30 days), the function will renew it.
+
+## Setup
+
+This function requires all these extensions to be enabled:
+
+- `pg_cron`
+- `pg_net`
+- `vault`
+
+The cron job relies on two secrets being present in Supabase Vault:
+
+```sql
+select vault.create_secret('<supabase_url>', 'supabase_url', 'Supabase API URL');
+select vault.create_secret(encode(gen_random_bytes(24), 'base64'), 'supabase_functions_certificate_secret', 'Shared secret to trigger the "certificate" Supabase Edge Function');
+```
+
+Now you can schedule a new weekly cron job with `pg_cron`:
+
+```sql
+select cron.schedule (
+  'certificates',
+  -- every Sunday at 00:00
+  '0 0 * * 0',
+  $$
+  -- certificate for the browser proxy
+  select net.http_post(
+    url:=(select supabase_url() || '/functions/v1/certificate'),
+    headers:=('{"Content-Type": "application/json", "Authorization": "Bearer ' || (select supabase_functions_certificate_secret()) || '"}')::jsonb,
+    body:='{"domainName": "db.browser.db.build"}'::jsonb
+  ) as request_id
+  $$
+);
+```
+
+If you immediately want a certificate, you can call the Edge Function manually:
+
+```sql
+select net.http_post(
+  url:=(select supabase_url() || '/functions/v1/certificate'),
+  headers:=('{"Content-Type": "application/json", "Authorization": "Bearer ' || (select supabase_functions_certificate_secret()) || '"}')::jsonb,
+  body:='{"domainName": "db.browser.db.build"}'::jsonb
+) as request_id;
+```

supabase/functions/certificate/env.ts

@@ -0,0 +1,16 @@
+import { z } from 'https://deno.land/x/[email protected]/mod.ts'
+
+export const env = z
+  .object({
+    ACME_DIRECTORY_URL: z.string(),
+    ACME_EMAIL: z.string(),
+    AWS_ACCESS_KEY_ID: z.string(),
+    AWS_ENDPOINT_URL_S3: z.string(),
+    AWS_S3_BUCKET: z.string(),
+    AWS_SECRET_ACCESS_KEY: z.string(),
+    AWS_REGION: z.string(),
+    CLOUDFLARE_API_TOKEN: z.string(),
+    SUPABASE_SERVICE_ROLE_KEY: z.string(),
+    SUPABASE_URL: z.string(),
+  })
+  .parse(Deno.env.toObject())

supabase/functions/certificate/index.ts

@@ -0,0 +1,155 @@
+import 'jsr:@supabase/functions-js/edge-runtime.d.ts'
+import { X509Certificate } from 'node:crypto'
+import { NoSuchKey, S3 } from 'npm:@aws-sdk/client-s3'
+import { createClient } from 'jsr:@supabase/supabase-js@2'
+import * as ACME from 'https://deno.land/x/[email protected]/acme.ts'
+import { env } from './env.ts'
+
+const supabaseClient = createClient(env.SUPABASE_URL, env.SUPABASE_SERVICE_ROLE_KEY)
+
+const s3Client = new S3({
+  forcePathStyle: true,
+})
+
+Deno.serve(async (req) => {
+  // Check if the request is authorized
+  if (!(await isAuthorized(req))) {
+    return Response.json(
+      {
+        status: 'error',
+        message: 'Unauthorized',
+      },
+      { status: 401 }
+    )
+  }
+
+  const { domainName } = await req.json()
+
+  if (!domainName) {
+    return Response.json(
+      {
+        status: 'error',
+        message: 'Domain name is required',
+      },
+      { status: 400 }
+    )
+  }
+
+  // Check if we need to renew the certificate
+  const certificate = await getObject('tls/cert.pem')
+  if (certificate) {
+    const { validTo } = new X509Certificate(certificate)
+    // if the validity is more than 30 days, no need to renew
+    const day = 24 * 60 * 60 * 1000
+    if (new Date(validTo) > new Date(Date.now() + 30 * day)) {
+      return new Response(null, { status: 304 })
+    }
+  }
+
+  // Load account keys if they exist
+  const [publicKey, privateKey] = await Promise.all([
+    getObject('tls/account/publicKey.pem'),
+    getObject('tls/account/privateKey.pem'),
+  ])
+  let accountKeys: { privateKeyPEM: string; publicKeyPEM: string } | undefined
+  if (publicKey && privateKey) {
+    accountKeys = {
+      privateKeyPEM: privateKey,
+      publicKeyPEM: publicKey,
+    }
+  }
+
+  const { domainCertificates, pemAccountKeys } = await ACME.getCertificatesWithCloudflare(
+    env.CLOUDFLARE_API_TOKEN,
+    [
+      {
+        domainName,
+        subdomains: ['*'],
+      },
+    ],
+    {
+      acmeDirectoryUrl: env.ACME_DIRECTORY_URL,
+      yourEmail: env.ACME_EMAIL,
+      pemAccountKeys: accountKeys,
+    }
+  )
+
+  const persistOperations = [
+    s3Client.putObject({
+      Bucket: env.AWS_S3_BUCKET,
+      Key: `tls/${domainName}/key.pem`,
+      Body: domainCertificates[0].pemPrivateKey,
+    }),
+    s3Client.putObject({
+      Bucket: env.AWS_S3_BUCKET,
+      Key: `tls/${domainName}/cert.pem`,
+      Body: domainCertificates[0].pemCertificate,
+    }),
+  ]
+
+  if (!accountKeys) {
+    persistOperations.push(
+      s3Client.putObject({
+        Bucket: env.AWS_S3_BUCKET,
+        Key: 'tls/account/publicKey.pem',
+        Body: pemAccountKeys.publicKeyPEM,
+      }),
+      s3Client.putObject({
+        Bucket: env.AWS_S3_BUCKET,
+        Key: 'tls/account/privateKey.pem',
+        Body: pemAccountKeys.privateKeyPEM,
+      })
+    )
+  }
+
+  await Promise.all(persistOperations)
+
+  if (certificate) {
+    return Response.json({
+      status: 'renewed',
+      message: `Certificate renewed successfully for domain ${domainName}`,
+    })
+  }
+
+  return Response.json(
+    {
+      status: 'created',
+      message: `New certificate created successfully for domain ${domainName}`,
+    },
+    { status: 201 }
+  )
+})
+
+async function isAuthorized(req: Request) {
+  const authHeader = req.headers.get('Authorization')
+
+  if (!authHeader) {
+    return false
+  }
+
+  const bearerToken = authHeader.split(' ')[1]
+
+  const { data: sharedSecret } = await supabaseClient.rpc('supabase_functions_certificate_secret')
+
+  if (sharedSecret !== bearerToken) {
+    return false
+  }
+
+  return true
+}
+
+async function getObject(key: string) {
+  const response = await s3Client
+    .getObject({
+      Bucket: env.AWS_S3_BUCKET,
+      Key: key,
+    })
+    .catch((e) => {
+      if (e instanceof NoSuchKey) {
+        return undefined
+      }
+      throw e
+    })
+
+  return await response?.Body?.transformToString()
+}

supabase/functions/deno.json

@@ -0,0 +1,3 @@
+{
+  "name": "@postgres-new/supabase-functions"
+}

supabase/migrations/20240909155000_expose_functions_certificate_secrets.sql

@@ -0,0 +1,25 @@
+create function supabase_url()
+returns text
+language plpgsql
+security definer
+as $$
+declare
+  secret_value text;
+begin
+  select decrypted_secret into secret_value from vault.decrypted_secrets where name = 'supabase_url';
+  return secret_value;
+end;
+$$;
+
+create function supabase_functions_certificate_secret()
+returns text
+language plpgsql
+security definer
+as $$
+declare
+  secret_value text;
+begin
+  select decrypted_secret into secret_value from vault.decrypted_secrets where name = 'supabase_functions_certificate_secret';
+  return secret_value;
+end;
+$$;

supabase/migrations/20240909160000_pg_cron.sql

@@ -0,0 +1,3 @@
+create extension pg_cron with schema extensions;
+grant usage on schema cron to postgres;
+grant all privileges on all tables in schema cron to postgres;