Description
In backend/src/config/database.ts, the PostgreSQL connection pool is configured with a fallback for DB_PASSWORD that defaults to an empty string:
const pool = new Pool({
host: process.env.DB_HOST || 'localhost',
port: parseInt(process.env.DB_PORT || '5432'),
database: process.env.DB_NAME || 'pulsartrack',
user: process.env.DB_USER || 'pulsartrack',
password: process.env.DB_PASSWORD || '', // ← Empty password fallback
max: parseInt(process.env.DB_POOL_SIZE || '10'),
});Problem
- If
DB_PASSWORD is not set, the pool connects with an empty password
- No warning is logged when using the fallback
- In production, this could silently connect without authentication
- The docker-compose.yml sets
POSTGRES_PASSWORD: pulsartrack_dev_password, but the backend config doesn't enforce this — it falls back to empty
Impact
- Security vulnerability if deployed to an environment where PostgreSQL accepts empty passwords
- Silent misconfiguration in production
- Inconsistent with docker-compose which requires a password
Suggested Fix
const password = process.env.DB_PASSWORD;
if (!password && process.env.NODE_ENV === 'production') {
throw new Error('DB_PASSWORD is required in production');
}
if (!password) {
logger.warn('DB_PASSWORD not set — using empty password (development only)');
}
const pool = new Pool({
// ...
password: password || '',
});File
backend/src/config/database.ts — Line ~8
Description
In
backend/src/config/database.ts, the PostgreSQL connection pool is configured with a fallback forDB_PASSWORDthat defaults to an empty string:Problem
DB_PASSWORDis not set, the pool connects with an empty passwordPOSTGRES_PASSWORD: pulsartrack_dev_password, but the backend config doesn't enforce this — it falls back to emptyImpact
Suggested Fix
File
backend/src/config/database.ts— Line ~8