
Review use of NODE_TLS_REJECT_UNAUTHORIZED for postgres connections

Open adamalton opened this issue 3 years ago • 1 comment

Currently, in packages/cron/package.json we're using NODE_TLS_REJECT_UNAUTHORIZED to work around an SSL problem with the direct postgres (not postgREST) connection to the DB, which is hosted on Heroku. If we remove this flag then we get this:

```
Error: self signed certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1532:34)
    at TLSSocket.emit (node:events:527:28)
    at TLSSocket._finishInit (node:_tls_wrap:946:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:727:12) {
  code: 'DEPTH_ZERO_SELF_SIGNED_CERT'
}
```

So it appears that our connection to Heroku is using SSL, but Heroku is supplying a self-signed certificate.

The question is: are we ok with bypassing this security check?

My thoughts are:

  • Presumably the connection is still encrypted, it's just the identity of who we're connecting to which is unverified?
  • Does that still leave it open to a man-in-the-middle attack? I think it probably does. So the fact that it's encrypted is useless.
  • Given that the crons are running on GH actions, how likely is it that someone is going to manage to exploit this flaw? Should we worry about it?
  • Do Heroku provide the public key of their self-signed certs which we could add to our trusted certs list, rather than just disabling certificate checks entirely?

adamalton avatar Jun 13 '22 11:06 adamalton
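The last bullet above (trust the server's own certificate instead of switching checks off) is what the example below implements. It is added here and is not code from the web3.storage repo. It builds the `ssl` object for node-postgres (`pg`), which hands that object straight to Node's `tls.connect`, so `ca` and `rejectUnauthorized` are the standard Node TLS options. The environment variable names `PG_CA_CERT` and `PG_SSL_INSECURE` are assumptions for the example, not anything the project uses. The point of the comparison: `NODE_TLS_REJECT_UNAUTHORIZED=0` switches verification off for every TLS connection in the process (any `https`/`fetch` call the cron makes, not just postgres), whereas the per-connection `ssl` option limits the decision to the one socket, and pinning the PEM keeps verification on entirely.

```javascript
// Added example (not from the web3.storage repo): build the `ssl` option for
// node-postgres so certificate verification stays on, rather than setting
// NODE_TLS_REJECT_UNAUTHORIZED=0, which disables verification process-wide.
//
// Assumed (hypothetical) env vars:
//   PG_CA_CERT       PEM of the server's self-signed cert (or the CA that issued it)
//   PG_SSL_INSECURE  "1" to explicitly skip verification for the pg socket only

// One or more PEM certificate blocks; `ca` accepts an array of them.
const PEM_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g

// Returns the object to pass as `ssl` in `new pg.Client({ ssl })`.
// Order of preference: pinned CA (verified) > explicit per-connection opt-out > refuse.
function pgSslOptions (env = process.env, log = console) {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    // Not fatal, but this flag affects every TLS client in the process.
    log.warn('NODE_TLS_REJECT_UNAUTHORIZED=0 is set: ALL TLS verification in this process is off')
  }

  const pem = env.PG_CA_CERT
  if (pem) {
    const blocks = pem.match(PEM_BLOCK)
    if (!blocks) throw new Error('PG_CA_CERT does not contain a PEM certificate block')
    // Verification stays on; only the supplied cert(s) are trusted for this socket.
    return { rejectUnauthorized: true, ca: blocks }
  }

  if (env.PG_SSL_INSECURE === '1') {
    // Encrypted but unauthenticated: scoped to this connection, and logged.
    log.warn('PG_SSL_INSECURE=1: postgres server identity will NOT be verified')
    return { rejectUnauthorized: false }
  }

  // Fail closed rather than silently connecting without TLS verification.
  throw new Error('Set PG_CA_CERT (preferred) or PG_SSL_INSECURE=1 to connect over TLS')
}

// Usage (pg not required to run the example):
//   const { Client } = require('pg')
//   const client = new Client({ connectionString: process.env.DATABASE_URL, ssl: pgSslOptions() })
```

One caveat when pinning a self-signed certificate as `ca`: Node still checks that the certificate's subject or SAN matches the hostname being connected to. If the server's certificate does not name the host, the handshake fails with a hostname mismatch rather than a self-signed error, and the remaining option that keeps authentication is a custom `checkServerIdentity` that compares the peer certificate's fingerprint against a pinned value.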

@vasco-santos thoughts here?

dchoi27 avatar Jun 20 '22 17:06 dchoi27