Enhancement: Add support to TLS authentication on remote MongoDB #1664

Open
1 task done
badcom opened this issue Jan 28, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@badcom
Contributor

badcom commented Jan 28, 2024

What features would you like to see added?

I am reaching out to propose an enhancement to the MongoDB connection functionality with regard to supporting TLS authentication, especially for remote MongoDB instances such as Amazon DocumentDB.

Currently, the codebase establishes a MongoDB connection using Mongoose without the option to configure TLS. This setup works fine for non-TLS connections but doesn't support scenarios where enhanced security is required, particularly when connecting to managed MongoDB services that often enforce TLS for data-in-transit encryption.

To address this, I propose we make these changes:

    const path = require('path');

    const USE_TLS = process.env.MONGO_TLS === 'true'; // Check if TLS should be used
    const MONGO_CA_FILE = process.env.MONGO_CA_FILE; // CA file name

    const opts = {
      useNewUrlParser: true,
      useUnifiedTopology: true,
      bufferCommands: false,
      tls: USE_TLS,
    };

    if (USE_TLS && MONGO_CA_FILE) {
      // If using TLS with a CA file, point the driver at it.
      // (path.join throws a TypeError when MONGO_CA_FILE is unset.)
      opts.tlsCAFile = path.join(__dirname, '..', '..', '..', MONGO_CA_FILE);
    }

The key changes include:

  1. Adding a new environment variable MONGO_TLS to flag the use of TLS.
  2. Introducing MONGO_CA_FILE for specifying the CA file name. I've defined the file path as the project root, but that may not be the right approach. What would you recommend here?
  3. Modifying the connectDb function to include these TLS options in the Mongoose connection settings.

These enhancements enable secure connections to services like Amazon DocumentDB, which require TLS, and do so in a way that maintains backward compatibility and simplicity of configuration.

Let me know what you think.

More details

All details are described above.

Which components are impacted by your request?

Other

Pictures

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@badcom badcom added the enhancement New feature or request label Jan 28, 2024
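
An added example, not part of the original issue or the project's code: one way to build the proposed options so that a relative or an absolute `MONGO_CA_FILE` both work and a missing or non-PEM file fails at startup rather than at the first query. `buildMongoOpts`, `baseDir` and `demo` are hypothetical names, and the PEM body is a constructed placeholder, not a real certificate.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// MONGO_TLS and MONGO_CA_FILE are the variables proposed in the issue;
// buildMongoOpts and baseDir are hypothetical names for this example.
function buildMongoOpts(env, baseDir = process.cwd()) {
  const opts = { bufferCommands: false };
  if (env.MONGO_TLS !== 'true') return opts; // non-TLS setups are unchanged

  opts.tls = true;
  // No CA file configured: leave tlsCAFile unset so Node's default trust
  // store is used (enough when the server's chain ends in a public CA).
  if (!env.MONGO_CA_FILE) return opts;

  // path.resolve keeps an absolute MONGO_CA_FILE as-is and resolves a
  // relative one against baseDir, so the file need not live in the repo.
  const caPath = path.resolve(baseDir, env.MONGO_CA_FILE);
  let pem;
  try {
    pem = fs.readFileSync(caPath, 'utf8');
  } catch (err) {
    // Report the resolved path and error code at startup.
    throw new Error(`MONGO_CA_FILE not readable at ${caPath}: ${err.code}`);
  }
  if (!pem.includes('-----BEGIN CERTIFICATE-----')) {
    throw new Error(`MONGO_CA_FILE at ${caPath} is not a PEM certificate bundle`);
  }
  opts.tlsCAFile = caPath;
  return opts;
}

// Constructed sample: writes a placeholder PEM (not a real certificate) to a
// temp directory and builds options for a relative MONGO_CA_FILE.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'mongo-ca-'));
  const body = '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n';
  fs.writeFileSync(path.join(dir, 'ca.pem'), body);
  const env = { MONGO_TLS: 'true', MONGO_CA_FILE: 'ca.pem' };
  return { dir, opts: buildMongoOpts(env, dir) };
}

console.log(demo().opts);
```

The returned object is meant to be passed as the options argument of the Mongoose connection call; certificate verification stays on because nothing here disables it.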
@danny-avila
Owner

Thanks for your suggestion! Enhanced security is always welcome.

If you would like to put in the PR for this along with documentation, I would be more than happy to test it and merge it.

I can also work on it myself when I get around to it!

@psjd23

psjd23 commented Mar 7, 2024

> Thanks for your suggestion! Enhanced security is always welcome.
>
> If you would like to put in the PR for this along with documentation, I would be more than happy to test it and merge it.
>
> I can also work on it myself when I get around to it!

I am interested in this as well. As MongoDB community edition does not support database level encryption, having the support of DocumentDB is a much more affordable way to reach those requirements.

Using the code mentioned in this issue, if you could give me some basic instructions for implementation I could attempt a PR/Doc for it if I can get it running. Would these changes be added to connectDb.js?

@danny-avila
Owner

> > Thanks for your suggestion! Enhanced security is always welcome.
> > If you would like to put in the PR for this along with documentation, I would be more than happy to test it and merge it.
> > I can also work on it myself when I get around to it!
>
> I am interested in this as well. As MongoDB community edition does not support database level encryption, having the support of DocumentDB is a much more affordable way to reach those requirements.
>
> Using the code mentioned in this issue, if you could give me some basic instructions for implementation I could attempt a PR/Doc for it if I can get it running. Would these changes be added to connectDb.js?

The following files are the only ones really making mongodb connections:

  • api/cache/keyvMongo.js
  • api/lib/db/connectDb.js

Development

No branches or pull requests

3 participants