DigitalOcean App Platform is unable to secure managed database. Now what?

So I’ve only just found out that after all the trials of getting Strapi set up on DigitalOcean with the App Platform and a Postgres DB, that it’s pretty much unusable right now.

Since at least last October (based on their forums), there’s been an issue with securing the managed database. There’s no way to add the Strapi app (or any other app) as a trusted source, meaning that your database is left completely open which is not only a huge no no, but is also against GDPR.

This is a glaring oversight and I’m shocked that there’s been no updates on this, despite so many people asking about it.

I wanted to use the app platform as it’s more simple than other offerings like Droplets and I don’t want to have another headache using something like tike the 1 click Strapi install on a droplet because then I’d need to update everything to the latest version of Strapi (Internationalisation is required), not to mention having to figure out how I can create a local copy of Strapi and have it deploy on pushes to git.

Sorry, I don’t mean to be so doom and gloom but I’ve been stressing over getting my clients login details to the back end so that they can start adding data (project is already behind schedule) and I’ve now been awake over 30 hours and seeing double/triple :sleeping:

Is it simple to host the database somewhere else and configure my DO Strapi App to use that one instead? What are the chances that I just run into a similar problem with adding trusted sources? I’m still pretty new to Strapi and hosting node apps so sorry if that’s a dumb question.

Thanks in advance for any potential suggestions. I’m simply way too tired right now to do the research so figured I’d throw a line before going to bed :innocent:

1 Like

To clarify - because I’d be hosting user data.

Can you provide a link to the forum thread to provide some additional context?

I agree, I’m entirely unaware of what you are referring to, but we (Strapi) have some pretty strong connections with DigitalOcean and if I am able, I would like to get some answers about this.

(Can you provide context about the issue among any other context?)

I’ve found the relevant information

I am engaging with our DigitalOcean contacts and will be drafting a PR to put a notice on our documentation about it. I’ll give the DigitalOcean team 7 days to respond to our internal convo with them before I’ll have the PR merged into the docs to make others aware.

In the meantime until this is patched (they see it as a feature request, security is not a feature :slight_smile: ) I would advise against using DO Apps + Managed databases and instead opt for a custom droplet.

Edit, draft documentation PR: Add warning about DigitalOcean MDB + App Platform by derrickmehaffy · Pull Request #331 · strapi/documentation · GitHub

1 Like

Thanks for jumping on this so quick.

By the looks of it, you’ve understood what’s going on but just to clarify again:

Apps on the DO app platform can not be added as a trusted source for the managed database, resulting in the DB being accessible by anybody. This is obviously terrible, but also against GDPR assuming your app is storing any user data, which you are if you’re managing user accounts.

Providing the DO contacts get back to you, could you please provide an update? It’s a real shame this has came to light as I was starting to like the App platform.

Yes, if they respond I’ll try offer what information I can. As of yet they have not responded.

FYI as we have not had a response from DigitalOcean we have merged my PR so the notice now exists.

1 Like

That’s good to hear. Not the bit about them not responding! I noticed they just changed the status of the feature suggestion though, so at least they’re making some progress on it.

Small update to this, they have implemented the trusted sources on SQL databases (not yet on MongoDB, though not really a concern for us since we dropping MongoDB support in v4).

I’ve tested it myself and it works fine.