feat: Connect db to Supabase #79

Open
ryansoe wants to merge 1 commit into main from feature/supabase

Conversation

ryansoe (Collaborator) commented Jan 18, 2026

Changes

What changes did you make? Include screenshots if applicable, or explain how to view the changes.

  • Migrated backend database connection from local PostgreSQL to Supabase
  • Updated backend/src/db/db.ts to use DATABASE_URL
  • Updated backend/src/util/validateEnv.ts to validate the new DATABASE_URL
  • Added DATABASE_URL to .env (check Credentials on Notion)

Testing

How did you confirm your changes work? (Automated tests, manual verification, etc.)

  • Started backend server and confirmed successful connection to Supabase
  • Tested Google OAuth login flow with @ucsd.edu email
  • Verified user creation in Supabase Table Editor (users table)
  • Verified adding transactions and goals

Tracking

Add your issue number below.

Resolves #

Copilot AI left a comment

Pull request overview

This PR migrates the backend database connection from local PostgreSQL to Supabase by updating the connection configuration to use a single DATABASE_URL environment variable instead of multiple individual database parameters. The changes include updates to the database client initialization, environment variable validation, and dependency upgrades.

Changes:

  • Replaced individual PostgreSQL connection parameters (host, port, user, password, database) with a single DATABASE_URL connection string in backend/src/db/db.ts
  • Added DATABASE_URL validation to backend/src/util/validateEnv.ts
  • Updated pg package from 8.13.1 to 8.17.1 and added @supabase/supabase-js package with its dependencies

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.

File | Description
backend/src/db/db.ts | Refactored database connection from individual parameters to connection string, enabled SSL for Supabase
backend/src/util/validateEnv.ts | Added DATABASE_URL environment variable validation
backend/package.json | Added @supabase/supabase-js and updated pg package version, moved @types/pg to dependencies
backend/package-lock.json | Updated lockfile with new dependencies and version changes
Files not reviewed (1)
  • backend/package-lock.json: Language not supported
Comments suppressed due to low confidence (1)

backend/src/db/db.ts:22

  • The database connection error is logged but the application continues to run even if the connection fails. This means the client is exported and could be used for queries even when disconnected, leading to runtime errors later. Consider either: 1) Rethrowing the error or calling process.exit(1) to prevent the application from starting with a failed database connection, or 2) Implementing a connection retry mechanism with exponential backoff for better resilience.
  .catch((err: Error) => {
    console.error("Connection error", err.stack);
  });

@@ -1,5 +1,7 @@
{
"dependencies": {
"@supabase/supabase-js": "^2.90.1",

Copilot AI Jan 26, 2026

The added Supabase packages (@supabase/supabase-js and its dependencies) require Node.js version >=20.0.0 as specified in their engine requirements. However, this repository doesn't specify a Node.js version constraint in package.json. This could lead to runtime errors if the project is run on Node.js versions below 20. Consider either: 1) Adding an "engines" field to package.json specifying the minimum Node.js version, or 2) If you need to support older Node.js versions, remove the unused @supabase/supabase-js dependency since you're only using the pg client directly.

Copilot uses AI. Check for mistakes.
ssl: false,
connectionString: process.env.DATABASE_URL,
ssl: {
rejectUnauthorized: false, // Required for Supabase
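
Review bot: `rejectUnauthorized: false` in the new `ssl` block is unconditional, so certificate verification is off in every environment that loads this file, and the `// Required for Supabase` comment gives no reason a reader could check. Keep verification on by default; if the server certificate does not validate against the default trust store, pass the issuing CA through the `ca` field of the same `ssl` object instead of disabling the check.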

Copilot AI Jan 26, 2026

Setting rejectUnauthorized to false disables SSL certificate verification, which creates a security vulnerability by allowing man-in-the-middle attacks. While this might work for development, it should not be used in production. Supabase provides valid SSL certificates, so this should be set to true. If you're having certificate issues, ensure your Node.js environment has up-to-date root certificates, or consider using the connection pooler endpoint that Supabase provides.

Suggested change
rejectUnauthorized: false, // Required for Supabase
rejectUnauthorized: true, // Enable SSL certificate verification (Supabase provides valid certificates)

Copilot uses AI. Check for mistakes.
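
The certificate-verification point in the comment above, as an added example that is not code from this PR or from Copilot: a check that flags weak TLS settings in a pg client config, and a builder that only returns a verifying one. `auditPgTls`, `buildPgConfig`, the placeholder URL and the optional CA parameter are assumptions made for illustration.

```javascript
// Added example, not code from this PR. auditPgTls, buildPgConfig and the
// sample config are hypothetical; the object shape is what pg's Client accepts.
// sslmode values pg's URL parser maps to no TLS or to unverified TLS.
const WEAK_SSLMODES = new Set(["disable", "no-verify"]);

// Constructed sample mirroring the ssl block in this PR (placeholder URL).
const SAMPLE_PR_CONFIG = {
  connectionString: "postgresql://app:example-password@db.example.test:5432/postgres",
  ssl: { rejectUnauthorized: false },
};

// Return the TLS problems in a pg client config (empty array means none).
// Messages never echo the connection string, which embeds the password.
function auditPgTls(config) {
  const findings = [];
  if (!config.ssl) {
    findings.push("ssl is off: credentials and queries travel in clear text");
  } else if (config.ssl.rejectUnauthorized === false) {
    findings.push("rejectUnauthorized is false: any server certificate is accepted");
  }
  let url;
  try {
    url = new URL(config.connectionString);
  } catch {
    findings.push("connectionString is missing or not a URL");
    return findings;
  }
  const sslmode = url.searchParams.get("sslmode");
  if (sslmode !== null && WEAK_SSLMODES.has(sslmode)) {
    findings.push("connectionString carries sslmode=" + sslmode);
  }
  return findings;
}

// Build a verifying config. caPem is optional PEM text of the CA that issued
// the database certificate, for servers the default trust store rejects.
function buildPgConfig(databaseUrl, caPem) {
  const ssl = { rejectUnauthorized: true };
  if (caPem !== undefined) {
    if (!caPem.includes("-----BEGIN CERTIFICATE-----")) {
      throw new Error("CA input is not PEM text");
    }
    ssl.ca = caPem;
  }
  const config = { connectionString: databaseUrl, ssl };
  const findings = auditPgTls(config);
  if (findings.length > 0) throw new Error("refusing to start: " + findings.join("; "));
  return config;
}
```

Throwing from `buildPgConfig` at startup keeps a misconfigured `DATABASE_URL` from ever reaching the client constructor.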
{
"dependencies": {
"@supabase/supabase-js": "^2.90.1",
"@types/pg": "^8.16.0",

Copilot AI Jan 26, 2026

@types/pg was moved from devDependencies to dependencies. Type definition packages should typically remain in devDependencies since they're only needed during development and compilation, not at runtime. Unless there's a specific reason this needs to be a runtime dependency, consider moving it back to devDependencies for consistency with standard TypeScript practices.

password: process.env.DB_PASSWORD,
database: process.env.DB_NAME,
ssl: false,
connectionString: process.env.DATABASE_URL,

Copilot AI Jan 26, 2026

The DATABASE_URL is accessed directly via process.env.DATABASE_URL instead of importing it from the validateEnv module. This is inconsistent with how other environment variables are used in the codebase (see backend/src/googleAuth.ts:4 and backend/src/server.ts:8). For consistency and to ensure proper validation at startup, consider importing env from "src/util/validateEnv" and using env.DATABASE_URL instead.

Comment on lines +3 to 6
"@supabase/supabase-js": "^2.90.1",
"@types/pg": "^8.16.0",
"cors": "^2.8.5",
"dotenv": "^16.3.1",

Copilot AI Jan 26, 2026

The @supabase/supabase-js package is added as a dependency but is never imported or used anywhere in the codebase. Since you're connecting directly to PostgreSQL using the pg Client with a connection string, you don't need the Supabase SDK. Consider removing this unused dependency to reduce bundle size and avoid confusion.

Suggested change
"@supabase/supabase-js": "^2.90.1",
"@types/pg": "^8.16.0",
"cors": "^2.8.5",
"dotenv": "^16.3.1",
"@types/pg": "^8.16.0",
"cors": "^2.8.5",
"dotenv": "^16.3.1",
"dotenv": "^16.3.1",

himansig7 (Collaborator) left a comment

Looking at the Supabase dashboard, RLS is not currently enabled. This is definitely a concern we will have to look at moving forward for security reasons.
