🚀 release: v1.0.0-beta.4 - Merge pull request #26 from wgtechlabs/dev

Author: warengonzaga

CONTRIBUTING.md

@@ -285,6 +285,46 @@ DATABASE_SSL_VALIDATE=false
 - **Production**: Set `NODE_ENV=production` and use secure connection strings
 - **Enterprise**: The same `.env` file works seamlessly across all deployment methods
 
+#### **Railway SSL Configuration**
+
+Railway's managed PostgreSQL uses self-signed SSL certificates. The bot automatically handles this:
+
+**Automatic Detection:**
+
+- The bot detects Railway environment by checking for `railway.internal` in service URLs (`PLATFORM_REDIS_URL`, `WEBHOOK_REDIS_URL`, or `POSTGRES_URL`)
+- When Railway is detected, SSL encryption is maintained but certificate validation is relaxed
+- No manual configuration needed - works out-of-the-box
+
+**SSL Priority Logic:**
+
+```typescript
+// 1. Railway environment (highest priority)
+if (isRailwayEnvironment()) {
+    return { rejectUnauthorized: false }; // Accept Railway's self-signed certs
+}
+
+// 2. Production environment  
+if (isProduction) {
+    return { rejectUnauthorized: true }; // Strict SSL validation
+}
+
+// 3. Development environment
+// Uses DATABASE_SSL_VALIDATE environment variable
+```
+
+**Railway SSL Behavior:**
+
+- ✅ SSL encryption always enabled for secure data transmission
+- ✅ Accepts Railway's self-signed certificates automatically
+- ✅ Railway detection overrides `DATABASE_SSL_VALIDATE` environment variable
+- ✅ Maintains security while working with Railway's infrastructure
+
+**Environment Variable Impact:**
+
+- `DATABASE_SSL_VALIDATE=false` is **ignored** on Railway (Railway-specific SSL is used)
+- `DATABASE_SSL_VALIDATE=true` is **ignored** on Railway (Railway-specific SSL is used)
+- Only affects non-Railway environments (local, other cloud providers)
+
 ### 🔗 Webhook Server Integration
 
 This bot works in conjunction with the [`wgtechlabs/unthread-webhook-server`](https://github.com/wgtechlabs/unthread-webhook-server) to enable real-time bidirectional communication.

README.md

@@ -145,12 +145,13 @@ PLATFORM_REDIS_URL=redis://redis-platform:6379
 
 > **💡 Pro Tip**: The Docker setup includes PostgreSQL and Redis automatically - no separate installation needed!
 
-### **🔧 Need Help?**
+### **🛤️ Railway Deployment**
 
-- **Quick Questions**: Check our [Community Discussions](https://github.com/wgtechlabs/unthread-telegram-bot/discussions)
-- **Technical Setup**: See our detailed [Contributing Guide](./CONTRIBUTING.md)
-- **Issues**: Report bugs in our [Issue Tracker](https://github.com/wgtechlabs/unthread-telegram-bot/issues)
-- No manual migration scripts needed
+For detailed information about Railway's managed PostgreSQL and SSL handling, please refer to the [Railway Deployment section in the README](README.md#🛤️-railway-deployment).
+- ✅ **Environment Override**: Railway detection takes precedence over all other SSL settings
+- ✅ **No Configuration**: Works out-of-the-box without manual SSL setup
+
+> **🔒 Security Note**: Railway's self-signed certificates are secure within their managed infrastructure. The bot maintains SSL encryption while accommodating Railway's certificate setup.
 
 ## 🕹️ Usage
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "unthread-telegram-bot",
-  "version": "1.0.0-beta.3",
+  "version": "1.0.0-beta.4",
   "description": "Turn private Telegram groups into real-time support ticket hubs — powered by Unthread.io.",
   "keywords": [
     "telegram",

src/database/connection.ts

@@ -84,12 +84,14 @@ export class DatabaseConnection {
         });        LogEngine.info('Database connection pool initialized', {
             maxConnections: 10,
             sslEnabled: sslConfig !== false,
-            sslValidation: isProduction ? 'enabled' : (
-                process.env.DATABASE_SSL_VALIDATE === 'false' ? 'disabled' :
-                process.env.DATABASE_SSL_VALIDATE === 'true' ? 'enabled' : 'enabled-no-validation'
+            sslValidation: this.isRailwayEnvironment() ? 'railway-compatible' : (
+                isProduction ? 'enabled' : (
+                    process.env.DATABASE_SSL_VALIDATE === 'false' ? 'disabled' :
+                    process.env.DATABASE_SSL_VALIDATE === 'true' ? 'enabled' : 'enabled-no-validation'
+                )
             ),
             environment: process.env.NODE_ENV || 'development',
-            provider: 'Railway'
+            provider: this.isRailwayEnvironment() ? 'Railway' : 'Unknown'
         });
     }
 
@@ -254,11 +256,47 @@ export class DatabaseConnection {
             throw error;
         }
     }    /**
+     * Check if running on Railway platform
+     * @returns True if detected Railway environment
+     */
+    private isRailwayEnvironment(): boolean {
+        // Check Redis URLs and PostgreSQL URL that are available to this service
+        const platformRedis = process.env.PLATFORM_REDIS_URL;
+        const webhookRedis = process.env.WEBHOOK_REDIS_URL;
+        const postgresUrl = process.env.POSTGRES_URL;
+          // Railway internal services use 'railway.internal' in their hostnames
+        const isRailwayHost = (url: string | undefined): boolean => {
+            if (!url || url.trim() === '') return false;
+            try {
+                const parsedUrl = new URL(url);
+                return parsedUrl.hostname.toLowerCase().includes('railway.internal');
+            } catch {
+                return false; // Invalid URL
+            }
+        };
+        
+        return (
+            isRailwayHost(platformRedis) ||
+            isRailwayHost(webhookRedis) ||
+            isRailwayHost(postgresUrl)
+        );
+    }
+
+    /**
      * Configure SSL settings based on environment
      * @param isProduction - Whether running in production environment
      * @returns SSL configuration object, or false to disable SSL entirely
      */
     private getSSLConfig(isProduction: boolean): any {
+        // Check if we're on Railway first - they use self-signed certificates
+        if (this.isRailwayEnvironment()) {
+            return {
+                rejectUnauthorized: false, // Accept Railway's self-signed certificates
+                // SSL encryption is still enabled for secure data transmission
+                ca: process.env.DATABASE_SSL_CA || undefined
+            };
+        }
+
         // In production, always validate SSL certificates for security
         if (isProduction) {
             return {