QueryGlow

Architecture

QueryGlow is architected for total data sovereignty. It runs as a self-contained Node.js process inside Docker, with zero external dependencies for its core functionality.

The Tech Stack

  • Next.js: Handles the React frontend (Monaco Editor, Data Grid) and the API backend in a single unified process.
  • Drivers: Direct native connections using pg (PostgreSQL, CockroachDB, TimescaleDB), mysql2 (MySQL, MariaDB), and better-sqlite3 (SQLite).
  • AI Engine: Stateless integration with OpenAI, Anthropic, or Google APIs. Schema context (table names, columns, types) is injected into prompts on the fly. No row data is sent. Rate limited to 30 requests/minute.

Request Lifecycle

  1. Authentication (Nginx Layer)

    The request hits Nginx first. Basic Auth validates credentials against bcrypt-hashed passwords (10 rounds). Rate limited to 10 attempts/minute. If valid, Nginx proxies to 127.0.0.1:3000.

  2. CSRF Validation (API Layer)

    For state-changing requests (POST, PUT, DELETE), the API validates that the Origin header matches the Host header. Cross-origin requests are blocked.

  3. Decryption

    The API route reads connections.json. It uses your SESSION_SECRET to decrypt the stored database password via AES-256-GCM authenticated encryption. Tampered ciphertext fails to decrypt.

  4. Safe Mode Check (Query Editor Only)

    If Safe Mode is enabled (default), destructive queries are blocked: DROP TABLE, TRUNCATE, and DELETE/UPDATE without a WHERE clause. Data Browser buttons bypass this check.

  5. Tunneling (Optional)

    If SSH Tunneling is enabled, the app spins up an ephemeral TCP server on 127.0.0.1 with a random port. It establishes an SSH connection to your bastion and pipes traffic through it.

  6. Execution

    The driver connects (either directly or via the local tunnel port) and executes the SQL. Results are streamed back to the UI as JSON.

Security Layers

QueryGlow uses defense-in-depth with multiple independent security layers:

Internet → HTTPS/SSL → Nginx → Basic Auth → CSRF Check → Safe Mode → QueryGlow (localhost) → SSH Tunnel → Remote DB

  • Network Isolation: QueryGlow binds to 127.0.0.1:3000 only. It is not accessible from the external network.
  • Credential Encryption: AES-256-GCM with scrypt key derivation. Unique salt per installation.
  • SQL Injection Prevention: Identifier escaping + parameterized queries for all user input.
  • SQLite Sandboxing: File paths restricted to /app/data directory only.
  • CSV Export Protection: Formula injection characters are sanitized to prevent Excel/Sheets exploits.

File-System Persistence

QueryGlow does not use an external database for its own state. It uses atomic file writes to JSON files located in the mounted Docker volume. This makes backups trivial: just copy the /app/data folder.

/app/data/connections.json

Stores connection profiles. Passwords and SSH private keys are AES-256-GCM encrypted.

/app/data/query-history.json

Rolling log of the last 1,000 executed queries per connection.

/app/data/saved-queries.json

User-saved SQL snippets with names for quick reuse.

Important: The SESSION_SECRET in your .env file is the encryption key. Without it, you cannot decrypt saved connection passwords. Back up both the data folder and .env together.
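
The credential encryption described above (a key derived from SESSION_SECRET with scrypt, AES-256-GCM, tampered ciphertext rejected), as an added example that is not QueryGlow's own code. The envelope layout, the per-field salt, the scrypt cost parameters and all function names are assumptions; the secret and password are constructed sample values.

```javascript
// Added example: envelope layout and scrypt parameters are assumptions, not QueryGlow's format.
const crypto = require('node:crypto');

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, KEY_LEN = 32; // 96-bit GCM nonce, AES-256 key

// Derive the AES key from the secret with scrypt (Node's default cost parameters).
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, KEY_LEN);
}

// Returns base64(salt || iv || tag || ciphertext).
function encryptField(plaintext, secret) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Returns the plaintext, or null when the tag does not verify (wrong secret or modified data).
function decryptField(envelope, secret) {
  const buf = Buffer.from(envelope, 'base64');
  if (buf.length < SALT_LEN + IV_LEN + TAG_LEN) return null; // truncated entry
  const salt = buf.subarray(0, SALT_LEN);
  const iv = buf.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = buf.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = buf.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  try {
    const key = deriveKey(secret, salt);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // final() throws on tag mismatch; never hand back unauthenticated output
  }
}

// Flip one bit of the last byte to simulate an edited connections.json entry.
function flipLastBit(envelope) {
  const buf = Buffer.from(envelope, 'base64');
  buf[buf.length - 1] ^= 0x01;
  return buf.toString('base64');
}

// Constructed sample values
const SECRET = 'constructed-session-secret';
const stored = encryptField('db-password-example', SECRET);
console.log(decryptField(stored, SECRET));              // round trip with the right secret
console.log(decryptField(stored, 'wrong-secret'));      // lost or changed SESSION_SECRET
console.log(decryptField(flipLastBit(stored), SECRET)); // tampered ciphertext
```

A restore that brings back /app/data without the matching .env behaves like the second call: every stored password and SSH key fails authentication rather than decrypting to garbage.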