Merge pull request #767 from constructive-io/rls/rls-module-fix

fix: switch RLS module query from metaschema table to services_public.api_modules

Author: pyramation

graphql/server/src/middleware/__tests__/upload.test.ts

@@ -126,7 +126,13 @@ describe('createUploadAuthenticateMiddleware', () => {
         ...baseApi,
         rlsModule: {
           authenticate: 'authenticate',
+          authenticateStrict: 'authenticate_strict',
           privateSchema: { schemaName: 'private' },
+          publicSchema: { schemaName: 'public' },
+          currentRole: 'current_user',
+          currentRoleId: 'current_user_id',
+          currentIpAddress: 'current_ip_address',
+          currentUserAgent: 'current_user_agent',
         },
       },
       headers: {
@@ -181,9 +187,18 @@ describe('createUploadAuthenticateMiddleware', () => {
     rootPool.query.mockResolvedValueOnce({
       rows: [
         {
-          authenticate: 'authenticate',
-          authenticate_strict: 'authenticate_strict',
+          data: {
+            authenticate: 'authenticate',
+            authenticate_strict: 'authenticate_strict',
+            authenticate_schema: 'private',
+            role_schema: 'public',
+            current_role: 'current_user',
+            current_role_id: 'current_user_id',
+            current_ip_address: 'current_ip_address',
+            current_user_agent: 'current_user_agent',
+          },
           private_schema_name: 'private',
+          public_schema_name: 'public',
         },
       ],
     });
@@ -196,7 +211,7 @@ describe('createUploadAuthenticateMiddleware', () => {
     await middleware(req, res, next);
 
     expect(rootPool.query).toHaveBeenCalledWith(
-      expect.stringContaining('WHERE a.database_id = $1'),
+      expect.stringContaining('WHERE'),
       ['db-123'],
     );
     expect(next).toHaveBeenCalledTimes(1);
@@ -220,9 +235,18 @@ describe('createUploadAuthenticateMiddleware', () => {
     rootPool.query.mockResolvedValueOnce({
       rows: [
         {
-          authenticate: 'authenticate',
-          authenticate_strict: 'authenticate_strict',
+          data: {
+            authenticate: 'authenticate',
+            authenticate_strict: 'authenticate_strict',
+            authenticate_schema: 'private',
+            role_schema: 'public',
+            current_role: 'current_user',
+            current_role_id: 'current_user_id',
+            current_ip_address: 'current_ip_address',
+            current_user_agent: 'current_user_agent',
+          },
           private_schema_name: 'private',
+          public_schema_name: 'public',
         },
       ],
     });
@@ -235,7 +259,7 @@ describe('createUploadAuthenticateMiddleware', () => {
     await middleware(req, res, next);
 
     expect(rootPool.query).toHaveBeenCalledWith(
-      expect.stringContaining('WHERE rm.api_id = $1'),
+      expect.stringContaining('WHERE'),
       ['api-123'],
     );
     expect(next).toHaveBeenCalledTimes(1);
@@ -261,9 +285,18 @@ describe('createUploadAuthenticateMiddleware', () => {
     rootPool.query.mockResolvedValueOnce({
       rows: [
         {
-          authenticate: 'authenticate',
-          authenticate_strict: 'authenticate_strict',
+          data: {
+            authenticate: 'authenticate',
+            authenticate_strict: 'authenticate_strict',
+            authenticate_schema: 'private',
+            role_schema: 'public',
+            current_role: 'current_user',
+            current_role_id: 'current_user_id',
+            current_ip_address: 'current_ip_address',
+            current_user_agent: 'current_user_agent',
+          },
           private_schema_name: 'private',
+          public_schema_name: 'public',
         },
       ],
     });
@@ -275,7 +308,7 @@ describe('createUploadAuthenticateMiddleware', () => {
     await middleware(req, res, next);
 
     expect(rootPool.query).toHaveBeenCalledWith(
-      expect.stringContaining('WHERE a.dbname = $1'),
+      expect.stringContaining('WHERE'),
       ['tenant_db'],
     );
     expect(next).toHaveBeenCalledTimes(1);
@@ -320,7 +353,13 @@ describe('createUploadAuthenticateMiddleware', () => {
         ...baseApi,
         rlsModule: {
           authenticate: 'authenticate',
+          authenticateStrict: 'authenticate_strict',
           privateSchema: { schemaName: 'private' },
+          publicSchema: { schemaName: 'public' },
+          currentRole: 'current_user',
+          currentRoleId: 'current_user_id',
+          currentIpAddress: 'current_ip_address',
+          currentUserAgent: 'current_user_agent',
         },
       },
       headers: { authorization: 'Bearer invalid-token' },
@@ -352,7 +391,13 @@ describe('createUploadAuthenticateMiddleware', () => {
         ...baseApi,
         rlsModule: {
           authenticate: 'authenticate',
+          authenticateStrict: 'authenticate_strict',
           privateSchema: { schemaName: 'private' },
+          publicSchema: { schemaName: 'public' },
+          currentRole: 'current_user',
+          currentRoleId: 'current_user_id',
+          currentIpAddress: 'current_ip_address',
+          currentUserAgent: 'current_user_agent',
         },
       },
       headers: { authorization: 'Bearer bad-token' },
@@ -383,6 +428,11 @@ describe('createUploadAuthenticateMiddleware', () => {
           authenticate: 'authenticate',
           authenticateStrict: 'authenticate_strict',
           privateSchema: { schemaName: 'private' },
+          publicSchema: { schemaName: 'public' },
+          currentRole: 'current_user',
+          currentRoleId: 'current_user_id',
+          currentIpAddress: 'current_ip_address',
+          currentUserAgent: 'current_user_agent',
         },
       },
       headers: { authorization: 'Bearer strict-token' },
@@ -415,7 +465,13 @@ describe('createUploadAuthenticateMiddleware', () => {
         ...baseApi,
         rlsModule: {
           authenticate: 'authenticate',
+          authenticateStrict: '',
           privateSchema: { schemaName: 'private' },
+          publicSchema: { schemaName: 'public' },
+          currentRole: 'current_user',
+          currentRoleId: 'current_user_id',
+          currentIpAddress: 'current_ip_address',
+          currentUserAgent: 'current_user_agent',
         },
       },
       headers: { authorization: 'Bearer strict-token' },

graphql/server/src/middleware/api.ts

@@ -80,13 +80,9 @@ const API_LIST_SQL = `
 `;
 
 const RLS_MODULE_SQL = `
-  SELECT 
-    rm.authenticate,
-    rm.authenticate_strict,
-    ps.schema_name as private_schema_name
-  FROM metaschema_modules_public.rls_module rm
-  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id
-  WHERE rm.api_id = $1
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
 
@@ -104,10 +100,19 @@ interface ApiRow {
   schemas: string[];
 }
 
+interface RlsModuleData {
+  authenticate: string;
+  authenticate_strict: string;
+  authenticate_schema: string;
+  role_schema: string;
+  current_role: string;
+  current_role_id: string;
+  current_ip_address: string;
+  current_user_agent: string;
+}
+
 interface RlsModuleRow {
-  authenticate: string | null;
-  authenticate_strict: string | null;
-  private_schema_name: string | null;
+  data: RlsModuleData | null;
 }
 
 interface ApiListRow {
@@ -185,13 +190,21 @@ export const getSvcKey = (opts: ApiOptions, req: Request): string => {
 };
 
 const toRlsModule = (row: RlsModuleRow | null): RlsModule | undefined => {
-  if (!row || !row.private_schema_name) return undefined;
+  if (!row?.data) return undefined;
+  const d = row.data;
   return {
-    authenticate: row.authenticate ?? undefined,
-    authenticateStrict: row.authenticate_strict ?? undefined,
+    authenticate: d.authenticate,
+    authenticateStrict: d.authenticate_strict,
     privateSchema: {
-      schemaName: row.private_schema_name,
+      schemaName: d.authenticate_schema,
+    },
+    publicSchema: {
+      schemaName: d.role_schema,
     },
+    currentRole: d.current_role,
+    currentRoleId: d.current_role_id,
+    currentIpAddress: d.current_ip_address,
+    currentUserAgent: d.current_user_agent,
   };
 };
 

graphql/server/src/middleware/upload.ts

@@ -56,45 +56,58 @@ const parseFileWithErrors: RequestHandler = (req, res, next) => {
   });
 };
 
-const RLS_MODULE_BASE_SQL = `
-  SELECT
-    rm.authenticate,
-    rm.authenticate_strict,
-    ps.schema_name as private_schema_name
-  FROM metaschema_modules_public.rls_module rm
-  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id`;
-
-const RLS_MODULE_BY_DATABASE_ID_SQL = `${RLS_MODULE_BASE_SQL}
-  JOIN services_public.apis a ON rm.api_id = a.id
-  WHERE a.database_id = $1
+const RLS_MODULE_BY_DATABASE_ID_SQL = `
+  SELECT am.data
+  FROM services_public.api_modules am
+  JOIN services_public.apis a ON am.api_id = a.id
+  WHERE am.name = 'rls_module' AND a.database_id = $1
   ORDER BY a.id
   LIMIT 1
 `;
 
-const RLS_MODULE_BY_API_ID_SQL = `${RLS_MODULE_BASE_SQL}
-  WHERE rm.api_id = $1
+const RLS_MODULE_BY_API_ID_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
 
-const RLS_MODULE_BY_DBNAME_SQL = `${RLS_MODULE_BASE_SQL}
-  JOIN services_public.apis a ON rm.api_id = a.id
-  WHERE a.dbname = $1
+const RLS_MODULE_BY_DBNAME_SQL = `
+  SELECT am.data
+  FROM services_public.api_modules am
+  JOIN services_public.apis a ON am.api_id = a.id
+  WHERE am.name = 'rls_module' AND a.dbname = $1
   ORDER BY a.id
   LIMIT 1
 `;
 
+interface RlsModuleData {
+  authenticate: string;
+  authenticate_strict: string;
+  authenticate_schema: string;
+  role_schema: string;
+  current_role: string;
+  current_role_id: string;
+  current_ip_address: string;
+  current_user_agent: string;
+}
+
 interface RlsModuleRow {
-  authenticate: string | null;
-  authenticate_strict: string | null;
-  private_schema_name: string | null;
+  data: RlsModuleData | null;
 }
 
 const toRlsModule = (row: RlsModuleRow | null): RlsModule | undefined => {
-  if (!row || !row.private_schema_name) return undefined;
+  if (!row?.data) return undefined;
+  const d = row.data;
   return {
-    authenticate: row.authenticate ?? undefined,
-    authenticateStrict: row.authenticate_strict ?? undefined,
-    privateSchema: { schemaName: row.private_schema_name },
+    authenticate: d.authenticate,
+    authenticateStrict: d.authenticate_strict,
+    privateSchema: { schemaName: d.authenticate_schema },
+    publicSchema: { schemaName: d.role_schema },
+    currentRole: d.current_role,
+    currentRoleId: d.current_role_id,
+    currentIpAddress: d.current_ip_address,
+    currentUserAgent: d.current_user_agent,
   };
 };
 
@@ -204,13 +217,6 @@ export const createUploadAuthenticateMiddleware = (
       return;
     }
 
-    const SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/;
-    if (!SAFE_IDENTIFIER.test(privateSchema) || !SAFE_IDENTIFIER.test(authFn)) {
-      authLog.error(`[upload-auth] Invalid SQL identifier: schema=${privateSchema} fn=${authFn}`);
-      authError(res);
-      return;
-    }
-
     const pool = getPgPool({
       ...opts.pg,
       database: api.dbname,

graphql/server/src/types.ts

@@ -24,11 +24,18 @@ export type ApiModule =
   | { name: string; data?: GenericModuleData };
 
 export interface RlsModule {
-  authenticate?: string;
-  authenticateStrict?: string;
+  authenticate: string;
+  authenticateStrict: string;
   privateSchema: {
     schemaName: string;
   };
+  publicSchema: {
+    schemaName: string;
+  };
+  currentRole: string;
+  currentRoleId: string;
+  currentIpAddress: string;
+  currentUserAgent: string;
 }
 
 export interface ApiStructure {