dbviewer 0.3.3 → 0.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8e6fcb0f5760c3daa24b0bbcd6f7f39d308890386eb7bae0e99b59c5027c0853
-  data.tar.gz: 486266a6f7d882f28b2411860466cb271b7e5d32ca65a25f04bf27601a6fb4c7
+  metadata.gz: 648be97f775ec9c5d18dabf9ebe90e164d760fde2b1e3c9c9ff2442eb6dba9fe
+  data.tar.gz: f0510fd50eabd5ba176d99e9dd3b66d074d1ccaf6cf15aa43a82beec0e45e923
 SHA512:
-  metadata.gz: 362be7d7fed295db73faad72e0b339d7b1f824d945e7c141c2cb43305d9d31c109526c05fe612135c6cfafc74e618621125a03bab3127ac52ec57a58bfcabbf0
-  data.tar.gz: 0a7289d157e0911d0e5e932c7ebbd964536ade2b125d4de7308fb518516793a6162f690a6d7c0dbc3cb88087754a3b2593265c5c6fa48c9980bb6ca0375cf91c
+  metadata.gz: 84bdca42e27ed6dbcf2dfdcdb2756558796b0e2ecc727fa46ffe7fd734bf66d21d5fd76c47d9ae632a003292048c78151a412fcc98c6b33954d2f23cd7b71c19
+  data.tar.gz: 9f1204704614413b211b1814c96660656e03579712015152b3323f9dff0d64caaff5b96017cbbe203ed9a77ce15bc23e0e1d9473143edca14824f1380b925a25

data/README.md

@@ -87,13 +87,24 @@ Rails.application.routes.draw do
   # Your application routes...
 
   # Mount the DBViewer engine
-  if Rails.env.development?
-    mount Dbviewer::Engine, at: "/dbviewer"
-  end
+  mount Dbviewer::Engine, at: "/dbviewer"
+  # The engine can be mounted in any environment when using Basic Authentication
+end
+```
+
+Configure Basic Authentication in an initializer to secure access (strongly recommended):
+
+```ruby
+# config/initializers/dbviewer.rb
+Dbviewer.configure do |config|
+  config.admin_credentials = {
+    username: "your_username",
+    password: "your_secure_password"
+  }
 end
 ```
 
-Then, visit `/dbviewer` in your browser to access the database viewer.
+Then, visit `/dbviewer` in your browser to access the database viewer. You'll be prompted for your username and password.
 
 ### Rails API-only Applications
 
@@ -171,6 +182,9 @@ Dbviewer.configure do |config|
   config.query_logging_mode = :memory                # Storage mode for SQL queries (:memory or :file)
   config.query_log_path = "log/dbviewer.log"         # Path for query log file when in :file mode
   config.max_memory_queries = 1000                   # Maximum number of queries to store in memory
+
+  # Authentication options
+  config.admin_credentials = { username: "admin", password: "your_secure_password" } # Basic HTTP auth credentials
 end
 ```
 
@@ -209,37 +223,60 @@ DBViewer includes several security features to protect your database:
 - **Query Limits**: Automatic LIMIT clause added to prevent excessive data retrieval
 - **Pattern Detection**: Detection of SQL injection patterns and suspicious constructs
 - **Error Handling**: Informative error messages without exposing sensitive information
+- **HTTP Basic Authentication**: Protect access with username and password authentication
 
-## 🌱 Production Access (Not Recommended)
+### Basic Authentication
 
-By default, DBViewer only runs in development or test environments for security reasons. If you need to access it in production (not recommended):
+You can enable HTTP Basic Authentication to secure access to DBViewer:
 
-1. Set an environment variable with a secure random key:
+```ruby
+Dbviewer.configure do |config|
+  config.admin_credentials = {
+    username: "your_username",
+    password: "your_secure_password"
+  }
+end
+```
 
-   ```
-   DBVIEWER_PRODUCTION_ACCESS_KEY=your_secure_random_key
-   ```
+When credentials are provided, all DBViewer routes will be protected by HTTP Basic Authentication.
+Without valid credentials, users will be prompted for a username and password before they can access any DBViewer page.
 
-2. Add an additional constraint in your routes:
+## 🌱 Production Access
+
+With the addition of Basic Authentication, DBViewer can now be used in any environment including production. We recommend the following for production deployments:
+
+1. **Always** enable HTTP Basic Authentication with strong credentials:
 
    ```ruby
-   if Rails.env.production?
-     constraints ->(req) { req.params[:access_key] == ENV["DBVIEWER_PRODUCTION_ACCESS_KEY"] } do
-       mount Dbviewer::Engine, at: "/dbviewer"
-     end
-   else
-     mount Dbviewer::Engine, at: "/dbviewer"
+   Dbviewer.configure do |config|
+     config.admin_credentials = {
+       username: "unique_username",
+       password: SecureRandom.hex(16)  # Generate a strong random password
+     }
    end
    ```
 
-3. Access the tool with the override parameter:
+2. Mount the engine in your routes file:
+
+   ```ruby
+   # In any environment, with Basic Auth protection
+   mount Dbviewer::Engine, at: "/dbviewer"
+   ```
+
+3. Access the tool through your regular application URL:
    ```
    https://yourdomain.com/dbviewer?override_env_check=your_secure_random_key
    ```
 
 ## 📝 Security Note
 
-⚠️ **Warning**: This engine is designed for development purposes. It's not recommended to use it in production as it provides direct access to your database contents. If you must use it in production, ensure it's protected behind authentication and use the production access key mechanism with a strong random key.
+⚠️ **Warning**: This engine provides direct access to your database contents, which contains sensitive information. Always protect it with HTTP Basic Authentication by configuring strong credentials as shown above.
+
+When used in production, ensure:
+
+- You use long, randomly generated passwords (e.g., with `SecureRandom.hex(16)`)
+- You access DBViewer over HTTPS connections only
+- Access is limited to trusted administrators only
 
 ## 🤌🏻 Contributing
 

data/app/controllers/concerns/dbviewer/database_operations.rb

@@ -139,15 +139,25 @@ module Dbviewer
 
     # Fetch records for a table with pagination and sorting
     def fetch_table_records(table_name)
+      column_filters = params[:column_filters] || {}
+      # Clean up blank filters
+      column_filters.reject! { |_, v| v.blank? }
+
       database_manager.table_records(
         table_name,
         @current_page,
         @order_by,
         @order_direction,
-        @per_page
+        @per_page,
+        column_filters || {}
       )
     end
 
+    # Get filtered record count for a table
+    def fetch_filtered_record_count(table_name, column_filters)
+      database_manager.filtered_record_count(table_name, column_filters)
+    end
+
     # Safely quote a table name, with fallback
     def safe_quote_table_name(table_name)
       database_manager.connection.quote_table_name(table_name)

data/app/controllers/dbviewer/application_controller.rb

@@ -3,14 +3,18 @@ module Dbviewer
     include Dbviewer::DatabaseOperations
     include Dbviewer::ErrorHandling
 
-    before_action :ensure_development_environment
+    before_action :authenticate_with_basic_auth
     before_action :set_tables
 
     private
 
-    def ensure_development_environment
-      unless Rails.env.development? || Rails.env.test? || params[:override_env_check] == ENV["DBVIEWER_PRODUCTION_ACCESS_KEY"]
-        render plain: "DBViewer is only available in development and test environments for security reasons.", status: :forbidden
+    def authenticate_with_basic_auth
+      return unless Dbviewer.configuration.admin_credentials.present?
+
+      credentials = Dbviewer.configuration.admin_credentials
+      authenticate_or_request_with_http_basic("DBViewer Authentication") do |username, password|
+        ActiveSupport::SecurityUtils.secure_compare(username, credentials[:username]) &
+        ActiveSupport::SecurityUtils.secure_compare(password, credentials[:password])
       end
     end
 

data/app/controllers/dbviewer/tables_controller.rb

@@ -15,7 +15,15 @@ module Dbviewer
       set_pagination_params
       set_sorting_params
 
-      @total_count = fetch_table_record_count(@table_name)
+      # Extract column filters from params
+      @column_filters = params[:column_filters].presence ? params[:column_filters].to_enum.to_h : {}
+
+      if @column_filters.present? && @column_filters.values.any?(&:present?)
+        @total_count = fetch_filtered_record_count(@table_name, @column_filters)
+      else
+        @total_count = fetch_table_record_count(@table_name)
+      end
+
       @total_pages = calculate_total_pages(@total_count, @per_page)
       @records = fetch_table_records(@table_name)
 

data/app/views/dbviewer/tables/show.html.erb

@@ -66,51 +66,73 @@
     <div class="d-flex align-items-center">
       <div class="me-3">
         <label for="per-page-select" class="me-2">Per page:</label>
-        <select id="per-page-select" class="form-select form-select-sm" onchange="window.location.href='<%= table_path(@table_name) %>?per_page=' + this.value + '&page=1&order_by=<%= @order_by %>&order_direction=<%= @order_direction %>'">
+        <select id="per-page-select" class="form-select form-select-sm" onchange="window.location.href='<%= table_path(@table_name) %>?per_page=' + this.value + '&page=1&order_by=<%= @order_by %>&order_direction=<%= @order_direction %><%= @column_filters.reject { |_, v| v.blank? }.any? ? "&" + @column_filters.reject { |_, v| v.blank? }.map { |k, v| "column_filters[#{k}]=#{CGI.escape(v.to_s)}" }.join("&") : "" %>'">
           <% Dbviewer::TablesController.per_page_options.each do |option| %>
             <option value="<%= option %>" <%= 'selected' if @per_page == option %>><%= option %></option>
           <% end %>
         </select>
       </div>
       <span class="badge bg-secondary">Total: <%= @total_count %> records</span>
+      <% active_filters = @column_filters.reject { |_, v| v.blank? }.size %>
+      <% if active_filters > 0 %>
+        <span class="badge bg-info ms-2" title="Active filters"><i class="bi bi-funnel-fill me-1"></i><%= active_filters %></span>
+      <% end %>
     </div>
   </div>
     <div class="card-body p-0">
       <div class="table-responsive dbviewer-scrollable">
-        <table class="table table-bordered table-striped rounded-none">
-          <% if @records.present? && @records.columns.any? %>
-            <thead class="dbviewer-table-header">
-              <tr>
-                <% @records.columns.each do |column_name| %>
-                  <th>
-                    <%= column_name %>
-                  </th>
-                <% end %>
-              </tr>
-            </thead>
-            <tbody>
-              <% @records.rows.each do |row| %>
+        <%= form_with(url: table_path(@table_name), method: :get, local: true, id: "column-filters-form", class: "mb-0") do |form| %>
+          <% # Hidden fields to preserve current parameters %>
+          <%= form.hidden_field :per_page, value: @per_page %>
+          <%= form.hidden_field :order_by, value: @order_by %>
+          <%= form.hidden_field :order_direction, value: @order_direction %>
+          <%= form.hidden_field :page, value: 1 %> <!-- Reset to first page on filter -->
+          
+          <table class="table table-bordered table-striped rounded-none">
+              <thead class="dbviewer-table-header">
                 <tr>
-                  <% row.each do |cell| %>
-                    <% cell_value = format_cell_value(cell) %>
-                    <td title="<%= cell_value %>"><%= cell_value %></td>
+                  <% @records.columns.each do |column_name| %>
+                    <th class="pe-4">
+                      <%= column_name %>
+                    </th>
                   <% end %>
                 </tr>
-              <% end %>
+                <tr class="column-filters">
+                  <% @records.columns.each do |column_name| %>
+                    <th class="p-0">
+                      <%= form.text_field "column_filters[#{column_name}]", 
+                          value: @column_filters[column_name], 
+                          placeholder: "",
+                          class: "form-control form-control-sm column-filter rounded-0",
+                          data: { column: column_name } %>
+                    </th>
+                  <% end %>
+                </tr>
+              </thead>
+              <tbody>
+                <% if @records.empty? %>
+                  <tr>
+                    <td colspan="100%" class="text-center">No records found or table is empty.</td>
+                  </tr>
+                <% end %>
+                <% @records.rows.each do |row| %>
+                  <tr>
+                      <% row.each do |cell| %>
+                        <% cell_value = format_cell_value(cell) %>
+                        <td title="<%= cell_value %>"><%= cell_value %></td>
+                    <% end %>
+                  </tr>
+                <% end %>
             </tbody>
-          <% else %>
-            <tr>
-              <td colspan="100%">No records found or table is empty.</td>
-            </tr>
-          <% end %>
         </table>
+        <% end %> <!-- End of form_with -->
       </div>
       
       <% if @total_pages > 1 %>
         <nav aria-label="Page navigation">
           <ul class="pagination justify-content-center">
             <li class="page-item <%= 'disabled' if @current_page == 1 %>">
-              <%= link_to '«', table_path(@table_name, page: [@current_page - 1, 1].max, order_by: @order_by, order_direction: @order_direction, per_page: @per_page), class: 'page-link' %>
+              <%= link_to '«', table_path(@table_name, page: [@current_page - 1, 1].max, order_by: @order_by, order_direction: @order_direction, per_page: @per_page, column_filters: @column_filters), class: 'page-link' %>
             </li>
             
             <% start_page = [1, @current_page - 2].max %>
@@ -119,12 +141,12 @@
             
             <% (start_page..end_page).each do |page_num| %>
               <li class="page-item <%= 'active' if page_num == @current_page %>">
-                <%= link_to page_num, table_path(@table_name, page: page_num, order_by: @order_by, order_direction: @order_direction, per_page: @per_page), class: 'page-link' %>
+                <%= link_to page_num, table_path(@table_name, page: page_num, order_by: @order_by, order_direction: @order_direction, per_page: @per_page, column_filters: @column_filters), class: 'page-link' %>
               </li>
             <% end %>
             
             <li class="page-item <%= 'disabled' if @current_page == @total_pages %>">
-              <%= link_to '»', table_path(@table_name, page: [@current_page + 1, @total_pages].min, order_by: @order_by, order_direction: @order_direction, per_page: @per_page), class: 'page-link' %>
+              <%= link_to '»', table_path(@table_name, page: [@current_page + 1, @total_pages].min, order_by: @order_by, order_direction: @order_direction, per_page: @per_page, column_filters: @column_filters), class: 'page-link' %>
             </li>
           </ul>
         </nav>
@@ -190,6 +212,85 @@
   </div>
 </div>
 
+<script>
+  document.addEventListener('DOMContentLoaded', function() {
+    // Column filter functionality
+    const columnFilters = document.querySelectorAll('.column-filter');
+    const filterForm = document.getElementById('column-filters-form');
+    
+    // Add debounce function to reduce form submissions
+    function debounce(func, wait) {
+      let timeout;
+      return function() {
+        const context = this;
+        const args = arguments;
+        clearTimeout(timeout);
+        timeout = setTimeout(function() {
+          func.apply(context, args);
+        }, wait);
+      };
+    }
+    
+    // Function to submit the form
+    const submitForm = debounce(function() {
+      filterForm.submit();
+    }, 500);
+    
+    // Add event listeners to all filter inputs
+    columnFilters.forEach(function(filter) {
+      filter.addEventListener('input', submitForm);
+    });
+    
+    // Add clear button functionality if there are any filters applied
+    const hasActiveFilters = Array.from(columnFilters).some(input => input.value);
+    
+    if (hasActiveFilters) {
+      // Add a clear filters button
+      const paginationContainer = document.querySelector('nav[aria-label="Page navigation"]') || 
+                                   document.querySelector('.table-responsive');
+      
+      if (paginationContainer) {
+        const clearButton = document.createElement('div');
+        clearButton.className = 'text-center mt-3';
+        clearButton.innerHTML = '<button type="button" class="btn btn-sm btn-outline-secondary" id="clear-filters">' +
+                               '<i class="bi bi-x-circle me-1"></i>Clear All Filters</button>';
+        
+        paginationContainer.insertAdjacentHTML('afterend', clearButton.outerHTML);
+        
+        document.getElementById('clear-filters').addEventListener('click', function() {
+          columnFilters.forEach(filter => filter.value = '');
+          submitForm();
+        });
+      }
+    }
+  });
+</script>
+
+<style>
+  /* Column filter styling */
+  .column-filters td {
+    padding: 0.5rem;
+    background-color: var(--bs-tertiary-bg, #f8f9fa);
+  }
+  
+  .column-filter {
+    width: 100%;
+    border: 1px solid rgba(0,0,0,0.1);
+    padding: 0.3rem 0.5rem;
+    font-size: 0.85rem;
+  }
+  
+  [data-bs-theme="dark"] .column-filters td {
+    background-color: rgba(255,255,255,0.05);
+  }
+  
+  [data-bs-theme="dark"] .column-filter {
+    background-color: rgba(255,255,255,0.1);
+    color: rgba(255,255,255,0.9);
+    border-color: rgba(255,255,255,0.15);
+  }
+</style>
+
 <% if @timestamp_data.present? %>
 <script>
   document.addEventListener('DOMContentLoaded', function() {

data/app/views/layouts/dbviewer/application.html.erb

@@ -211,7 +211,8 @@
       border: 1px solid #495057;
     }
     
-    .dbviewer-scrollable { max-height: 500px; overflow-y: auto; }
+    .dbviewer-scrollable { max-height: 700px; overflow-y: auto; }
+    .dbviewer-scrollable thead { position: sticky; top: 0; z-index: 1; }
     
     /* Badge styling for dark mode */
     [data-bs-theme="dark"] .bg-secondary-subtle {

data/lib/dbviewer/configuration.rb

@@ -31,7 +31,8 @@ module Dbviewer
     # Maximum number of queries to keep in memory
     attr_accessor :max_memory_queries
 
-    # Admin access credentials (username, password)
+    # Admin access credentials hash with :username and :password keys
+    # @example { username: 'admin', password: 'secret' }
     attr_accessor :admin_credentials
 
     def initialize

data/lib/dbviewer/database_manager.rb

@@ -75,9 +75,10 @@ module Dbviewer
     # @param direction [String] Sort direction ('ASC' or 'DESC')
     # @param per_page [Integer] Number of records per page
     # @return [ActiveRecord::Result] Result set with columns and rows
-    def table_records(table_name, page = 1, order_by = nil, direction = "ASC", per_page = nil)
+    def table_records(table_name, page = 1, order_by = nil, direction = "ASC", per_page = nil, column_filters = nil)
       page = [ 1, page.to_i ].max
       default_per_page = self.class.default_per_page
+      column_filters ||= {}
       max_records = self.class.max_records
       per_page = (per_page || default_per_page).to_i
 
@@ -87,6 +88,32 @@ module Dbviewer
       model = get_model_for(table_name)
       query = model.all
 
+      # Apply column filters if provided
+      if column_filters.present?
+        column_filters.each do |column, value|
+          next if value.blank?
+          next unless column_exists?(table_name, column)
+
+          # Use LIKE for string-based searches, = for exact matches on other types
+          column_info = table_columns(table_name).find { |c| c[:name] == column }
+          if column_info
+            column_type = column_info[:type].to_s
+
+            if column_type =~ /char|text|string|uuid|enum/i
+              query = query.where("#{connection.quote_column_name(column)} LIKE ?", "%#{value}%")
+            else
+              # For numeric types, try exact match if value looks like a number
+              if value =~ /\A[+-]?\d+(\.\d+)?\z/
+                query = query.where(column => value)
+              else
+                # Otherwise, try string comparison for non-string fields
+                query = query.where("CAST(#{connection.quote_column_name(column)} AS CHAR) LIKE ?", "%#{value}%")
+              end
+            end
+          end
+        end
+      end
+
       # Apply sorting if provided
       if order_by.present? && column_exists?(table_name, order_by)
         direction = %w[ASC DESC].include?(direction.to_s.upcase) ? direction.to_s.upcase : "ASC"
@@ -110,6 +137,43 @@ module Dbviewer
       table_count(table_name)
     end
 
+    # Get the number of records in a table with filters applied
+    # @param table_name [String] Name of the table
+    # @param column_filters [Hash] Hash of column_name => filter_value for filtering
+    # @return [Integer] Number of filtered records
+    def filtered_record_count(table_name, column_filters = {})
+      model = get_model_for(table_name)
+      query = model.all
+
+      # Apply column filters if provided
+      if column_filters.present?
+        column_filters.each do |column, value|
+          next if value.blank?
+          next unless column_exists?(table_name, column)
+
+          # Use LIKE for string-based searches, = for exact matches on other types
+          column_info = table_columns(table_name).find { |c| c[:name] == column }
+          if column_info
+            column_type = column_info[:type].to_s
+
+            if column_type =~ /char|text|string|uuid|enum/i
+              query = query.where("#{connection.quote_column_name(column)} LIKE ?", "%#{value}%")
+            else
+              # For numeric types, try exact match if value looks like a number
+              if value =~ /\A[+-]?\d+(\.\d+)?\z/
+                query = query.where(column => value)
+              else
+                # Otherwise, try string comparison for non-string fields
+                query = query.where("CAST(#{connection.quote_column_name(column)} AS CHAR) LIKE ?", "%#{value}%")
+              end
+            end
+          end
+        end
+      end
+
+      query.count
+    end
+
     # Get the number of columns in a table
     # @param table_name [String] Name of the table
     # @return [Integer] Number of columns

data/lib/dbviewer/version.rb

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.3.3"
+  VERSION = "0.3.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dbviewer
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.3.5
 platform: ruby
 authors:
 - Wailan Tirajoh