dbviewer 0.3.4 → 0.3.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c368abfe3b3131b1df3b3234e1e560c2cb5f715c035680d3848ff5ff07d99cc3
-  data.tar.gz: 7f9b27e43d86b0181f14d9deceebcb1d6624b22cb51885ab5c3b929814cb97f9
+  metadata.gz: 151a189372c94a737108969cd768ab9dbc4e16a2abc608f07026d1a6b7ee65a5
+  data.tar.gz: a5fa3a4f4aa8e1acd606f60c2264412a261beec6b6889675ef941d05d1e593cb
 SHA512:
-  metadata.gz: 05f35000d4c57ec2e17e0c0fe56d49520add9f0c061debc25f5f6407ec1e52ece7a1d4361c0b92d283135492bc78d86890083e9781a30705ebcddc0fce2e58df
-  data.tar.gz: a76035a207c87105f9331dc4246a133da9941a5a9e435133b80254fc0037578bc69b5dbb17cb40113049ba50625d3a81816df118015446af8e9c368127e481c9
+  metadata.gz: e8345197920cf8c6a006d3faecd9a0b9f2a6ef4c972226707203ba43b121e05c3a02195eec4d38a699231ae488741802a9dff5c7317ddc576f4e27381ad897e7
+  data.tar.gz: b9a8ff1804963de25e85f9a288c198ee4aaa23cf25253ff99f0ce84f3e470e2e35a47c304ff24b2cbd962d9c913fb69b08f11d6bbd2d213af52113ce4d048e18

data/README.md

@@ -24,6 +24,7 @@ It's designed for development, debugging, and database analysis, offering a clea
   - Navigate through large datasets with an intuitive pagination interface
   - Scrollable table with fixed headers for improved navigation
   - Single-line cell display with ellipsis for wide content (tooltips on hover)
+  - Export table data to CSV format (configurable via `enable_data_export` option)
 - **SQL Queries**:
   - Run custom SELECT queries against your database in a secure, read-only environment
   - View table structure reference while writing queries
@@ -87,13 +88,24 @@ Rails.application.routes.draw do
   # Your application routes...
 
   # Mount the DBViewer engine
-  if Rails.env.development?
-    mount Dbviewer::Engine, at: "/dbviewer"
-  end
+  mount Dbviewer::Engine, at: "/dbviewer"
+  # The engine can be mounted in any environment when using Basic Authentication
+end
+```
+
+Configure Basic Authentication in an initializer to secure access (strongly recommended):
+
+```ruby
+# config/initializers/dbviewer.rb
+Dbviewer.configure do |config|
+  config.admin_credentials = {
+    username: "your_username",
+    password: "your_secure_password"
+  }
 end
 ```
 
-Then, visit `/dbviewer` in your browser to access the database viewer.
+Then, visit `/dbviewer` in your browser to access the database viewer. You'll be prompted for your username and password.
 
 ### Rails API-only Applications
 
@@ -168,9 +180,13 @@ Dbviewer.configure do |config|
   config.query_timeout = 30                          # SQL query timeout in seconds
 
   # Query logging options
+  config.enable_query_logging = true                 # Enable or disable query logging completely (default: true)
   config.query_logging_mode = :memory                # Storage mode for SQL queries (:memory or :file)
   config.query_log_path = "log/dbviewer.log"         # Path for query log file when in :file mode
   config.max_memory_queries = 1000                   # Maximum number of queries to store in memory
+
+  # Authentication options
+  config.admin_credentials = { username: "admin", password: "your_secure_password" } # Basic HTTP auth credentials
 end
 ```
 
@@ -180,6 +196,14 @@ The configuration is accessed through `Dbviewer.configuration` throughout the co
 
 DBViewer includes a powerful SQL query logging system that captures and analyzes database queries. You can access this log through the `/dbviewer/logs` endpoint. The logging system offers two storage backends:
 
+### Disabling Query Logging
+
+You can completely disable query logging if you don't need this feature:
+
+```ruby
+config.enable_query_logging = false       # Disable query logging completely
+```
+
 ### In-Memory Storage (Default)
 
 By default, queries are stored in memory. This provides fast access but queries are lost when the application restarts:
@@ -209,37 +233,60 @@ DBViewer includes several security features to protect your database:
 - **Query Limits**: Automatic LIMIT clause added to prevent excessive data retrieval
 - **Pattern Detection**: Detection of SQL injection patterns and suspicious constructs
 - **Error Handling**: Informative error messages without exposing sensitive information
+- **HTTP Basic Authentication**: Protect access with username and password authentication
 
-## 🌱 Production Access (Not Recommended)
+### Basic Authentication
 
-By default, DBViewer only runs in development or test environments for security reasons. If you need to access it in production (not recommended):
+You can enable HTTP Basic Authentication to secure access to DBViewer:
 
-1. Set an environment variable with a secure random key:
+```ruby
+Dbviewer.configure do |config|
+  config.admin_credentials = {
+    username: "your_username",
+    password: "your_secure_password"
+  }
+end
+```
 
-   ```
-   DBVIEWER_PRODUCTION_ACCESS_KEY=your_secure_random_key
-   ```
+When credentials are provided, all DBViewer routes will be protected by HTTP Basic Authentication.
+Without valid credentials, users will be prompted for a username and password before they can access any DBViewer page.
+
+## 🌱 Production Access
 
-2. Add an additional constraint in your routes:
+With the addition of Basic Authentication, DBViewer can now be used in any environment including production. We recommend the following for production deployments:
+
+1. **Always** enable HTTP Basic Authentication with strong credentials:
 
    ```ruby
-   if Rails.env.production?
-     constraints ->(req) { req.params[:access_key] == ENV["DBVIEWER_PRODUCTION_ACCESS_KEY"] } do
-       mount Dbviewer::Engine, at: "/dbviewer"
-     end
-   else
-     mount Dbviewer::Engine, at: "/dbviewer"
+   Dbviewer.configure do |config|
+     config.admin_credentials = {
+       username: "unique_username",
+       password: SecureRandom.hex(16)  # Generate a strong random password
+     }
    end
    ```
 
-3. Access the tool with the override parameter:
+2. Mount the engine in your routes file:
+
+   ```ruby
+   # In any environment, with Basic Auth protection
+   mount Dbviewer::Engine, at: "/dbviewer"
+   ```
+
+3. Access the tool through your regular application URL:
    ```
    https://yourdomain.com/dbviewer?override_env_check=your_secure_random_key
    ```
 
 ## 📝 Security Note
 
-⚠️ **Warning**: This engine is designed for development purposes. It's not recommended to use it in production as it provides direct access to your database contents. If you must use it in production, ensure it's protected behind authentication and use the production access key mechanism with a strong random key.
+⚠️ **Warning**: This engine provides direct access to your database contents, which contains sensitive information. Always protect it with HTTP Basic Authentication by configuring strong credentials as shown above.
+
+When used in production, ensure:
+
+- You use long, randomly generated passwords (e.g., with `SecureRandom.hex(16)`)
+- You access DBViewer over HTTPS connections only
+- Access is limited to trusted administrators only
 
 ## 🤌🏻 Contributing
 

data/app/controllers/dbviewer/application_controller.rb

@@ -3,14 +3,18 @@ module Dbviewer
     include Dbviewer::DatabaseOperations
     include Dbviewer::ErrorHandling
 
-    before_action :ensure_development_environment
+    before_action :authenticate_with_basic_auth
     before_action :set_tables
 
     private
 
-    def ensure_development_environment
-      unless Rails.env.development? || Rails.env.test? || params[:override_env_check] == ENV["DBVIEWER_PRODUCTION_ACCESS_KEY"]
-        render plain: "DBViewer is only available in development and test environments for security reasons.", status: :forbidden
+    def authenticate_with_basic_auth
+      return unless Dbviewer.configuration.admin_credentials.present?
+
+      credentials = Dbviewer.configuration.admin_credentials
+      authenticate_or_request_with_http_basic("DBViewer Authentication") do |username, password|
+        ActiveSupport::SecurityUtils.secure_compare(username, credentials[:username]) &
+        ActiveSupport::SecurityUtils.secure_compare(password, credentials[:password])
       end
     end
 

data/app/controllers/dbviewer/logs_controller.rb

@@ -1,6 +1,7 @@
 module Dbviewer
   class LogsController < ApplicationController
     before_action :set_filters, only: [ :index ]
+    before_action :check_logging_enabled
 
     def index
       @queries = dbviewer_logger.recent_queries(
@@ -28,6 +29,13 @@ module Dbviewer
 
     private
 
+    def check_logging_enabled
+      unless Dbviewer.configuration.enable_query_logging
+        flash[:warning] = "Query logging is disabled. Enable it in the configuration to use this feature."
+        redirect_to root_path
+      end
+    end
+
     def set_filters
       @table_filter = params[:table_filter]
       @request_id = params[:request_id]

data/app/controllers/dbviewer/tables_controller.rb

@@ -62,6 +62,12 @@ module Dbviewer
     end
 
     def export_csv
+      unless Dbviewer.configuration.enable_data_export
+        flash[:alert] = "Data export is disabled in the configuration"
+        redirect_to table_path(params[:id])
+        return
+      end
+
       table_name = params[:id]
       limit = (params[:limit] || 10000).to_i
       include_headers = params[:include_headers] != "0"

data/app/views/dbviewer/home/index.html.erb

@@ -94,46 +94,55 @@
       <div class="card shadow-sm">
         <div class="card-header d-flex justify-content-between align-items-center">
           <h5 class="card-title mb-0">Recent SQL Queries</h5>
-          <a href="<%= dbviewer.logs_path %>" class="btn btn-sm btn-primary">View All Logs</a>
+          <% if Dbviewer.configuration.enable_query_logging %>
+            <a href="<%= dbviewer.logs_path %>" class="btn btn-sm btn-primary">View All Logs</a>
+          <% end %>
         </div>
         <div class="card-body p-0">
           <% begin %>
             <% require_dependency "dbviewer/logger" %>
-            <% queries = Dbviewer::Logger.instance.recent_queries(limit: 10) %>
-            
-            <% if queries.any? %>
-              <div class="table-responsive">
-                <table class="table table-sm table-hover mb-0">
+            <% if Dbviewer.configuration.enable_query_logging %>
+              <% queries = Dbviewer::Logger.instance.recent_queries(limit: 10) %>
+              
+              <% if queries.any? %>
+                <div class="table-responsive">
+                  <table class="table table-sm table-hover mb-0">
 
-                <thead>
-                  <tr>
-                    <th>Query</th>
-                    <th class="text-end" style="width: 120px">Duration</th>
-                    <th class="text-end" style="width: 180px">Time</th>
-                  </tr>
-                </thead>
-                <tbody>
-                  <% queries.each do |query| %>
+                  <thead>
                     <tr>
-                      <td class="text-truncate" style="max-width: 500px;">
-                        <code class="sql-query-code"><%= query[:sql] %></code>
-                      </td>
-                      <td class="text-end">
-                        <span class="<%= query[:duration_ms] > 100 ? 'query-duration-slow' : 'query-duration' %>">
-                          <%= query[:duration_ms] %> ms
-                        </span>
-                      </td>
-                      <td class="text-end query-timestamp">
-                        <small><%= query[:timestamp].strftime("%H:%M:%S") %></small>
-                      </td>
+                      <th>Query</th>
+                      <th class="text-end" style="width: 120px">Duration</th>
+                      <th class="text-end" style="width: 180px">Time</th>
                     </tr>
-                  <% end %>
-                </tbody>
-              </table>
-            </div>
+                  </thead>
+                  <tbody>
+                    <% queries.each do |query| %>
+                      <tr>
+                        <td class="text-truncate" style="max-width: 500px;">
+                          <code class="sql-query-code"><%= query[:sql] %></code>
+                        </td>
+                        <td class="text-end">
+                          <span class="<%= query[:duration_ms] > 100 ? 'query-duration-slow' : 'query-duration' %>">
+                            <%= query[:duration_ms] %> ms
+                          </span>
+                        </td>
+                        <td class="text-end query-timestamp">
+                          <small><%= query[:timestamp].strftime("%H:%M:%S") %></small>
+                        </td>
+                      </tr>
+                    <% end %>
+                  </tbody>
+                </table>
+              </div>
+              <% else %>
+                <div class="text-center my-4 empty-data-message">
+                  <p>No queries recorded yet</p>
+                </div>
+              <% end %>
             <% else %>
               <div class="text-center my-4 empty-data-message">
-                <p>No queries recorded yet</p>
+                <p>Query logging is disabled</p>
+                <small class="text-muted">Enable it in the configuration to see SQL queries here</small>
               </div>
             <% end %>
           <% rescue => e %>

data/app/views/dbviewer/tables/show.html.erb

@@ -11,53 +11,57 @@
 <div class="d-flex justify-content-between align-items-center mb-4">
   <h1>Table: <%= @table_name %></h1>
   <div class="d-flex gap-2">
-    <button type="button" class="btn btn-success" data-bs-toggle="modal" data-bs-target="#csvExportModal">
-      <i class="bi bi-file-earmark-spreadsheet me-1"></i> Export CSV
-    </button>
+    <% if Dbviewer.configuration.enable_data_export %>
+        <button type="button" class="btn btn-success" data-bs-toggle="modal" data-bs-target="#csvExportModal">
+          <i class="bi bi-file-earmark-spreadsheet me-1"></i> Export CSV
+        </button>
+    <% end %>
     <%= link_to query_table_path(@table_name), class: "btn btn-primary" do %>
       <i class="bi bi-code-square me-1"></i> Run SQL Query
     <% end %>
   </div>
 </div>
 
-<!-- CSV Export Modal -->
-<div class="modal fade" id="csvExportModal" tabindex="-1" aria-labelledby="csvExportModalLabel" aria-hidden="true">
-  <div class="modal-dialog">
-    <div class="modal-content">
-      <div class="modal-header">
-        <h5 class="modal-title" id="csvExportModalLabel">Export <strong><%= @table_name %></strong> to CSV</h5>
-        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
-      </div>
-      <div class="modal-body">
-        <%= form_with url: export_csv_table_path(@table_name), method: :get, id: "csvExportForm" do |form| %>
-          <div class="mb-3">
-            <label for="limit" class="form-label">Maximum number of records</label>
-            <input type="number" class="form-control" id="limit" name="limit" value="10000" min="1" max="100000">
-            <div class="form-text">Limit the number of records to export. Large exports may take some time.</div>
-          </div>
-          
-          <% if @total_count > 10000 %>
-            <div class="alert alert-warning">
-              <i class="bi bi-exclamation-triangle-fill me-2"></i>
-              This table has <%= number_with_delimiter(@total_count) %> records. Exporting all records may be slow.
+<% if Dbviewer.configuration.enable_data_export %>
+  <!-- CSV Export Modal -->
+  <div class="modal fade" id="csvExportModal" tabindex="-1" aria-labelledby="csvExportModalLabel" aria-hidden="true">
+    <div class="modal-dialog">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title" id="csvExportModalLabel">Export <strong><%= @table_name %></strong> to CSV</h5>
+          <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+        </div>
+        <div class="modal-body">
+          <%= form_with url: export_csv_table_path(@table_name), method: :get, id: "csvExportForm" do |form| %>
+            <div class="mb-3">
+              <label for="limit" class="form-label">Maximum number of records</label>
+              <input type="number" class="form-control" id="limit" name="limit" value="10000" min="1" max="100000">
+              <div class="form-text">Limit the number of records to export. Large exports may take some time.</div>
+            </div>
+            
+            <% if @total_count > 10000 %>
+              <div class="alert alert-warning">
+                <i class="bi bi-exclamation-triangle-fill me-2"></i>
+                This table has <%= number_with_delimiter(@total_count) %> records. Exporting all records may be slow.
+              </div>
+            <% end %>
+            
+            <div class="mb-3 form-check">
+              <input type="checkbox" class="form-check-input" id="includeHeaders" name="include_headers" checked>
+              <label class="form-check-label" for="includeHeaders">Include column headers</label>
             </div>
           <% end %>
-          
-          <div class="mb-3 form-check">
-            <input type="checkbox" class="form-check-input" id="includeHeaders" name="include_headers" checked>
-            <label class="form-check-label" for="includeHeaders">Include column headers</label>
-          </div>
-        <% end %>
-      </div>
-      <div class="modal-footer">
-        <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
-        <button type="submit" form="csvExportForm" class="btn btn-success">
-          <i class="bi bi-download me-1"></i> Export CSV
-        </button>
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+          <button type="submit" form="csvExportForm" class="btn btn-success">
+            <i class="bi bi-download me-1"></i> Export CSV
+          </button>
+        </div>
       </div>
     </div>
   </div>
-</div>
+<% end %>
 
 <!-- Records Section -->
 <div class="dbviewer-card card mb-4">

data/app/views/layouts/dbviewer/application.html.erb

@@ -571,9 +571,11 @@
             <li class="nav-item">
               <%= link_to raw('<i class="bi bi-diagram-3"></i> ERD'), dbviewer.entity_relationship_diagrams_path, class: "nav-link #{erd_nav_class}" %>
             </li>
-            <li class="nav-item">
-              <%= link_to raw('<i class="bi bi-journal-code"></i> SQL Logs'), dbviewer.logs_path, class: "nav-link #{logs_nav_class}" %>
-            </li>
+            <% if Dbviewer.configuration.enable_query_logging %>
+              <li class="nav-item">
+                <%= link_to raw('<i class="bi bi-journal-code"></i> SQL Logs'), dbviewer.logs_path, class: "nav-link #{logs_nav_class}" %>
+              </li>
+            <% end %>
           </ul>
           <ul class="navbar-nav ms-auto">
             <li class="nav-item">
@@ -603,6 +605,17 @@
       <!-- Main Content Area -->
       <div class="dbviewer-main">
         <div class="dbviewer-main-content">
+          <!-- Flash Messages -->
+          <% if flash.any? %>
+            <% flash.each do |type, message| %>
+              <% alert_class = type.to_s == 'notice' ? 'alert-info' : 'alert-danger' %>
+              <div class="alert <%= alert_class %> alert-dismissible fade show mb-3" role="alert">
+                <%= message %>
+                <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+              </div>
+            <% end %>
+          <% end %>
+          
           <div class="d-flex d-lg-none align-items-center mb-3">
             <button class="btn btn-sm btn-outline-primary dbviewer-sidebar-toggle" type="button">
               <i class="bi bi-list me-1"></i> Tables

data/lib/dbviewer/configuration.rb

@@ -31,7 +31,11 @@ module Dbviewer
     # Maximum number of queries to keep in memory
     attr_accessor :max_memory_queries
 
-    # Admin access credentials (username, password)
+    # Enable or disable query logging completely
+    attr_accessor :enable_query_logging
+
+    # Admin access credentials hash with :username and :password keys
+    # @example { username: 'admin', password: 'secret' }
     attr_accessor :admin_credentials
 
     def initialize
@@ -45,6 +49,7 @@ module Dbviewer
       @query_logging_mode = :memory
       @query_log_path = "log/dbviewer.log"
       @max_memory_queries = 1000
+      @enable_query_logging = true
       @admin_credentials = nil
     end
   end

data/lib/dbviewer/logger.rb

@@ -10,6 +10,8 @@ module Dbviewer
 
     # Add a new SQL event query to the logger
     def add(event)
+      # Return early if query logging is disabled
+      return unless Dbviewer.configuration.enable_query_logging
       return if QueryParser.should_skip_query?(event)
 
       current_time = Time.now

data/lib/dbviewer/version.rb

@@ -1,3 +1,3 @@
 module Dbviewer
-  VERSION = "0.3.4"
+  VERSION = "0.3.6"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dbviewer
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.3.6
 platform: ruby
 authors:
 - Wailan Tirajoh
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-05-19 00:00:00.000000000 Z
+date: 2025-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails