@cfast/db 0.0.1

package/dist/index.js

@@ -0,0 +1,628 @@
+// src/query-builder.ts
+import { count } from "drizzle-orm";
+import { drizzle } from "drizzle-orm/d1";
+
+// src/permissions.ts
+import {
+  ForbiddenError,
+  getTableName
+} from "@cfast/permissions";
+import { CRUD_ACTIONS } from "@cfast/permissions";
+function resolvePermissionFilters(grants, action, table) {
+  const matching = grants.filter((g) => {
+    const actionMatch = g.action === action || g.action === "manage";
+    const tableMatch = g.subject === "all" || g.subject === table || typeof g.subject === "object" && getTableName(g.subject) === getTableName(table);
+    return actionMatch && tableMatch;
+  });
+  if (matching.length === 0) return [];
+  if (matching.some((g) => !g.where)) return [];
+  return matching.filter((g) => !!g.where).map((g) => g.where);
+}
+function grantMatchesAction(grantAction, requiredAction) {
+  if (grantAction === requiredAction) return true;
+  if (grantAction === "manage") return true;
+  return false;
+}
+function grantMatchesTable(grantSubject, requiredTable) {
+  if (grantSubject === "all") return true;
+  if (grantSubject === requiredTable) return true;
+  return getTableName(grantSubject) === getTableName(requiredTable);
+}
+function hasGrantFor(grants, action, table) {
+  return grants.some(
+    (g) => grantMatchesAction(g.action, action) && grantMatchesTable(g.subject, table)
+  );
+}
+function hasManagePermission(grants, table) {
+  if (hasGrantFor(grants, "manage", table)) return true;
+  return CRUD_ACTIONS.every((action) => hasGrantFor(grants, action, table));
+}
+function checkOperationPermissions(grants, descriptors) {
+  if (descriptors.length === 0) return;
+  for (const descriptor of descriptors) {
+    let permitted;
+    if (descriptor.action === "manage") {
+      permitted = hasManagePermission(grants, descriptor.table);
+    } else {
+      permitted = hasGrantFor(grants, descriptor.action, descriptor.table);
+    }
+    if (!permitted) {
+      throw new ForbiddenError({
+        action: descriptor.action,
+        table: descriptor.table,
+        descriptors: [descriptor]
+      });
+    }
+  }
+}
+
+// src/utils.ts
+import { and, or } from "drizzle-orm";
+import { getTableName as getTableName2 } from "@cfast/permissions";
+function deduplicateDescriptors(descriptors) {
+  const seen = /* @__PURE__ */ new Set();
+  const result = [];
+  for (const d of descriptors) {
+    const key = `${d.action}:${getTableName2(d.table)}`;
+    if (!seen.has(key)) {
+      seen.add(key);
+      result.push(d);
+    }
+  }
+  return result;
+}
+function buildPermissionFilter(grants, action, table, user, unsafe) {
+  if (unsafe || !user) return void 0;
+  const filters = resolvePermissionFilters(grants, action, table);
+  if (filters.length === 0) return void 0;
+  const columns = table;
+  const clauses = filters.map(
+    (fn) => fn(columns, user)
+  );
+  return or(...clauses);
+}
+function combineWhere(userCondition, permFilter) {
+  if (permFilter && userCondition) return and(userCondition, permFilter);
+  if (permFilter) return permFilter.getSQL();
+  if (userCondition) return userCondition.getSQL();
+  return void 0;
+}
+function makePermissions(unsafe, action, table) {
+  return unsafe ? [] : [{ action, table }];
+}
+
+// src/paginate.ts
+import { and as and2, or as or2, lt, gt, eq } from "drizzle-orm";
+function parseIntParam(raw, fallback) {
+  if (raw == null) return fallback;
+  const n = Number(raw);
+  return Number.isNaN(n) ? fallback : n;
+}
+function clamp(value, min, max) {
+  return Math.min(Math.max(value, min), max);
+}
+function parseCursorParams(request, options) {
+  const defaultLimit = options?.defaultLimit ?? 20;
+  const maxLimit = options?.maxLimit ?? 100;
+  const url = new URL(request.url);
+  const cursor = url.searchParams.get("cursor");
+  const limit = clamp(parseIntParam(url.searchParams.get("limit"), defaultLimit), 1, maxLimit);
+  return { type: "cursor", cursor, limit };
+}
+function parseOffsetParams(request, options) {
+  const defaultLimit = options?.defaultLimit ?? 20;
+  const maxLimit = options?.maxLimit ?? 100;
+  const url = new URL(request.url);
+  const page = Math.max(parseIntParam(url.searchParams.get("page"), 1), 1);
+  const limit = clamp(parseIntParam(url.searchParams.get("limit"), defaultLimit), 1, maxLimit);
+  return { type: "offset", page, limit };
+}
+function encodeCursor(values) {
+  return btoa(JSON.stringify({ v: values }));
+}
+function decodeCursor(cursor) {
+  if (cursor === null) return null;
+  try {
+    const parsed = JSON.parse(atob(cursor));
+    if (typeof parsed === "object" && parsed !== null && "v" in parsed) {
+      const record = parsed;
+      if (Array.isArray(record["v"])) {
+        return record["v"];
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function buildCursorWhere(cursorColumns, cursorValues, direction = "desc") {
+  const compare = direction === "desc" ? lt : gt;
+  if (cursorColumns.length === 1) {
+    return compare(cursorColumns[0], cursorValues[0]);
+  }
+  const conditions = [];
+  for (let i = 0; i < cursorColumns.length; i++) {
+    const eqParts = [];
+    for (let j = 0; j < i; j++) {
+      eqParts.push(eq(cursorColumns[j], cursorValues[j]));
+    }
+    eqParts.push(compare(cursorColumns[i], cursorValues[i]));
+    conditions.push(and2(...eqParts));
+  }
+  return or2(...conditions);
+}
+
+// src/query-builder.ts
+function getTableKey(schema, table) {
+  for (const [key, val] of Object.entries(schema)) {
+    if (val === table) return key;
+  }
+  return void 0;
+}
+function getQueryTable(db, key) {
+  return db.query[key];
+}
+function buildQueryOperation(config, db, tableKey, method, options) {
+  const permissions = makePermissions(config.unsafe, "read", config.table);
+  return {
+    permissions,
+    async run(_params) {
+      if (!config.unsafe) {
+        checkOperationPermissions(config.grants, permissions);
+      }
+      const permFilter = buildPermissionFilter(
+        config.grants,
+        "read",
+        config.table,
+        config.user,
+        config.unsafe
+      );
+      const userWhere = options?.where;
+      const combinedWhere = combineWhere(userWhere, permFilter);
+      const queryOptions = { ...options };
+      if (combinedWhere) {
+        queryOptions.where = combinedWhere;
+      }
+      delete queryOptions.cache;
+      const queryTable = getQueryTable(db, tableKey);
+      const result = await queryTable[method](queryOptions);
+      return method === "findFirst" ? result ?? void 0 : result;
+    }
+  };
+}
+function createQueryBuilder(config) {
+  const db = drizzle(config.d1, { schema: config.schema });
+  const tableKey = getTableKey(config.schema, config.table);
+  return {
+    findMany(options) {
+      if (!tableKey) {
+        return {
+          permissions: makePermissions(config.unsafe, "read", config.table),
+          async run() {
+            throw new Error("Table not found in schema");
+          }
+        };
+      }
+      return buildQueryOperation(config, db, tableKey, "findMany", options);
+    },
+    findFirst(options) {
+      if (!tableKey) {
+        return {
+          permissions: makePermissions(config.unsafe, "read", config.table),
+          async run() {
+            throw new Error("Table not found in schema");
+          }
+        };
+      }
+      return buildQueryOperation(config, db, tableKey, "findFirst", options);
+    },
+    paginate(params, options) {
+      const permissions = makePermissions(config.unsafe, "read", config.table);
+      function ensureTableKey() {
+        if (!tableKey) throw new Error("Table not found in schema");
+        return tableKey;
+      }
+      function checkAndBuildWhere(extraWhere) {
+        if (!config.unsafe) {
+          checkOperationPermissions(config.grants, permissions);
+        }
+        const permFilter = buildPermissionFilter(
+          config.grants,
+          "read",
+          config.table,
+          config.user,
+          config.unsafe
+        );
+        return combineWhere(
+          combineWhere(options?.where, permFilter),
+          extraWhere
+        );
+      }
+      function buildBaseQueryOptions(where) {
+        const qo = {};
+        if (options?.columns) qo.columns = options.columns;
+        if (options?.orderBy) qo.orderBy = options.orderBy;
+        if (options?.with) qo.with = options.with;
+        if (where) qo.where = where;
+        return qo;
+      }
+      if (params.type === "cursor") {
+        const cursorColumns = options?.cursorColumns ?? [];
+        return {
+          permissions,
+          async run(_params) {
+            const key = ensureTableKey();
+            const cursorValues = decodeCursor(params.cursor);
+            const direction = options?.orderDirection ?? "desc";
+            const cursorWhere = cursorValues ? buildCursorWhere(cursorColumns, cursorValues, direction) : void 0;
+            const combinedWhere = checkAndBuildWhere(cursorWhere);
+            const queryOptions = buildBaseQueryOptions(combinedWhere);
+            queryOptions.limit = params.limit + 1;
+            const queryTable = getQueryTable(db, key);
+            const rows = await queryTable.findMany(queryOptions);
+            const hasMore = rows.length > params.limit;
+            const items = hasMore ? rows.slice(0, params.limit) : rows;
+            let nextCursor = null;
+            if (hasMore && items.length > 0) {
+              const lastItem = items[items.length - 1];
+              const values = cursorColumns.map((col) => lastItem[col.name]);
+              nextCursor = encodeCursor(values);
+            }
+            return { items, nextCursor };
+          }
+        };
+      }
+      return {
+        permissions,
+        async run(_params) {
+          const key = ensureTableKey();
+          const combinedWhere = checkAndBuildWhere();
+          const queryOptions = buildBaseQueryOptions(combinedWhere);
+          queryOptions.limit = params.limit;
+          queryOptions.offset = (params.page - 1) * params.limit;
+          const countQuery = db.select({ count: count() }).from(config.table).$dynamic();
+          if (combinedWhere) countQuery.where(combinedWhere);
+          const queryTable = getQueryTable(db, key);
+          const [items, countResult] = await Promise.all([
+            queryTable.findMany(queryOptions),
+            countQuery
+          ]);
+          const total = countResult[0]?.count ?? 0;
+          return {
+            items,
+            total,
+            page: params.page,
+            totalPages: Math.ceil(total / params.limit)
+          };
+        }
+      };
+    }
+  };
+}
+
+// src/mutate-builder.ts
+import { drizzle as drizzle2 } from "drizzle-orm/d1";
+function checkIfNeeded(config, grants, permissions) {
+  if (!config.unsafe) {
+    checkOperationPermissions(grants, permissions);
+  }
+}
+function buildMutationWithReturning(config, permissions, tableName, execute) {
+  return {
+    permissions,
+    async run(_params) {
+      checkIfNeeded(config, config.grants, permissions);
+      await execute(false);
+      config.onMutate?.(tableName);
+    },
+    returning() {
+      return {
+        permissions,
+        async run(_params) {
+          checkIfNeeded(config, config.grants, permissions);
+          const result = await execute(true);
+          config.onMutate?.(tableName);
+          return result;
+        }
+      };
+    }
+  };
+}
+function createInsertBuilder(config) {
+  const db = drizzle2(config.d1, { schema: config.schema });
+  const permissions = makePermissions(config.unsafe, "create", config.table);
+  const tableName = getTableName2(config.table);
+  return {
+    values(values) {
+      return buildMutationWithReturning(config, permissions, tableName, async (returning) => {
+        const query = db.insert(config.table).values(values);
+        if (returning) {
+          return query.returning().get();
+        }
+        await query.run();
+      });
+    }
+  };
+}
+function createUpdateBuilder(config) {
+  const db = drizzle2(config.d1, { schema: config.schema });
+  const permissions = makePermissions(config.unsafe, "update", config.table);
+  const tableName = getTableName2(config.table);
+  return {
+    set(values) {
+      return {
+        where(condition) {
+          const permFilter = buildPermissionFilter(
+            config.grants,
+            "update",
+            config.table,
+            config.user,
+            config.unsafe
+          );
+          const combinedWhere = combineWhere(condition, permFilter);
+          return buildMutationWithReturning(config, permissions, tableName, async (returning) => {
+            const query = db.update(config.table).set(values);
+            if (combinedWhere) query.where(combinedWhere);
+            if (returning) {
+              return query.returning().get();
+            }
+            await query.run();
+          });
+        }
+      };
+    }
+  };
+}
+function createDeleteBuilder(config) {
+  const db = drizzle2(config.d1, { schema: config.schema });
+  const permissions = makePermissions(config.unsafe, "delete", config.table);
+  const tableName = getTableName2(config.table);
+  return {
+    where(condition) {
+      const permFilter = buildPermissionFilter(
+        config.grants,
+        "delete",
+        config.table,
+        config.user,
+        config.unsafe
+      );
+      const combinedWhere = combineWhere(condition, permFilter);
+      return buildMutationWithReturning(config, permissions, tableName, async (returning) => {
+        const query = db.delete(config.table);
+        if (combinedWhere) query.where(combinedWhere);
+        if (returning) {
+          return query.returning().get();
+        }
+        await query.run();
+      });
+    }
+  };
+}
+
+// src/cache.ts
+function parseTtl(ttl) {
+  const match = ttl.match(/^(\d+)(s|m|h)$/);
+  if (!match) return 60;
+  const value = parseInt(match[1], 10);
+  switch (match[2]) {
+    case "s":
+      return value;
+    case "m":
+      return value * 60;
+    case "h":
+      return value * 3600;
+    default:
+      return 60;
+  }
+}
+function simpleHash(str) {
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i);
+    hash = (hash << 5) - hash + char | 0;
+  }
+  return (hash >>> 0).toString(36);
+}
+function createCacheManager(config) {
+  const tableVersions = /* @__PURE__ */ new Map();
+  const tagToKeys = /* @__PURE__ */ new Map();
+  const defaultTtl = config.ttl ?? "60s";
+  const excludedTables = new Set(config.exclude ?? []);
+  return {
+    generateKey(sql, role, tableVersion) {
+      return `cfast:${role}:v${tableVersion}:${simpleHash(sql)}`;
+    },
+    getTableVersion(table) {
+      return tableVersions.get(table) ?? 0;
+    },
+    invalidateTable(table) {
+      const current = tableVersions.get(table) ?? 0;
+      tableVersions.set(table, current + 1);
+      config.onInvalidate?.([table]);
+    },
+    async invalidateTags(tags) {
+      if (config.backend === "kv" && config.kv) {
+        for (const tag of tags) {
+          const keys = tagToKeys.get(tag);
+          if (keys) {
+            for (const key of keys) {
+              await config.kv.delete(key);
+            }
+            tagToKeys.delete(tag);
+          }
+        }
+      }
+    },
+    isExcluded(table) {
+      return excludedTables.has(table);
+    },
+    getTtlSeconds(override) {
+      return parseTtl(override ?? defaultTtl);
+    },
+    async get(key, tableName) {
+      if (config.backend === "cache-api") {
+        const cache = await caches.open("cfast-db");
+        const response = await cache.match(
+          new Request(`https://cfast-cache/${key}`)
+        );
+        if (response) {
+          config.onHit?.(key, tableName);
+          return response.json();
+        }
+        config.onMiss?.(key, tableName);
+        return void 0;
+      }
+      if (config.backend === "kv" && config.kv) {
+        const value = await config.kv.get(key, "json");
+        if (value !== null) {
+          config.onHit?.(key, tableName);
+          return value;
+        }
+        config.onMiss?.(key, tableName);
+        return void 0;
+      }
+      return void 0;
+    },
+    async set(key, value, _tableName, options) {
+      if (options === false) return;
+      const ttl = this.getTtlSeconds(
+        typeof options === "object" ? options?.ttl : void 0
+      );
+      if (config.backend === "cache-api") {
+        const cache = await caches.open("cfast-db");
+        let cacheControl = `max-age=${ttl}`;
+        if (typeof options === "object" && options?.staleWhileRevalidate) {
+          const swr = parseTtl(options.staleWhileRevalidate);
+          cacheControl = `max-age=${ttl}, stale-while-revalidate=${swr}`;
+        }
+        await cache.put(
+          new Request(`https://cfast-cache/${key}`),
+          new Response(JSON.stringify(value), {
+            headers: {
+              "Content-Type": "application/json",
+              "Cache-Control": cacheControl
+            }
+          })
+        );
+      }
+      if (config.backend === "kv" && config.kv) {
+        await config.kv.put(key, JSON.stringify(value), {
+          expirationTtl: ttl
+        });
+      }
+      if (typeof options === "object" && options?.tags) {
+        for (const tag of options.tags) {
+          if (!tagToKeys.has(tag)) tagToKeys.set(tag, /* @__PURE__ */ new Set());
+          tagToKeys.get(tag).add(key);
+        }
+      }
+    }
+  };
+}
+
+// src/create-db.ts
+function createDb(config) {
+  return buildDb(config, false);
+}
+function buildDb(config, isUnsafe) {
+  const cacheManager = config.cache === false ? null : createCacheManager(config.cache ?? { backend: "cache-api" });
+  const onMutate = (tableName) => {
+    cacheManager?.invalidateTable(tableName);
+  };
+  return {
+    query(table) {
+      return createQueryBuilder({
+        d1: config.d1,
+        schema: config.schema,
+        grants: config.grants,
+        user: config.user,
+        table,
+        unsafe: isUnsafe
+      });
+    },
+    insert(table) {
+      return createInsertBuilder({
+        d1: config.d1,
+        schema: config.schema,
+        grants: config.grants,
+        user: config.user,
+        table,
+        unsafe: isUnsafe,
+        onMutate
+      });
+    },
+    update(table) {
+      return createUpdateBuilder({
+        d1: config.d1,
+        schema: config.schema,
+        grants: config.grants,
+        user: config.user,
+        table,
+        unsafe: isUnsafe,
+        onMutate
+      });
+    },
+    delete(table) {
+      return createDeleteBuilder({
+        d1: config.d1,
+        schema: config.schema,
+        grants: config.grants,
+        user: config.user,
+        table,
+        unsafe: isUnsafe,
+        onMutate
+      });
+    },
+    unsafe() {
+      return buildDb(config, true);
+    },
+    batch(operations) {
+      const allPermissions = deduplicateDescriptors(
+        operations.flatMap((op) => op.permissions)
+      );
+      return {
+        permissions: allPermissions,
+        async run(params) {
+          const results = [];
+          for (const op of operations) {
+            results.push(await op.run(params));
+          }
+          return results;
+        }
+      };
+    },
+    cache: {
+      async invalidate(options) {
+        if (!cacheManager) return;
+        if (options.tags) {
+          await cacheManager.invalidateTags(options.tags);
+        }
+        if (options.tables) {
+          for (const table of options.tables) {
+            cacheManager.invalidateTable(table);
+          }
+        }
+      }
+    }
+  };
+}
+
+// src/compose.ts
+function compose(operations, executor) {
+  const allPermissions = deduplicateDescriptors(
+    operations.flatMap((op) => op.permissions)
+  );
+  return {
+    permissions: allPermissions,
+    async run(_params) {
+      const runs = operations.map((op) => op.run);
+      return executor(...runs);
+    }
+  };
+}
+export {
+  compose,
+  createDb,
+  parseCursorParams,
+  parseOffsetParams
+};

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@cfast/db",
+  "version": "0.0.1",
+  "description": "Permission-aware Drizzle queries for Cloudflare D1",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/DanielMSchmidt/cfast.git",
+    "directory": "packages/db"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "drizzle-orm": ">=0.35"
+  },
+  "dependencies": {
+    "@cfast/permissions": "0.0.1"
+  },
+  "peerDependenciesMeta": {
+    "@cloudflare/workers-types": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260305.1",
+    "drizzle-orm": "^0.45.1",
+    "tsup": "^8",
+    "typescript": "^5.7",
+    "vitest": "^4.1.0"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --dts",
+    "dev": "tsup src/index.ts --format esm --dts --watch",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/",
+    "test": "vitest run"
+  }
+}