@constructive-io/graphql-server 2.10.5

package/esm/middleware/flush.js

@@ -0,0 +1,49 @@
+import { Logger } from '@pgpmjs/logger';
+import { svcCache } from '@pgpmjs/server-utils';
+import { graphileCache } from 'graphile-cache';
+import { getPgPool } from 'pg-cache';
+import './types'; // for Request type
+const log = new Logger('flush');
+export const flush = async (req, res, next) => {
+    if (req.url === '/flush') {
+        // TODO: check bearer for a flush / special key
+        graphileCache.delete(req.svc_key);
+        svcCache.delete(req.svc_key);
+        res.status(200).send('OK');
+        return;
+    }
+    return next();
+};
+export const flushService = async (opts, databaseId) => {
+    const pgPool = getPgPool(opts.pg);
+    log.info('flushing db ' + databaseId);
+    const api = new RegExp(`^api:${databaseId}:.*`);
+    const schemata = new RegExp(`^schemata:${databaseId}:.*`);
+    const meta = new RegExp(`^metaschema:api:${databaseId}`);
+    if (!opts.api.isPublic) {
+        graphileCache.forEach((_, k) => {
+            if (api.test(k) || schemata.test(k) || meta.test(k)) {
+                graphileCache.delete(k);
+                svcCache.delete(k);
+            }
+        });
+    }
+    const svc = await pgPool.query(`SELECT *
+     FROM meta_public.domains
+     WHERE database_id = $1`, [databaseId]);
+    if (svc.rowCount === 0)
+        return;
+    for (const row of svc.rows) {
+        let key;
+        if (row.domain && !row.subdomain) {
+            key = row.domain;
+        }
+        else if (row.domain && row.subdomain) {
+            key = `${row.subdomain}.${row.domain}`;
+        }
+        if (key) {
+            graphileCache.delete(key);
+            svcCache.delete(key);
+        }
+    }
+};

package/esm/middleware/gql.js

@@ -0,0 +1,125 @@
+import gql from 'graphql-tag';
+// DO NOT CHANGE TO domainBySubdomainAndDomain(domain: $domain, subdomain: $subdomain)
+// condition is the way to handle since it will pass in null properly
+// e.g. subdomain.domain or domain both work
+export const ApiQuery = gql `
+  query ApiRoot($domain: String!, $subdomain: String) {
+    domains(condition: { domain: $domain, subdomain: $subdomain }) {
+      nodes {
+        api {
+          databaseId
+          dbname
+          roleName
+          anonRole
+          isPublic
+          schemaNamesFromExt: apiExtensions {
+            nodes {
+              schemaName
+            }
+          }
+          schemaNames: schemataByApiSchemaApiIdAndSchemaId {
+            nodes {
+              schemaName
+            }
+          }
+          rlsModule {
+            privateSchema {
+              schemaName
+            }
+            authenticateStrict
+            authenticate
+            currentRole
+            currentRoleId
+          }
+          database {
+            sites {
+              nodes {
+                domains {
+                  nodes {
+                    subdomain
+                    domain
+                  }
+                }
+              }
+            }
+          } # for now keep this for patches
+          apiModules {
+            nodes {
+              name
+              data
+            }
+          }
+        }
+      }
+    }
+  }
+`;
+export const ApiByNameQuery = gql `
+  query ApiByName($name: String!, $databaseId: UUID!) {
+    api: apiByDatabaseIdAndName(name: $name, databaseId: $databaseId) {
+      databaseId
+      dbname
+      roleName
+      anonRole
+      isPublic
+      schemaNamesFromExt: apiExtensions {
+        nodes {
+          schemaName
+        }
+      }
+      schemaNames: schemataByApiSchemaApiIdAndSchemaId {
+        nodes {
+          schemaName
+        }
+      }
+      rlsModule {
+        privateSchema {
+          schemaName
+        }
+        authenticate
+        authenticateStrict
+        currentRole
+        currentRoleId
+      }
+      database {
+        sites {
+          nodes {
+            domains {
+              nodes {
+                subdomain
+                domain
+              }
+            }
+          }
+        }
+      } # for now keep this for patches
+      apiModules {
+        nodes {
+          name
+          data
+        }
+      }
+    }
+  }
+`;
+export const ListOfAllDomainsOfDb = gql `
+  query ListApisByDatabaseId {
+    apis {
+      nodes {
+        id
+        databaseId
+        name
+        dbname
+        roleName
+        anonRole
+        isPublic
+        domains {
+          nodes {
+            domain
+            subdomain
+          }
+        }
+      }
+    }
+  }
+`;

package/esm/middleware/graphile.js

@@ -0,0 +1,84 @@
+import { graphileCache } from 'graphile-cache';
+import { getGraphileSettings as getSettings } from 'graphile-settings';
+import { getPgPool } from 'pg-cache';
+import { postgraphile } from 'postgraphile';
+import './types'; // for Request type
+import PublicKeySignature from '../plugins/PublicKeySignature';
+export const graphile = (opts) => {
+    return async (req, res, next) => {
+        try {
+            const api = req.api;
+            if (!api) {
+                return res.status(500).send('Missing API info');
+            }
+            const key = req.svc_key;
+            if (!key) {
+                return res.status(500).send('Missing service cache key');
+            }
+            const { dbname, anonRole, roleName, schema } = api;
+            if (graphileCache.has(key)) {
+                const { handler } = graphileCache.get(key);
+                return handler(req, res, next);
+            }
+            const options = getSettings({
+                ...opts,
+                graphile: {
+                    ...opts.graphile,
+                    schema: schema,
+                },
+            });
+            const pubkey_challenge = api.apiModules.find((mod) => mod.name === 'pubkey_challenge');
+            if (pubkey_challenge && pubkey_challenge.data) {
+                options.appendPlugins.push(PublicKeySignature(pubkey_challenge.data));
+            }
+            options.appendPlugins = options.appendPlugins ?? [];
+            options.appendPlugins.push(...opts.graphile.appendPlugins);
+            options.pgSettings = async function pgSettings(request) {
+                const gqlReq = request;
+                const context = {
+                    [`jwt.claims.database_id`]: gqlReq.databaseId,
+                    [`jwt.claims.ip_address`]: gqlReq.clientIp,
+                };
+                if (gqlReq.get('origin')) {
+                    context['jwt.claims.origin'] = gqlReq.get('origin');
+                }
+                if (gqlReq.get('User-Agent')) {
+                    context['jwt.claims.user_agent'] = gqlReq.get('User-Agent');
+                }
+                if (gqlReq?.token?.user_id) {
+                    return {
+                        role: roleName,
+                        [`jwt.claims.token_id`]: gqlReq.token.id,
+                        [`jwt.claims.user_id`]: gqlReq.token.user_id,
+                        ...context,
+                    };
+                }
+                return { role: anonRole, ...context };
+            };
+            options.graphqlRoute = '/graphql';
+            options.graphiqlRoute = '/graphiql';
+            options.graphileBuildOptions = {
+                ...options.graphileBuildOptions,
+                ...opts.graphile.graphileBuildOptions,
+            };
+            const graphileOpts = {
+                ...options,
+                ...opts.graphile.overrideSettings,
+            };
+            const pgPool = getPgPool({
+                ...opts.pg,
+                database: dbname,
+            });
+            const handler = postgraphile(pgPool, schema, graphileOpts);
+            graphileCache.set(key, {
+                pgPool,
+                pgPoolKey: dbname,
+                handler,
+            });
+            return handler(req, res, next);
+        }
+        catch (e) {
+            return res.status(500).send(e.message);
+        }
+    };
+};

package/esm/middleware/types.js

@@ -0,0 +1 @@
+export {};

package/esm/plugins/PublicKeySignature.js

@@ -0,0 +1,114 @@
+import { gql, makeExtendSchemaPlugin } from 'graphile-utils';
+import pgQueryWithContext from 'pg-query-context';
+export const PublicKeySignature = (pubkey_challenge) => {
+    const { schema, crypto_network, sign_up_with_key, sign_in_request_challenge, sign_in_record_failure, sign_in_with_challenge } = pubkey_challenge;
+    return makeExtendSchemaPlugin(() => ({
+        typeDefs: gql `
+      input CreateUserAccountWithPublicKeyInput {
+        publicKey: String!
+      }
+
+      input GetMessageForSigningInput {
+        publicKey: String!
+      }
+
+      input VerifyMessageForSigningInput {
+        publicKey: String!
+        message: String!
+        signature: String!
+      }
+
+      type createUserAccountWithPublicKeyPayload {
+        message: String!
+      }
+
+      type getMessageForSigningPayload {
+        message: String!
+      }
+
+      type verifyMessageForSigningPayload {
+        access_token: String!
+        access_token_expires_at: Datetime!
+      }
+
+      extend type Mutation {
+        createUserAccountWithPublicKey(
+          input: CreateUserAccountWithPublicKeyInput
+        ): createUserAccountWithPublicKeyPayload
+
+        getMessageForSigning(
+          input: GetMessageForSigningInput
+        ): getMessageForSigningPayload
+
+        verifyMessageForSigning(
+          input: VerifyMessageForSigningInput
+        ): verifyMessageForSigningPayload
+      }
+    `,
+        resolvers: {
+            Mutation: {
+                async createUserAccountWithPublicKey(_parent, args, context) {
+                    const { pgClient } = context;
+                    const { publicKey } = args.input;
+                    await pgQueryWithContext({
+                        client: pgClient,
+                        context: { role: 'anonymous' },
+                        query: `SELECT * FROM "${schema}".${sign_up_with_key}($1)`,
+                        variables: [publicKey]
+                    });
+                    const { rows: [{ [sign_in_request_challenge]: message }] } = await pgQueryWithContext({
+                        client: pgClient,
+                        context: { role: 'anonymous' },
+                        query: `SELECT * FROM "${schema}".${sign_in_request_challenge}($1)`,
+                        variables: [publicKey]
+                    });
+                    return { message };
+                },
+                async getMessageForSigning(_parent, args, context) {
+                    const { pgClient } = context;
+                    const { publicKey } = args.input;
+                    const { rows: [{ [sign_in_request_challenge]: message }] } = await pgQueryWithContext({
+                        client: pgClient,
+                        context: { role: 'anonymous' },
+                        query: `SELECT * FROM "${schema}".${sign_in_request_challenge}($1)`,
+                        variables: [publicKey]
+                    });
+                    if (!message)
+                        throw new Error('NO_ACCOUNT_EXISTS');
+                    return { message };
+                },
+                async verifyMessageForSigning(_parent, args, context) {
+                    const { pgClient } = context;
+                    const { publicKey, message, signature } = args.input;
+                    //   const network = Networks[crypto_network];
+                    const network = 'btc';
+                    //   const result = verifyMessage(message, publicKey, signature, network);
+                    // TODO implement using interchainJS?
+                    const result = false;
+                    if (!result) {
+                        await pgQueryWithContext({
+                            client: pgClient,
+                            context: { role: 'anonymous' },
+                            query: `SELECT * FROM "${schema}".${sign_in_record_failure}($1)`,
+                            variables: [publicKey]
+                        });
+                        throw new Error('BAD_SIGNIN');
+                    }
+                    const { rows: [token] } = await pgQueryWithContext({
+                        client: pgClient,
+                        context: { role: 'anonymous' },
+                        query: `SELECT * FROM "${schema}".${sign_in_with_challenge}($1, $2)`,
+                        variables: [publicKey, message]
+                    });
+                    if (!token?.access_token)
+                        throw new Error('BAD_SIGNIN');
+                    return {
+                        access_token: token.access_token,
+                        access_token_expires_at: token.access_token_expires_at
+                    };
+                }
+            }
+        }
+    }));
+};
+export default PublicKeySignature;

package/esm/run.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+import { getEnvOptions } from '@constructive-io/graphql-env';
+import { GraphQLServer as server } from './server';
+server(getEnvOptions({
+    pg: {
+        database: process.env.PGDATABASE,
+    },
+}));

package/esm/schema.js

@@ -0,0 +1,86 @@
+import { printSchema, getIntrospectionQuery, buildClientSchema } from 'graphql';
+import { getGraphileSettings } from 'graphile-settings';
+import { getPgPool } from 'pg-cache';
+import { createPostGraphileSchema } from 'postgraphile';
+import * as http from 'node:http';
+import * as https from 'node:https';
+// Build GraphQL Schema SDL directly from Postgres using PostGraphile, without HTTP.
+export async function buildSchemaSDL(opts) {
+    const database = opts.database ?? 'constructive';
+    const schemas = Array.isArray(opts.schemas) ? opts.schemas : [];
+    const settings = getGraphileSettings({
+        graphile: {
+            schema: schemas,
+            ...(opts.graphile ?? {})
+        }
+    });
+    const pgPool = getPgPool({ database });
+    const schema = await createPostGraphileSchema(pgPool, schemas, settings);
+    return printSchema(schema);
+}
+// Fetch GraphQL Schema SDL from a running GraphQL endpoint via introspection.
+// This centralizes GraphQL client usage in the server package to avoid duplicating deps in the CLI.
+export async function fetchEndpointSchemaSDL(endpoint, opts) {
+    const url = new URL(endpoint);
+    const requestUrl = url;
+    const introspectionQuery = getIntrospectionQuery({ descriptions: true });
+    const postData = JSON.stringify({
+        query: introspectionQuery,
+        variables: null,
+        operationName: 'IntrospectionQuery',
+    });
+    const headers = {
+        'Content-Type': 'application/json',
+        'Content-Length': String(Buffer.byteLength(postData)),
+    };
+    if (opts?.headerHost) {
+        headers['Host'] = opts.headerHost;
+    }
+    if (opts?.auth) {
+        headers['Authorization'] = opts.auth;
+    }
+    if (opts?.headers) {
+        for (const [key, value] of Object.entries(opts.headers)) {
+            headers[key] = value;
+        }
+    }
+    const isHttps = requestUrl.protocol === 'https:';
+    const lib = isHttps ? https : http;
+    const responseData = await new Promise((resolve, reject) => {
+        const req = lib.request({
+            hostname: requestUrl.hostname,
+            port: (requestUrl.port ? Number(requestUrl.port) : (isHttps ? 443 : 80)),
+            path: requestUrl.pathname,
+            method: 'POST',
+            headers,
+        }, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => {
+                if (res.statusCode && res.statusCode >= 400) {
+                    reject(new Error(`HTTP ${res.statusCode} – ${data}`));
+                    return;
+                }
+                resolve(data);
+            });
+        });
+        req.on('error', (err) => reject(err));
+        req.write(postData);
+        req.end();
+    });
+    let json;
+    try {
+        json = JSON.parse(responseData);
+    }
+    catch (e) {
+        throw new Error(`Failed to parse response: ${responseData}`);
+    }
+    if (json.errors) {
+        throw new Error('Introspection returned errors');
+    }
+    if (!json.data) {
+        throw new Error('No data in introspection response');
+    }
+    const schema = buildClientSchema(json.data);
+    return printSchema(schema);
+}

package/esm/scripts/create-bucket.js

@@ -0,0 +1,32 @@
+// Minimal script to create a bucket in MinIO using @constructive-io/s3-utils
+// Avoid strict type coupling between different @aws-sdk/client-s3 versions
+// Loads graphql/server/.env by default when running via ts-node from this workspace
+import 'dotenv/config';
+import { S3Client } from '@aws-sdk/client-s3';
+import { createS3Bucket } from '@constructive-io/s3-utils';
+const BUCKET = process.env.BUCKET_NAME || 'test-bucket';
+const REGION = process.env.AWS_REGION || 'us-east-1';
+const ACCESS_KEY = process.env.AWS_ACCESS_KEY || process.env.AWS_ACCESS_KEY_ID || 'minioadmin';
+const SECRET_KEY = process.env.AWS_SECRET_KEY ||
+    process.env.AWS_SECRET_ACCESS_KEY ||
+    'minioadmin';
+const ENDPOINT = process.env.MINIO_ENDPOINT || 'http://localhost:9000';
+(async () => {
+    try {
+        const client = new S3Client({
+            region: REGION,
+            credentials: { accessKeyId: ACCESS_KEY, secretAccessKey: SECRET_KEY },
+            endpoint: ENDPOINT,
+            forcePathStyle: true,
+        });
+        // Hint downstream to apply MinIO policies
+        process.env.IS_MINIO = 'true';
+        const res = await createS3Bucket(client, BUCKET);
+        console.log(`[create-bucket] ${BUCKET}:`, res);
+        client.destroy();
+    }
+    catch (e) {
+        console.error('[create-bucket] error', e);
+        process.exitCode = 1;
+    }
+})();

package/esm/server.js

@@ -0,0 +1,95 @@
+import 'dotenv/config';
+import { getEnvOptions } from '@constructive-io/graphql-env';
+import { Logger } from '@pgpmjs/logger';
+import { healthz, poweredBy, trustProxy } from '@pgpmjs/server-utils';
+import { middleware as parseDomains } from '@constructive-io/url-domains';
+import express from 'express';
+// @ts-ignore
+import graphqlUpload from 'graphql-upload';
+import { getPgPool } from 'pg-cache';
+import requestIp from 'request-ip';
+import { createApiMiddleware } from './middleware/api';
+import { createAuthenticateMiddleware } from './middleware/auth';
+import { cors } from './middleware/cors';
+import { flush, flushService } from './middleware/flush';
+import { graphile } from './middleware/graphile';
+const log = new Logger('server');
+export const GraphQLServer = (rawOpts = {}) => {
+    const envOptions = getEnvOptions(rawOpts);
+    const app = new Server(envOptions);
+    app.addEventListener();
+    app.listen();
+};
+class Server {
+    app;
+    opts;
+    constructor(opts) {
+        this.opts = getEnvOptions(opts);
+        const app = express();
+        const api = createApiMiddleware(opts);
+        const authenticate = createAuthenticateMiddleware(opts);
+        healthz(app);
+        trustProxy(app, opts.server.trustProxy);
+        // Warn if a global CORS override is set in production
+        const fallbackOrigin = opts.server?.origin?.trim();
+        if (fallbackOrigin && process.env.NODE_ENV === 'production') {
+            if (fallbackOrigin === '*') {
+                log.warn('CORS wildcard ("*") is enabled in production; this effectively disables CORS and is not recommended. Prefer per-API CORS via meta schema.');
+            }
+            else {
+                log.warn(`CORS override origin set to ${fallbackOrigin} in production. Prefer per-API CORS via meta schema.`);
+            }
+        }
+        app.use(poweredBy('constructive'));
+        app.use(cors(fallbackOrigin));
+        app.use(graphqlUpload.graphqlUploadExpress());
+        app.use(parseDomains());
+        app.use(requestIp.mw());
+        app.use(api);
+        app.use(authenticate);
+        app.use(graphile(opts));
+        app.use(flush);
+        this.app = app;
+    }
+    listen() {
+        const { server } = this.opts;
+        this.app.listen(server?.port, server?.host, () => log.info(`listening at http://${server?.host}:${server?.port}`));
+    }
+    async flush(databaseId) {
+        await flushService(this.opts, databaseId);
+    }
+    getPool() {
+        return getPgPool(this.opts.pg);
+    }
+    addEventListener() {
+        const pgPool = this.getPool();
+        pgPool.connect(this.listenForChanges.bind(this));
+    }
+    listenForChanges(err, client, release) {
+        if (err) {
+            this.error('Error connecting with notify listener', err);
+            setTimeout(() => this.addEventListener(), 5000);
+            return;
+        }
+        client.on('notification', ({ channel, payload }) => {
+            if (channel === 'schema:update' && payload) {
+                log.info('schema:update', payload);
+                this.flush(payload);
+            }
+        });
+        client.query('LISTEN "schema:update"');
+        client.on('error', (e) => {
+            this.error('Error with database notify listener', e);
+            release();
+            this.addEventListener();
+        });
+        this.log('connected and listening for changes...');
+    }
+    log(text) {
+        log.info(text);
+    }
+    error(text, err) {
+        log.error(text, err);
+    }
+}
+export { Server };

package/esm/types.js

@@ -0,0 +1 @@
+export {};

package/index.d.ts

@@ -0,0 +1,2 @@
+export * from './server';
+export * from './schema';

package/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./server"), exports);
+__exportStar(require("./schema"), exports);

package/middleware/api.d.ts

@@ -0,0 +1,6 @@
+import { PgpmOptions } from '@pgpmjs/types';
+import { NextFunction, Request, Response } from 'express';
+import './types';
+export declare const getSubdomain: (reqDomains: string[]) => string | null;
+export declare const createApiMiddleware: (opts: any) => (req: Request, res: Response, next: NextFunction) => Promise<void>;
+export declare const getApiConfig: (opts: PgpmOptions, req: Request) => Promise<any>;