@constructive-io/graphql-server 2.10.5

package/middleware/api.js

@@ -0,0 +1,346 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getApiConfig = exports.createApiMiddleware = exports.getSubdomain = void 0;
+const graphql_env_1 = require("@constructive-io/graphql-env");
+const server_utils_1 = require("@pgpmjs/server-utils");
+const graphile_query_1 = require("graphile-query");
+const graphile_settings_1 = require("graphile-settings");
+const pg_cache_1 = require("pg-cache");
+const _50x_1 = __importDefault(require("../errors/50x"));
+const _404_message_1 = __importDefault(require("../errors/404-message"));
+const gql_1 = require("./gql");
+require("./types"); // for Request type
+const transformServiceToApi = (svc) => {
+    const api = svc.data.api;
+    const schemaNames = api.schemaNamesFromExt?.nodes?.map((n) => n.schemaName) || [];
+    const additionalSchemas = api.schemaNames?.nodes?.map((n) => n.schemaName) || [];
+    let domains = [];
+    if (api.database?.sites?.nodes) {
+        domains = api.database.sites.nodes.reduce((acc, site) => {
+            if (site.domains?.nodes && site.domains.nodes.length) {
+                const siteUrls = site.domains.nodes.map((domain) => {
+                    const hostname = domain.subdomain
+                        ? `${domain.subdomain}.${domain.domain}`
+                        : domain.domain;
+                    const protocol = domain.domain === 'localhost' ? 'http://' : 'https://';
+                    return protocol + hostname;
+                });
+                return [...acc, ...siteUrls];
+            }
+            return acc;
+        }, []);
+    }
+    return {
+        dbname: api.dbname,
+        anonRole: api.anonRole,
+        roleName: api.roleName,
+        schema: [...schemaNames, ...additionalSchemas],
+        apiModules: api.apiModules?.nodes?.map((node) => ({
+            name: node.name,
+            data: node.data,
+        })) || [],
+        rlsModule: api.rlsModule,
+        domains,
+        databaseId: api.databaseId,
+        isPublic: api.isPublic,
+    };
+};
+const getPortFromRequest = (req) => {
+    const host = req.headers.host;
+    if (!host)
+        return null;
+    const parts = host.split(':');
+    return parts.length === 2 ? `:${parts[1]}` : null;
+};
+const getSubdomain = (reqDomains) => {
+    const names = reqDomains.filter((name) => !['www'].includes(name));
+    return !names.length ? null : names.join('.');
+};
+exports.getSubdomain = getSubdomain;
+const createApiMiddleware = (opts) => {
+    return async (req, res, next) => {
+        if (opts.api?.enableMetaApi === false) {
+            const schemas = opts.api.exposedSchemas;
+            const anonRole = opts.api.anonRole;
+            const roleName = opts.api.roleName;
+            const databaseId = opts.api.defaultDatabaseId;
+            const api = {
+                dbname: opts.pg?.database ?? '',
+                anonRole,
+                roleName,
+                schema: schemas,
+                apiModules: [],
+                domains: [],
+                databaseId,
+                isPublic: false,
+            };
+            req.api = api;
+            req.databaseId = databaseId;
+            return next();
+        }
+        try {
+            const svc = await (0, exports.getApiConfig)(opts, req);
+            if (svc?.errorHtml) {
+                res
+                    .status(404)
+                    .send((0, _404_message_1.default)('API not found', svc.errorHtml));
+                return;
+            }
+            else if (!svc) {
+                res
+                    .status(404)
+                    .send((0, _404_message_1.default)('API service not found for the given domain/subdomain.'));
+                return;
+            }
+            const api = transformServiceToApi(svc);
+            req.api = api;
+            req.databaseId = api.databaseId;
+            next();
+        }
+        catch (e) {
+            if (e.code === 'NO_VALID_SCHEMAS') {
+                res.status(404).send((0, _404_message_1.default)(e.message));
+            }
+            else if (e.message.match(/does not exist/)) {
+                res
+                    .status(404)
+                    .send((0, _404_message_1.default)("The resource you're looking for does not exist."));
+            }
+            else {
+                console.error(e);
+                res.status(500).send(_50x_1.default);
+            }
+        }
+    };
+};
+exports.createApiMiddleware = createApiMiddleware;
+const getHardCodedSchemata = ({ opts, schemata, databaseId, key, }) => {
+    const svc = {
+        data: {
+            api: {
+                databaseId,
+                isPublic: false,
+                dbname: opts.pg.database,
+                anonRole: 'administrator',
+                roleName: 'administrator',
+                schemaNamesFromExt: {
+                    nodes: schemata
+                        .split(',')
+                        .map((schema) => schema.trim())
+                        .map((schemaName) => ({ schemaName })),
+                },
+                schemaNames: { nodes: [] },
+                apiModules: [],
+            },
+        },
+    };
+    server_utils_1.svcCache.set(key, svc);
+    return svc;
+};
+const getMetaSchema = ({ opts, key, databaseId, }) => {
+    const apiOpts = opts.api || {};
+    const schemata = apiOpts.metaSchemas || [];
+    const svc = {
+        data: {
+            api: {
+                databaseId,
+                isPublic: false,
+                dbname: opts.pg.database,
+                anonRole: 'administrator',
+                roleName: 'administrator',
+                schemaNamesFromExt: {
+                    nodes: schemata.map((schemaName) => ({ schemaName })),
+                },
+                schemaNames: { nodes: [] },
+                apiModules: [],
+            },
+        },
+    };
+    server_utils_1.svcCache.set(key, svc);
+    return svc;
+};
+const queryServiceByDomainAndSubdomain = async ({ opts, key, client, domain, subdomain, }) => {
+    const result = await client.query({
+        role: 'administrator',
+        query: gql_1.ApiQuery,
+        variables: { domain, subdomain },
+    });
+    if (result.errors?.length) {
+        console.error(result.errors);
+        return null;
+    }
+    const nodes = result?.data?.domains?.nodes;
+    if (nodes?.length) {
+        const data = nodes[0];
+        const apiPublic = opts.api?.isPublic;
+        if (!data.api || data.api.isPublic !== apiPublic)
+            return null;
+        const svc = { data };
+        server_utils_1.svcCache.set(key, svc);
+        return svc;
+    }
+    return null;
+};
+const queryServiceByApiName = async ({ opts, key, client, databaseId, name, }) => {
+    const result = await client.query({
+        role: 'administrator',
+        query: gql_1.ApiByNameQuery,
+        variables: { databaseId, name },
+    });
+    if (result.errors?.length) {
+        console.error(result.errors);
+        return null;
+    }
+    const data = result?.data;
+    const apiPublic = opts.api?.isPublic;
+    if (data?.api && data.api.isPublic === apiPublic) {
+        const svc = { data };
+        server_utils_1.svcCache.set(key, svc);
+        return svc;
+    }
+    return null;
+};
+const getSvcKey = (opts, req) => {
+    const domain = req.urlDomains.domain;
+    const key = req.urlDomains.subdomains
+        .filter((name) => !['www'].includes(name))
+        .concat(domain)
+        .join('.');
+    const apiPublic = opts.api?.isPublic;
+    if (apiPublic === false) {
+        if (req.get('X-Api-Name')) {
+            return 'api:' + req.get('X-Database-Id') + ':' + req.get('X-Api-Name');
+        }
+        if (req.get('X-Schemata')) {
+            return ('schemata:' + req.get('X-Database-Id') + ':' + req.get('X-Schemata'));
+        }
+        if (req.get('X-Meta-Schema')) {
+            return 'metaschema:api:' + req.get('X-Database-Id');
+        }
+    }
+    return key;
+};
+const validateSchemata = async (pool, schemata) => {
+    const result = await pool.query(`SELECT schema_name FROM information_schema.schemata WHERE schema_name = ANY($1::text[])`, [schemata]);
+    return result.rows.map((row) => row.schema_name);
+};
+const getApiConfig = async (opts, req) => {
+    const rootPgPool = (0, pg_cache_1.getPgPool)(opts.pg);
+    // @ts-ignore
+    const subdomain = (0, exports.getSubdomain)(req.urlDomains.subdomains);
+    const domain = req.urlDomains.domain;
+    const key = getSvcKey(opts, req);
+    req.svc_key = key;
+    let svc;
+    if (server_utils_1.svcCache.has(key)) {
+        svc = server_utils_1.svcCache.get(key);
+    }
+    else {
+        const apiOpts = opts.api || {};
+        const allSchemata = apiOpts.metaSchemas || [];
+        const validatedSchemata = await validateSchemata(rootPgPool, allSchemata);
+        if (validatedSchemata.length === 0) {
+            const message = `No valid schemas found for domain: ${domain}, subdomain: ${subdomain}`;
+            const error = new Error(message);
+            error.code = 'NO_VALID_SCHEMAS';
+            throw error;
+        }
+        const settings = (0, graphile_settings_1.getGraphileSettings)({
+            graphile: {
+                schema: validatedSchemata,
+            },
+        });
+        // @ts-ignore
+        const schema = await (0, graphile_query_1.getSchema)(rootPgPool, settings);
+        // @ts-ignore
+        const client = new graphile_query_1.GraphileQuery({ schema, pool: rootPgPool, settings });
+        const apiPublic = opts.api?.isPublic;
+        if (apiPublic === false) {
+            if (req.get('X-Schemata')) {
+                svc = getHardCodedSchemata({
+                    opts,
+                    key,
+                    schemata: req.get('X-Schemata'),
+                    databaseId: req.get('X-Database-Id'),
+                });
+            }
+            else if (req.get('X-Api-Name')) {
+                svc = await queryServiceByApiName({
+                    opts,
+                    key,
+                    client,
+                    name: req.get('X-Api-Name'),
+                    databaseId: req.get('X-Database-Id'),
+                });
+            }
+            else if (req.get('X-Meta-Schema')) {
+                svc = getMetaSchema({
+                    opts,
+                    key,
+                    databaseId: req.get('X-Database-Id'),
+                });
+            }
+            else {
+                svc = await queryServiceByDomainAndSubdomain({
+                    opts,
+                    key,
+                    client,
+                    domain,
+                    subdomain,
+                });
+            }
+        }
+        else {
+            svc = await queryServiceByDomainAndSubdomain({
+                opts,
+                key,
+                client,
+                domain,
+                subdomain,
+            });
+            if (!svc) {
+                if ((0, graphql_env_1.getNodeEnv)() === 'development') {
+                    // TODO ONLY DO THIS IN DEV MODE
+                    const fallbackResult = await client.query({
+                        role: 'administrator',
+                        // @ts-ignore
+                        query: gql_1.ListOfAllDomainsOfDb,
+                        // variables: { databaseId }
+                    });
+                    if (!fallbackResult.errors?.length &&
+                        fallbackResult.data?.apis?.nodes?.length) {
+                        const port = getPortFromRequest(req);
+                        const allDomains = fallbackResult.data.apis.nodes.flatMap((api) => api.domains.nodes.map((d) => ({
+                            domain: d.domain,
+                            subdomain: d.subdomain,
+                            href: d.subdomain
+                                ? `http://${d.subdomain}.${d.domain}${port}/graphiql`
+                                : `http://${d.domain}${port}/graphiql`,
+                        })));
+                        const linksHtml = allDomains.length
+                            ? `<ul class="mt-4 pl-5 list-disc space-y-1">` +
+                                allDomains
+                                    .map((d) => `<li><a href="${d.href}" class="text-brand hover:underline">${d.href}</a></li>`)
+                                    .join('') +
+                                `</ul>`
+                            : `<p class="text-gray-600">No APIs are currently registered for this database.</p>`;
+                        const errorHtml = `
+          <p class="text-sm text-gray-700">Try some of these:</p>
+          <div class="mt-4">
+            ${linksHtml}
+          </div>
+        `.trim();
+                        return {
+                            errorHtml,
+                        };
+                    }
+                }
+            }
+        }
+    }
+    return svc;
+};
+exports.getApiConfig = getApiConfig;

package/middleware/auth.d.ts

@@ -0,0 +1,4 @@
+import { PgpmOptions } from '@pgpmjs/types';
+import { RequestHandler } from 'express';
+import './types';
+export declare const createAuthenticateMiddleware: (opts: PgpmOptions) => RequestHandler;

package/middleware/auth.js

@@ -0,0 +1,75 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthenticateMiddleware = void 0;
+const pg_cache_1 = require("pg-cache");
+const pg_query_context_1 = __importDefault(require("pg-query-context"));
+require("./types"); // for Request type
+const createAuthenticateMiddleware = (opts) => {
+    return async (req, res, next) => {
+        const api = req.api;
+        if (!api) {
+            res.status(500).send('Missing API info');
+            return;
+        }
+        const pool = (0, pg_cache_1.getPgPool)({
+            ...opts.pg,
+            database: api.dbname,
+        });
+        const rlsModule = api.rlsModule;
+        if (!rlsModule)
+            return next();
+        const authFn = opts.server.strictAuth
+            ? rlsModule.authenticateStrict
+            : rlsModule.authenticate;
+        if (authFn && rlsModule.privateSchema.schemaName) {
+            const { authorization = '' } = req.headers;
+            const [authType, authToken] = authorization.split(' ');
+            let token = {};
+            if (authType?.toLowerCase() === 'bearer' && authToken) {
+                const context = {
+                    'jwt.claims.ip_address': req.clientIp,
+                };
+                if (req.get('origin')) {
+                    context['jwt.claims.origin'] = req.get('origin');
+                }
+                if (req.get('User-Agent')) {
+                    context['jwt.claims.user_agent'] = req.get('User-Agent');
+                }
+                try {
+                    const result = await (0, pg_query_context_1.default)({
+                        client: pool,
+                        context,
+                        query: `SELECT * FROM "${rlsModule.privateSchema.schemaName}"."${authFn}"($1)`,
+                        variables: [authToken],
+                    });
+                    if (result?.rowCount === 0) {
+                        res.status(200).json({
+                            errors: [{ extensions: { code: 'UNAUTHENTICATED' } }],
+                        });
+                        return;
+                    }
+                    token = result.rows[0];
+                }
+                catch (e) {
+                    res.status(200).json({
+                        errors: [
+                            {
+                                extensions: {
+                                    code: 'BAD_TOKEN_DEFINITION',
+                                    message: e.message,
+                                },
+                            },
+                        ],
+                    });
+                    return;
+                }
+            }
+            req.token = token;
+        }
+        next();
+    };
+};
+exports.createAuthenticateMiddleware = createAuthenticateMiddleware;

package/middleware/cors.d.ts

@@ -0,0 +1,14 @@
+import type { RequestHandler } from 'express';
+import './types';
+/**
+ * Unified CORS middleware for Constructive API
+ *
+ * Feature parity + compatibility:
+ *  - Respects a global fallback origin (e.g. from env/CLI) for quick overrides.
+ *  - Preserves multi-tenant, per-API CORS via meta schema ('cors' module + domains).
+ *  - Always allows localhost to ease development.
+ *
+ * Usage:
+ *  app.use(cors(fallbackOrigin));
+ */
+export declare const cors: (fallbackOrigin?: string) => RequestHandler;

package/middleware/cors.js

@@ -0,0 +1,70 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cors = void 0;
+const url_domains_1 = require("@constructive-io/url-domains");
+const cors_1 = __importDefault(require("cors"));
+require("./types"); // for Request type
+/**
+ * Unified CORS middleware for Constructive API
+ *
+ * Feature parity + compatibility:
+ *  - Respects a global fallback origin (e.g. from env/CLI) for quick overrides.
+ *  - Preserves multi-tenant, per-API CORS via meta schema ('cors' module + domains).
+ *  - Always allows localhost to ease development.
+ *
+ * Usage:
+ *  app.use(cors(fallbackOrigin));
+ */
+const cors = (fallbackOrigin) => {
+    // Use the cors library's dynamic origin function to decide per request
+    const dynamicOrigin = (origin, callback, req) => {
+        // 1) Global fallback (fast path)
+        if (fallbackOrigin && fallbackOrigin.trim().length) {
+            if (fallbackOrigin.trim() === '*') {
+                // Reflect whatever Origin the caller sent
+                return callback(null, true);
+            }
+            if (origin && origin.trim() === fallbackOrigin.trim()) {
+                return callback(null, true);
+            }
+            // If a strict fallback origin is provided and does not match,
+            // continue to per-API checks below (do not immediately deny).
+        }
+        // 2) Per-API allowlist sourced from req.api (if available)
+        //    createApiMiddleware runs before this in server.ts, so req.api should be set
+        const api = req.api;
+        if (api) {
+            const corsModules = (api.apiModules || []).filter((m) => m.name === 'cors');
+            const siteUrls = api.domains || [];
+            const listOfDomains = corsModules.reduce((m, mod) => [...mod.data.urls, ...m], siteUrls);
+            if (origin && listOfDomains.includes(origin)) {
+                return callback(null, true);
+            }
+        }
+        // 3) Localhost is always allowed
+        if (origin) {
+            try {
+                const parsed = (0, url_domains_1.parseUrl)(new URL(origin));
+                if (parsed.domain === 'localhost') {
+                    return callback(null, true);
+                }
+            }
+            catch {
+                // ignore invalid origin
+            }
+        }
+        // Default: not allowed
+        return callback(null, false);
+    };
+    // Wrap in the cors plugin with our dynamic origin resolver
+    const handler = (req, res, next) => (0, cors_1.default)({
+        origin: (reqOrigin, cb) => dynamicOrigin(reqOrigin, cb, req),
+        credentials: true,
+        optionsSuccessStatus: 200,
+    })(req, res, next);
+    return handler;
+};
+exports.cors = cors;

package/middleware/flush.d.ts

@@ -0,0 +1,5 @@
+import { ConstructiveOptions } from '@constructive-io/graphql-types';
+import { NextFunction, Request, Response } from 'express';
+import './types';
+export declare const flush: (req: Request, res: Response, next: NextFunction) => Promise<void>;
+export declare const flushService: (opts: ConstructiveOptions, databaseId: string) => Promise<void>;

package/middleware/flush.js

@@ -0,0 +1,54 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.flushService = exports.flush = void 0;
+const logger_1 = require("@pgpmjs/logger");
+const server_utils_1 = require("@pgpmjs/server-utils");
+const graphile_cache_1 = require("graphile-cache");
+const pg_cache_1 = require("pg-cache");
+require("./types"); // for Request type
+const log = new logger_1.Logger('flush');
+const flush = async (req, res, next) => {
+    if (req.url === '/flush') {
+        // TODO: check bearer for a flush / special key
+        graphile_cache_1.graphileCache.delete(req.svc_key);
+        server_utils_1.svcCache.delete(req.svc_key);
+        res.status(200).send('OK');
+        return;
+    }
+    return next();
+};
+exports.flush = flush;
+const flushService = async (opts, databaseId) => {
+    const pgPool = (0, pg_cache_1.getPgPool)(opts.pg);
+    log.info('flushing db ' + databaseId);
+    const api = new RegExp(`^api:${databaseId}:.*`);
+    const schemata = new RegExp(`^schemata:${databaseId}:.*`);
+    const meta = new RegExp(`^metaschema:api:${databaseId}`);
+    if (!opts.api.isPublic) {
+        graphile_cache_1.graphileCache.forEach((_, k) => {
+            if (api.test(k) || schemata.test(k) || meta.test(k)) {
+                graphile_cache_1.graphileCache.delete(k);
+                server_utils_1.svcCache.delete(k);
+            }
+        });
+    }
+    const svc = await pgPool.query(`SELECT *
+     FROM meta_public.domains
+     WHERE database_id = $1`, [databaseId]);
+    if (svc.rowCount === 0)
+        return;
+    for (const row of svc.rows) {
+        let key;
+        if (row.domain && !row.subdomain) {
+            key = row.domain;
+        }
+        else if (row.domain && row.subdomain) {
+            key = `${row.subdomain}.${row.domain}`;
+        }
+        if (key) {
+            graphile_cache_1.graphileCache.delete(key);
+            server_utils_1.svcCache.delete(key);
+        }
+    }
+};
+exports.flushService = flushService;

package/middleware/gql.d.ts

@@ -0,0 +1,6 @@
+import gql from 'graphql-tag';
+type GraphQLDocument = ReturnType<typeof gql>;
+export declare const ApiQuery: GraphQLDocument;
+export declare const ApiByNameQuery: GraphQLDocument;
+export declare const ListOfAllDomainsOfDb: GraphQLDocument;
+export {};