@constructive-io/graphql-server 4.1.1 → 4.3.0

package/esm/index.js

@@ -4,6 +4,7 @@ export * from './options';
 // Export middleware for use in testing packages
 export { createApiMiddleware, getSubdomain, getApiConfig } from './middleware/api';
 export { createAuthenticateMiddleware } from './middleware/auth';
+export { createUploadAuthenticateMiddleware } from './middleware/upload';
 export { cors } from './middleware/cors';
 export { graphile } from './middleware/graphile';
 export { flush, flushService } from './middleware/flush';

package/esm/middleware/api.js

@@ -124,6 +124,7 @@ const toRlsModule = (row) => {
     };
 };
 const toApiStructure = (row, opts, rlsModuleRow) => ({
+    apiId: row.api_id,
     dbname: row.dbname || opts.pg?.database || '',
     anonRole: row.anon_role || 'anon',
     roleName: row.role_name || 'authenticated',

package/esm/middleware/error-handler.js

@@ -75,12 +75,11 @@ export const errorHandler = (err, req, res, _next) => {
     sendResponse(req, res, response);
 };
 export const notFoundHandler = (req, res, _next) => {
-    const message = `Route not found: ${req.method} ${req.path}`;
     log.warn({ event: 'route_not_found', path: req.path, method: req.method, requestId: req.requestId });
     if (wantsJson(req)) {
-        res.status(404).json({ error: { code: 'NOT_FOUND', message, requestId: req.requestId } });
+        res.status(404).json({ error: { code: 'NOT_FOUND', message: 'Not found', requestId: req.requestId } });
     }
     else {
-        res.status(404).send(errorPage404Message(message));
+        res.status(404).send(errorPage404Message('The requested page was not found'));
     }
 };

package/esm/middleware/graphile.js

@@ -1,3 +1,5 @@
+import crypto from 'node:crypto';
+import { getNodeEnv } from '@constructive-io/graphql-env';
 import { Logger } from '@pgpmjs/logger';
 import { createGraphileInstance, graphileCache } from 'graphile-cache';
 import { ConstructivePreset, makePgService } from 'graphile-settings';
@@ -5,24 +7,71 @@ import { buildConnectionString } from 'pg-cache';
 import { getPgEnvOptions } from 'pg-env';
 import './types'; // for Request type
 import { HandlerCreationError } from '../errors/api-errors';
+const maskErrorLog = new Logger('graphile:maskError');
+const SAFE_ERROR_CODES = new Set([
+    // GraphQL standard
+    'GRAPHQL_VALIDATION_FAILED',
+    'GRAPHQL_PARSE_FAILED',
+    'PERSISTED_QUERY_NOT_FOUND',
+    'PERSISTED_QUERY_NOT_SUPPORTED',
+    // Auth
+    'UNAUTHENTICATED',
+    'FORBIDDEN',
+    'BAD_USER_INPUT',
+    'INCORRECT_PASSWORD',
+    'PASSWORD_INSECURE',
+    'ACCOUNT_LOCKED_EXCEED_ATTEMPTS',
+    'ACCOUNT_DISABLED',
+    'ACCOUNT_EXISTS',
+    'PASSWORD_LEN',
+    'INVITE_NOT_FOUND',
+    'INVITE_LIMIT',
+    'INVITE_EMAIL_NOT_FOUND',
+    'INVALID_CREDENTIALS',
+    // PublicKeySignature
+    'FEATURE_DISABLED',
+    'INVALID_PUBLIC_KEY',
+    'INVALID_MESSAGE',
+    'INVALID_SIGNATURE',
+    'NO_ACCOUNT_EXISTS',
+    'BAD_SIGNIN',
+    // Upload
+    'UPLOAD_MIMETYPE',
+    // PostgreSQL constraint violations (surfaced by PostGraphile)
+    '23505', // unique_violation
+    '23503', // foreign_key_violation
+    '23502', // not_null_violation
+    '23514', // check_violation
+    '23P01', // exclusion_violation
+]);
 /**
- * Custom maskError function that always returns the original error.
+ * Production-aware error masking function.
  *
- * By default, grafserv masks errors for security (hiding sensitive database errors
- * from clients). We disable this masking to show full error messages.
- *
- * Upstream reference:
- * - grafserv defaultMaskError: node_modules/grafserv/dist/options.js
- * - SafeError interface: grafast isSafeError() - errors implementing SafeError
- *   are shown as-is even with default masking
- *
- * If you need to restore masking behavior, see the upstream implementation which:
- * 1. Returns GraphQLError instances as-is
- * 2. Returns SafeError instances with their message exposed
- * 3. Masks other errors with a hash/ID and logs the original
+ * In development: returns errors as-is for debugging.
+ * In production: returns errors with explicit codes from the SAFE_ERROR_CODES
+ * allowlist as-is, but masks unexpected/database errors with a reference ID
+ * and logs the original.
  */
 const maskError = (error) => {
-    return error;
+    if (getNodeEnv() === 'development') {
+        return error;
+    }
+    // Only expose errors with codes on the safe allowlist.
+    // Note: grafserv strips originalError and internal extensions before
+    // serializing to the client, so returning the full error object is safe here.
+    if (error.extensions?.code && SAFE_ERROR_CODES.has(error.extensions.code)) {
+        return error;
+    }
+    // Mask unexpected/database errors with a reference ID
+    const errorId = crypto.randomBytes(8).toString('hex');
+    maskErrorLog.error(`[masked-error:${errorId}]`, error);
+    return {
+        message: `An unexpected error occurred. Reference: ${errorId}`,
+        extensions: {
+            code: 'INTERNAL_SERVER_ERROR',
+            errorId,
+        },
+    };
 };
 // =============================================================================
 // Single-Flight Pattern: In-Flight Tracking
@@ -54,7 +103,7 @@ export function clearInFlightMap() {
     creating.clear();
 }
 const log = new Logger('graphile');
-const reqLabel = (req) => req.requestId ? `[${req.requestId}]` : '[req]';
+const reqLabel = (req) => (req.requestId ? `[${req.requestId}]` : '[req]');
 /**
  * Build a PostGraphile v5 preset for a tenant
  */
@@ -70,6 +119,7 @@ const buildPreset = (connectionString, schemas, anonRole, roleName) => ({
         graphqlPath: '/graphql',
         graphiqlPath: '/graphiql',
         graphiql: true,
+        graphiqlOnGraphQLGET: false,
         maskError,
     },
     grafast: {
@@ -147,13 +197,26 @@ export const graphile = (opts) => {
                     return instance.handler(req, res, next);
                 }
                 catch (error) {
-                    // Re-throw to be caught by outer try-catch
-                    throw error;
+                    log.warn(`${label} Coalesced request failed for PostGraphile[${key}], retrying`);
+                    // Fall through to Phase C to retry creation
                 }
             }
             // =========================================================================
             // Phase C: Create New Handler (first request for this key)
             // =========================================================================
+            // Re-check cache after coalesced request failure (another retry may have succeeded)
+            const recheckedCache = graphileCache.get(key);
+            if (recheckedCache) {
+                log.debug(`${label} PostGraphile cache hit on re-check key=${key}`);
+                return recheckedCache.handler(req, res, next);
+            }
+            // Re-check in-flight map (another retry may have started creation)
+            const retryInFlight = creating.get(key);
+            if (retryInFlight) {
+                log.debug(`${label} Re-coalescing request for PostGraphile[${key}]`);
+                const retryInstance = await retryInFlight;
+                return retryInstance.handler(req, res, next);
+            }
             log.info(`${label} Building PostGraphile v5 handler key=${key} db=${dbname} schemas=${schemaLabel} role=${roleName} anon=${anonRole}`);
             const pgConfig = getPgEnvOptions({
                 ...opts.pg,
@@ -172,7 +235,10 @@ export const graphile = (opts) => {
             }
             catch (error) {
                 log.error(`${label} Failed to create PostGraphile[${key}]:`, error);
-                throw new HandlerCreationError(`Failed to create handler for ${key}: ${error instanceof Error ? error.message : String(error)}`, { cacheKey: key, cause: error instanceof Error ? error.message : String(error) });
+                throw new HandlerCreationError(`Failed to create handler for ${key}: ${error instanceof Error ? error.message : String(error)}`, {
+                    cacheKey: key,
+                    cause: error instanceof Error ? error.message : String(error),
+                });
             }
             finally {
                 // Always clean up in-flight tracker
@@ -181,7 +247,12 @@ export const graphile = (opts) => {
         }
         catch (e) {
             log.error(`${label} PostGraphile middleware error`, e);
-            return res.status(500).send(e.message);
+            if (!res.headersSent) {
+                return res.status(500).json({
+                    error: { code: 'INTERNAL_ERROR', message: 'An unexpected error occurred' }
+                });
+            }
+            next(e);
         }
     };
 };

package/esm/middleware/multipart-bridge.js

@@ -0,0 +1,30 @@
+/**
+ * Bridge middleware between graphql-upload and grafserv (PostGraphile v5).
+ *
+ * graphql-upload's `graphqlUploadExpress()` parses multipart/form-data requests
+ * and sets `req.body` to a standard GraphQL operation object, but leaves the
+ * original Content-Type header unchanged. grafserv rejects any Content-Type it
+ * doesn't recognize (415 Unsupported Media Type) because its allowlist only
+ * includes `application/json` and `application/graphql`.
+ *
+ * This middleware rewrites the Content-Type header to `application/json` after
+ * graphql-upload has finished parsing, so grafserv accepts the request.
+ *
+ * This is the standard bridge pattern for grafserv + graphql-upload.
+ * See: https://github.com/graphql/graphql-http/discussions/36
+ *
+ * Must be registered immediately after `graphqlUploadExpress()` in the
+ * middleware chain — it relies on graphql-upload having already parsed the
+ * multipart body into `req.body`.
+ *
+ * Security note: multipart/form-data is a CORS "simple request" content type,
+ * which means browsers send it without a preflight OPTIONS check. The CSRF risk
+ * is mitigated by the CORS middleware that runs before this middleware in the
+ * Express pipeline.
+ */
+export const multipartBridge = (req, _res, next) => {
+    if (req.body != null && req.headers['content-type']?.startsWith('multipart/form-data')) {
+        req.headers['content-type'] = 'application/json';
+    }
+    next();
+};

package/esm/middleware/upload.js

@@ -0,0 +1,259 @@
+import { Logger } from '@pgpmjs/logger';
+import fs from 'fs';
+import multer from 'multer';
+import os from 'os';
+import { escapeIdentifier } from 'pg';
+import { getPgPool } from 'pg-cache';
+import pgQueryContext from 'pg-query-context';
+import { streamToStorage } from 'graphile-settings';
+import './types';
+const uploadLog = new Logger('upload');
+const authLog = new Logger('upload-auth');
+const envFileSize = process.env.MAX_UPLOAD_FILE_SIZE
+    ? parseInt(process.env.MAX_UPLOAD_FILE_SIZE, 10)
+    : NaN;
+const MAX_FILE_SIZE = envFileSize > 0 ? envFileSize : 10 * 1024 * 1024;
+const BLOCKED_MIME_TYPES = new Set([
+    'application/x-executable',
+    'application/x-sharedlib',
+    'application/x-mach-binary',
+    'application/x-dosexec',
+    'text/html',
+    'application/xhtml+xml',
+    'application/javascript',
+    'text/javascript'
+]);
+const parseFile = multer({
+    storage: multer.diskStorage({
+        destination: os.tmpdir(),
+        filename: (_req, _file, cb) => {
+            const uniqueSuffix = `${Date.now()}-${Math.round(Math.random() * 1e9)}`;
+            cb(null, `upload-${uniqueSuffix}.tmp`);
+        },
+    }),
+    limits: { fileSize: MAX_FILE_SIZE },
+}).single('file');
+const parseFileWithErrors = (req, res, next) => {
+    parseFile(req, res, (err) => {
+        if (!err)
+            return next();
+        if (err.code === 'LIMIT_FILE_SIZE') {
+            return res.status(413).json({ error: `File exceeds maximum size of ${MAX_FILE_SIZE / (1024 * 1024)} MB` });
+        }
+        if (err.code === 'LIMIT_UNEXPECTED_FILE') {
+            return res.status(400).json({ error: 'Unexpected file field. Send a single file as "file".' });
+        }
+        return res.status(400).json({ error: 'File upload failed' });
+    });
+};
+const RLS_MODULE_BASE_SQL = `
+  SELECT
+    rm.authenticate,
+    rm.authenticate_strict,
+    ps.schema_name as private_schema_name
+  FROM metaschema_modules_public.rls_module rm
+  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id`;
+const RLS_MODULE_BY_DATABASE_ID_SQL = `${RLS_MODULE_BASE_SQL}
+  JOIN services_public.apis a ON rm.api_id = a.id
+  WHERE a.database_id = $1
+  ORDER BY a.id
+  LIMIT 1
+`;
+const RLS_MODULE_BY_API_ID_SQL = `${RLS_MODULE_BASE_SQL}
+  WHERE rm.api_id = $1
+  LIMIT 1
+`;
+const RLS_MODULE_BY_DBNAME_SQL = `${RLS_MODULE_BASE_SQL}
+  JOIN services_public.apis a ON rm.api_id = a.id
+  WHERE a.dbname = $1
+  ORDER BY a.id
+  LIMIT 1
+`;
+const toRlsModule = (row) => {
+    if (!row || !row.private_schema_name)
+        return undefined;
+    return {
+        authenticate: row.authenticate ?? undefined,
+        authenticateStrict: row.authenticate_strict ?? undefined,
+        privateSchema: { schemaName: row.private_schema_name },
+    };
+};
+const getBearerToken = (authorization) => {
+    if (!authorization)
+        return null;
+    const [authType, authToken] = authorization.split(' ');
+    if (authType?.toLowerCase() !== 'bearer' || !authToken) {
+        return null;
+    }
+    return authToken;
+};
+const queryRlsModuleByDatabaseId = async (pool, databaseId) => {
+    const result = await pool.query(RLS_MODULE_BY_DATABASE_ID_SQL, [databaseId]);
+    return toRlsModule(result.rows[0] ?? null);
+};
+const queryRlsModuleByApiId = async (pool, apiId) => {
+    const result = await pool.query(RLS_MODULE_BY_API_ID_SQL, [apiId]);
+    return toRlsModule(result.rows[0] ?? null);
+};
+const queryRlsModuleByDbname = async (pool, dbname) => {
+    const result = await pool.query(RLS_MODULE_BY_DBNAME_SQL, [dbname]);
+    return toRlsModule(result.rows[0] ?? null);
+};
+const resolveUploadRlsModule = async (opts, req) => {
+    const api = req.api;
+    if (!api)
+        return undefined;
+    // Use API-scoped RLS module when available (e.g., meta API).
+    if (api.rlsModule) {
+        return api.rlsModule;
+    }
+    const pool = getPgPool(opts.pg);
+    if (api.apiId) {
+        const byApiId = await queryRlsModuleByApiId(pool, api.apiId);
+        if (byApiId)
+            return byApiId;
+    }
+    if (api.databaseId) {
+        const byDatabaseId = await queryRlsModuleByDatabaseId(pool, api.databaseId);
+        if (byDatabaseId)
+            return byDatabaseId;
+    }
+    if (api.dbname) {
+        return queryRlsModuleByDbname(pool, api.dbname);
+    }
+    return undefined;
+};
+const authError = (res) => res.status(401).json({ error: 'Authentication required' });
+/**
+ * Upload-specific authentication middleware.
+ *
+ * This middleware enforces strict auth semantics for `POST /upload` while
+ * preserving existing GraphQL auth behavior for other routes.
+ */
+export const createUploadAuthenticateMiddleware = (opts) => {
+    return async (req, res, next) => {
+        const api = req.api;
+        if (!api) {
+            res.status(500).send('Missing API info');
+            return;
+        }
+        if (req.token?.user_id) {
+            next();
+            return;
+        }
+        const authToken = getBearerToken(req.headers.authorization);
+        if (!authToken) {
+            authError(res);
+            return;
+        }
+        let rlsModule;
+        try {
+            rlsModule = await resolveUploadRlsModule(opts, req);
+        }
+        catch (error) {
+            authLog.error('[upload-auth] Failed to resolve RLS module for upload route', error);
+            authError(res);
+            return;
+        }
+        if (!rlsModule) {
+            authLog.info(`[upload-auth] No RLS module found for db=${api.dbname} databaseId=${api.databaseId ?? 'none'}`);
+            authError(res);
+            return;
+        }
+        const authFn = opts.server?.strictAuth ? rlsModule.authenticateStrict : rlsModule.authenticate;
+        const privateSchema = rlsModule.privateSchema?.schemaName;
+        if (!authFn || !privateSchema) {
+            authLog.warn(`[upload-auth] Missing auth function or private schema for db=${api.dbname}; strictAuth=${opts.server?.strictAuth ?? false}`);
+            authError(res);
+            return;
+        }
+        const SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/;
+        if (!SAFE_IDENTIFIER.test(privateSchema) || !SAFE_IDENTIFIER.test(authFn)) {
+            authLog.error(`[upload-auth] Invalid SQL identifier: schema=${privateSchema} fn=${authFn}`);
+            authError(res);
+            return;
+        }
+        const pool = getPgPool({
+            ...opts.pg,
+            database: api.dbname,
+        });
+        const context = {};
+        if (req.clientIp) {
+            context['jwt.claims.ip_address'] = req.clientIp;
+        }
+        if (req.get('origin')) {
+            context['jwt.claims.origin'] = req.get('origin');
+        }
+        if (req.get('User-Agent')) {
+            context['jwt.claims.user_agent'] = req.get('User-Agent');
+        }
+        try {
+            const result = await pgQueryContext({
+                client: pool,
+                context,
+                query: `SELECT * FROM ${escapeIdentifier(privateSchema)}.${escapeIdentifier(authFn)}($1)`,
+                variables: [authToken],
+            });
+            if (!result?.rowCount) {
+                authError(res);
+                return;
+            }
+            req.token = result.rows[0];
+            if (!req.token?.user_id) {
+                authError(res);
+                return;
+            }
+            next();
+        }
+        catch (error) {
+            authLog.warn('[upload-auth] Upload authentication failed', error);
+            authError(res);
+        }
+    };
+};
+/**
+ * REST file upload endpoint.
+ *
+ * Accepts a single file via multipart/form-data, streams it to S3/MinIO,
+ * and returns file metadata. The frontend uses this in a two-step flow:
+ *
+ * 1. POST /upload  -> { url, filename, mime, size }
+ * 2. GraphQL mutation -> patch row with the returned metadata
+ */
+export const uploadRoute = [
+    parseFileWithErrors,
+    (async (req, res, next) => {
+        if (!req.token?.user_id) {
+            return res.status(401).json({ error: 'Authentication required' });
+        }
+        if (!req.file) {
+            return res.status(400).json({ error: 'No file provided. Send a "file" field.' });
+        }
+        if (req.file.mimetype && BLOCKED_MIME_TYPES.has(req.file.mimetype)) {
+            fs.unlink(req.file.path, () => { });
+            return res.status(415).json({ error: 'File type not allowed' });
+        }
+        try {
+            const readStream = fs.createReadStream(req.file.path);
+            const result = await streamToStorage(readStream, req.file.originalname);
+            uploadLog.debug(`[upload] Uploaded file for user=${req.token.user_id} filename=${req.file.originalname} mime=${result.mime} size=${req.file.size}`);
+            res.json({
+                url: result.url,
+                filename: result.filename,
+                mime: result.mime,
+                size: req.file.size,
+            });
+        }
+        catch (error) {
+            uploadLog.error('[upload] Upload processing failed', error);
+            if (!res.headersSent) {
+                res.status(500).json({ error: 'Upload processing failed' });
+            }
+        }
+        finally {
+            if (req.file?.path) {
+                fs.unlink(req.file.path, () => { });
+            }
+        }
+    }),
+];

package/esm/server.js

@@ -1,10 +1,9 @@
-import { getEnvOptions, getNodeEnv } from '@constructive-io/graphql-env';
+import { getEnvOptions } from '@constructive-io/graphql-env';
 import { Logger } from '@pgpmjs/logger';
 import { healthz, poweredBy, svcCache, trustProxy } from '@pgpmjs/server-utils';
 import { middleware as parseDomains } from '@constructive-io/url-domains';
 import { randomUUID } from 'crypto';
 import express from 'express';
-// @ts-ignore
 import graphqlUpload from 'graphql-upload';
 import { graphileCache, closeAllCaches } from 'graphile-cache';
 import { getPgPool } from 'pg-cache';
@@ -16,9 +15,10 @@ import { errorHandler, notFoundHandler } from './middleware/error-handler';
 import { favicon } from './middleware/favicon';
 import { flush, flushService } from './middleware/flush';
 import { graphile } from './middleware/graphile';
+import { multipartBridge } from './middleware/multipart-bridge';
+import { createUploadAuthenticateMiddleware, uploadRoute } from './middleware/upload';
 import { normalizeServerOptions } from './options';
 const log = new Logger('server');
-const isDev = () => getNodeEnv() === 'development';
 /**
  * Creates and starts a GraphQL server instance
  *
@@ -64,9 +64,13 @@ class Server {
         const app = express();
         const api = createApiMiddleware(effectiveOpts);
         const authenticate = createAuthenticateMiddleware(effectiveOpts);
+        const uploadAuthenticate = createUploadAuthenticateMiddleware(effectiveOpts);
+        const SAFE_REQUEST_ID = /^[a-zA-Z0-9\-_]{1,128}$/;
         const requestLogger = (req, res, next) => {
             const headerRequestId = req.header('x-request-id');
-            const reqId = headerRequestId || randomUUID();
+            const reqId = (headerRequestId && SAFE_REQUEST_ID.test(headerRequestId))
+                ? headerRequestId
+                : randomUUID();
             const start = process.hrtime.bigint();
             req.requestId = reqId;
             const host = req.hostname || req.headers.host || 'unknown';
@@ -96,7 +100,7 @@ class Server {
             metaSchemas: apiOpts.metaSchemas?.join(',') || 'default',
             exposedSchemas: apiOpts.exposedSchemas?.join(',') || 'none',
             anonRole: apiOpts.anonRole,
-            roleName: apiOpts.roleName
+            roleName: apiOpts.roleName,
         });
         healthz(app);
         app.use(favicon);
@@ -113,11 +117,17 @@ class Server {
         }
         app.use(poweredBy('constructive'));
         app.use(cors(fallbackOrigin));
-        app.use(graphqlUpload.graphqlUploadExpress());
+        app.use('/graphql', graphqlUpload.graphqlUploadExpress({
+            maxFileSize: 10 * 1024 * 1024, // 10 MB
+            maxFiles: 10,
+        }));
+        // Rewrite Content-Type after graphql-upload so grafserv accepts the request
+        app.use('/graphql', multipartBridge);
         app.use(parseDomains());
         app.use(requestIp.mw());
         app.use(requestLogger);
         app.use(api);
+        app.post('/upload', uploadAuthenticate, ...uploadRoute);
         app.use(authenticate);
         app.use(graphile(effectiveOpts));
         app.use(flush);

package/index.d.ts

@@ -2,6 +2,7 @@ export * from './server';
 export * from './options';
 export { createApiMiddleware, getSubdomain, getApiConfig } from './middleware/api';
 export { createAuthenticateMiddleware } from './middleware/auth';
+export { createUploadAuthenticateMiddleware } from './middleware/upload';
 export { cors } from './middleware/cors';
 export { graphile } from './middleware/graphile';
 export { flush, flushService } from './middleware/flush';

package/index.js

@@ -14,7 +14,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.flushService = exports.flush = exports.graphile = exports.cors = exports.createAuthenticateMiddleware = exports.getApiConfig = exports.getSubdomain = exports.createApiMiddleware = void 0;
+exports.flushService = exports.flush = exports.graphile = exports.cors = exports.createUploadAuthenticateMiddleware = exports.createAuthenticateMiddleware = exports.getApiConfig = exports.getSubdomain = exports.createApiMiddleware = void 0;
 __exportStar(require("./server"), exports);
 // Export options module - types, defaults, type guards, and utility functions
 __exportStar(require("./options"), exports);
@@ -25,6 +25,8 @@ Object.defineProperty(exports, "getSubdomain", { enumerable: true, get: function
 Object.defineProperty(exports, "getApiConfig", { enumerable: true, get: function () { return api_1.getApiConfig; } });
 var auth_1 = require("./middleware/auth");
 Object.defineProperty(exports, "createAuthenticateMiddleware", { enumerable: true, get: function () { return auth_1.createAuthenticateMiddleware; } });
+var upload_1 = require("./middleware/upload");
+Object.defineProperty(exports, "createUploadAuthenticateMiddleware", { enumerable: true, get: function () { return upload_1.createUploadAuthenticateMiddleware; } });
 var cors_1 = require("./middleware/cors");
 Object.defineProperty(exports, "cors", { enumerable: true, get: function () { return cors_1.cors; } });
 var graphile_1 = require("./middleware/graphile");

package/middleware/api.js

@@ -132,6 +132,7 @@ const toRlsModule = (row) => {
     };
 };
 const toApiStructure = (row, opts, rlsModuleRow) => ({
+    apiId: row.api_id,
     dbname: row.dbname || opts.pg?.database || '',
     anonRole: row.anon_role || 'anon',
     roleName: row.role_name || 'authenticated',

package/middleware/error-handler.js

@@ -82,13 +82,12 @@ const errorHandler = (err, req, res, _next) => {
 };
 exports.errorHandler = errorHandler;
 const notFoundHandler = (req, res, _next) => {
-    const message = `Route not found: ${req.method} ${req.path}`;
     log.warn({ event: 'route_not_found', path: req.path, method: req.method, requestId: req.requestId });
     if (wantsJson(req)) {
-        res.status(404).json({ error: { code: 'NOT_FOUND', message, requestId: req.requestId } });
+        res.status(404).json({ error: { code: 'NOT_FOUND', message: 'Not found', requestId: req.requestId } });
     }
     else {
-        res.status(404).send((0, _404_message_1.default)(message));
+        res.status(404).send((0, _404_message_1.default)('The requested page was not found'));
     }
 };
 exports.notFoundHandler = notFoundHandler;

package/middleware/graphile.d.ts

@@ -1,5 +1,5 @@
-import { ConstructiveOptions } from '@constructive-io/graphql-types';
-import { RequestHandler } from 'express';
+import type { ConstructiveOptions } from '@constructive-io/graphql-types';
+import type { RequestHandler } from 'express';
 import './types';
 /**
  * Returns the number of currently in-flight handler creation operations.

package/middleware/graphile.js

@@ -1,9 +1,14 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.graphile = void 0;
 exports.getInFlightCount = getInFlightCount;
 exports.getInFlightKeys = getInFlightKeys;
 exports.clearInFlightMap = clearInFlightMap;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const graphql_env_1 = require("@constructive-io/graphql-env");
 const logger_1 = require("@pgpmjs/logger");
 const graphile_cache_1 = require("graphile-cache");
 const graphile_settings_1 = require("graphile-settings");
@@ -11,24 +16,71 @@ const pg_cache_1 = require("pg-cache");
 const pg_env_1 = require("pg-env");
 require("./types"); // for Request type
 const api_errors_1 = require("../errors/api-errors");
+const maskErrorLog = new logger_1.Logger('graphile:maskError');
+const SAFE_ERROR_CODES = new Set([
+    // GraphQL standard
+    'GRAPHQL_VALIDATION_FAILED',
+    'GRAPHQL_PARSE_FAILED',
+    'PERSISTED_QUERY_NOT_FOUND',
+    'PERSISTED_QUERY_NOT_SUPPORTED',
+    // Auth
+    'UNAUTHENTICATED',
+    'FORBIDDEN',
+    'BAD_USER_INPUT',
+    'INCORRECT_PASSWORD',
+    'PASSWORD_INSECURE',
+    'ACCOUNT_LOCKED_EXCEED_ATTEMPTS',
+    'ACCOUNT_DISABLED',
+    'ACCOUNT_EXISTS',
+    'PASSWORD_LEN',
+    'INVITE_NOT_FOUND',
+    'INVITE_LIMIT',
+    'INVITE_EMAIL_NOT_FOUND',
+    'INVALID_CREDENTIALS',
+    // PublicKeySignature
+    'FEATURE_DISABLED',
+    'INVALID_PUBLIC_KEY',
+    'INVALID_MESSAGE',
+    'INVALID_SIGNATURE',
+    'NO_ACCOUNT_EXISTS',
+    'BAD_SIGNIN',
+    // Upload
+    'UPLOAD_MIMETYPE',
+    // PostgreSQL constraint violations (surfaced by PostGraphile)
+    '23505', // unique_violation
+    '23503', // foreign_key_violation
+    '23502', // not_null_violation
+    '23514', // check_violation
+    '23P01', // exclusion_violation
+]);
 /**
- * Custom maskError function that always returns the original error.
- *
- * By default, grafserv masks errors for security (hiding sensitive database errors
- * from clients). We disable this masking to show full error messages.
+ * Production-aware error masking function.
  *
- * Upstream reference:
- * - grafserv defaultMaskError: node_modules/grafserv/dist/options.js
- * - SafeError interface: grafast isSafeError() - errors implementing SafeError
- *   are shown as-is even with default masking
- *
- * If you need to restore masking behavior, see the upstream implementation which:
- * 1. Returns GraphQLError instances as-is
- * 2. Returns SafeError instances with their message exposed
- * 3. Masks other errors with a hash/ID and logs the original
+ * In development: returns errors as-is for debugging.
+ * In production: returns errors with explicit codes from the SAFE_ERROR_CODES
+ * allowlist as-is, but masks unexpected/database errors with a reference ID
+ * and logs the original.
  */
 const maskError = (error) => {
-    return error;
+    if ((0, graphql_env_1.getNodeEnv)() === 'development') {
+        return error;
+    }
+    // Only expose errors with codes on the safe allowlist.
+    // Note: grafserv strips originalError and internal extensions before
+    // serializing to the client, so returning the full error object is safe here.
+    if (error.extensions?.code && SAFE_ERROR_CODES.has(error.extensions.code)) {
+        return error;
+    }
+    // Mask unexpected/database errors with a reference ID
+    const errorId = node_crypto_1.default.randomBytes(8).toString('hex');
+    maskErrorLog.error(`[masked-error:${errorId}]`, error);
+    return {
+        message: `An unexpected error occurred. Reference: ${errorId}`,
+        extensions: {
+            code: 'INTERNAL_SERVER_ERROR',
+            errorId,
+        },
+    };
 };
 // =============================================================================
 // Single-Flight Pattern: In-Flight Tracking
@@ -60,7 +112,7 @@ function clearInFlightMap() {
     creating.clear();
 }
 const log = new logger_1.Logger('graphile');
-const reqLabel = (req) => req.requestId ? `[${req.requestId}]` : '[req]';
+const reqLabel = (req) => (req.requestId ? `[${req.requestId}]` : '[req]');
 /**
  * Build a PostGraphile v5 preset for a tenant
  */
@@ -76,6 +128,7 @@ const buildPreset = (connectionString, schemas, anonRole, roleName) => ({
         graphqlPath: '/graphql',
         graphiqlPath: '/graphiql',
         graphiql: true,
+        graphiqlOnGraphQLGET: false,
         maskError,
     },
     grafast: {
@@ -153,13 +206,26 @@ const graphile = (opts) => {
                     return instance.handler(req, res, next);
                 }
                 catch (error) {
-                    // Re-throw to be caught by outer try-catch
-                    throw error;
+                    log.warn(`${label} Coalesced request failed for PostGraphile[${key}], retrying`);
+                    // Fall through to Phase C to retry creation
                 }
             }
             // =========================================================================
             // Phase C: Create New Handler (first request for this key)
             // =========================================================================
+            // Re-check cache after coalesced request failure (another retry may have succeeded)
+            const recheckedCache = graphile_cache_1.graphileCache.get(key);
+            if (recheckedCache) {
+                log.debug(`${label} PostGraphile cache hit on re-check key=${key}`);
+                return recheckedCache.handler(req, res, next);
+            }
+            // Re-check in-flight map (another retry may have started creation)
+            const retryInFlight = creating.get(key);
+            if (retryInFlight) {
+                log.debug(`${label} Re-coalescing request for PostGraphile[${key}]`);
+                const retryInstance = await retryInFlight;
+                return retryInstance.handler(req, res, next);
+            }
             log.info(`${label} Building PostGraphile v5 handler key=${key} db=${dbname} schemas=${schemaLabel} role=${roleName} anon=${anonRole}`);
             const pgConfig = (0, pg_env_1.getPgEnvOptions)({
                 ...opts.pg,
@@ -178,7 +244,10 @@ const graphile = (opts) => {
             }
             catch (error) {
                 log.error(`${label} Failed to create PostGraphile[${key}]:`, error);
-                throw new api_errors_1.HandlerCreationError(`Failed to create handler for ${key}: ${error instanceof Error ? error.message : String(error)}`, { cacheKey: key, cause: error instanceof Error ? error.message : String(error) });
+                throw new api_errors_1.HandlerCreationError(`Failed to create handler for ${key}: ${error instanceof Error ? error.message : String(error)}`, {
+                    cacheKey: key,
+                    cause: error instanceof Error ? error.message : String(error),
+                });
             }
             finally {
                 // Always clean up in-flight tracker
@@ -187,7 +256,12 @@ const graphile = (opts) => {
         }
         catch (e) {
             log.error(`${label} PostGraphile middleware error`, e);
-            return res.status(500).send(e.message);
+            if (!res.headersSent) {
+                return res.status(500).json({
+                    error: { code: 'INTERNAL_ERROR', message: 'An unexpected error occurred' }
+                });
+            }
+            next(e);
         }
     };
 };

package/middleware/multipart-bridge.d.ts

@@ -0,0 +1,26 @@
+import type { RequestHandler } from 'express';
+/**
+ * Bridge middleware between graphql-upload and grafserv (PostGraphile v5).
+ *
+ * graphql-upload's `graphqlUploadExpress()` parses multipart/form-data requests
+ * and sets `req.body` to a standard GraphQL operation object, but leaves the
+ * original Content-Type header unchanged. grafserv rejects any Content-Type it
+ * doesn't recognize (415 Unsupported Media Type) because its allowlist only
+ * includes `application/json` and `application/graphql`.
+ *
+ * This middleware rewrites the Content-Type header to `application/json` after
+ * graphql-upload has finished parsing, so grafserv accepts the request.
+ *
+ * This is the standard bridge pattern for grafserv + graphql-upload.
+ * See: https://github.com/graphql/graphql-http/discussions/36
+ *
+ * Must be registered immediately after `graphqlUploadExpress()` in the
+ * middleware chain — it relies on graphql-upload having already parsed the
+ * multipart body into `req.body`.
+ *
+ * Security note: multipart/form-data is a CORS "simple request" content type,
+ * which means browsers send it without a preflight OPTIONS check. The CSRF risk
+ * is mitigated by the CORS middleware that runs before this middleware in the
+ * Express pipeline.
+ */
+export declare const multipartBridge: RequestHandler;

package/middleware/multipart-bridge.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.multipartBridge = void 0;
+/**
+ * Bridge middleware between graphql-upload and grafserv (PostGraphile v5).
+ *
+ * graphql-upload's `graphqlUploadExpress()` parses multipart/form-data requests
+ * and sets `req.body` to a standard GraphQL operation object, but leaves the
+ * original Content-Type header unchanged. grafserv rejects any Content-Type it
+ * doesn't recognize (415 Unsupported Media Type) because its allowlist only
+ * includes `application/json` and `application/graphql`.
+ *
+ * This middleware rewrites the Content-Type header to `application/json` after
+ * graphql-upload has finished parsing, so grafserv accepts the request.
+ *
+ * This is the standard bridge pattern for grafserv + graphql-upload.
+ * See: https://github.com/graphql/graphql-http/discussions/36
+ *
+ * Must be registered immediately after `graphqlUploadExpress()` in the
+ * middleware chain — it relies on graphql-upload having already parsed the
+ * multipart body into `req.body`.
+ *
+ * Security note: multipart/form-data is a CORS "simple request" content type,
+ * which means browsers send it without a preflight OPTIONS check. The CSRF risk
+ * is mitigated by the CORS middleware that runs before this middleware in the
+ * Express pipeline.
+ */
+const multipartBridge = (req, _res, next) => {
+    if (req.body != null && req.headers['content-type']?.startsWith('multipart/form-data')) {
+        req.headers['content-type'] = 'application/json';
+    }
+    next();
+};
+exports.multipartBridge = multipartBridge;

package/middleware/types.d.ts

@@ -1,7 +1,7 @@
 import type { ApiStructure } from '../types';
 export type ConstructiveAPIToken = {
-    id: string;
-    user_id: string;
+    id?: string;
+    user_id?: string;
     [key: string]: unknown;
 };
 declare global {

package/middleware/upload.d.ts

@@ -0,0 +1,20 @@
+import type { PgpmOptions } from '@pgpmjs/types';
+import type { RequestHandler } from 'express';
+import './types';
+/**
+ * Upload-specific authentication middleware.
+ *
+ * This middleware enforces strict auth semantics for `POST /upload` while
+ * preserving existing GraphQL auth behavior for other routes.
+ */
+export declare const createUploadAuthenticateMiddleware: (opts: PgpmOptions) => RequestHandler;
+/**
+ * REST file upload endpoint.
+ *
+ * Accepts a single file via multipart/form-data, streams it to S3/MinIO,
+ * and returns file metadata. The frontend uses this in a two-step flow:
+ *
+ * 1. POST /upload  -> { url, filename, mime, size }
+ * 2. GraphQL mutation -> patch row with the returned metadata
+ */
+export declare const uploadRoute: RequestHandler[];

package/middleware/upload.js

@@ -0,0 +1,266 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.uploadRoute = exports.createUploadAuthenticateMiddleware = void 0;
+const logger_1 = require("@pgpmjs/logger");
+const fs_1 = __importDefault(require("fs"));
+const multer_1 = __importDefault(require("multer"));
+const os_1 = __importDefault(require("os"));
+const pg_1 = require("pg");
+const pg_cache_1 = require("pg-cache");
+const pg_query_context_1 = __importDefault(require("pg-query-context"));
+const graphile_settings_1 = require("graphile-settings");
+require("./types");
+const uploadLog = new logger_1.Logger('upload');
+const authLog = new logger_1.Logger('upload-auth');
+const envFileSize = process.env.MAX_UPLOAD_FILE_SIZE
+    ? parseInt(process.env.MAX_UPLOAD_FILE_SIZE, 10)
+    : NaN;
+const MAX_FILE_SIZE = envFileSize > 0 ? envFileSize : 10 * 1024 * 1024;
+const BLOCKED_MIME_TYPES = new Set([
+    'application/x-executable',
+    'application/x-sharedlib',
+    'application/x-mach-binary',
+    'application/x-dosexec',
+    'text/html',
+    'application/xhtml+xml',
+    'application/javascript',
+    'text/javascript'
+]);
+const parseFile = (0, multer_1.default)({
+    storage: multer_1.default.diskStorage({
+        destination: os_1.default.tmpdir(),
+        filename: (_req, _file, cb) => {
+            const uniqueSuffix = `${Date.now()}-${Math.round(Math.random() * 1e9)}`;
+            cb(null, `upload-${uniqueSuffix}.tmp`);
+        },
+    }),
+    limits: { fileSize: MAX_FILE_SIZE },
+}).single('file');
+const parseFileWithErrors = (req, res, next) => {
+    parseFile(req, res, (err) => {
+        if (!err)
+            return next();
+        if (err.code === 'LIMIT_FILE_SIZE') {
+            return res.status(413).json({ error: `File exceeds maximum size of ${MAX_FILE_SIZE / (1024 * 1024)} MB` });
+        }
+        if (err.code === 'LIMIT_UNEXPECTED_FILE') {
+            return res.status(400).json({ error: 'Unexpected file field. Send a single file as "file".' });
+        }
+        return res.status(400).json({ error: 'File upload failed' });
+    });
+};
+const RLS_MODULE_BASE_SQL = `
+  SELECT
+    rm.authenticate,
+    rm.authenticate_strict,
+    ps.schema_name as private_schema_name
+  FROM metaschema_modules_public.rls_module rm
+  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id`;
+const RLS_MODULE_BY_DATABASE_ID_SQL = `${RLS_MODULE_BASE_SQL}
+  JOIN services_public.apis a ON rm.api_id = a.id
+  WHERE a.database_id = $1
+  ORDER BY a.id
+  LIMIT 1
+`;
+const RLS_MODULE_BY_API_ID_SQL = `${RLS_MODULE_BASE_SQL}
+  WHERE rm.api_id = $1
+  LIMIT 1
+`;
+const RLS_MODULE_BY_DBNAME_SQL = `${RLS_MODULE_BASE_SQL}
+  JOIN services_public.apis a ON rm.api_id = a.id
+  WHERE a.dbname = $1
+  ORDER BY a.id
+  LIMIT 1
+`;
+const toRlsModule = (row) => {
+    if (!row || !row.private_schema_name)
+        return undefined;
+    return {
+        authenticate: row.authenticate ?? undefined,
+        authenticateStrict: row.authenticate_strict ?? undefined,
+        privateSchema: { schemaName: row.private_schema_name },
+    };
+};
+const getBearerToken = (authorization) => {
+    if (!authorization)
+        return null;
+    const [authType, authToken] = authorization.split(' ');
+    if (authType?.toLowerCase() !== 'bearer' || !authToken) {
+        return null;
+    }
+    return authToken;
+};
+const queryRlsModuleByDatabaseId = async (pool, databaseId) => {
+    const result = await pool.query(RLS_MODULE_BY_DATABASE_ID_SQL, [databaseId]);
+    return toRlsModule(result.rows[0] ?? null);
+};
+const queryRlsModuleByApiId = async (pool, apiId) => {
+    const result = await pool.query(RLS_MODULE_BY_API_ID_SQL, [apiId]);
+    return toRlsModule(result.rows[0] ?? null);
+};
+const queryRlsModuleByDbname = async (pool, dbname) => {
+    const result = await pool.query(RLS_MODULE_BY_DBNAME_SQL, [dbname]);
+    return toRlsModule(result.rows[0] ?? null);
+};
+const resolveUploadRlsModule = async (opts, req) => {
+    const api = req.api;
+    if (!api)
+        return undefined;
+    // Use API-scoped RLS module when available (e.g., meta API).
+    if (api.rlsModule) {
+        return api.rlsModule;
+    }
+    const pool = (0, pg_cache_1.getPgPool)(opts.pg);
+    if (api.apiId) {
+        const byApiId = await queryRlsModuleByApiId(pool, api.apiId);
+        if (byApiId)
+            return byApiId;
+    }
+    if (api.databaseId) {
+        const byDatabaseId = await queryRlsModuleByDatabaseId(pool, api.databaseId);
+        if (byDatabaseId)
+            return byDatabaseId;
+    }
+    if (api.dbname) {
+        return queryRlsModuleByDbname(pool, api.dbname);
+    }
+    return undefined;
+};
+const authError = (res) => res.status(401).json({ error: 'Authentication required' });
+/**
+ * Upload-specific authentication middleware.
+ *
+ * This middleware enforces strict auth semantics for `POST /upload` while
+ * preserving existing GraphQL auth behavior for other routes.
+ */
+const createUploadAuthenticateMiddleware = (opts) => {
+    return async (req, res, next) => {
+        const api = req.api;
+        if (!api) {
+            res.status(500).send('Missing API info');
+            return;
+        }
+        if (req.token?.user_id) {
+            next();
+            return;
+        }
+        const authToken = getBearerToken(req.headers.authorization);
+        if (!authToken) {
+            authError(res);
+            return;
+        }
+        let rlsModule;
+        try {
+            rlsModule = await resolveUploadRlsModule(opts, req);
+        }
+        catch (error) {
+            authLog.error('[upload-auth] Failed to resolve RLS module for upload route', error);
+            authError(res);
+            return;
+        }
+        if (!rlsModule) {
+            authLog.info(`[upload-auth] No RLS module found for db=${api.dbname} databaseId=${api.databaseId ?? 'none'}`);
+            authError(res);
+            return;
+        }
+        const authFn = opts.server?.strictAuth ? rlsModule.authenticateStrict : rlsModule.authenticate;
+        const privateSchema = rlsModule.privateSchema?.schemaName;
+        if (!authFn || !privateSchema) {
+            authLog.warn(`[upload-auth] Missing auth function or private schema for db=${api.dbname}; strictAuth=${opts.server?.strictAuth ?? false}`);
+            authError(res);
+            return;
+        }
+        const SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/;
+        if (!SAFE_IDENTIFIER.test(privateSchema) || !SAFE_IDENTIFIER.test(authFn)) {
+            authLog.error(`[upload-auth] Invalid SQL identifier: schema=${privateSchema} fn=${authFn}`);
+            authError(res);
+            return;
+        }
+        const pool = (0, pg_cache_1.getPgPool)({
+            ...opts.pg,
+            database: api.dbname,
+        });
+        const context = {};
+        if (req.clientIp) {
+            context['jwt.claims.ip_address'] = req.clientIp;
+        }
+        if (req.get('origin')) {
+            context['jwt.claims.origin'] = req.get('origin');
+        }
+        if (req.get('User-Agent')) {
+            context['jwt.claims.user_agent'] = req.get('User-Agent');
+        }
+        try {
+            const result = await (0, pg_query_context_1.default)({
+                client: pool,
+                context,
+                query: `SELECT * FROM ${(0, pg_1.escapeIdentifier)(privateSchema)}.${(0, pg_1.escapeIdentifier)(authFn)}($1)`,
+                variables: [authToken],
+            });
+            if (!result?.rowCount) {
+                authError(res);
+                return;
+            }
+            req.token = result.rows[0];
+            if (!req.token?.user_id) {
+                authError(res);
+                return;
+            }
+            next();
+        }
+        catch (error) {
+            authLog.warn('[upload-auth] Upload authentication failed', error);
+            authError(res);
+        }
+    };
+};
+exports.createUploadAuthenticateMiddleware = createUploadAuthenticateMiddleware;
+/**
+ * REST file upload endpoint.
+ *
+ * Accepts a single file via multipart/form-data, streams it to S3/MinIO,
+ * and returns file metadata. The frontend uses this in a two-step flow:
+ *
+ * 1. POST /upload  -> { url, filename, mime, size }
+ * 2. GraphQL mutation -> patch row with the returned metadata
+ */
+exports.uploadRoute = [
+    parseFileWithErrors,
+    (async (req, res, next) => {
+        if (!req.token?.user_id) {
+            return res.status(401).json({ error: 'Authentication required' });
+        }
+        if (!req.file) {
+            return res.status(400).json({ error: 'No file provided. Send a "file" field.' });
+        }
+        if (req.file.mimetype && BLOCKED_MIME_TYPES.has(req.file.mimetype)) {
+            fs_1.default.unlink(req.file.path, () => { });
+            return res.status(415).json({ error: 'File type not allowed' });
+        }
+        try {
+            const readStream = fs_1.default.createReadStream(req.file.path);
+            const result = await (0, graphile_settings_1.streamToStorage)(readStream, req.file.originalname);
+            uploadLog.debug(`[upload] Uploaded file for user=${req.token.user_id} filename=${req.file.originalname} mime=${result.mime} size=${req.file.size}`);
+            res.json({
+                url: result.url,
+                filename: result.filename,
+                mime: result.mime,
+                size: req.file.size,
+            });
+        }
+        catch (error) {
+            uploadLog.error('[upload] Upload processing failed', error);
+            if (!res.headersSent) {
+                res.status(500).json({ error: 'Upload processing failed' });
+            }
+        }
+        finally {
+            if (req.file?.path) {
+                fs_1.default.unlink(req.file.path, () => { });
+            }
+        }
+    }),
+];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@constructive-io/graphql-server",
-  "version": "4.1.1",
+  "version": "4.3.0",
   "author": "Constructive <developers@constructive.io>",
   "description": "Constructive GraphQL Server",
   "main": "index.js",
@@ -39,34 +39,36 @@
     "backend"
   ],
   "dependencies": {
-    "@constructive-io/graphql-env": "^3.1.0",
-    "@constructive-io/graphql-types": "^3.0.0",
-    "@constructive-io/s3-utils": "^2.6.0",
-    "@constructive-io/upload-names": "^2.6.0",
-    "@constructive-io/url-domains": "^2.6.0",
+    "@constructive-io/graphql-env": "^3.2.0",
+    "@constructive-io/graphql-types": "^3.1.0",
+    "@constructive-io/s3-utils": "^2.7.0",
+    "@constructive-io/upload-names": "^2.7.0",
+    "@constructive-io/url-domains": "^2.7.0",
     "@graphile-contrib/pg-many-to-many": "2.0.0-rc.1",
     "@graphile/simplify-inflection": "8.0.0-rc.3",
-    "@pgpmjs/logger": "^2.1.0",
-    "@pgpmjs/server-utils": "^3.1.0",
-    "@pgpmjs/types": "^2.16.0",
+    "@pgpmjs/logger": "^2.2.0",
+    "@pgpmjs/server-utils": "^3.2.0",
+    "@pgpmjs/types": "^2.17.0",
     "cors": "^2.8.5",
     "deepmerge": "^4.3.1",
     "express": "^5.2.1",
-    "gql-ast": "^3.0.0",
+    "gql-ast": "^3.1.0",
     "grafast": "1.0.0-rc.7",
     "grafserv": "1.0.0-rc.6",
     "graphile-build": "5.0.0-rc.4",
     "graphile-build-pg": "5.0.0-rc.5",
-    "graphile-cache": "^3.0.1",
+    "graphile-cache": "^3.1.0",
     "graphile-config": "1.0.0-rc.5",
-    "graphile-settings": "^4.1.1",
+    "graphile-settings": "^4.3.0",
+    "graphile-utils": "^5.0.0-rc.5",
     "graphql": "^16.9.0",
     "graphql-upload": "^13.0.0",
     "lru-cache": "^11.2.4",
+    "multer": "^2.0.1",
     "pg": "^8.17.1",
-    "pg-cache": "^3.0.0",
-    "pg-env": "^1.4.0",
-    "pg-query-context": "^2.5.0",
+    "pg-cache": "^3.1.0",
+    "pg-env": "^1.5.0",
+    "pg-query-context": "^2.6.0",
     "pg-sql2": "5.0.0-rc.4",
     "postgraphile": "5.0.0-rc.7",
     "postgraphile-plugin-connection-filter": "3.0.0-rc.1",
@@ -77,12 +79,13 @@
     "@types/cors": "^2.8.17",
     "@types/express": "^5.0.6",
     "@types/graphql-upload": "^8.0.12",
+    "@types/multer": "^1.4.12",
     "@types/pg": "^8.16.0",
     "@types/request-ip": "^0.0.41",
-    "graphile-test": "4.1.1",
+    "graphile-test": "4.2.0",
     "makage": "^0.1.10",
     "nodemon": "^3.1.10",
     "ts-node": "^10.9.2"
   },
-  "gitHead": "921594a77964d3467261c70fed1d529eddabb549"
+  "gitHead": "b758178b808ce0bf451e86c0bd7e92079155db7c"
 }

package/server.js

@@ -10,7 +10,6 @@ const server_utils_1 = require("@pgpmjs/server-utils");
 const url_domains_1 = require("@constructive-io/url-domains");
 const crypto_1 = require("crypto");
 const express_1 = __importDefault(require("express"));
-// @ts-ignore
 const graphql_upload_1 = __importDefault(require("graphql-upload"));
 const graphile_cache_1 = require("graphile-cache");
 const pg_cache_1 = require("pg-cache");
@@ -22,9 +21,10 @@ const error_handler_1 = require("./middleware/error-handler");
 const favicon_1 = require("./middleware/favicon");
 const flush_1 = require("./middleware/flush");
 const graphile_1 = require("./middleware/graphile");
+const multipart_bridge_1 = require("./middleware/multipart-bridge");
+const upload_1 = require("./middleware/upload");
 const options_1 = require("./options");
 const log = new logger_1.Logger('server');
-const isDev = () => (0, graphql_env_1.getNodeEnv)() === 'development';
 /**
  * Creates and starts a GraphQL server instance
  *
@@ -71,9 +71,13 @@ class Server {
         const app = (0, express_1.default)();
         const api = (0, api_1.createApiMiddleware)(effectiveOpts);
         const authenticate = (0, auth_1.createAuthenticateMiddleware)(effectiveOpts);
+        const uploadAuthenticate = (0, upload_1.createUploadAuthenticateMiddleware)(effectiveOpts);
+        const SAFE_REQUEST_ID = /^[a-zA-Z0-9\-_]{1,128}$/;
         const requestLogger = (req, res, next) => {
             const headerRequestId = req.header('x-request-id');
-            const reqId = headerRequestId || (0, crypto_1.randomUUID)();
+            const reqId = (headerRequestId && SAFE_REQUEST_ID.test(headerRequestId))
+                ? headerRequestId
+                : (0, crypto_1.randomUUID)();
             const start = process.hrtime.bigint();
             req.requestId = reqId;
             const host = req.hostname || req.headers.host || 'unknown';
@@ -103,7 +107,7 @@ class Server {
             metaSchemas: apiOpts.metaSchemas?.join(',') || 'default',
             exposedSchemas: apiOpts.exposedSchemas?.join(',') || 'none',
             anonRole: apiOpts.anonRole,
-            roleName: apiOpts.roleName
+            roleName: apiOpts.roleName,
         });
         (0, server_utils_1.healthz)(app);
         app.use(favicon_1.favicon);
@@ -120,11 +124,17 @@ class Server {
         }
         app.use((0, server_utils_1.poweredBy)('constructive'));
         app.use((0, cors_1.cors)(fallbackOrigin));
-        app.use(graphql_upload_1.default.graphqlUploadExpress());
+        app.use('/graphql', graphql_upload_1.default.graphqlUploadExpress({
+            maxFileSize: 10 * 1024 * 1024, // 10 MB
+            maxFiles: 10,
+        }));
+        // Rewrite Content-Type after graphql-upload so grafserv accepts the request
+        app.use('/graphql', multipart_bridge_1.multipartBridge);
         app.use((0, url_domains_1.middleware)());
         app.use(request_ip_1.default.mw());
         app.use(requestLogger);
         app.use(api);
+        app.post('/upload', uploadAuthenticate, ...upload_1.uploadRoute);
         app.use(authenticate);
         app.use((0, graphile_1.graphile)(effectiveOpts));
         app.use(flush_1.flush);

package/types.d.ts

@@ -31,6 +31,7 @@ export interface RlsModule {
     };
 }
 export interface ApiStructure {
+    apiId?: string;
     dbname: string;
     anonRole: string;
     roleName: string;