@constructive-io/graphql-server 4.25.2 → 4.26.1

package/esm/middleware/api.js

@@ -75,6 +75,28 @@ const RLS_MODULE_SQL = `
   WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
+const RLS_SETTINGS_SQL = `
+  SELECT
+    auth_schema.schema_name AS authenticate_schema,
+    role_schema.schema_name AS role_schema,
+    auth_fn.name AS authenticate,
+    auth_strict_fn.name AS authenticate_strict,
+    role_fn.name AS current_role,
+    role_id_fn.name AS current_role_id,
+    ua_fn.name AS current_user_agent,
+    ip_fn.name AS current_ip_address
+  FROM services_public.rls_settings rs
+  LEFT JOIN metaschema_public.schema auth_schema ON rs.authenticate_schema_id = auth_schema.id
+  LEFT JOIN metaschema_public.schema role_schema ON rs.role_schema_id = role_schema.id
+  LEFT JOIN metaschema_public.function auth_fn ON rs.authenticate_function_id = auth_fn.id
+  LEFT JOIN metaschema_public.function auth_strict_fn ON rs.authenticate_strict_function_id = auth_strict_fn.id
+  LEFT JOIN metaschema_public.function role_fn ON rs.current_role_function_id = role_fn.id
+  LEFT JOIN metaschema_public.function role_id_fn ON rs.current_role_id_function_id = role_id_fn.id
+  LEFT JOIN metaschema_public.function ua_fn ON rs.current_user_agent_function_id = ua_fn.id
+  LEFT JOIN metaschema_public.function ip_fn ON rs.current_ip_address_function_id = ip_fn.id
+  WHERE rs.database_id = $1
+  LIMIT 1
+`;
 /**
  * Discover auth settings table location via public metaschema tables.
  * Joins sessions_module with metaschema_public.schema to resolve
@@ -155,6 +177,24 @@ const toRlsModule = (row) => {
         currentUserAgent: d.current_user_agent,
     };
 };
+const toRlsModuleFromSettings = (row) => {
+    if (!row)
+        return undefined;
+    return {
+        authenticate: row.authenticate,
+        authenticateStrict: row.authenticate_strict,
+        privateSchema: {
+            schemaName: row.authenticate_schema,
+        },
+        publicSchema: {
+            schemaName: row.role_schema,
+        },
+        currentRole: row.current_role,
+        currentRoleId: row.current_role_id,
+        currentIpAddress: row.current_ip_address,
+        currentUserAgent: row.current_user_agent,
+    };
+};
 const toAuthSettings = (row) => {
     if (!row)
         return undefined;
@@ -169,14 +209,14 @@ const toAuthSettings = (row) => {
         captchaSiteKey: row.captcha_site_key,
     };
 };
-const toApiStructure = (row, opts, rlsModuleRow, authSettingsRow) => ({
+const toApiStructure = (row, opts, rlsModule, authSettingsRow) => ({
     apiId: row.api_id,
     dbname: row.dbname || opts.pg?.database || '',
     anonRole: row.anon_role || 'anon',
     roleName: row.role_name || 'authenticated',
     schema: row.schemas || [],
     apiModules: [],
-    rlsModule: toRlsModule(rlsModuleRow ?? null),
+    rlsModule,
     domains: [],
     databaseId: row.database_id,
     isPublic: row.is_public,
@@ -211,9 +251,24 @@ const queryApiList = async (pool, isPublic) => {
     const result = await pool.query(API_LIST_SQL, [isPublic]);
     return result.rows;
 };
-const queryRlsModule = async (pool, apiId) => {
+const queryRlsSettings = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(RLS_SETTINGS_SQL, [databaseId]);
+        return toRlsModuleFromSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryRlsModuleLegacy = async (pool, apiId) => {
     const result = await pool.query(RLS_MODULE_SQL, [apiId]);
-    return result.rows[0] ?? null;
+    return toRlsModule(result.rows[0] ?? null);
+};
+const queryRlsModule = async (pool, databaseId, apiId) => {
+    const fromSettings = await queryRlsSettings(pool, databaseId);
+    if (fromSettings)
+        return fromSettings;
+    return queryRlsModuleLegacy(pool, apiId);
 };
 /**
  * Load server-relevant auth settings from the tenant DB.
@@ -291,7 +346,7 @@ const resolveApiNameHeader = async (ctx) => {
         log.debug(`[api-name-lookup] No API found for databaseId=${headers.databaseId} name=${headers.apiName}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.api_id);
+    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
     const authSettings = await queryAuthSettings(opts, row.dbname);
     log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
     return toApiStructure(row, opts, rlsModule, authSettings);
@@ -308,7 +363,7 @@ const resolveDomainLookup = async (ctx) => {
         log.debug(`[domain-lookup] No API found for domain=${domain} subdomain=${subdomain}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.api_id);
+    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
     const authSettings = await queryAuthSettings(opts, row.dbname);
     log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
     return toApiStructure(row, opts, rlsModule, authSettings);

package/esm/middleware/upload.js

@@ -68,6 +68,51 @@ const RLS_MODULE_BY_DBNAME_SQL = `
   ORDER BY a.id
   LIMIT 1
 `;
+const RLS_SETTINGS_BY_DATABASE_ID_SQL = `
+  SELECT
+    auth_schema.schema_name AS authenticate_schema,
+    role_schema.schema_name AS role_schema,
+    auth_fn.name AS authenticate,
+    auth_strict_fn.name AS authenticate_strict,
+    role_fn.name AS current_role,
+    role_id_fn.name AS current_role_id,
+    ua_fn.name AS current_user_agent,
+    ip_fn.name AS current_ip_address
+  FROM services_public.rls_settings rs
+  LEFT JOIN metaschema_public.schema auth_schema ON rs.authenticate_schema_id = auth_schema.id
+  LEFT JOIN metaschema_public.schema role_schema ON rs.role_schema_id = role_schema.id
+  LEFT JOIN metaschema_public.function auth_fn ON rs.authenticate_function_id = auth_fn.id
+  LEFT JOIN metaschema_public.function auth_strict_fn ON rs.authenticate_strict_function_id = auth_strict_fn.id
+  LEFT JOIN metaschema_public.function role_fn ON rs.current_role_function_id = role_fn.id
+  LEFT JOIN metaschema_public.function role_id_fn ON rs.current_role_id_function_id = role_id_fn.id
+  LEFT JOIN metaschema_public.function ua_fn ON rs.current_user_agent_function_id = ua_fn.id
+  LEFT JOIN metaschema_public.function ip_fn ON rs.current_ip_address_function_id = ip_fn.id
+  WHERE rs.database_id = $1
+  LIMIT 1
+`;
+const RLS_SETTINGS_BY_DBNAME_SQL = `
+  SELECT
+    auth_schema.schema_name AS authenticate_schema,
+    role_schema.schema_name AS role_schema,
+    auth_fn.name AS authenticate,
+    auth_strict_fn.name AS authenticate_strict,
+    role_fn.name AS current_role,
+    role_id_fn.name AS current_role_id,
+    ua_fn.name AS current_user_agent,
+    ip_fn.name AS current_ip_address
+  FROM services_public.rls_settings rs
+  JOIN services_public.apis a ON rs.database_id = a.database_id
+  LEFT JOIN metaschema_public.schema auth_schema ON rs.authenticate_schema_id = auth_schema.id
+  LEFT JOIN metaschema_public.schema role_schema ON rs.role_schema_id = role_schema.id
+  LEFT JOIN metaschema_public.function auth_fn ON rs.authenticate_function_id = auth_fn.id
+  LEFT JOIN metaschema_public.function auth_strict_fn ON rs.authenticate_strict_function_id = auth_strict_fn.id
+  LEFT JOIN metaschema_public.function role_fn ON rs.current_role_function_id = role_fn.id
+  LEFT JOIN metaschema_public.function role_id_fn ON rs.current_role_id_function_id = role_id_fn.id
+  LEFT JOIN metaschema_public.function ua_fn ON rs.current_user_agent_function_id = ua_fn.id
+  LEFT JOIN metaschema_public.function ip_fn ON rs.current_ip_address_function_id = ip_fn.id
+  WHERE a.dbname = $1
+  LIMIT 1
+`;
 const toRlsModule = (row) => {
     if (!row?.data)
         return undefined;
@@ -83,6 +128,20 @@ const toRlsModule = (row) => {
         currentUserAgent: d.current_user_agent,
     };
 };
+const toRlsModuleFromSettings = (row) => {
+    if (!row)
+        return undefined;
+    return {
+        authenticate: row.authenticate,
+        authenticateStrict: row.authenticate_strict,
+        privateSchema: { schemaName: row.authenticate_schema },
+        publicSchema: { schemaName: row.role_schema },
+        currentRole: row.current_role,
+        currentRoleId: row.current_role_id,
+        currentIpAddress: row.current_ip_address,
+        currentUserAgent: row.current_user_agent,
+    };
+};
 const getBearerToken = (authorization) => {
     if (!authorization)
         return null;
@@ -92,7 +151,28 @@ const getBearerToken = (authorization) => {
     }
     return authToken;
 };
+const queryRlsSettingsByDatabaseId = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(RLS_SETTINGS_BY_DATABASE_ID_SQL, [databaseId]);
+        return toRlsModuleFromSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryRlsSettingsByDbname = async (pool, dbname) => {
+    try {
+        const result = await pool.query(RLS_SETTINGS_BY_DBNAME_SQL, [dbname]);
+        return toRlsModuleFromSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
 const queryRlsModuleByDatabaseId = async (pool, databaseId) => {
+    const fromSettings = await queryRlsSettingsByDatabaseId(pool, databaseId);
+    if (fromSettings)
+        return fromSettings;
     const result = await pool.query(RLS_MODULE_BY_DATABASE_ID_SQL, [databaseId]);
     return toRlsModule(result.rows[0] ?? null);
 };
@@ -101,6 +181,9 @@ const queryRlsModuleByApiId = async (pool, apiId) => {
     return toRlsModule(result.rows[0] ?? null);
 };
 const queryRlsModuleByDbname = async (pool, dbname) => {
+    const fromSettings = await queryRlsSettingsByDbname(pool, dbname);
+    if (fromSettings)
+        return fromSettings;
     const result = await pool.query(RLS_MODULE_BY_DBNAME_SQL, [dbname]);
     return toRlsModule(result.rows[0] ?? null);
 };

package/middleware/api.js

@@ -81,6 +81,28 @@ const RLS_MODULE_SQL = `
   WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
+const RLS_SETTINGS_SQL = `
+  SELECT
+    auth_schema.schema_name AS authenticate_schema,
+    role_schema.schema_name AS role_schema,
+    auth_fn.name AS authenticate,
+    auth_strict_fn.name AS authenticate_strict,
+    role_fn.name AS current_role,
+    role_id_fn.name AS current_role_id,
+    ua_fn.name AS current_user_agent,
+    ip_fn.name AS current_ip_address
+  FROM services_public.rls_settings rs
+  LEFT JOIN metaschema_public.schema auth_schema ON rs.authenticate_schema_id = auth_schema.id
+  LEFT JOIN metaschema_public.schema role_schema ON rs.role_schema_id = role_schema.id
+  LEFT JOIN metaschema_public.function auth_fn ON rs.authenticate_function_id = auth_fn.id
+  LEFT JOIN metaschema_public.function auth_strict_fn ON rs.authenticate_strict_function_id = auth_strict_fn.id
+  LEFT JOIN metaschema_public.function role_fn ON rs.current_role_function_id = role_fn.id
+  LEFT JOIN metaschema_public.function role_id_fn ON rs.current_role_id_function_id = role_id_fn.id
+  LEFT JOIN metaschema_public.function ua_fn ON rs.current_user_agent_function_id = ua_fn.id
+  LEFT JOIN metaschema_public.function ip_fn ON rs.current_ip_address_function_id = ip_fn.id
+  WHERE rs.database_id = $1
+  LIMIT 1
+`;
 /**
  * Discover auth settings table location via public metaschema tables.
  * Joins sessions_module with metaschema_public.schema to resolve
@@ -163,6 +185,24 @@ const toRlsModule = (row) => {
         currentUserAgent: d.current_user_agent,
     };
 };
+const toRlsModuleFromSettings = (row) => {
+    if (!row)
+        return undefined;
+    return {
+        authenticate: row.authenticate,
+        authenticateStrict: row.authenticate_strict,
+        privateSchema: {
+            schemaName: row.authenticate_schema,
+        },
+        publicSchema: {
+            schemaName: row.role_schema,
+        },
+        currentRole: row.current_role,
+        currentRoleId: row.current_role_id,
+        currentIpAddress: row.current_ip_address,
+        currentUserAgent: row.current_user_agent,
+    };
+};
 const toAuthSettings = (row) => {
     if (!row)
         return undefined;
@@ -177,14 +217,14 @@ const toAuthSettings = (row) => {
         captchaSiteKey: row.captcha_site_key,
     };
 };
-const toApiStructure = (row, opts, rlsModuleRow, authSettingsRow) => ({
+const toApiStructure = (row, opts, rlsModule, authSettingsRow) => ({
     apiId: row.api_id,
     dbname: row.dbname || opts.pg?.database || '',
     anonRole: row.anon_role || 'anon',
     roleName: row.role_name || 'authenticated',
     schema: row.schemas || [],
     apiModules: [],
-    rlsModule: toRlsModule(rlsModuleRow ?? null),
+    rlsModule,
     domains: [],
     databaseId: row.database_id,
     isPublic: row.is_public,
@@ -219,9 +259,24 @@ const queryApiList = async (pool, isPublic) => {
     const result = await pool.query(API_LIST_SQL, [isPublic]);
     return result.rows;
 };
-const queryRlsModule = async (pool, apiId) => {
+const queryRlsSettings = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(RLS_SETTINGS_SQL, [databaseId]);
+        return toRlsModuleFromSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryRlsModuleLegacy = async (pool, apiId) => {
     const result = await pool.query(RLS_MODULE_SQL, [apiId]);
-    return result.rows[0] ?? null;
+    return toRlsModule(result.rows[0] ?? null);
+};
+const queryRlsModule = async (pool, databaseId, apiId) => {
+    const fromSettings = await queryRlsSettings(pool, databaseId);
+    if (fromSettings)
+        return fromSettings;
+    return queryRlsModuleLegacy(pool, apiId);
 };
 /**
  * Load server-relevant auth settings from the tenant DB.
@@ -299,7 +354,7 @@ const resolveApiNameHeader = async (ctx) => {
         log.debug(`[api-name-lookup] No API found for databaseId=${headers.databaseId} name=${headers.apiName}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.api_id);
+    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
     const authSettings = await queryAuthSettings(opts, row.dbname);
     log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
     return toApiStructure(row, opts, rlsModule, authSettings);
@@ -316,7 +371,7 @@ const resolveDomainLookup = async (ctx) => {
         log.debug(`[domain-lookup] No API found for domain=${domain} subdomain=${subdomain}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.api_id);
+    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
     const authSettings = await queryAuthSettings(opts, row.dbname);
     log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
     return toApiStructure(row, opts, rlsModule, authSettings);

package/middleware/upload.js

@@ -74,6 +74,51 @@ const RLS_MODULE_BY_DBNAME_SQL = `
   ORDER BY a.id
   LIMIT 1
 `;
+const RLS_SETTINGS_BY_DATABASE_ID_SQL = `
+  SELECT
+    auth_schema.schema_name AS authenticate_schema,
+    role_schema.schema_name AS role_schema,
+    auth_fn.name AS authenticate,
+    auth_strict_fn.name AS authenticate_strict,
+    role_fn.name AS current_role,
+    role_id_fn.name AS current_role_id,
+    ua_fn.name AS current_user_agent,
+    ip_fn.name AS current_ip_address
+  FROM services_public.rls_settings rs
+  LEFT JOIN metaschema_public.schema auth_schema ON rs.authenticate_schema_id = auth_schema.id
+  LEFT JOIN metaschema_public.schema role_schema ON rs.role_schema_id = role_schema.id
+  LEFT JOIN metaschema_public.function auth_fn ON rs.authenticate_function_id = auth_fn.id
+  LEFT JOIN metaschema_public.function auth_strict_fn ON rs.authenticate_strict_function_id = auth_strict_fn.id
+  LEFT JOIN metaschema_public.function role_fn ON rs.current_role_function_id = role_fn.id
+  LEFT JOIN metaschema_public.function role_id_fn ON rs.current_role_id_function_id = role_id_fn.id
+  LEFT JOIN metaschema_public.function ua_fn ON rs.current_user_agent_function_id = ua_fn.id
+  LEFT JOIN metaschema_public.function ip_fn ON rs.current_ip_address_function_id = ip_fn.id
+  WHERE rs.database_id = $1
+  LIMIT 1
+`;
+const RLS_SETTINGS_BY_DBNAME_SQL = `
+  SELECT
+    auth_schema.schema_name AS authenticate_schema,
+    role_schema.schema_name AS role_schema,
+    auth_fn.name AS authenticate,
+    auth_strict_fn.name AS authenticate_strict,
+    role_fn.name AS current_role,
+    role_id_fn.name AS current_role_id,
+    ua_fn.name AS current_user_agent,
+    ip_fn.name AS current_ip_address
+  FROM services_public.rls_settings rs
+  JOIN services_public.apis a ON rs.database_id = a.database_id
+  LEFT JOIN metaschema_public.schema auth_schema ON rs.authenticate_schema_id = auth_schema.id
+  LEFT JOIN metaschema_public.schema role_schema ON rs.role_schema_id = role_schema.id
+  LEFT JOIN metaschema_public.function auth_fn ON rs.authenticate_function_id = auth_fn.id
+  LEFT JOIN metaschema_public.function auth_strict_fn ON rs.authenticate_strict_function_id = auth_strict_fn.id
+  LEFT JOIN metaschema_public.function role_fn ON rs.current_role_function_id = role_fn.id
+  LEFT JOIN metaschema_public.function role_id_fn ON rs.current_role_id_function_id = role_id_fn.id
+  LEFT JOIN metaschema_public.function ua_fn ON rs.current_user_agent_function_id = ua_fn.id
+  LEFT JOIN metaschema_public.function ip_fn ON rs.current_ip_address_function_id = ip_fn.id
+  WHERE a.dbname = $1
+  LIMIT 1
+`;
 const toRlsModule = (row) => {
     if (!row?.data)
         return undefined;
@@ -89,6 +134,20 @@ const toRlsModule = (row) => {
         currentUserAgent: d.current_user_agent,
     };
 };
+const toRlsModuleFromSettings = (row) => {
+    if (!row)
+        return undefined;
+    return {
+        authenticate: row.authenticate,
+        authenticateStrict: row.authenticate_strict,
+        privateSchema: { schemaName: row.authenticate_schema },
+        publicSchema: { schemaName: row.role_schema },
+        currentRole: row.current_role,
+        currentRoleId: row.current_role_id,
+        currentIpAddress: row.current_ip_address,
+        currentUserAgent: row.current_user_agent,
+    };
+};
 const getBearerToken = (authorization) => {
     if (!authorization)
         return null;
@@ -98,7 +157,28 @@ const getBearerToken = (authorization) => {
     }
     return authToken;
 };
+const queryRlsSettingsByDatabaseId = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(RLS_SETTINGS_BY_DATABASE_ID_SQL, [databaseId]);
+        return toRlsModuleFromSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryRlsSettingsByDbname = async (pool, dbname) => {
+    try {
+        const result = await pool.query(RLS_SETTINGS_BY_DBNAME_SQL, [dbname]);
+        return toRlsModuleFromSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
 const queryRlsModuleByDatabaseId = async (pool, databaseId) => {
+    const fromSettings = await queryRlsSettingsByDatabaseId(pool, databaseId);
+    if (fromSettings)
+        return fromSettings;
     const result = await pool.query(RLS_MODULE_BY_DATABASE_ID_SQL, [databaseId]);
     return toRlsModule(result.rows[0] ?? null);
 };
@@ -107,6 +187,9 @@ const queryRlsModuleByApiId = async (pool, apiId) => {
     return toRlsModule(result.rows[0] ?? null);
 };
 const queryRlsModuleByDbname = async (pool, dbname) => {
+    const fromSettings = await queryRlsSettingsByDbname(pool, dbname);
+    if (fromSettings)
+        return fromSettings;
     const result = await pool.query(RLS_MODULE_BY_DBNAME_SQL, [dbname]);
     return toRlsModule(result.rows[0] ?? null);
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@constructive-io/graphql-server",
-  "version": "4.25.2",
+  "version": "4.26.1",
   "author": "Constructive <developers@constructive.io>",
   "description": "Constructive GraphQL Server",
   "main": "index.js",
@@ -63,7 +63,7 @@
     "graphile-build-pg": "5.0.0",
     "graphile-cache": "^3.8.0",
     "graphile-config": "1.0.0",
-    "graphile-settings": "^4.30.0",
+    "graphile-settings": "^4.30.2",
     "graphile-utils": "5.0.0",
     "graphql": "16.13.0",
     "graphql-upload": "^13.0.0",
@@ -85,10 +85,10 @@
     "@types/multer": "^2.1.0",
     "@types/pg": "^8.18.0",
     "@types/request-ip": "^0.0.41",
-    "graphile-test": "4.12.0",
+    "graphile-test": "4.12.1",
     "makage": "^0.3.0",
     "nodemon": "^3.1.14",
     "ts-node": "^10.9.2"
   },
-  "gitHead": "b1a89c4ab45fd22a63487cc6dc923a17772fac60"
+  "gitHead": "0fcb26c8f3379de5c2bf486e7ad78bb61a76e497"
 }