@constructive-io/graphql-server 4.26.0 → 4.27.0

package/esm/middleware/api.js

@@ -125,6 +125,93 @@ const AUTH_SETTINGS_SQL = (schemaName, tableName) => `
   FROM "${schemaName}"."${tableName}"
   LIMIT 1
 `;
+const CORS_SETTINGS_SQL = `
+  SELECT allowed_origins
+  FROM services_public.cors_settings
+  WHERE database_id = $1 AND api_id = $2
+  LIMIT 1
+`;
+const CORS_SETTINGS_DB_DEFAULT_SQL = `
+  SELECT allowed_origins
+  FROM services_public.cors_settings
+  WHERE database_id = $1 AND api_id IS NULL
+  LIMIT 1
+`;
+const CORS_MODULE_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'cors'
+  LIMIT 1
+`;
+const PUBKEY_SETTINGS_SQL = `
+  SELECT
+    s.schema_name AS schema,
+    ps.crypto_network,
+    sign_up_fn.name AS sign_up_with_key,
+    sign_in_req_fn.name AS sign_in_request_challenge,
+    sign_in_fail_fn.name AS sign_in_record_failure,
+    sign_in_fn.name AS sign_in_with_challenge
+  FROM services_public.pubkey_settings ps
+  LEFT JOIN metaschema_public.schema s ON ps.schema_id = s.id
+  LEFT JOIN metaschema_public.function sign_up_fn ON ps.sign_up_with_key_function_id = sign_up_fn.id
+  LEFT JOIN metaschema_public.function sign_in_req_fn ON ps.sign_in_request_challenge_function_id = sign_in_req_fn.id
+  LEFT JOIN metaschema_public.function sign_in_fail_fn ON ps.sign_in_record_failure_function_id = sign_in_fail_fn.id
+  LEFT JOIN metaschema_public.function sign_in_fn ON ps.sign_in_with_challenge_function_id = sign_in_fn.id
+  WHERE ps.database_id = $1
+  LIMIT 1
+`;
+const PUBKEY_MODULE_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'pubkey_challenge'
+  LIMIT 1
+`;
+const WEBAUTHN_SETTINGS_SQL = `
+  SELECT
+    s.schema_name AS schema,
+    cred_s.schema_name AS credentials_schema,
+    sess_s.schema_name AS sessions_schema,
+    sec_s.schema_name AS session_secrets_schema,
+    ws.rp_id,
+    ws.rp_name,
+    ws.origin_allowlist,
+    ws.attestation_type,
+    ws.require_user_verification,
+    ws.resident_key,
+    ws.challenge_expiry_seconds
+  FROM services_public.webauthn_settings ws
+  LEFT JOIN metaschema_public.schema s ON ws.schema_id = s.id
+  LEFT JOIN metaschema_public.schema cred_s ON ws.credentials_schema_id = cred_s.id
+  LEFT JOIN metaschema_public.schema sess_s ON ws.sessions_schema_id = sess_s.id
+  LEFT JOIN metaschema_public.schema sec_s ON ws.session_secrets_schema_id = sec_s.id
+  WHERE ws.database_id = $1
+  LIMIT 1
+`;
+const DATABASE_SETTINGS_SQL = `
+  SELECT
+    ds.enable_aggregates,
+    ds.enable_postgis,
+    ds.enable_search,
+    ds.enable_direct_uploads,
+    ds.enable_presigned_uploads,
+    ds.enable_many_to_many,
+    ds.enable_connection_filter,
+    ds.enable_ltree,
+    ds.enable_llm,
+    COALESCE(aps.enable_aggregates, ds.enable_aggregates) AS resolved_enable_aggregates,
+    COALESCE(aps.enable_postgis, ds.enable_postgis) AS resolved_enable_postgis,
+    COALESCE(aps.enable_search, ds.enable_search) AS resolved_enable_search,
+    COALESCE(aps.enable_direct_uploads, ds.enable_direct_uploads) AS resolved_enable_direct_uploads,
+    COALESCE(aps.enable_presigned_uploads, ds.enable_presigned_uploads) AS resolved_enable_presigned_uploads,
+    COALESCE(aps.enable_many_to_many, ds.enable_many_to_many) AS resolved_enable_many_to_many,
+    COALESCE(aps.enable_connection_filter, ds.enable_connection_filter) AS resolved_enable_connection_filter,
+    COALESCE(aps.enable_ltree, ds.enable_ltree) AS resolved_enable_ltree,
+    COALESCE(aps.enable_llm, ds.enable_llm) AS resolved_enable_llm
+  FROM services_public.database_settings ds
+  LEFT JOIN services_public.api_settings aps ON ds.database_id = aps.database_id AND aps.api_id = $2
+  WHERE ds.database_id = $1
+  LIMIT 1
+`;
 // =============================================================================
 // Helpers
 // =============================================================================
@@ -209,18 +296,22 @@ const toAuthSettings = (row) => {
         captchaSiteKey: row.captcha_site_key,
     };
 };
-const toApiStructure = (row, opts, rlsModule, authSettingsRow) => ({
+const toApiStructure = (row, opts, settings = {}) => ({
     apiId: row.api_id,
     dbname: row.dbname || opts.pg?.database || '',
     anonRole: row.anon_role || 'anon',
     roleName: row.role_name || 'authenticated',
     schema: row.schemas || [],
     apiModules: [],
-    rlsModule,
+    rlsModule: settings.rlsModule,
     domains: [],
     databaseId: row.database_id,
     isPublic: row.is_public,
-    authSettings: toAuthSettings(authSettingsRow ?? null),
+    authSettings: toAuthSettings(settings.authSettingsRow ?? null),
+    corsOrigins: settings.corsOrigins,
+    databaseSettings: settings.databaseSettings,
+    pubkeyChallengeSettings: settings.pubkeyChallengeSettings,
+    webauthnSettings: settings.webauthnSettings,
 });
 const createAdminStructure = (opts, schemas, databaseId) => ({
     dbname: opts.pg?.database ?? '',
@@ -270,6 +361,132 @@ const queryRlsModule = async (pool, databaseId, apiId) => {
         return fromSettings;
     return queryRlsModuleLegacy(pool, apiId);
 };
+// -- CORS --
+const queryCorsSettings = async (pool, databaseId, apiId) => {
+    try {
+        if (apiId) {
+            const perApi = await pool.query(CORS_SETTINGS_SQL, [databaseId, apiId]);
+            if (perApi.rows[0])
+                return perApi.rows[0].allowed_origins;
+        }
+        const dbDefault = await pool.query(CORS_SETTINGS_DB_DEFAULT_SQL, [databaseId]);
+        return dbDefault.rows[0]?.allowed_origins;
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryCorsModuleLegacy = async (pool, apiId) => {
+    const result = await pool.query(CORS_MODULE_SQL, [apiId]);
+    return result.rows[0]?.data?.urls;
+};
+const queryCorsOrigins = async (pool, databaseId, apiId) => {
+    const fromSettings = await queryCorsSettings(pool, databaseId, apiId);
+    if (fromSettings)
+        return fromSettings;
+    if (apiId)
+        return queryCorsModuleLegacy(pool, apiId);
+    return undefined;
+};
+// -- Pubkey --
+const toPubkeyChallengeSettings = (row) => {
+    if (!row?.schema || !row?.sign_up_with_key)
+        return undefined;
+    return {
+        schema: row.schema,
+        cryptoNetwork: row.crypto_network,
+        signUpWithKey: row.sign_up_with_key,
+        signInRequestChallenge: row.sign_in_request_challenge,
+        signInRecordFailure: row.sign_in_record_failure,
+        signInWithChallenge: row.sign_in_with_challenge,
+    };
+};
+const toPubkeyChallengeFromModule = (row) => {
+    if (!row?.data?.schema)
+        return undefined;
+    const d = row.data;
+    return {
+        schema: d.schema,
+        cryptoNetwork: d.crypto_network,
+        signUpWithKey: d.sign_up_with_key,
+        signInRequestChallenge: d.sign_in_request_challenge,
+        signInRecordFailure: d.sign_in_record_failure,
+        signInWithChallenge: d.sign_in_with_challenge,
+    };
+};
+const queryPubkeySettings = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(PUBKEY_SETTINGS_SQL, [databaseId]);
+        return toPubkeyChallengeSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryPubkeyModuleLegacy = async (pool, apiId) => {
+    const result = await pool.query(PUBKEY_MODULE_SQL, [apiId]);
+    return toPubkeyChallengeFromModule(result.rows[0] ?? null);
+};
+const queryPubkeyChallenge = async (pool, databaseId, apiId) => {
+    const fromSettings = await queryPubkeySettings(pool, databaseId);
+    if (fromSettings)
+        return fromSettings;
+    if (apiId)
+        return queryPubkeyModuleLegacy(pool, apiId);
+    return undefined;
+};
+// -- WebAuthn --
+const toWebauthnSettings = (row) => {
+    if (!row?.schema)
+        return undefined;
+    return {
+        schema: row.schema,
+        credentialsSchema: row.credentials_schema,
+        sessionsSchema: row.sessions_schema,
+        sessionSecretsSchema: row.session_secrets_schema,
+        rpId: row.rp_id,
+        rpName: row.rp_name,
+        originAllowlist: row.origin_allowlist,
+        attestationType: row.attestation_type,
+        requireUserVerification: row.require_user_verification,
+        residentKey: row.resident_key,
+        challengeExpirySeconds: row.challenge_expiry_seconds,
+    };
+};
+const queryWebauthnSettings = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(WEBAUTHN_SETTINGS_SQL, [databaseId]);
+        return toWebauthnSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+// -- Database Settings (feature flags) --
+const toDatabaseSettings = (row) => {
+    if (!row)
+        return undefined;
+    return {
+        enableAggregates: row.resolved_enable_aggregates,
+        enablePostgis: row.resolved_enable_postgis,
+        enableSearch: row.resolved_enable_search,
+        enableDirectUploads: row.resolved_enable_direct_uploads,
+        enablePresignedUploads: row.resolved_enable_presigned_uploads,
+        enableManyToMany: row.resolved_enable_many_to_many,
+        enableConnectionFilter: row.resolved_enable_connection_filter,
+        enableLtree: row.resolved_enable_ltree,
+        enableLlm: row.resolved_enable_llm,
+    };
+};
+const queryDatabaseSettings = async (pool, databaseId, apiId) => {
+    try {
+        const result = await pool.query(DATABASE_SETTINGS_SQL, [databaseId, apiId ?? null]);
+        return toDatabaseSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
 /**
  * Load server-relevant auth settings from the tenant DB.
  * Discovers the auth settings table dynamically by joining
@@ -346,10 +563,16 @@ const resolveApiNameHeader = async (ctx) => {
         log.debug(`[api-name-lookup] No API found for databaseId=${headers.databaseId} name=${headers.apiName}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
-    const authSettings = await queryAuthSettings(opts, row.dbname);
-    log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
-    return toApiStructure(row, opts, rlsModule, authSettings);
+    const [rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings] = await Promise.all([
+        queryRlsModule(pool, row.database_id, row.api_id),
+        queryAuthSettings(opts, row.dbname),
+        queryCorsOrigins(pool, row.database_id, row.api_id),
+        queryDatabaseSettings(pool, row.database_id, row.api_id),
+        queryPubkeyChallenge(pool, row.database_id, row.api_id),
+        queryWebauthnSettings(pool, row.database_id),
+    ]);
+    log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettingsRow ? 'found' : 'none'}`);
+    return toApiStructure(row, opts, { rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings });
 };
 const resolveMetaSchemaHeader = (ctx, validatedSchemas) => {
     return createAdminStructure(ctx.opts, validatedSchemas, ctx.headers.databaseId);
@@ -363,10 +586,16 @@ const resolveDomainLookup = async (ctx) => {
         log.debug(`[domain-lookup] No API found for domain=${domain} subdomain=${subdomain}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
-    const authSettings = await queryAuthSettings(opts, row.dbname);
-    log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
-    return toApiStructure(row, opts, rlsModule, authSettings);
+    const [rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings] = await Promise.all([
+        queryRlsModule(pool, row.database_id, row.api_id),
+        queryAuthSettings(opts, row.dbname),
+        queryCorsOrigins(pool, row.database_id, row.api_id),
+        queryDatabaseSettings(pool, row.database_id, row.api_id),
+        queryPubkeyChallenge(pool, row.database_id, row.api_id),
+        queryWebauthnSettings(pool, row.database_id),
+    ]);
+    log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettingsRow ? 'found' : 'none'}`);
+    return toApiStructure(row, opts, { rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings });
 };
 const buildDevFallbackError = async (ctx, req) => {
     if (getNodeEnv() !== 'development')

package/esm/middleware/cors.js

@@ -6,7 +6,8 @@ import './types'; // for Request type
  *
  * Feature parity + compatibility:
  *  - Respects a global fallback origin (e.g. from env/CLI) for quick overrides.
- *  - Preserves multi-tenant, per-API CORS via meta schema ('cors' module + domains).
+ *  - Reads per-API CORS origins from typed cors_settings table (via req.api.corsOrigins).
+ *  - Falls back to legacy api_modules CORS data for backwards compatibility.
  *  - Always allows localhost to ease development.
  *
  * Usage:
@@ -31,9 +32,13 @@ export const cors = (fallbackOrigin) => {
         //    createApiMiddleware runs before this in server.ts, so req.api should be set
         const api = req.api;
         if (api) {
+            // Typed cors_settings origins (preferred)
+            const typedOrigins = api.corsOrigins || [];
+            // Legacy api_modules CORS data (fallback)
             const corsModules = (api.apiModules || []).filter((m) => m.name === 'cors');
+            const legacyOrigins = corsModules.reduce((m, mod) => [...mod.data.urls, ...m], []);
             const siteUrls = api.domains || [];
-            const listOfDomains = corsModules.reduce((m, mod) => [...mod.data.urls, ...m], siteUrls);
+            const listOfDomains = [...typedOrigins, ...legacyOrigins, ...siteUrls];
             if (origin && listOfDomains.includes(origin)) {
                 return callback(null, true);
             }

package/esm/middleware/graphile.js

@@ -2,7 +2,7 @@ import crypto from 'node:crypto';
 import { getNodeEnv } from '@pgpmjs/env';
 import { Logger } from '@pgpmjs/logger';
 import { createGraphileInstance, graphileCache } from 'graphile-cache';
-import { ConstructivePreset, makePgService } from 'graphile-settings';
+import { createConstructivePreset, makePgService } from 'graphile-settings';
 import { getPgPool } from 'pg-cache';
 import { getPgEnvOptions } from 'pg-env';
 import './types'; // for Request type
@@ -177,10 +177,15 @@ const log = new Logger('graphile');
 const reqLabel = (req) => (req.requestId ? `[${req.requestId}]` : '[req]');
 /**
  * Build a PostGraphile v5 preset for a tenant.
+ *
+ * When `databaseSettings` are available the flags are forwarded to
+ * `createConstructivePreset()` which conditionally includes each
+ * plugin preset.  Without settings the default preset is used
+ * (everything on except aggregates and LLM).
  */
-const buildPreset = (pool, schemas, anonRole, roleName) => {
+const buildPreset = (pool, schemas, anonRole, roleName, databaseSettings) => {
     return {
-        extends: [ConstructivePreset],
+        extends: [createConstructivePreset(databaseSettings)],
         pgServices: [
             makePgService({
                 pool,
@@ -314,7 +319,7 @@ export const graphile = (opts) => {
             // properly, preventing leaked connections during database teardown.
             const pool = getPgPool(pgConfig);
             // Create promise and store in in-flight map BEFORE try block
-            const preset = buildPreset(pool, schema || [], anonRole, roleName);
+            const preset = buildPreset(pool, schema || [], anonRole, roleName, api.databaseSettings);
             const creationPromise = observeGraphileBuild({
                 cacheKey: key,
                 serviceKey: key,

package/middleware/api.js

@@ -131,6 +131,93 @@ const AUTH_SETTINGS_SQL = (schemaName, tableName) => `
   FROM "${schemaName}"."${tableName}"
   LIMIT 1
 `;
+const CORS_SETTINGS_SQL = `
+  SELECT allowed_origins
+  FROM services_public.cors_settings
+  WHERE database_id = $1 AND api_id = $2
+  LIMIT 1
+`;
+const CORS_SETTINGS_DB_DEFAULT_SQL = `
+  SELECT allowed_origins
+  FROM services_public.cors_settings
+  WHERE database_id = $1 AND api_id IS NULL
+  LIMIT 1
+`;
+const CORS_MODULE_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'cors'
+  LIMIT 1
+`;
+const PUBKEY_SETTINGS_SQL = `
+  SELECT
+    s.schema_name AS schema,
+    ps.crypto_network,
+    sign_up_fn.name AS sign_up_with_key,
+    sign_in_req_fn.name AS sign_in_request_challenge,
+    sign_in_fail_fn.name AS sign_in_record_failure,
+    sign_in_fn.name AS sign_in_with_challenge
+  FROM services_public.pubkey_settings ps
+  LEFT JOIN metaschema_public.schema s ON ps.schema_id = s.id
+  LEFT JOIN metaschema_public.function sign_up_fn ON ps.sign_up_with_key_function_id = sign_up_fn.id
+  LEFT JOIN metaschema_public.function sign_in_req_fn ON ps.sign_in_request_challenge_function_id = sign_in_req_fn.id
+  LEFT JOIN metaschema_public.function sign_in_fail_fn ON ps.sign_in_record_failure_function_id = sign_in_fail_fn.id
+  LEFT JOIN metaschema_public.function sign_in_fn ON ps.sign_in_with_challenge_function_id = sign_in_fn.id
+  WHERE ps.database_id = $1
+  LIMIT 1
+`;
+const PUBKEY_MODULE_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'pubkey_challenge'
+  LIMIT 1
+`;
+const WEBAUTHN_SETTINGS_SQL = `
+  SELECT
+    s.schema_name AS schema,
+    cred_s.schema_name AS credentials_schema,
+    sess_s.schema_name AS sessions_schema,
+    sec_s.schema_name AS session_secrets_schema,
+    ws.rp_id,
+    ws.rp_name,
+    ws.origin_allowlist,
+    ws.attestation_type,
+    ws.require_user_verification,
+    ws.resident_key,
+    ws.challenge_expiry_seconds
+  FROM services_public.webauthn_settings ws
+  LEFT JOIN metaschema_public.schema s ON ws.schema_id = s.id
+  LEFT JOIN metaschema_public.schema cred_s ON ws.credentials_schema_id = cred_s.id
+  LEFT JOIN metaschema_public.schema sess_s ON ws.sessions_schema_id = sess_s.id
+  LEFT JOIN metaschema_public.schema sec_s ON ws.session_secrets_schema_id = sec_s.id
+  WHERE ws.database_id = $1
+  LIMIT 1
+`;
+const DATABASE_SETTINGS_SQL = `
+  SELECT
+    ds.enable_aggregates,
+    ds.enable_postgis,
+    ds.enable_search,
+    ds.enable_direct_uploads,
+    ds.enable_presigned_uploads,
+    ds.enable_many_to_many,
+    ds.enable_connection_filter,
+    ds.enable_ltree,
+    ds.enable_llm,
+    COALESCE(aps.enable_aggregates, ds.enable_aggregates) AS resolved_enable_aggregates,
+    COALESCE(aps.enable_postgis, ds.enable_postgis) AS resolved_enable_postgis,
+    COALESCE(aps.enable_search, ds.enable_search) AS resolved_enable_search,
+    COALESCE(aps.enable_direct_uploads, ds.enable_direct_uploads) AS resolved_enable_direct_uploads,
+    COALESCE(aps.enable_presigned_uploads, ds.enable_presigned_uploads) AS resolved_enable_presigned_uploads,
+    COALESCE(aps.enable_many_to_many, ds.enable_many_to_many) AS resolved_enable_many_to_many,
+    COALESCE(aps.enable_connection_filter, ds.enable_connection_filter) AS resolved_enable_connection_filter,
+    COALESCE(aps.enable_ltree, ds.enable_ltree) AS resolved_enable_ltree,
+    COALESCE(aps.enable_llm, ds.enable_llm) AS resolved_enable_llm
+  FROM services_public.database_settings ds
+  LEFT JOIN services_public.api_settings aps ON ds.database_id = aps.database_id AND aps.api_id = $2
+  WHERE ds.database_id = $1
+  LIMIT 1
+`;
 // =============================================================================
 // Helpers
 // =============================================================================
@@ -217,18 +304,22 @@ const toAuthSettings = (row) => {
         captchaSiteKey: row.captcha_site_key,
     };
 };
-const toApiStructure = (row, opts, rlsModule, authSettingsRow) => ({
+const toApiStructure = (row, opts, settings = {}) => ({
     apiId: row.api_id,
     dbname: row.dbname || opts.pg?.database || '',
     anonRole: row.anon_role || 'anon',
     roleName: row.role_name || 'authenticated',
     schema: row.schemas || [],
     apiModules: [],
-    rlsModule,
+    rlsModule: settings.rlsModule,
     domains: [],
     databaseId: row.database_id,
     isPublic: row.is_public,
-    authSettings: toAuthSettings(authSettingsRow ?? null),
+    authSettings: toAuthSettings(settings.authSettingsRow ?? null),
+    corsOrigins: settings.corsOrigins,
+    databaseSettings: settings.databaseSettings,
+    pubkeyChallengeSettings: settings.pubkeyChallengeSettings,
+    webauthnSettings: settings.webauthnSettings,
 });
 const createAdminStructure = (opts, schemas, databaseId) => ({
     dbname: opts.pg?.database ?? '',
@@ -278,6 +369,132 @@ const queryRlsModule = async (pool, databaseId, apiId) => {
         return fromSettings;
     return queryRlsModuleLegacy(pool, apiId);
 };
+// -- CORS --
+const queryCorsSettings = async (pool, databaseId, apiId) => {
+    try {
+        if (apiId) {
+            const perApi = await pool.query(CORS_SETTINGS_SQL, [databaseId, apiId]);
+            if (perApi.rows[0])
+                return perApi.rows[0].allowed_origins;
+        }
+        const dbDefault = await pool.query(CORS_SETTINGS_DB_DEFAULT_SQL, [databaseId]);
+        return dbDefault.rows[0]?.allowed_origins;
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryCorsModuleLegacy = async (pool, apiId) => {
+    const result = await pool.query(CORS_MODULE_SQL, [apiId]);
+    return result.rows[0]?.data?.urls;
+};
+const queryCorsOrigins = async (pool, databaseId, apiId) => {
+    const fromSettings = await queryCorsSettings(pool, databaseId, apiId);
+    if (fromSettings)
+        return fromSettings;
+    if (apiId)
+        return queryCorsModuleLegacy(pool, apiId);
+    return undefined;
+};
+// -- Pubkey --
+const toPubkeyChallengeSettings = (row) => {
+    if (!row?.schema || !row?.sign_up_with_key)
+        return undefined;
+    return {
+        schema: row.schema,
+        cryptoNetwork: row.crypto_network,
+        signUpWithKey: row.sign_up_with_key,
+        signInRequestChallenge: row.sign_in_request_challenge,
+        signInRecordFailure: row.sign_in_record_failure,
+        signInWithChallenge: row.sign_in_with_challenge,
+    };
+};
+const toPubkeyChallengeFromModule = (row) => {
+    if (!row?.data?.schema)
+        return undefined;
+    const d = row.data;
+    return {
+        schema: d.schema,
+        cryptoNetwork: d.crypto_network,
+        signUpWithKey: d.sign_up_with_key,
+        signInRequestChallenge: d.sign_in_request_challenge,
+        signInRecordFailure: d.sign_in_record_failure,
+        signInWithChallenge: d.sign_in_with_challenge,
+    };
+};
+const queryPubkeySettings = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(PUBKEY_SETTINGS_SQL, [databaseId]);
+        return toPubkeyChallengeSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+const queryPubkeyModuleLegacy = async (pool, apiId) => {
+    const result = await pool.query(PUBKEY_MODULE_SQL, [apiId]);
+    return toPubkeyChallengeFromModule(result.rows[0] ?? null);
+};
+const queryPubkeyChallenge = async (pool, databaseId, apiId) => {
+    const fromSettings = await queryPubkeySettings(pool, databaseId);
+    if (fromSettings)
+        return fromSettings;
+    if (apiId)
+        return queryPubkeyModuleLegacy(pool, apiId);
+    return undefined;
+};
+// -- WebAuthn --
+const toWebauthnSettings = (row) => {
+    if (!row?.schema)
+        return undefined;
+    return {
+        schema: row.schema,
+        credentialsSchema: row.credentials_schema,
+        sessionsSchema: row.sessions_schema,
+        sessionSecretsSchema: row.session_secrets_schema,
+        rpId: row.rp_id,
+        rpName: row.rp_name,
+        originAllowlist: row.origin_allowlist,
+        attestationType: row.attestation_type,
+        requireUserVerification: row.require_user_verification,
+        residentKey: row.resident_key,
+        challengeExpirySeconds: row.challenge_expiry_seconds,
+    };
+};
+const queryWebauthnSettings = async (pool, databaseId) => {
+    try {
+        const result = await pool.query(WEBAUTHN_SETTINGS_SQL, [databaseId]);
+        return toWebauthnSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
+// -- Database Settings (feature flags) --
+const toDatabaseSettings = (row) => {
+    if (!row)
+        return undefined;
+    return {
+        enableAggregates: row.resolved_enable_aggregates,
+        enablePostgis: row.resolved_enable_postgis,
+        enableSearch: row.resolved_enable_search,
+        enableDirectUploads: row.resolved_enable_direct_uploads,
+        enablePresignedUploads: row.resolved_enable_presigned_uploads,
+        enableManyToMany: row.resolved_enable_many_to_many,
+        enableConnectionFilter: row.resolved_enable_connection_filter,
+        enableLtree: row.resolved_enable_ltree,
+        enableLlm: row.resolved_enable_llm,
+    };
+};
+const queryDatabaseSettings = async (pool, databaseId, apiId) => {
+    try {
+        const result = await pool.query(DATABASE_SETTINGS_SQL, [databaseId, apiId ?? null]);
+        return toDatabaseSettings(result.rows[0] ?? null);
+    }
+    catch {
+        return undefined;
+    }
+};
 /**
  * Load server-relevant auth settings from the tenant DB.
  * Discovers the auth settings table dynamically by joining
@@ -354,10 +571,16 @@ const resolveApiNameHeader = async (ctx) => {
         log.debug(`[api-name-lookup] No API found for databaseId=${headers.databaseId} name=${headers.apiName}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
-    const authSettings = await queryAuthSettings(opts, row.dbname);
-    log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
-    return toApiStructure(row, opts, rlsModule, authSettings);
+    const [rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings] = await Promise.all([
+        queryRlsModule(pool, row.database_id, row.api_id),
+        queryAuthSettings(opts, row.dbname),
+        queryCorsOrigins(pool, row.database_id, row.api_id),
+        queryDatabaseSettings(pool, row.database_id, row.api_id),
+        queryPubkeyChallenge(pool, row.database_id, row.api_id),
+        queryWebauthnSettings(pool, row.database_id),
+    ]);
+    log.debug(`[api-name-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettingsRow ? 'found' : 'none'}`);
+    return toApiStructure(row, opts, { rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings });
 };
 const resolveMetaSchemaHeader = (ctx, validatedSchemas) => {
     return createAdminStructure(ctx.opts, validatedSchemas, ctx.headers.databaseId);
@@ -371,10 +594,16 @@ const resolveDomainLookup = async (ctx) => {
         log.debug(`[domain-lookup] No API found for domain=${domain} subdomain=${subdomain}`);
         return null;
     }
-    const rlsModule = await queryRlsModule(pool, row.database_id, row.api_id);
-    const authSettings = await queryAuthSettings(opts, row.dbname);
-    log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettings ? 'found' : 'none'}`);
-    return toApiStructure(row, opts, rlsModule, authSettings);
+    const [rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings] = await Promise.all([
+        queryRlsModule(pool, row.database_id, row.api_id),
+        queryAuthSettings(opts, row.dbname),
+        queryCorsOrigins(pool, row.database_id, row.api_id),
+        queryDatabaseSettings(pool, row.database_id, row.api_id),
+        queryPubkeyChallenge(pool, row.database_id, row.api_id),
+        queryWebauthnSettings(pool, row.database_id),
+    ]);
+    log.debug(`[domain-lookup] resolved schemas: [${row.schemas?.join(', ')}], rlsModule: ${rlsModule ? 'found' : 'none'}, authSettings: ${authSettingsRow ? 'found' : 'none'}`);
+    return toApiStructure(row, opts, { rlsModule, authSettingsRow, corsOrigins, databaseSettings, pubkeyChallengeSettings, webauthnSettings });
 };
 const buildDevFallbackError = async (ctx, req) => {
     if ((0, env_1.getNodeEnv)() !== 'development')

package/middleware/cors.d.ts

@@ -5,7 +5,8 @@ import './types';
  *
  * Feature parity + compatibility:
  *  - Respects a global fallback origin (e.g. from env/CLI) for quick overrides.
- *  - Preserves multi-tenant, per-API CORS via meta schema ('cors' module + domains).
+ *  - Reads per-API CORS origins from typed cors_settings table (via req.api.corsOrigins).
+ *  - Falls back to legacy api_modules CORS data for backwards compatibility.
  *  - Always allows localhost to ease development.
  *
  * Usage:

package/middleware/cors.js

@@ -12,7 +12,8 @@ require("./types"); // for Request type
  *
  * Feature parity + compatibility:
  *  - Respects a global fallback origin (e.g. from env/CLI) for quick overrides.
- *  - Preserves multi-tenant, per-API CORS via meta schema ('cors' module + domains).
+ *  - Reads per-API CORS origins from typed cors_settings table (via req.api.corsOrigins).
+ *  - Falls back to legacy api_modules CORS data for backwards compatibility.
  *  - Always allows localhost to ease development.
  *
  * Usage:
@@ -37,9 +38,13 @@ const cors = (fallbackOrigin) => {
         //    createApiMiddleware runs before this in server.ts, so req.api should be set
         const api = req.api;
         if (api) {
+            // Typed cors_settings origins (preferred)
+            const typedOrigins = api.corsOrigins || [];
+            // Legacy api_modules CORS data (fallback)
             const corsModules = (api.apiModules || []).filter((m) => m.name === 'cors');
+            const legacyOrigins = corsModules.reduce((m, mod) => [...mod.data.urls, ...m], []);
             const siteUrls = api.domains || [];
-            const listOfDomains = corsModules.reduce((m, mod) => [...mod.data.urls, ...m], siteUrls);
+            const listOfDomains = [...typedOrigins, ...legacyOrigins, ...siteUrls];
             if (origin && listOfDomains.includes(origin)) {
                 return callback(null, true);
             }

package/middleware/graphile.js

@@ -186,10 +186,15 @@ const log = new logger_1.Logger('graphile');
 const reqLabel = (req) => (req.requestId ? `[${req.requestId}]` : '[req]');
 /**
  * Build a PostGraphile v5 preset for a tenant.
+ *
+ * When `databaseSettings` are available the flags are forwarded to
+ * `createConstructivePreset()` which conditionally includes each
+ * plugin preset.  Without settings the default preset is used
+ * (everything on except aggregates and LLM).
  */
-const buildPreset = (pool, schemas, anonRole, roleName) => {
+const buildPreset = (pool, schemas, anonRole, roleName, databaseSettings) => {
     return {
-        extends: [graphile_settings_1.ConstructivePreset],
+        extends: [(0, graphile_settings_1.createConstructivePreset)(databaseSettings)],
         pgServices: [
             (0, graphile_settings_1.makePgService)({
                 pool,
@@ -323,7 +328,7 @@ const graphile = (opts) => {
             // properly, preventing leaked connections during database teardown.
             const pool = (0, pg_cache_1.getPgPool)(pgConfig);
             // Create promise and store in in-flight map BEFORE try block
-            const preset = buildPreset(pool, schema || [], anonRole, roleName);
+            const preset = buildPreset(pool, schema || [], anonRole, roleName, api.databaseSettings);
             const creationPromise = (0, graphile_build_stats_1.observeGraphileBuild)({
                 cacheKey: key,
                 serviceKey: key,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@constructive-io/graphql-server",
-  "version": "4.26.0",
+  "version": "4.27.0",
   "author": "Constructive <developers@constructive.io>",
   "description": "Constructive GraphQL Server",
   "main": "index.js",
@@ -63,7 +63,7 @@
     "graphile-build-pg": "5.0.0",
     "graphile-cache": "^3.8.0",
     "graphile-config": "1.0.0",
-    "graphile-settings": "^4.30.1",
+    "graphile-settings": "^4.31.0",
     "graphile-utils": "5.0.0",
     "graphql": "16.13.0",
     "graphql-upload": "^13.0.0",
@@ -85,10 +85,10 @@
     "@types/multer": "^2.1.0",
     "@types/pg": "^8.18.0",
     "@types/request-ip": "^0.0.41",
-    "graphile-test": "4.12.0",
+    "graphile-test": "4.12.1",
     "makage": "^0.3.0",
     "nodemon": "^3.1.14",
     "ts-node": "^10.9.2"
   },
-  "gitHead": "97ec8e14f2b0855b0ee0bc732a082e1a91301b64"
+  "gitHead": "38a99d5e61d756271a0024eb16d4f85923da936f"
 }

package/types.d.ts

@@ -14,6 +14,50 @@ export interface PublicKeyChallengeData {
 export interface GenericModuleData {
     [key: string]: unknown;
 }
+/**
+ * Resolved feature flags from database_settings + api_settings cascade.
+ * api_settings values (when non-null) override database_settings defaults.
+ */
+export interface DatabaseSettings {
+    enableAggregates: boolean;
+    enablePostgis: boolean;
+    enableSearch: boolean;
+    enableDirectUploads: boolean;
+    enablePresignedUploads: boolean;
+    enableManyToMany: boolean;
+    enableConnectionFilter: boolean;
+    enableLtree: boolean;
+    enableLlm: boolean;
+}
+/**
+ * Resolved pubkey challenge config from pubkey_settings typed table.
+ * Matches the shape expected by the PublicKeySignature Graphile plugin.
+ */
+export interface PubkeyChallengeSettings {
+    schema: string;
+    cryptoNetwork: string;
+    signUpWithKey: string;
+    signInRequestChallenge: string;
+    signInRecordFailure: string;
+    signInWithChallenge: string;
+}
+/**
+ * Resolved WebAuthn config from webauthn_settings typed table.
+ * Stored on ApiStructure for future server-side WebAuthn wiring.
+ */
+export interface WebauthnSettings {
+    schema: string;
+    credentialsSchema: string;
+    sessionsSchema: string;
+    sessionSecretsSchema: string;
+    rpId: string;
+    rpName: string;
+    originAllowlist: string[];
+    attestationType: string;
+    requireUserVerification: boolean;
+    residentKey: string;
+    challengeExpirySeconds: number;
+}
 export type ApiModule = {
     name: 'cors';
     data: CorsModuleData;
@@ -67,6 +111,10 @@ export interface ApiStructure {
     databaseId?: string;
     isPublic?: boolean;
     authSettings?: AuthSettings;
+    corsOrigins?: string[];
+    databaseSettings?: DatabaseSettings;
+    pubkeyChallengeSettings?: PubkeyChallengeSettings;
+    webauthnSettings?: WebauthnSettings;
 }
 export type ApiError = {
     errorHtml: string;