@constructive-io/graphql-server 4.5.2 → 4.6.1

package/esm/middleware/api.js

@@ -70,13 +70,9 @@ const API_LIST_SQL = `
   LIMIT 100
 `;
 const RLS_MODULE_SQL = `
-  SELECT 
-    rm.authenticate,
-    rm.authenticate_strict,
-    ps.schema_name as private_schema_name
-  FROM metaschema_modules_public.rls_module rm
-  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id
-  WHERE rm.api_id = $1
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
 // =============================================================================
@@ -113,14 +109,22 @@ export const getSvcKey = (opts, req) => {
     return baseKey;
 };
 const toRlsModule = (row) => {
-    if (!row || !row.private_schema_name)
+    if (!row?.data)
         return undefined;
+    const d = row.data;
     return {
-        authenticate: row.authenticate ?? undefined,
-        authenticateStrict: row.authenticate_strict ?? undefined,
+        authenticate: d.authenticate,
+        authenticateStrict: d.authenticate_strict,
         privateSchema: {
-            schemaName: row.private_schema_name,
+            schemaName: d.authenticate_schema,
+        },
+        publicSchema: {
+            schemaName: d.role_schema,
         },
+        currentRole: d.current_role,
+        currentRoleId: d.current_role_id,
+        currentIpAddress: d.current_ip_address,
+        currentUserAgent: d.current_user_agent,
     };
 };
 const toApiStructure = (row, opts, rlsModuleRow) => ({

package/esm/middleware/upload.js

@@ -2,7 +2,7 @@ import { Logger } from '@pgpmjs/logger';
 import fs from 'fs';
 import multer from 'multer';
 import os from 'os';
-import { escapeIdentifier } from 'pg';
+import { QuoteUtils } from '@pgsql/quotes';
 import { getPgPool } from 'pg-cache';
 import pgQueryContext from 'pg-query-context';
 import { streamToStorage } from 'graphile-settings';
@@ -46,36 +46,41 @@ const parseFileWithErrors = (req, res, next) => {
         return res.status(400).json({ error: 'File upload failed' });
     });
 };
-const RLS_MODULE_BASE_SQL = `
-  SELECT
-    rm.authenticate,
-    rm.authenticate_strict,
-    ps.schema_name as private_schema_name
-  FROM metaschema_modules_public.rls_module rm
-  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id`;
-const RLS_MODULE_BY_DATABASE_ID_SQL = `${RLS_MODULE_BASE_SQL}
-  JOIN services_public.apis a ON rm.api_id = a.id
-  WHERE a.database_id = $1
+const RLS_MODULE_BY_DATABASE_ID_SQL = `
+  SELECT am.data
+  FROM services_public.api_modules am
+  JOIN services_public.apis a ON am.api_id = a.id
+  WHERE am.name = 'rls_module' AND a.database_id = $1
   ORDER BY a.id
   LIMIT 1
 `;
-const RLS_MODULE_BY_API_ID_SQL = `${RLS_MODULE_BASE_SQL}
-  WHERE rm.api_id = $1
+const RLS_MODULE_BY_API_ID_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
-const RLS_MODULE_BY_DBNAME_SQL = `${RLS_MODULE_BASE_SQL}
-  JOIN services_public.apis a ON rm.api_id = a.id
-  WHERE a.dbname = $1
+const RLS_MODULE_BY_DBNAME_SQL = `
+  SELECT am.data
+  FROM services_public.api_modules am
+  JOIN services_public.apis a ON am.api_id = a.id
+  WHERE am.name = 'rls_module' AND a.dbname = $1
   ORDER BY a.id
   LIMIT 1
 `;
 const toRlsModule = (row) => {
-    if (!row || !row.private_schema_name)
+    if (!row?.data)
         return undefined;
+    const d = row.data;
     return {
-        authenticate: row.authenticate ?? undefined,
-        authenticateStrict: row.authenticate_strict ?? undefined,
-        privateSchema: { schemaName: row.private_schema_name },
+        authenticate: d.authenticate,
+        authenticateStrict: d.authenticate_strict,
+        privateSchema: { schemaName: d.authenticate_schema },
+        publicSchema: { schemaName: d.role_schema },
+        currentRole: d.current_role,
+        currentRoleId: d.current_role_id,
+        currentIpAddress: d.current_ip_address,
+        currentUserAgent: d.current_user_agent,
     };
 };
 const getBearerToken = (authorization) => {
@@ -167,12 +172,6 @@ export const createUploadAuthenticateMiddleware = (opts) => {
             authError(res);
             return;
         }
-        const SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/;
-        if (!SAFE_IDENTIFIER.test(privateSchema) || !SAFE_IDENTIFIER.test(authFn)) {
-            authLog.error(`[upload-auth] Invalid SQL identifier: schema=${privateSchema} fn=${authFn}`);
-            authError(res);
-            return;
-        }
         const pool = getPgPool({
             ...opts.pg,
             database: api.dbname,
@@ -191,7 +190,7 @@ export const createUploadAuthenticateMiddleware = (opts) => {
             const result = await pgQueryContext({
                 client: pool,
                 context,
-                query: `SELECT * FROM ${escapeIdentifier(privateSchema)}.${escapeIdentifier(authFn)}($1)`,
+                query: `SELECT * FROM ${QuoteUtils.quoteQualifiedIdentifier(privateSchema, authFn)}($1)`,
                 variables: [authToken],
             });
             if (!result?.rowCount) {

package/middleware/api.js

@@ -76,13 +76,9 @@ const API_LIST_SQL = `
   LIMIT 100
 `;
 const RLS_MODULE_SQL = `
-  SELECT 
-    rm.authenticate,
-    rm.authenticate_strict,
-    ps.schema_name as private_schema_name
-  FROM metaschema_modules_public.rls_module rm
-  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id
-  WHERE rm.api_id = $1
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
 // =============================================================================
@@ -121,14 +117,22 @@ const getSvcKey = (opts, req) => {
 };
 exports.getSvcKey = getSvcKey;
 const toRlsModule = (row) => {
-    if (!row || !row.private_schema_name)
+    if (!row?.data)
         return undefined;
+    const d = row.data;
     return {
-        authenticate: row.authenticate ?? undefined,
-        authenticateStrict: row.authenticate_strict ?? undefined,
+        authenticate: d.authenticate,
+        authenticateStrict: d.authenticate_strict,
         privateSchema: {
-            schemaName: row.private_schema_name,
+            schemaName: d.authenticate_schema,
+        },
+        publicSchema: {
+            schemaName: d.role_schema,
         },
+        currentRole: d.current_role,
+        currentRoleId: d.current_role_id,
+        currentIpAddress: d.current_ip_address,
+        currentUserAgent: d.current_user_agent,
     };
 };
 const toApiStructure = (row, opts, rlsModuleRow) => ({

package/middleware/upload.js

@@ -8,7 +8,7 @@ const logger_1 = require("@pgpmjs/logger");
 const fs_1 = __importDefault(require("fs"));
 const multer_1 = __importDefault(require("multer"));
 const os_1 = __importDefault(require("os"));
-const pg_1 = require("pg");
+const quotes_1 = require("@pgsql/quotes");
 const pg_cache_1 = require("pg-cache");
 const pg_query_context_1 = __importDefault(require("pg-query-context"));
 const graphile_settings_1 = require("graphile-settings");
@@ -52,36 +52,41 @@ const parseFileWithErrors = (req, res, next) => {
         return res.status(400).json({ error: 'File upload failed' });
     });
 };
-const RLS_MODULE_BASE_SQL = `
-  SELECT
-    rm.authenticate,
-    rm.authenticate_strict,
-    ps.schema_name as private_schema_name
-  FROM metaschema_modules_public.rls_module rm
-  LEFT JOIN metaschema_public.schema ps ON rm.private_schema_id = ps.id`;
-const RLS_MODULE_BY_DATABASE_ID_SQL = `${RLS_MODULE_BASE_SQL}
-  JOIN services_public.apis a ON rm.api_id = a.id
-  WHERE a.database_id = $1
+const RLS_MODULE_BY_DATABASE_ID_SQL = `
+  SELECT am.data
+  FROM services_public.api_modules am
+  JOIN services_public.apis a ON am.api_id = a.id
+  WHERE am.name = 'rls_module' AND a.database_id = $1
   ORDER BY a.id
   LIMIT 1
 `;
-const RLS_MODULE_BY_API_ID_SQL = `${RLS_MODULE_BASE_SQL}
-  WHERE rm.api_id = $1
+const RLS_MODULE_BY_API_ID_SQL = `
+  SELECT data
+  FROM services_public.api_modules
+  WHERE api_id = $1 AND name = 'rls_module'
   LIMIT 1
 `;
-const RLS_MODULE_BY_DBNAME_SQL = `${RLS_MODULE_BASE_SQL}
-  JOIN services_public.apis a ON rm.api_id = a.id
-  WHERE a.dbname = $1
+const RLS_MODULE_BY_DBNAME_SQL = `
+  SELECT am.data
+  FROM services_public.api_modules am
+  JOIN services_public.apis a ON am.api_id = a.id
+  WHERE am.name = 'rls_module' AND a.dbname = $1
   ORDER BY a.id
   LIMIT 1
 `;
 const toRlsModule = (row) => {
-    if (!row || !row.private_schema_name)
+    if (!row?.data)
         return undefined;
+    const d = row.data;
     return {
-        authenticate: row.authenticate ?? undefined,
-        authenticateStrict: row.authenticate_strict ?? undefined,
-        privateSchema: { schemaName: row.private_schema_name },
+        authenticate: d.authenticate,
+        authenticateStrict: d.authenticate_strict,
+        privateSchema: { schemaName: d.authenticate_schema },
+        publicSchema: { schemaName: d.role_schema },
+        currentRole: d.current_role,
+        currentRoleId: d.current_role_id,
+        currentIpAddress: d.current_ip_address,
+        currentUserAgent: d.current_user_agent,
     };
 };
 const getBearerToken = (authorization) => {
@@ -173,12 +178,6 @@ const createUploadAuthenticateMiddleware = (opts) => {
             authError(res);
             return;
         }
-        const SAFE_IDENTIFIER = /^[a-z_][a-z0-9_]*$/;
-        if (!SAFE_IDENTIFIER.test(privateSchema) || !SAFE_IDENTIFIER.test(authFn)) {
-            authLog.error(`[upload-auth] Invalid SQL identifier: schema=${privateSchema} fn=${authFn}`);
-            authError(res);
-            return;
-        }
         const pool = (0, pg_cache_1.getPgPool)({
             ...opts.pg,
             database: api.dbname,
@@ -197,7 +196,7 @@ const createUploadAuthenticateMiddleware = (opts) => {
             const result = await (0, pg_query_context_1.default)({
                 client: pool,
                 context,
-                query: `SELECT * FROM ${(0, pg_1.escapeIdentifier)(privateSchema)}.${(0, pg_1.escapeIdentifier)(authFn)}($1)`,
+                query: `SELECT * FROM ${quotes_1.QuoteUtils.quoteQualifiedIdentifier(privateSchema, authFn)}($1)`,
                 variables: [authToken],
             });
             if (!result?.rowCount) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@constructive-io/graphql-server",
-  "version": "4.5.2",
+  "version": "4.6.1",
   "author": "Constructive <developers@constructive.io>",
   "description": "Constructive GraphQL Server",
   "main": "index.js",
@@ -41,52 +41,53 @@
   "dependencies": {
     "@constructive-io/graphql-env": "^3.2.2",
     "@constructive-io/graphql-types": "^3.1.2",
-    "@constructive-io/s3-utils": "^2.7.0",
+    "@constructive-io/s3-utils": "^2.7.1",
     "@constructive-io/upload-names": "^2.7.0",
     "@constructive-io/url-domains": "^2.7.0",
     "@graphile-contrib/pg-many-to-many": "2.0.0-rc.1",
     "@graphile/simplify-inflection": "8.0.0-rc.3",
     "@pgpmjs/env": "^2.13.0",
-    "@pgpmjs/logger": "^2.2.0",
-    "@pgpmjs/server-utils": "^3.2.0",
+    "@pgpmjs/logger": "^2.2.1",
+    "@pgpmjs/server-utils": "^3.2.1",
     "@pgpmjs/types": "^2.17.0",
-    "cors": "^2.8.5",
+    "@pgsql/quotes": "^17.1.0",
+    "cors": "^2.8.6",
     "deepmerge": "^4.3.1",
     "express": "^5.2.1",
-    "gql-ast": "^3.1.0",
+    "gql-ast": "^3.1.1",
     "grafast": "1.0.0-rc.7",
     "grafserv": "1.0.0-rc.6",
     "graphile-build": "5.0.0-rc.4",
     "graphile-build-pg": "5.0.0-rc.5",
-    "graphile-cache": "^3.1.0",
+    "graphile-cache": "^3.1.1",
     "graphile-config": "1.0.0-rc.5",
-    "graphile-settings": "^4.6.1",
+    "graphile-settings": "^4.6.3",
     "graphile-utils": "5.0.0-rc.5",
-    "graphql": "^16.9.0",
+    "graphql": "^16.13.0",
     "graphql-upload": "^13.0.0",
-    "lru-cache": "^11.2.4",
-    "multer": "^2.0.1",
-    "pg": "^8.17.1",
-    "pg-cache": "^3.1.0",
+    "lru-cache": "^11.2.6",
+    "multer": "^2.1.0",
+    "pg": "^8.19.0",
+    "pg-cache": "^3.1.1",
     "pg-env": "^1.5.0",
-    "pg-query-context": "^2.6.0",
+    "pg-query-context": "^2.6.1",
     "pg-sql2": "5.0.0-rc.4",
     "postgraphile": "5.0.0-rc.7",
     "postgraphile-plugin-connection-filter": "3.0.0-rc.1",
     "request-ip": "^3.3.0"
   },
   "devDependencies": {
-    "@aws-sdk/client-s3": "^3.971.0",
+    "@aws-sdk/client-s3": "^3.1001.0",
     "@types/cors": "^2.8.17",
     "@types/express": "^5.0.6",
     "@types/graphql-upload": "^8.0.12",
-    "@types/multer": "^1.4.12",
-    "@types/pg": "^8.16.0",
+    "@types/multer": "^2.0.0",
+    "@types/pg": "^8.18.0",
     "@types/request-ip": "^0.0.41",
-    "graphile-test": "4.3.1",
+    "graphile-test": "4.3.2",
     "makage": "^0.1.10",
-    "nodemon": "^3.1.10",
+    "nodemon": "^3.1.14",
     "ts-node": "^10.9.2"
   },
-  "gitHead": "ff397a83e345bbefcd999079c7568c21de8dd3ea"
+  "gitHead": "d0d7d3916b70c8d960bc13e40ac85d73ea869224"
 }

package/types.d.ts

@@ -25,11 +25,18 @@ export type ApiModule = {
     data?: GenericModuleData;
 };
 export interface RlsModule {
-    authenticate?: string;
-    authenticateStrict?: string;
+    authenticate: string;
+    authenticateStrict: string;
     privateSchema: {
         schemaName: string;
     };
+    publicSchema: {
+        schemaName: string;
+    };
+    currentRole: string;
+    currentRoleId: string;
+    currentIpAddress: string;
+    currentUserAgent: string;
 }
 export interface ApiStructure {
     apiId?: string;