@gencow/core 0.1.19 → 0.1.22

package/src/__tests__/rls-crud-basic.test.ts

@@ -0,0 +1,431 @@
+/**
+ * fixtures/basic + PGlite — apply migrations, explicit fixtures, verify tasks.list CRUD handler.
+ *
+ * Users and tasks: fixed `id` / FK / `done` per row. Any other column omitted from the fixture is
+ * filled by drizzle-seed’s same per-type generators as `seed()` (see `fillPartialRowsForInsert`).
+ *
+ * Migrations run as the PGlite bootstrap user (table owner). We then create `gencow_rls_app` and
+ * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` + crud’s use of
+ * `db.transaction` sets `app.current_user_id` per operation.
+ * We rely on `current_setting('app.current_user_id', true)` (missing_ok=true): this avoids
+ * missing-GUC errors before `set_config` and keeps PGlite behavior aligned with PostgreSQL.
+ *
+ * Run: bun test packages/core/src/__tests__/rls-crud-basic.test.ts
+ */
+
+import {
+  describe,
+  it,
+  expect,
+  beforeAll,
+  afterAll,
+} from "bun:test";
+import { dirname, join } from "path";
+import { fileURLToPath } from "url";
+import type { InferSelectModel } from "drizzle-orm";
+import { PGlite } from "@electric-sql/pglite";
+import { drizzle } from "drizzle-orm/pglite";
+import { crud } from "../crud";
+import type { UserIdentity } from "../reactive";
+import { tasks, user } from "./fixtures/basic/schema";
+import {
+  createPgliteRlsAppRole,
+  DEFAULT_PGLITE_RLS_APP_ROLE,
+  setPgliteSessionRole,
+} from "./helpers/pglite-rls-session";
+import { loadAndApplyMigrations } from "./helpers/pglite-migrations";
+import { fillPartialRowsForInsert } from "./helpers/seed-like-fill";
+import {
+  makeTestGencowCtxWithRls,
+  runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+const fixtureUsers = [
+  { id: "us_000", name: "User 0", email: "user-0@s.com", emailVerified: true },
+  { id: "us_001", name: "User 1", email: "user-1@s.com", emailVerified: true },
+];
+
+/** Realistic titles; "Project Alpha" appears on two rows for us_000 and one for us_001 (RLS). */
+const fixtureTasks = [
+  {
+    id: "tk-000",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Project Alpha — Q4 review prep",
+  },
+  {
+    id: "tk-001",
+    userId: fixtureUsers[1].id,
+    done: true,
+    title: "Project Alpha — teammate handoff",
+  },
+  {
+    id: "tk-002",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Project Alpha — backlog grooming",
+  },
+  {
+    id: "tk-003",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Quarterly planning — Q4",
+  },
+  {
+    id: "tk-004",
+    userId: fixtureUsers[1].id,
+    done: false,
+    title: "Project Beta — API docs",
+  },
+  {
+    id: "tk-005",
+    userId: fixtureUsers[1].id,
+    done: false,
+    title: "Project Gamma — research notes",
+  },
+  {
+    id: "tk-006",
+    userId: fixtureUsers[0].id,
+    done: false,
+    title: "Project Beta — spike",
+  },
+];
+
+const user0Identity = {
+  id: fixtureUsers[0].id,
+  email: fixtureUsers[0].email,
+} satisfies UserIdentity;
+
+const user1Identity = {
+  id: fixtureUsers[1].id,
+  email: fixtureUsers[1].email,
+} satisfies UserIdentity;
+
+type TaskRow = InferSelectModel<typeof tasks>;
+type CrudDefs = ReturnType<typeof crud<typeof tasks>>;
+type TaskListResult = { data: TaskRow[]; total: number };
+
+async function seedBasicFixtures(db: ReturnType<typeof drizzle>) {
+  await db.insert(user).values(fillPartialRowsForInsert(user, fixtureUsers));
+  const taskRows = fillPartialRowsForInsert(
+    tasks,
+    fixtureTasks
+  ) as TaskRow[];
+  await db.insert(tasks).values(taskRows);
+  return taskRows;
+}
+
+async function createSeededCrudEnv() {
+  const client = new PGlite();
+  await client.waitReady;
+  await loadAndApplyMigrations(
+    client,
+    join(__dirname, "fixtures/basic/migrations")
+  );
+  const db = drizzle(client);
+  const taskRows = await seedBasicFixtures(db);
+  await createPgliteRlsAppRole(client, {
+    roleName: DEFAULT_PGLITE_RLS_APP_ROLE,
+  });
+  await setPgliteSessionRole(client, DEFAULT_PGLITE_RLS_APP_ROLE);
+
+  const defs = crud(tasks, {
+    prefix: "fixture_basic_pglite_tasks",
+    searchFields: ["title", "description"],
+    defaultLimit: 50,
+  });
+
+  return { client, db, taskRows, defs };
+}
+
+describe("fixtures/basic + PGlite + CRUD + RLS", () => {
+  let client: PGlite;
+  let db: ReturnType<typeof drizzle>;
+  let seededTaskRows: TaskRow[];
+  let listDef: CrudDefs["list"];
+  let listHandler: (ctx: unknown, args: unknown) => Promise<TaskListResult>;
+  let getHandler: NonNullable<CrudDefs["get"]>["handler"];
+  let createHandler: NonNullable<CrudDefs["create"]>["handler"];
+  let updateHandler: NonNullable<CrudDefs["update"]>["handler"];
+  let removeHandler: NonNullable<CrudDefs["remove"]>["handler"];
+
+  beforeAll(async () => {
+    const env = await createSeededCrudEnv();
+    client = env.client;
+    db = env.db;
+    seededTaskRows = env.taskRows;
+    listDef = env.defs.list;
+    listHandler = env.defs.list!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskListResult>;
+    getHandler = env.defs.get!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskRow | null>;
+    createHandler = env.defs.create!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskRow>;
+    updateHandler = env.defs.update!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<TaskRow | undefined>;
+    removeHandler = env.defs.remove!.handler as (
+      ctx: unknown,
+      args: unknown
+    ) => Promise<{ success: boolean }>;
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it("tasks.list returns only the current user (us_000) rows per RLS and total matches", async () => {
+    expect(listDef).toBeDefined();
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const listResult = await listHandler(ctx, {});
+
+      const expected = seededTaskRows.filter(
+        (r) => r.userId === fixtureUsers[0].id
+      );
+
+      expect(listResult).toHaveProperty("data");
+      expect(listResult).toHaveProperty("total");
+      expect(listResult.total).toBe(expected.length);
+
+      const rows = listResult.data;
+
+      const byId = new Map(rows.map((r) => [r.id, r]));
+      expect(byId.size).toBe(expected.length);
+
+      for (const seeded of expected) {
+        const row = byId.get(seeded.id);
+        expect(row).toBeDefined();
+        expect(row!.id).toBe(seeded.id);
+        expect(row!.userId).toBe(seeded.userId);
+        expect(row!.done).toBe(seeded.done);
+        expect(row!.title).toBe(seeded.title);
+      }
+    });
+  });
+
+  it("search parameter applies to title/description ilike search", async () => {
+    expect(listDef).toBeDefined();
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const sharedSubstring = "Project Alpha";
+      const expectedForUser0 = seededTaskRows.filter(
+        (r) =>
+          r.userId === user0Identity.id &&
+          r.title.toLowerCase().includes(sharedSubstring.toLowerCase())
+      );
+      expect(expectedForUser0.length).toBe(2);
+
+      const result = await listHandler(ctx, { search: sharedSubstring });
+      const rows = result.data;
+      expect(rows.length).toBe(expectedForUser0.length);
+
+      const byId = new Map(rows.map((r) => [r.id, r]));
+      for (const seeded of expectedForUser0) {
+        expect(byId.get(seeded.id)?.title).toBe(seeded.title);
+      }
+    });
+  });
+
+  it("tasks.get succeeds when current user reads own task", async () => {
+    const ownTaskId = "tk-003";
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const task = await getHandler(ctx, { id: ownTaskId });
+
+      expect(task).toBeDefined();
+      expect(task?.id).toBe(ownTaskId);
+      expect(task?.userId).toBe(user0Identity.id);
+    });
+  });
+
+  it("tasks.get fails when current user tries to read another user's task", async () => {
+    const user1TaskId = "tk-001";
+
+    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
+      const task = await getHandler(ctx, { id: user1TaskId });
+      expect(task).toBeNull();
+    });
+  });
+
+  it("tasks.update succeeds when updating a task owned by current user", async () => {
+    const ownTaskId = "tk-000";
+    const updatedTitle = "Project Alpha — updated by owner";
+    const updatedDone = true;
+
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const before = await getHandler(ctx, {
+          id: ownTaskId,
+        });
+        expect(before?.title).not.toBe(updatedTitle);
+        expect(before?.done).not.toBe(updatedDone);
+
+        const updated = await updateHandler(ctx, {
+          id: ownTaskId,
+          title: updatedTitle,
+          done: updatedDone,
+        });
+
+        expect(updated).toBeDefined();
+        expect(updated?.id).toBe(ownTaskId);
+        expect(updated?.userId).toBe(user0Identity.id);
+        expect(updated?.title).toBe(updatedTitle);
+        expect(updated?.done).toBe(updatedDone);
+
+        const fetched = await getHandler(ctx, {
+          id: ownTaskId,
+        });
+        expect(fetched?.id).toBe(ownTaskId);
+        expect(fetched?.title).toBe(updatedTitle);
+        expect(fetched?.done).toBe(updatedDone);
+      }
+    );
+  });
+
+  it("tasks.create succeeds when creating a task with current userId", async () => {
+    const ownTaskId = "tk-own-create";
+    const ownTaskTitle = "Project Delta — created by owner";
+
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const created = await createHandler(user0Ctx, {
+          id: ownTaskId,
+          userId: user0Identity.id,
+          title: ownTaskTitle,
+          done: false,
+        });
+
+        expect(created).toBeDefined();
+        expect(created.id).toBe(ownTaskId);
+        expect(created.userId).toBe(user0Identity.id);
+        expect(created.title).toBe(ownTaskTitle);
+        expect(created.done).toBe(false);
+
+        const fetched = await getHandler(user0Ctx, {
+          id: ownTaskId,
+        });
+        expect(fetched).toBeDefined();
+        expect(fetched?.id).toBe(ownTaskId);
+        expect(fetched?.userId).toBe(user0Identity.id);
+      }
+    );
+  });
+
+  it("tasks.create fails when current user tries to create with another userId", async () => {
+    const unauthorizedTaskId = "tk-other-user-create";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        await expect(
+          createHandler(user0Ctx, {
+            id: unauthorizedTaskId,
+            userId: user1Identity.id,
+            title: "Unauthorized create attempt",
+            done: false,
+          })
+        ).rejects.toThrow();
+
+        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+        const after = await getHandler(user1Ctx, { id: unauthorizedTaskId });
+        expect(after).toBeNull();
+      }
+    );
+  });
+
+  it("tasks.update fails when current user tries to update user1 task", async () => {
+    const user1TaskId = "tk-001";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+
+        const before = await getHandler(user1Ctx, {
+          id: user1TaskId,
+        });
+        expect(before).toBeDefined();
+        const beforeTitle = before?.title;
+        const beforeDone = before?.done ?? false;
+
+        const unauthorizedUpdate = await updateHandler(user0Ctx, {
+          id: user1TaskId,
+          title: "Unauthorized update attempt",
+          done: !beforeDone,
+        });
+
+        expect(unauthorizedUpdate).toBeUndefined();
+
+        const after = await getHandler(user1Ctx, {
+          id: user1TaskId,
+        });
+        expect(after).toBeDefined();
+        expect(after?.title).toBe(beforeTitle);
+        expect(after?.done).toBe(beforeDone);
+      }
+    );
+  });
+
+  it("tasks.remove succeeds when deleting a task owned by current user", async () => {
+    const ownTaskId = "tk-002";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const before = await getHandler(user0Ctx, { id: ownTaskId });
+        expect(before).toBeDefined();
+
+        const removeResult = await removeHandler(user0Ctx, {
+          id: ownTaskId,
+        });
+        expect(removeResult.success).toBe(true);
+
+        const after = await getHandler(user0Ctx, { id: ownTaskId });
+        expect(after).toBeNull();
+      }
+    );
+  });
+
+  it("tasks.remove cannot delete a task owned by another user", async () => {
+    const user1TaskId = "tk-004";
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (user0Ctx) => {
+        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+
+        const before = await getHandler(user1Ctx, { id: user1TaskId });
+        expect(before).toBeDefined();
+
+        const removeResult = await removeHandler(user0Ctx, {
+          id: user1TaskId,
+        });
+        expect(removeResult.success).toBe(true);
+
+        const after = await getHandler(user1Ctx, {
+          id: user1TaskId,
+        });
+        expect(after).toBeDefined();
+        expect(after?.id).toBe(user1TaskId);
+      }
+    );
+  });
+});

package/src/__tests__/tsconfig.json

@@ -0,0 +1,8 @@
+{
+    "extends": "../../tsconfig.json",
+    "compilerOptions": {
+        "noEmit": true
+    },
+    "include": ["./**/*.ts"],
+    "exclude": []
+}