@gencow/core 0.1.22 → 0.1.24

package/src/__tests__/rls-crud-basic.test.ts

@@ -5,131 +5,39 @@
  * filled by drizzle-seed’s same per-type generators as `seed()` (see `fillPartialRowsForInsert`).
  *
  * Migrations run as the PGlite bootstrap user (table owner). We then create `gencow_rls_app` and
- * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` + crud’s use of
- * `db.transaction` sets `app.current_user_id` per operation.
+ * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` injects
+ * `app.current_user_id` for every query path (including bare `select()` / `execute()`).
  * We rely on `current_setting('app.current_user_id', true)` (missing_ok=true): this avoids
  * missing-GUC errors before `set_config` and keeps PGlite behavior aligned with PostgreSQL.
  *
  * Run: bun test packages/core/src/__tests__/rls-crud-basic.test.ts
  */
 
-import {
-  describe,
-  it,
-  expect,
-  beforeAll,
-  afterAll,
-} from "bun:test";
-import { dirname, join } from "path";
-import { fileURLToPath } from "url";
-import type { InferSelectModel } from "drizzle-orm";
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+import { eq, type InferSelectModel } from "drizzle-orm";
 import { PGlite } from "@electric-sql/pglite";
 import { drizzle } from "drizzle-orm/pglite";
-import { crud } from "../crud";
-import type { UserIdentity } from "../reactive";
-import { tasks, user } from "./fixtures/basic/schema";
+import { crud } from "../crud.js";
+import { createRlsDb } from "../rls-db.js";
+import { tasks } from "./fixtures/basic/schema.js";
 import {
-  createPgliteRlsAppRole,
-  DEFAULT_PGLITE_RLS_APP_ROLE,
-  setPgliteSessionRole,
-} from "./helpers/pglite-rls-session";
-import { loadAndApplyMigrations } from "./helpers/pglite-migrations";
-import { fillPartialRowsForInsert } from "./helpers/seed-like-fill";
+  basicFixtureUsers as fixtureUsers,
+  basicFixtureTasks as fixtureTasks,
+  basicUser0Identity as user0Identity,
+  basicUser1Identity as user1Identity,
+  createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
 import {
   makeTestGencowCtxWithRls,
   runWithRollbackTestGencowCtxWithRls,
-} from "./helpers/test-gencow-ctx-rls";
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-
-const fixtureUsers = [
-  { id: "us_000", name: "User 0", email: "user-0@s.com", emailVerified: true },
-  { id: "us_001", name: "User 1", email: "user-1@s.com", emailVerified: true },
-];
-
-/** Realistic titles; "Project Alpha" appears on two rows for us_000 and one for us_001 (RLS). */
-const fixtureTasks = [
-  {
-    id: "tk-000",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Project Alpha — Q4 review prep",
-  },
-  {
-    id: "tk-001",
-    userId: fixtureUsers[1].id,
-    done: true,
-    title: "Project Alpha — teammate handoff",
-  },
-  {
-    id: "tk-002",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Project Alpha — backlog grooming",
-  },
-  {
-    id: "tk-003",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Quarterly planning — Q4",
-  },
-  {
-    id: "tk-004",
-    userId: fixtureUsers[1].id,
-    done: false,
-    title: "Project Beta — API docs",
-  },
-  {
-    id: "tk-005",
-    userId: fixtureUsers[1].id,
-    done: false,
-    title: "Project Gamma — research notes",
-  },
-  {
-    id: "tk-006",
-    userId: fixtureUsers[0].id,
-    done: false,
-    title: "Project Beta — spike",
-  },
-];
-
-const user0Identity = {
-  id: fixtureUsers[0].id,
-  email: fixtureUsers[0].email,
-} satisfies UserIdentity;
-
-const user1Identity = {
-  id: fixtureUsers[1].id,
-  email: fixtureUsers[1].email,
-} satisfies UserIdentity;
+} from "./helpers/test-gencow-ctx-rls.js";
 
 type TaskRow = InferSelectModel<typeof tasks>;
 type CrudDefs = ReturnType<typeof crud<typeof tasks>>;
 type TaskListResult = { data: TaskRow[]; total: number };
 
-async function seedBasicFixtures(db: ReturnType<typeof drizzle>) {
-  await db.insert(user).values(fillPartialRowsForInsert(user, fixtureUsers));
-  const taskRows = fillPartialRowsForInsert(
-    tasks,
-    fixtureTasks
-  ) as TaskRow[];
-  await db.insert(tasks).values(taskRows);
-  return taskRows;
-}
-
 async function createSeededCrudEnv() {
-  const client = new PGlite();
-  await client.waitReady;
-  await loadAndApplyMigrations(
-    client,
-    join(__dirname, "fixtures/basic/migrations")
-  );
-  const db = drizzle(client);
-  const taskRows = await seedBasicFixtures(db);
-  await createPgliteRlsAppRole(client, {
-    roleName: DEFAULT_PGLITE_RLS_APP_ROLE,
-  });
-  await setPgliteSessionRole(client, DEFAULT_PGLITE_RLS_APP_ROLE);
+  const { client, db, taskRows } = await createBasicRlsEnvironment();
 
   const defs = crud(tasks, {
     prefix: "fixture_basic_pglite_tasks",
@@ -187,78 +95,116 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
     }
   });
 
+  it("createRlsDb: bare select() applies RLS without explicit db.transaction", async () => {
+    const scoped = createRlsDb(db as any, {
+      userId: user0Identity.id,
+      role: "user",
+      tenantId: "tenant_fixture",
+      vars: { "app.note": "ok" },
+    });
+    const otherUserRows = await scoped
+      .select()
+      .from(tasks)
+      .where(eq(tasks.userId, fixtureUsers[1].id));
+    expect(otherUserRows.length).toBe(0);
+
+    const ownRows = await scoped
+      .select()
+      .from(tasks)
+      .where(eq(tasks.userId, user0Identity.id));
+    expect(ownRows.length).toBe(
+      seededTaskRows.filter((r) => r.userId === user0Identity.id).length
+    );
+  });
+
   it("tasks.list returns only the current user (us_000) rows per RLS and total matches", async () => {
     expect(listDef).toBeDefined();
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const listResult = await listHandler(ctx, {});
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const listResult = await listHandler(ctx, {});
 
-      const expected = seededTaskRows.filter(
-        (r) => r.userId === fixtureUsers[0].id
-      );
+        const expected = seededTaskRows.filter(
+          (r) => r.userId === fixtureUsers[0].id
+        );
 
-      expect(listResult).toHaveProperty("data");
-      expect(listResult).toHaveProperty("total");
-      expect(listResult.total).toBe(expected.length);
+        expect(listResult).toHaveProperty("data");
+        expect(listResult).toHaveProperty("total");
+        expect(listResult.total).toBe(expected.length);
 
-      const rows = listResult.data;
+        const rows = listResult.data;
 
-      const byId = new Map(rows.map((r) => [r.id, r]));
-      expect(byId.size).toBe(expected.length);
+        const byId = new Map(rows.map((r) => [r.id, r]));
+        expect(byId.size).toBe(expected.length);
 
-      for (const seeded of expected) {
-        const row = byId.get(seeded.id);
-        expect(row).toBeDefined();
-        expect(row!.id).toBe(seeded.id);
-        expect(row!.userId).toBe(seeded.userId);
-        expect(row!.done).toBe(seeded.done);
-        expect(row!.title).toBe(seeded.title);
+        for (const seeded of expected) {
+          const row = byId.get(seeded.id);
+          expect(row).toBeDefined();
+          expect(row!.id).toBe(seeded.id);
+          expect(row!.userId).toBe(seeded.userId);
+          expect(row!.done).toBe(seeded.done);
+          expect(row!.title).toBe(seeded.title);
+        }
       }
-    });
+    );
   });
 
   it("search parameter applies to title/description ilike search", async () => {
     expect(listDef).toBeDefined();
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const sharedSubstring = "Project Alpha";
-      const expectedForUser0 = seededTaskRows.filter(
-        (r) =>
-          r.userId === user0Identity.id &&
-          r.title.toLowerCase().includes(sharedSubstring.toLowerCase())
-      );
-      expect(expectedForUser0.length).toBe(2);
-
-      const result = await listHandler(ctx, { search: sharedSubstring });
-      const rows = result.data;
-      expect(rows.length).toBe(expectedForUser0.length);
-
-      const byId = new Map(rows.map((r) => [r.id, r]));
-      for (const seeded of expectedForUser0) {
-        expect(byId.get(seeded.id)?.title).toBe(seeded.title);
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const sharedSubstring = "Project Alpha";
+        const expectedForUser0 = seededTaskRows.filter(
+          (r) =>
+            r.userId === user0Identity.id &&
+            r.title.toLowerCase().includes(sharedSubstring.toLowerCase())
+        );
+        expect(expectedForUser0.length).toBe(2);
+
+        const result = await listHandler(ctx, { search: sharedSubstring });
+        const rows = result.data;
+        expect(rows.length).toBe(expectedForUser0.length);
+
+        const byId = new Map(rows.map((r) => [r.id, r]));
+        for (const seeded of expectedForUser0) {
+          expect(byId.get(seeded.id)?.title).toBe(seeded.title);
+        }
       }
-    });
+    );
   });
 
   it("tasks.get succeeds when current user reads own task", async () => {
     const ownTaskId = "tk-003";
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const task = await getHandler(ctx, { id: ownTaskId });
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const task = await getHandler(ctx, { id: ownTaskId });
 
-      expect(task).toBeDefined();
-      expect(task?.id).toBe(ownTaskId);
-      expect(task?.userId).toBe(user0Identity.id);
-    });
+        expect(task).toBeDefined();
+        expect(task?.id).toBe(ownTaskId);
+        expect(task?.userId).toBe(user0Identity.id);
+      }
+    );
   });
 
   it("tasks.get fails when current user tries to read another user's task", async () => {
     const user1TaskId = "tk-001";
 
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const task = await getHandler(ctx, { id: user1TaskId });
-      expect(task).toBeNull();
-    });
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      user0Identity,
+      async (ctx) => {
+        const task = await getHandler(ctx, { id: user1TaskId });
+        expect(task).toBeNull();
+      }
+    );
   });
 
   it("tasks.update succeeds when updating a task owned by current user", async () => {
@@ -335,16 +281,23 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
       db,
       user0Identity,
       async (user0Ctx) => {
-        await expect(
-          createHandler(user0Ctx, {
+        let thrown: unknown;
+        try {
+          await createHandler(user0Ctx, {
             id: unauthorizedTaskId,
             userId: user1Identity.id,
             title: "Unauthorized create attempt",
             done: false,
-          })
-        ).rejects.toThrow();
-
-        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+          });
+        } catch (e) {
+          thrown = e;
+        }
+        expect(thrown).toBeInstanceOf(Error);
+
+        const user1Ctx = makeTestGencowCtxWithRls(
+          user0Ctx.unsafeDb as any,
+          user1Identity
+        );
         const after = await getHandler(user1Ctx, { id: unauthorizedTaskId });
         expect(after).toBeNull();
       }
@@ -357,7 +310,10 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
       db,
       user0Identity,
       async (user0Ctx) => {
-        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+        const user1Ctx = makeTestGencowCtxWithRls(
+          user0Ctx.unsafeDb as any,
+          user1Identity
+        );
 
         const before = await getHandler(user1Ctx, {
           id: user1TaskId,
@@ -410,7 +366,10 @@ describe("fixtures/basic + PGlite + CRUD + RLS", () => {
       db,
       user0Identity,
       async (user0Ctx) => {
-        const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
+        const user1Ctx = makeTestGencowCtxWithRls(
+          user0Ctx.unsafeDb as any,
+          user1Identity
+        );
 
         const before = await getHandler(user1Ctx, { id: user1TaskId });
         expect(before).toBeDefined();

package/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts

@@ -0,0 +1,117 @@
+/**
+ * `news` has **no** `ownerRls()` and **no** PostgreSQL RLS (`fixtures/basic/migrations/0001_news.sql`).
+ * `crud(news, { public: true })` keeps legacy behavior: no Layer-1 owner filter on list/get/update/remove.
+ *
+ * Complements mock-based `crud-owner-rls.test.ts` (“하위호환”) with PGlite + non-owner session.
+ *
+ * Run: bun test packages/core/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+
+import { crud } from "../crud.js";
+import { createRlsDb } from "../rls-db.js";
+import { news } from "./fixtures/basic/schema.js";
+import {
+    assertTableRowLevelSecurityDisabled,
+    basicUser0Identity,
+    basicUser1Identity,
+    createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
+import {
+    makeTestGencowCtxWithRls,
+    runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls.js";
+
+describe("crud + PGlite: news without ownerRls, public crud", () => {
+    let client: import("@electric-sql/pglite").PGlite;
+    let db: ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
+    let listHandler: (ctx: unknown, args: unknown) => Promise<{ data: unknown[]; total: number }>;
+    let getHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+    let createHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+    let updateHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
+    let removeHandler: (ctx: unknown, args: unknown) => Promise<{ success: boolean }>;
+
+    beforeAll(async () => {
+        const env = await createBasicRlsEnvironment();
+        client = env.client;
+        db = env.db;
+
+        const defs = crud(news, {
+            prefix: "fixture_basic_news",
+            public: true,
+            defaultLimit: 50,
+        });
+        listHandler = defs.list!.handler as (typeof listHandler);
+        getHandler = defs.get!.handler as (typeof getHandler);
+        createHandler = defs.create!.handler as (typeof createHandler);
+        updateHandler = defs.update!.handler as (typeof updateHandler);
+        removeHandler = defs.remove!.handler as (typeof removeHandler);
+    });
+
+    afterAll(async () => {
+        try {
+            await client.close();
+        } catch {
+            /* ignore */
+        }
+    });
+
+    it("list: authenticated user sees all rows (no owner filter)", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const result = await listHandler(ctx, {});
+        expect(result.total).toBe(2);
+        expect(result.data).toHaveLength(2);
+        const ids = new Set(result.data.map((r: any) => r.id));
+        expect(ids.has("nw-000")).toBe(true);
+        expect(ids.has("nw-001")).toBe(true);
+    });
+
+    it("get: can read another user row by id (no owner filter)", async () => {
+        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+        const row = await getHandler(ctx, { id: "nw-001" });
+        expect(row).not.toBeNull();
+        expect((row as any).userId).toBe(basicUser1Identity.id);
+    });
+
+    it("createRlsDb + bare select: no DB policies — still full table visibility", async () => {
+        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+            userId: basicUser0Identity.id,
+        });
+        const rows = await scoped.select().from(news);
+        expect(rows.length).toBe(2);
+    });
+
+    it("create: with public crud, pass userId explicitly (no auth-based auto-inject)", async () => {
+        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+            const created = await createHandler(ctx, {
+                id: "nw-created",
+                title: "new row",
+                userId: basicUser0Identity.id,
+            });
+            expect((created as any).userId).toBe(basicUser0Identity.id);
+        });
+    });
+
+    it("update: can change another user row by id (no owner WHERE)", async () => {
+        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+            const updated = await updateHandler(ctx, {
+                id: "nw-001",
+                title: "touched by user0",
+            });
+            expect((updated as any).title).toBe("touched by user0");
+        });
+    });
+
+    it("remove: can delete another user row by id (no owner WHERE)", async () => {
+        await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+            await removeHandler(ctx, { id: "nw-001" });
+            const after = await getHandler(ctx, { id: "nw-001" });
+            expect(after).toBeNull();
+        });
+    });
+
+    it("pg_catalog: news has row security disabled", async () => {
+        await assertTableRowLevelSecurityDisabled(db, news);
+    });
+});

package/src/__tests__/rls-custom-mutation-handlers.test.ts

@@ -0,0 +1,189 @@
+/**
+ * Custom **mutation** handlers (not `crud()` factory) that use `ctx.db` must respect RLS
+ * (update/delete/insert withCheck).
+ *
+ * Run: bun test packages/core/src/__tests__/rls-custom-mutation-handlers.test.ts
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from "bun:test";
+import { eq } from "drizzle-orm";
+import { PGlite } from "@electric-sql/pglite";
+import { drizzle } from "drizzle-orm/pglite";
+
+import type { GencowCtx } from "../reactive.js";
+import { tasks } from "./fixtures/basic/schema.js";
+import {
+  basicFixtureUsers,
+  basicUser0Identity,
+  basicUser1Identity,
+  createBasicRlsEnvironment,
+} from "./helpers/basic-rls-fixture.js";
+import { fillPartialRowsForInsert } from "./helpers/seed-like-fill.js";
+import {
+  makeTestGencowCtxWithRls,
+  runWithRollbackTestGencowCtxWithRls,
+} from "./helpers/test-gencow-ctx-rls.js";
+
+/** User-defined mutation: update title by task id. */
+async function customMutationUpdateTitle(
+  ctx: GencowCtx,
+  taskId: string,
+  title: string
+) {
+  return ctx.db
+    .update(tasks)
+    .set({ title, updatedAt: new Date() })
+    .where(eq(tasks.id, taskId))
+    .returning();
+}
+
+/** User-defined mutation: delete by id. */
+async function customMutationDeleteById(ctx: GencowCtx, taskId: string) {
+  return ctx.db.delete(tasks).where(eq(tasks.id, taskId)).returning();
+}
+
+/** User-defined mutation: insert a new task for the current user (caller supplies logical fields). */
+async function customMutationInsertTask(
+  ctx: GencowCtx,
+  values: { id: string; title: string; userId: string; done?: boolean }
+) {
+  const [row] = fillPartialRowsForInsert(tasks, [
+    {
+      id: values.id,
+      title: values.title,
+      userId: values.userId,
+      done: values.done ?? false,
+    },
+  ]);
+  return ctx.db.insert(tasks).values(row).returning();
+}
+
+describe("Custom mutation handlers + ctx.db + RLS", () => {
+  let client: PGlite;
+  let db: ReturnType<typeof drizzle>;
+
+  beforeAll(async () => {
+    const env = await createBasicRlsEnvironment();
+    client = env.client;
+    db = env.db;
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it("custom update: can change own task", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const updated = await customMutationUpdateTitle(
+          ctx,
+          "tk-003",
+          "Updated by custom handler"
+        );
+        expect(updated.length).toBe(1);
+        expect(updated[0]!.title).toBe("Updated by custom handler");
+      }
+    );
+  });
+
+  it("custom update: cannot modify another user's task (0 rows)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const updated = await customMutationUpdateTitle(
+          ctx,
+          "tk-001",
+          "Should not apply"
+        );
+        expect(updated.length).toBe(0);
+      }
+    );
+  });
+
+  it("custom delete: can remove own task", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const removed = await customMutationDeleteById(ctx, "tk-000");
+        expect(removed.length).toBe(1);
+      }
+    );
+  });
+
+  it("custom delete: cannot remove another user's task (0 rows)", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const removed = await customMutationDeleteById(ctx, "tk-004");
+        expect(removed.length).toBe(0);
+      }
+    );
+  });
+
+  it("custom insert: succeeds when userId matches session", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const inserted = await customMutationInsertTask(ctx, {
+          id: "tk-custom-own",
+          title: "Custom insert OK",
+          userId: basicUser0Identity.id,
+        });
+        expect(inserted.length).toBe(1);
+        expect(inserted[0]!.userId).toBe(basicUser0Identity.id);
+      }
+    );
+  });
+
+  it("custom insert: forged userId (another user) violates RLS withCheck", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        let thrown: unknown;
+        try {
+          await customMutationInsertTask(ctx, {
+            id: "tk-custom-forge",
+            title: "Forged owner",
+            userId: basicFixtureUsers[1].id,
+          });
+        } catch (e) {
+          thrown = e;
+        }
+        expect(thrown).toBeInstanceOf(Error);
+      }
+    );
+  });
+
+  it("nested db.transaction in custom handler still applies RLS on inner selects", async () => {
+    await runWithRollbackTestGencowCtxWithRls(
+      db,
+      basicUser0Identity,
+      async (ctx) => {
+        const inner = await ctx.db.transaction(async (tx: typeof ctx.db) => {
+          return tx
+            .select()
+            .from(tasks)
+            .where(eq(tasks.userId, basicFixtureUsers[1].id));
+        });
+        expect(inner.length).toBe(0);
+      }
+    );
+  });
+
+  it("direct ctx.db without outer rollback wrapper: mutation still RLS-scoped", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser1Identity);
+    const updated = await customMutationUpdateTitle(ctx, "tk-000", "hax");
+    expect(updated.length).toBe(0);
+  });
+});