@gencow/core 0.1.23 → 0.1.25

package/src/__tests__/rls-session-and-policies.test.ts

@@ -28,219 +28,201 @@ import { eq, sql } from "drizzle-orm";
 import { createRlsDb } from "../rls-db.js";
 import { tasks } from "./fixtures/basic/schema.js";
 import {
-    basicFixtureTasks,
-    basicUser0Identity,
-    basicUser1Identity,
-    createBasicRlsEnvironment,
+  basicFixtureTasks,
+  basicUser0Identity,
+  basicUser1Identity,
+  createBasicRlsEnvironment,
 } from "./helpers/basic-rls-fixture.js";
 import { fillPartialRowsForInsert } from "./helpers/seed-like-fill.js";
 import {
-    makeTestGencowCtxWithRls,
-    runWithRollbackTestGencowCtxWithRls,
+  makeTestGencowCtxWithRls,
+  runWithRollbackTestGencowCtxWithRls,
 } from "./helpers/test-gencow-ctx-rls.js";
 
 type PgliteDb = ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
 
 describe("RLS session + policies (PGlite, non-owner session)", () => {
-    let client: import("@electric-sql/pglite").PGlite;
-    let db: PgliteDb;
-
-    beforeAll(async () => {
-        const env = await createBasicRlsEnvironment();
-        client = env.client;
-        db = env.db;
-    });
-
-    afterAll(async () => {
-        try {
-            await client.close();
-        } catch {
-            /* ignore */
-        }
-    });
-
-    function expectedCountForUser(userId: string): number {
-        return basicFixtureTasks.filter((t) => t.userId === userId).length;
+  let client: import("@electric-sql/pglite").PGlite;
+  let db: PgliteDb;
+
+  beforeAll(async () => {
+    const env = await createBasicRlsEnvironment();
+    client = env.client;
+    db = env.db;
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {
+      /* ignore */
     }
+  });
 
-    it("empty userId matches unauthenticated server contract — no rows visible", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: "",
-        });
-        const rows = await scoped.select().from(tasks);
-        expect(rows.length).toBe(0);
-    });
-
-    it("authenticated userId sees only own rows (policy USING)", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const rows = await scoped.select().from(tasks);
-        expect(rows.length).toBe(expectedCountForUser(basicUser0Identity.id));
-        expect(rows.every((r) => r.userId === basicUser0Identity.id)).toBe(true);
-    });
-
-    it("createRlsDb sets optional role and tenantId GUCs (readable via execute)", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-            role: "editor",
-            tenantId: "tenant_test",
-        });
-        const r = await scoped.execute(
-            sql`select current_setting('app.current_user_role', true) as role,
-                       current_setting('app.tenant_id', true) as tid`,
-        );
-        const row = (r as { rows: { role: string; tid: string }[] }).rows[0];
-        expect(row?.role).toBe("editor");
-        expect(row?.tid).toBe("tenant_test");
-    });
-
-    it("custom vars (validated app.* names) are applied for set_config", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-            vars: { "app.org_slug": "acme" },
-        });
-        const r = await scoped.execute(
-            sql`select current_setting('app.org_slug', true) as slug`,
-        );
-        const row = (r as { rows: { slug: string }[] }).rows[0];
-        expect(row?.slug).toBe("acme");
-    });
-
-    it("invalid GUC name in vars throws before executing SQL", async () => {
-        const bad = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-            vars: { "App.invalid": "x" },
-        });
-        await expect(Promise.resolve(bad.select().from(tasks))).rejects.toThrow(
-            /invalid/,
-        );
-    });
-
-    it("reserved keys must not appear in vars", async () => {
-        const bad = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-            vars: { "app.current_user_id": "hijack" },
-        });
-        await expect(Promise.resolve(bad.select().from(tasks))).rejects.toThrow(
-            /vars must not set/,
-        );
-    });
-
-    it("autocommit path and outer-transaction path return the same RLS-visible counts", async () => {
-        const expected = expectedCountForUser(basicUser0Identity.id);
-
-        const ctxPlain = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const plainCount = (await ctxPlain.db.select().from(tasks)).length;
-        expect(plainCount).toBe(expected);
-
-        await runWithRollbackTestGencowCtxWithRls(
-            db,
-            basicUser0Identity,
-            async (ctx) => {
-                const txCount = (await ctx.db.select().from(tasks)).length;
-                expect(txCount).toBe(expected);
-            },
-        );
-    });
-
-    it("createRlsDb(db).transaction() injects session vars — inner selects respect RLS", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        await scoped.transaction(async (tx) => {
-            const rows = await tx.select().from(tasks);
-            expect(rows.length).toBe(expectedCountForUser(basicUser0Identity.id));
-        });
-    });
-
-    it("parallel selects on the same ctx.db both see RLS-consistent results", async () => {
-        const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-        const expected = expectedCountForUser(basicUser0Identity.id);
-        const [a, b] = await Promise.all([
-            ctx.db.select().from(tasks),
-            ctx.db.select().from(tasks),
-        ]);
-        expect(a.length).toBe(expected);
-        expect(b.length).toBe(expected);
-    });
-
-    it("unsafeDb INSERT without session GUC fails RLS withCheck (non-owner)", async () => {
-        const [row] = fillPartialRowsForInsert(tasks, [
-            {
-                id: "tk-rls-unsafe-insert",
-                title: "should not persist",
-                userId: basicUser0Identity.id,
-                done: false,
-            },
-        ]);
-        await expect(Promise.resolve(db.insert(tasks).values(row))).rejects.toThrow();
-    });
-
-    it("unsafeDb UPDATE touches 0 rows when session GUC is unset", async () => {
-        const updated = await db
-            .update(tasks)
-            .set({ title: "nope", updatedAt: new Date() })
-            .where(eq(tasks.id, "tk-000"))
-            .returning();
-        expect(updated.length).toBe(0);
-    });
-
-    it("scoped INSERT cannot forge another user row (withCheck)", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const [row] = fillPartialRowsForInsert(tasks, [
-            {
-                id: "tk-forge-other",
-                title: "forged",
-                userId: basicUser1Identity.id,
-                done: false,
-            },
-        ]);
-        await expect(Promise.resolve(scoped.insert(tasks).values(row))).rejects.toThrow();
-    });
-
-    it("wrong scoped userId cannot read other user's row by primary key", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const rows = await scoped
-            .select()
-            .from(tasks)
-            .where(eq(tasks.id, "tk-001"));
-        expect(rows.length).toBe(0);
-    });
+  function expectedCountForUser(userId: string): number {
+    return basicFixtureTasks.filter((t) => t.userId === userId).length;
+  }
 
-    it("scoped UPDATE affects 0 rows for another user's task (policy USING)", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const updated = await scoped
-            .update(tasks)
-            .set({ title: "blocked", updatedAt: new Date() })
-            .where(eq(tasks.id, "tk-001"))
-            .returning();
-        expect(updated.length).toBe(0);
+  it("empty userId matches unauthenticated server contract — no rows visible", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: "",
     });
+    const rows = await scoped.select().from(tasks);
+    expect(rows.length).toBe(0);
+  });
 
-    it("scoped DELETE removes 0 rows for another user's task (policy USING)", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const removed = await scoped.delete(tasks).where(eq(tasks.id, "tk-001")).returning();
-        expect(removed.length).toBe(0);
+  it("authenticated userId sees only own rows (policy USING)", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
     });
+    const rows = await scoped.select().from(tasks);
+    expect(rows.length).toBe(expectedCountForUser(basicUser0Identity.id));
+    expect(rows.every((r) => r.userId === basicUser0Identity.id)).toBe(true);
+  });
 
-    it("nested raw SQL count matches builder select count for same session", async () => {
-        const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-            userId: basicUser0Identity.id,
-        });
-        const fromBuilder = await scoped.select().from(tasks);
-        const raw = await scoped.execute(
-            sql`select count(*)::int as c from ${tasks}`,
-        );
-        const c = (raw as { rows: { c: number }[] }).rows[0]?.c ?? -1;
-        expect(c).toBe(fromBuilder.length);
+  it("createRlsDb sets optional role and tenantId GUCs (readable via execute)", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+      role: "editor",
+      tenantId: "tenant_test",
     });
+    const r = await scoped.execute(
+      sql`select current_setting('app.current_user_role', true) as role,
+                       current_setting('app.tenant_id', true) as tid`,
+    );
+    const row = (r as { rows: { role: string; tid: string }[] }).rows[0];
+    expect(row?.role).toBe("editor");
+    expect(row?.tid).toBe("tenant_test");
+  });
+
+  it("custom vars (validated app.* names) are applied for set_config", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+      vars: { "app.org_slug": "acme" },
+    });
+    const r = await scoped.execute(sql`select current_setting('app.org_slug', true) as slug`);
+    const row = (r as { rows: { slug: string }[] }).rows[0];
+    expect(row?.slug).toBe("acme");
+  });
+
+  it("invalid GUC name in vars throws before executing SQL", async () => {
+    const bad = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+      vars: { "App.invalid": "x" },
+    });
+    await expect(Promise.resolve(bad.select().from(tasks))).rejects.toThrow(/invalid/);
+  });
+
+  it("reserved keys must not appear in vars", async () => {
+    const bad = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+      vars: { "app.current_user_id": "hijack" },
+    });
+    await expect(Promise.resolve(bad.select().from(tasks))).rejects.toThrow(/vars must not set/);
+  });
+
+  it("autocommit path and outer-transaction path return the same RLS-visible counts", async () => {
+    const expected = expectedCountForUser(basicUser0Identity.id);
+
+    const ctxPlain = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const plainCount = (await ctxPlain.db.select().from(tasks)).length;
+    expect(plainCount).toBe(expected);
+
+    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
+      const txCount = (await ctx.db.select().from(tasks)).length;
+      expect(txCount).toBe(expected);
+    });
+  });
+
+  it("createRlsDb(db).transaction() injects session vars — inner selects respect RLS", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+    });
+    await scoped.transaction(async (tx) => {
+      const rows = await tx.select().from(tasks);
+      expect(rows.length).toBe(expectedCountForUser(basicUser0Identity.id));
+    });
+  });
+
+  it("parallel selects on the same ctx.db both see RLS-consistent results", async () => {
+    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
+    const expected = expectedCountForUser(basicUser0Identity.id);
+    const [a, b] = await Promise.all([ctx.db.select().from(tasks), ctx.db.select().from(tasks)]);
+    expect(a.length).toBe(expected);
+    expect(b.length).toBe(expected);
+  });
+
+  it("unsafeDb INSERT without session GUC fails RLS withCheck (non-owner)", async () => {
+    const [row] = fillPartialRowsForInsert(tasks, [
+      {
+        id: "tk-rls-unsafe-insert",
+        title: "should not persist",
+        userId: basicUser0Identity.id,
+        done: false,
+      },
+    ]);
+    await expect(Promise.resolve(db.insert(tasks).values(row))).rejects.toThrow();
+  });
+
+  it("unsafeDb UPDATE touches 0 rows when session GUC is unset", async () => {
+    const updated = await db
+      .update(tasks)
+      .set({ title: "nope", updatedAt: new Date() })
+      .where(eq(tasks.id, "tk-000"))
+      .returning();
+    expect(updated.length).toBe(0);
+  });
+
+  it("scoped INSERT cannot forge another user row (withCheck)", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+    });
+    const [row] = fillPartialRowsForInsert(tasks, [
+      {
+        id: "tk-forge-other",
+        title: "forged",
+        userId: basicUser1Identity.id,
+        done: false,
+      },
+    ]);
+    await expect(Promise.resolve(scoped.insert(tasks).values(row))).rejects.toThrow();
+  });
+
+  it("wrong scoped userId cannot read other user's row by primary key", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+    });
+    const rows = await scoped.select().from(tasks).where(eq(tasks.id, "tk-001"));
+    expect(rows.length).toBe(0);
+  });
+
+  it("scoped UPDATE affects 0 rows for another user's task (policy USING)", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+    });
+    const updated = await scoped
+      .update(tasks)
+      .set({ title: "blocked", updatedAt: new Date() })
+      .where(eq(tasks.id, "tk-001"))
+      .returning();
+    expect(updated.length).toBe(0);
+  });
+
+  it("scoped DELETE removes 0 rows for another user's task (policy USING)", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+    });
+    const removed = await scoped.delete(tasks).where(eq(tasks.id, "tk-001")).returning();
+    expect(removed.length).toBe(0);
+  });
+
+  it("nested raw SQL count matches builder select count for same session", async () => {
+    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
+      userId: basicUser0Identity.id,
+    });
+    const fromBuilder = await scoped.select().from(tasks);
+    const raw = await scoped.execute(sql`select count(*)::int as c from ${tasks}`);
+    const c = (raw as { rows: { c: number }[] }).rows[0]?.c ?? -1;
+    expect(c).toBe(fromBuilder.length);
+  });
 });