@gencow/core 0.1.27 → 0.1.29

package/src/__tests__/rls-crud-basic.test.ts

@@ -1,317 +0,0 @@
-/**
- * fixtures/basic + PGlite — apply migrations, explicit fixtures, verify tasks.list CRUD handler.
- *
- * Users and tasks: fixed `id` / FK / `done` per row. Any other column omitted from the fixture is
- * filled by drizzle-seed’s same per-type generators as `seed()` (see `fillPartialRowsForInsert`).
- *
- * Migrations run as the PGlite bootstrap user (table owner). We then create `gencow_rls_app` and
- * `SET ROLE` so the session is non-owner → RLS policies apply. `createRlsDb` injects
- * `app.current_user_id` for every query path (including bare `select()` / `execute()`).
- * We rely on `current_setting('app.current_user_id', true)` (missing_ok=true): this avoids
- * missing-GUC errors before `set_config` and keeps PGlite behavior aligned with PostgreSQL.
- *
- * Run: bun test packages/core/src/__tests__/rls-crud-basic.test.ts
- */
-
-import { describe, it, expect, beforeAll, afterAll } from "bun:test";
-import { eq, type InferSelectModel } from "drizzle-orm";
-import { PGlite } from "@electric-sql/pglite";
-import { drizzle } from "drizzle-orm/pglite";
-import { crud } from "../crud.js";
-import { createRlsDb } from "../rls-db.js";
-import { tasks } from "./fixtures/basic/schema.js";
-import {
-  basicFixtureUsers as fixtureUsers,
-  basicFixtureTasks as fixtureTasks,
-  basicUser0Identity as user0Identity,
-  basicUser1Identity as user1Identity,
-  createBasicRlsEnvironment,
-} from "./helpers/basic-rls-fixture.js";
-import {
-  makeTestGencowCtxWithRls,
-  runWithRollbackTestGencowCtxWithRls,
-} from "./helpers/test-gencow-ctx-rls.js";
-
-type TaskRow = InferSelectModel<typeof tasks>;
-type CrudDefs = ReturnType<typeof crud<typeof tasks>>;
-type TaskListResult = { data: TaskRow[]; total: number };
-
-async function createSeededCrudEnv() {
-  const { client, db, taskRows } = await createBasicRlsEnvironment();
-
-  const defs = crud(tasks, {
-    prefix: "fixture_basic_pglite_tasks",
-    searchFields: ["title", "description"],
-    defaultLimit: 50,
-  });
-
-  return { client, db, taskRows, defs };
-}
-
-describe("fixtures/basic + PGlite + CRUD + RLS", () => {
-  let client: PGlite;
-  let db: ReturnType<typeof drizzle>;
-  let seededTaskRows: TaskRow[];
-  let listDef: CrudDefs["list"];
-  let listHandler: (ctx: unknown, args: unknown) => Promise<TaskListResult>;
-  let getHandler: NonNullable<CrudDefs["get"]>["handler"];
-  let createHandler: NonNullable<CrudDefs["create"]>["handler"];
-  let updateHandler: NonNullable<CrudDefs["update"]>["handler"];
-  let removeHandler: NonNullable<CrudDefs["remove"]>["handler"];
-
-  beforeAll(async () => {
-    const env = await createSeededCrudEnv();
-    client = env.client;
-    db = env.db;
-    seededTaskRows = env.taskRows;
-    listDef = env.defs.list;
-    listHandler = env.defs.list!.handler as (ctx: unknown, args: unknown) => Promise<TaskListResult>;
-    getHandler = env.defs.get!.handler as (ctx: unknown, args: unknown) => Promise<TaskRow | null>;
-    createHandler = env.defs.create!.handler as (ctx: unknown, args: unknown) => Promise<TaskRow>;
-    updateHandler = env.defs.update!.handler as (ctx: unknown, args: unknown) => Promise<TaskRow | undefined>;
-    removeHandler = env.defs.remove!.handler as (
-      ctx: unknown,
-      args: unknown,
-    ) => Promise<{ success: boolean }>;
-  });
-
-  afterAll(async () => {
-    try {
-      await client.close();
-    } catch {
-      /* ignore */
-    }
-  });
-
-  it("createRlsDb: bare select() applies RLS without explicit db.transaction", async () => {
-    const scoped = createRlsDb(db as any, {
-      userId: user0Identity.id,
-      role: "user",
-      tenantId: "tenant_fixture",
-      vars: { "app.note": "ok" },
-    });
-    const otherUserRows = await scoped.select().from(tasks).where(eq(tasks.userId, fixtureUsers[1].id));
-    expect(otherUserRows.length).toBe(0);
-
-    const ownRows = await scoped.select().from(tasks).where(eq(tasks.userId, user0Identity.id));
-    expect(ownRows.length).toBe(seededTaskRows.filter((r) => r.userId === user0Identity.id).length);
-  });
-
-  it("tasks.list returns only the current user (us_000) rows per RLS and total matches", async () => {
-    expect(listDef).toBeDefined();
-
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const listResult = await listHandler(ctx, {});
-
-      const expected = seededTaskRows.filter((r) => r.userId === fixtureUsers[0].id);
-
-      expect(listResult).toHaveProperty("data");
-      expect(listResult).toHaveProperty("total");
-      expect(listResult.total).toBe(expected.length);
-
-      const rows = listResult.data;
-
-      const byId = new Map(rows.map((r) => [r.id, r]));
-      expect(byId.size).toBe(expected.length);
-
-      for (const seeded of expected) {
-        const row = byId.get(seeded.id);
-        expect(row).toBeDefined();
-        expect(row!.id).toBe(seeded.id);
-        expect(row!.userId).toBe(seeded.userId);
-        expect(row!.done).toBe(seeded.done);
-        expect(row!.title).toBe(seeded.title);
-      }
-    });
-  });
-
-  it("search parameter applies to title/description ilike search", async () => {
-    expect(listDef).toBeDefined();
-
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const sharedSubstring = "Project Alpha";
-      const expectedForUser0 = seededTaskRows.filter(
-        (r) => r.userId === user0Identity.id && r.title.toLowerCase().includes(sharedSubstring.toLowerCase()),
-      );
-      expect(expectedForUser0.length).toBe(2);
-
-      const result = await listHandler(ctx, { search: sharedSubstring });
-      const rows = result.data;
-      expect(rows.length).toBe(expectedForUser0.length);
-
-      const byId = new Map(rows.map((r) => [r.id, r]));
-      for (const seeded of expectedForUser0) {
-        expect(byId.get(seeded.id)?.title).toBe(seeded.title);
-      }
-    });
-  });
-
-  it("tasks.get succeeds when current user reads own task", async () => {
-    const ownTaskId = "tk-003";
-
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const task = await getHandler(ctx, { id: ownTaskId });
-
-      expect(task).toBeDefined();
-      expect(task?.id).toBe(ownTaskId);
-      expect(task?.userId).toBe(user0Identity.id);
-    });
-  });
-
-  it("tasks.get fails when current user tries to read another user's task", async () => {
-    const user1TaskId = "tk-001";
-
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const task = await getHandler(ctx, { id: user1TaskId });
-      expect(task).toBeNull();
-    });
-  });
-
-  it("tasks.update succeeds when updating a task owned by current user", async () => {
-    const ownTaskId = "tk-000";
-    const updatedTitle = "Project Alpha — updated by owner";
-    const updatedDone = true;
-
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (ctx) => {
-      const before = await getHandler(ctx, {
-        id: ownTaskId,
-      });
-      expect(before?.title).not.toBe(updatedTitle);
-      expect(before?.done).not.toBe(updatedDone);
-
-      const updated = await updateHandler(ctx, {
-        id: ownTaskId,
-        title: updatedTitle,
-        done: updatedDone,
-      });
-
-      expect(updated).toBeDefined();
-      expect(updated?.id).toBe(ownTaskId);
-      expect(updated?.userId).toBe(user0Identity.id);
-      expect(updated?.title).toBe(updatedTitle);
-      expect(updated?.done).toBe(updatedDone);
-
-      const fetched = await getHandler(ctx, {
-        id: ownTaskId,
-      });
-      expect(fetched?.id).toBe(ownTaskId);
-      expect(fetched?.title).toBe(updatedTitle);
-      expect(fetched?.done).toBe(updatedDone);
-    });
-  });
-
-  it("tasks.create succeeds when creating a task with current userId", async () => {
-    const ownTaskId = "tk-own-create";
-    const ownTaskTitle = "Project Delta — created by owner";
-
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (user0Ctx) => {
-      const created = await createHandler(user0Ctx, {
-        id: ownTaskId,
-        userId: user0Identity.id,
-        title: ownTaskTitle,
-        done: false,
-      });
-
-      expect(created).toBeDefined();
-      expect(created.id).toBe(ownTaskId);
-      expect(created.userId).toBe(user0Identity.id);
-      expect(created.title).toBe(ownTaskTitle);
-      expect(created.done).toBe(false);
-
-      const fetched = await getHandler(user0Ctx, {
-        id: ownTaskId,
-      });
-      expect(fetched).toBeDefined();
-      expect(fetched?.id).toBe(ownTaskId);
-      expect(fetched?.userId).toBe(user0Identity.id);
-    });
-  });
-
-  it("tasks.create fails when current user tries to create with another userId", async () => {
-    const unauthorizedTaskId = "tk-other-user-create";
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (user0Ctx) => {
-      let thrown: unknown;
-      try {
-        await createHandler(user0Ctx, {
-          id: unauthorizedTaskId,
-          userId: user1Identity.id,
-          title: "Unauthorized create attempt",
-          done: false,
-        });
-      } catch (e) {
-        thrown = e;
-      }
-      expect(thrown).toBeInstanceOf(Error);
-
-      const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
-      const after = await getHandler(user1Ctx, { id: unauthorizedTaskId });
-      expect(after).toBeNull();
-    });
-  });
-
-  it("tasks.update fails when current user tries to update user1 task", async () => {
-    const user1TaskId = "tk-001";
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (user0Ctx) => {
-      const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
-
-      const before = await getHandler(user1Ctx, {
-        id: user1TaskId,
-      });
-      expect(before).toBeDefined();
-      const beforeTitle = before?.title;
-      const beforeDone = before?.done ?? false;
-
-      const unauthorizedUpdate = await updateHandler(user0Ctx, {
-        id: user1TaskId,
-        title: "Unauthorized update attempt",
-        done: !beforeDone,
-      });
-
-      expect(unauthorizedUpdate).toBeUndefined();
-
-      const after = await getHandler(user1Ctx, {
-        id: user1TaskId,
-      });
-      expect(after).toBeDefined();
-      expect(after?.title).toBe(beforeTitle);
-      expect(after?.done).toBe(beforeDone);
-    });
-  });
-
-  it("tasks.remove succeeds when deleting a task owned by current user", async () => {
-    const ownTaskId = "tk-002";
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (user0Ctx) => {
-      const before = await getHandler(user0Ctx, { id: ownTaskId });
-      expect(before).toBeDefined();
-
-      const removeResult = await removeHandler(user0Ctx, {
-        id: ownTaskId,
-      });
-      expect(removeResult.success).toBe(true);
-
-      const after = await getHandler(user0Ctx, { id: ownTaskId });
-      expect(after).toBeNull();
-    });
-  });
-
-  it("tasks.remove cannot delete a task owned by another user", async () => {
-    const user1TaskId = "tk-004";
-    await runWithRollbackTestGencowCtxWithRls(db, user0Identity, async (user0Ctx) => {
-      const user1Ctx = makeTestGencowCtxWithRls(user0Ctx.unsafeDb as any, user1Identity);
-
-      const before = await getHandler(user1Ctx, { id: user1TaskId });
-      expect(before).toBeDefined();
-
-      const removeResult = await removeHandler(user0Ctx, {
-        id: user1TaskId,
-      });
-      expect(removeResult.success).toBe(true);
-
-      const after = await getHandler(user1Ctx, {
-        id: user1TaskId,
-      });
-      expect(after).toBeDefined();
-      expect(after?.id).toBe(user1TaskId);
-    });
-  });
-});

package/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts

@@ -1,117 +0,0 @@
-/**
- * `news` has **no** `ownerRls()` and **no** PostgreSQL RLS (`fixtures/basic/migrations/0001_news.sql`).
- * `crud(news, { public: true })` keeps legacy behavior: no Layer-1 owner filter on list/get/update/remove.
- *
- * Complements mock-based `crud-owner-rls.test.ts` (“하위호환”) with PGlite + non-owner session.
- *
- * Run: bun test packages/core/src/__tests__/rls-crud-no-owner-rls-pglite.test.ts
- */
-
-import { describe, it, expect, beforeAll, afterAll } from "bun:test";
-
-import { crud } from "../crud.js";
-import { createRlsDb } from "../rls-db.js";
-import { news } from "./fixtures/basic/schema.js";
-import {
-  assertTableRowLevelSecurityDisabled,
-  basicUser0Identity,
-  basicUser1Identity,
-  createBasicRlsEnvironment,
-} from "./helpers/basic-rls-fixture.js";
-import {
-  makeTestGencowCtxWithRls,
-  runWithRollbackTestGencowCtxWithRls,
-} from "./helpers/test-gencow-ctx-rls.js";
-
-describe("crud + PGlite: news without ownerRls, public crud", () => {
-  let client: import("@electric-sql/pglite").PGlite;
-  let db: ReturnType<typeof import("drizzle-orm/pglite").drizzle>;
-  let listHandler: (ctx: unknown, args: unknown) => Promise<{ data: unknown[]; total: number }>;
-  let getHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
-  let createHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
-  let updateHandler: (ctx: unknown, args: unknown) => Promise<unknown>;
-  let removeHandler: (ctx: unknown, args: unknown) => Promise<{ success: boolean }>;
-
-  beforeAll(async () => {
-    const env = await createBasicRlsEnvironment();
-    client = env.client;
-    db = env.db;
-
-    const defs = crud(news, {
-      prefix: "fixture_basic_news",
-      public: true,
-      defaultLimit: 50,
-    });
-    listHandler = defs.list!.handler as typeof listHandler;
-    getHandler = defs.get!.handler as typeof getHandler;
-    createHandler = defs.create!.handler as typeof createHandler;
-    updateHandler = defs.update!.handler as typeof updateHandler;
-    removeHandler = defs.remove!.handler as typeof removeHandler;
-  });
-
-  afterAll(async () => {
-    try {
-      await client.close();
-    } catch {
-      /* ignore */
-    }
-  });
-
-  it("list: authenticated user sees all rows (no owner filter)", async () => {
-    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-    const result = await listHandler(ctx, {});
-    expect(result.total).toBe(2);
-    expect(result.data).toHaveLength(2);
-    const ids = new Set(result.data.map((r: any) => r.id));
-    expect(ids.has("nw-000")).toBe(true);
-    expect(ids.has("nw-001")).toBe(true);
-  });
-
-  it("get: can read another user row by id (no owner filter)", async () => {
-    const ctx = makeTestGencowCtxWithRls(db, basicUser0Identity);
-    const row = await getHandler(ctx, { id: "nw-001" });
-    expect(row).not.toBeNull();
-    expect((row as any).userId).toBe(basicUser1Identity.id);
-  });
-
-  it("createRlsDb + bare select: no DB policies — still full table visibility", async () => {
-    const scoped = createRlsDb(db as Parameters<typeof createRlsDb>[0], {
-      userId: basicUser0Identity.id,
-    });
-    const rows = await scoped.select().from(news);
-    expect(rows.length).toBe(2);
-  });
-
-  it("create: with public crud, pass userId explicitly (no auth-based auto-inject)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const created = await createHandler(ctx, {
-        id: "nw-created",
-        title: "new row",
-        userId: basicUser0Identity.id,
-      });
-      expect((created as any).userId).toBe(basicUser0Identity.id);
-    });
-  });
-
-  it("update: can change another user row by id (no owner WHERE)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const updated = await updateHandler(ctx, {
-        id: "nw-001",
-        title: "touched by user0",
-      });
-      expect((updated as any).title).toBe("touched by user0");
-    });
-  });
-
-  it("remove: can delete another user row by id (no owner WHERE)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      await removeHandler(ctx, { id: "nw-001" });
-      const after = await getHandler(ctx, { id: "nw-001" });
-      expect(after).toBeNull();
-    });
-  });
-
-  it("pg_catalog: news has row security disabled", async () => {
-    await assertTableRowLevelSecurityDisabled(db, news);
-  });
-});

package/src/__tests__/rls-custom-mutation-handlers.test.ts

@@ -1,142 +0,0 @@
-/**
- * Custom **mutation** handlers (not `crud()` factory) that use `ctx.db` must respect RLS
- * (update/delete/insert withCheck).
- *
- * Run: bun test packages/core/src/__tests__/rls-custom-mutation-handlers.test.ts
- */
-
-import { describe, it, expect, beforeAll, afterAll } from "bun:test";
-import { eq } from "drizzle-orm";
-import { PGlite } from "@electric-sql/pglite";
-import { drizzle } from "drizzle-orm/pglite";
-
-import type { GencowCtx } from "../reactive.js";
-import { tasks } from "./fixtures/basic/schema.js";
-import {
-  basicFixtureUsers,
-  basicUser0Identity,
-  basicUser1Identity,
-  createBasicRlsEnvironment,
-} from "./helpers/basic-rls-fixture.js";
-import { fillPartialRowsForInsert } from "./helpers/seed-like-fill.js";
-import {
-  makeTestGencowCtxWithRls,
-  runWithRollbackTestGencowCtxWithRls,
-} from "./helpers/test-gencow-ctx-rls.js";
-
-/** User-defined mutation: update title by task id. */
-async function customMutationUpdateTitle(ctx: GencowCtx, taskId: string, title: string) {
-  return ctx.db.update(tasks).set({ title, updatedAt: new Date() }).where(eq(tasks.id, taskId)).returning();
-}
-
-/** User-defined mutation: delete by id. */
-async function customMutationDeleteById(ctx: GencowCtx, taskId: string) {
-  return ctx.db.delete(tasks).where(eq(tasks.id, taskId)).returning();
-}
-
-/** User-defined mutation: insert a new task for the current user (caller supplies logical fields). */
-async function customMutationInsertTask(
-  ctx: GencowCtx,
-  values: { id: string; title: string; userId: string; done?: boolean },
-) {
-  const [row] = fillPartialRowsForInsert(tasks, [
-    {
-      id: values.id,
-      title: values.title,
-      userId: values.userId,
-      done: values.done ?? false,
-    },
-  ]);
-  return ctx.db.insert(tasks).values(row).returning();
-}
-
-describe("Custom mutation handlers + ctx.db + RLS", () => {
-  let client: PGlite;
-  let db: ReturnType<typeof drizzle>;
-
-  beforeAll(async () => {
-    const env = await createBasicRlsEnvironment();
-    client = env.client;
-    db = env.db;
-  });
-
-  afterAll(async () => {
-    try {
-      await client.close();
-    } catch {
-      /* ignore */
-    }
-  });
-
-  it("custom update: can change own task", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const updated = await customMutationUpdateTitle(ctx, "tk-003", "Updated by custom handler");
-      expect(updated.length).toBe(1);
-      expect(updated[0]!.title).toBe("Updated by custom handler");
-    });
-  });
-
-  it("custom update: cannot modify another user's task (0 rows)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const updated = await customMutationUpdateTitle(ctx, "tk-001", "Should not apply");
-      expect(updated.length).toBe(0);
-    });
-  });
-
-  it("custom delete: can remove own task", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const removed = await customMutationDeleteById(ctx, "tk-000");
-      expect(removed.length).toBe(1);
-    });
-  });
-
-  it("custom delete: cannot remove another user's task (0 rows)", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const removed = await customMutationDeleteById(ctx, "tk-004");
-      expect(removed.length).toBe(0);
-    });
-  });
-
-  it("custom insert: succeeds when userId matches session", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const inserted = await customMutationInsertTask(ctx, {
-        id: "tk-custom-own",
-        title: "Custom insert OK",
-        userId: basicUser0Identity.id,
-      });
-      expect(inserted.length).toBe(1);
-      expect(inserted[0]!.userId).toBe(basicUser0Identity.id);
-    });
-  });
-
-  it("custom insert: forged userId (another user) violates RLS withCheck", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      let thrown: unknown;
-      try {
-        await customMutationInsertTask(ctx, {
-          id: "tk-custom-forge",
-          title: "Forged owner",
-          userId: basicFixtureUsers[1].id,
-        });
-      } catch (e) {
-        thrown = e;
-      }
-      expect(thrown).toBeInstanceOf(Error);
-    });
-  });
-
-  it("nested db.transaction in custom handler still applies RLS on inner selects", async () => {
-    await runWithRollbackTestGencowCtxWithRls(db, basicUser0Identity, async (ctx) => {
-      const inner = await ctx.db.transaction(async (tx: typeof ctx.db) => {
-        return tx.select().from(tasks).where(eq(tasks.userId, basicFixtureUsers[1].id));
-      });
-      expect(inner.length).toBe(0);
-    });
-  });
-
-  it("direct ctx.db without outer rollback wrapper: mutation still RLS-scoped", async () => {
-    const ctx = makeTestGencowCtxWithRls(db, basicUser1Identity);
-    const updated = await customMutationUpdateTitle(ctx, "tk-000", "hax");
-    expect(updated.length).toBe(0);
-  });
-});