@gencow/core 0.1.7 → 0.1.9

package/src/storage.ts

@@ -7,10 +7,14 @@ import * as crypto from "crypto";
 /** 파일 업로드 최대 크기: 50MB (하드코딩 — 사용자가 오버라이드 불가) */
 const MAX_FILE_SIZE = 50 * 1024 * 1024;
 
+/** 기본 스토리지 쿼터: 1GB */
+const DEFAULT_STORAGE_QUOTA = 1024 * 1024 * 1024;
+
 function formatBytes(bytes: number): string {
     if (bytes < 1024) return `${bytes}B`;
     if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)}KB`;
-    return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+    if (bytes < 1024 * 1024 * 1024) return `${(bytes / (1024 * 1024)).toFixed(1)}MB`;
+    return `${(bytes / (1024 * 1024 * 1024)).toFixed(2)}GB`;
 }
 
 // ─── Types ──────────────────────────────────────────────
@@ -23,6 +27,13 @@ interface StorageFile {
     path: string;
 }
 
+export interface StorageOptions {
+    /** Raw SQL 실행 함수 — DB 자동 기록 + 쿼터 검증에 필요 */
+    rawSql?: (sql: string, params?: unknown[]) => Promise<unknown[]>;
+    /** 앱별 스토리지 쿼터 (bytes). 0 = 무제한. 기본: 1GB */
+    storageQuota?: number;
+}
+
 export interface Storage {
     /** Store a file and return a storageId — Convex의 ctx.storage.store() */
     store(file: File | Blob, filename?: string): Promise<string>;
@@ -40,27 +51,120 @@ export interface Storage {
 
 const metaStore = new Map<string, StorageFile>();
 
+/**
+ * files 테이블 자동 생성 (이미 존재하면 무시)
+ * admin.ts의 CREATE_FILES_TABLE_SQL과 동일한 스키마 사용
+ */
+let filesTableEnsured = false;
+
+async function ensureFilesTable(
+    rawSql: (sql: string, params?: unknown[]) => Promise<unknown[]>,
+): Promise<void> {
+    if (filesTableEnsured) return;
+    await rawSql(`
+        DO $$
+        BEGIN
+            IF NOT EXISTS (
+                SELECT 1 FROM information_schema.tables
+                WHERE table_schema = current_schema()
+                AND table_name = 'files'
+            ) THEN
+                CREATE TABLE files (
+                    id SERIAL PRIMARY KEY,
+                    storage_id TEXT NOT NULL,
+                    name TEXT NOT NULL,
+                    size TEXT NOT NULL,
+                    type TEXT NOT NULL DEFAULT 'application/octet-stream',
+                    uploaded_by TEXT DEFAULT 'api',
+                    created_at TIMESTAMP DEFAULT NOW()
+                );
+            END IF;
+        END$$;
+    `);
+    filesTableEnsured = true;
+}
+
+/**
+ * 스토리지 쿼터 검증 — 현재 총 사용량 + 새 파일 크기가 쿼터를 초과하는지 확인
+ */
+async function checkStorageQuota(
+    rawSql: (sql: string, params?: unknown[]) => Promise<unknown[]>,
+    newFileSize: number,
+    quota: number,
+): Promise<void> {
+    if (quota <= 0) return; // 무제한
+
+    const rows = await rawSql(
+        `SELECT COALESCE(SUM(CAST(size AS BIGINT)), 0) AS total FROM files`,
+    );
+    const currentUsage = Number((rows[0] as Record<string, string>)?.total || "0");
+    const projectedUsage = currentUsage + newFileSize;
+
+    if (projectedUsage > quota) {
+        throw new Error(
+            `Storage quota exceeded: ${formatBytes(currentUsage)} used + ${formatBytes(newFileSize)} new = ${formatBytes(projectedUsage)}, ` +
+            `quota is ${formatBytes(quota)}. Delete files or increase quota.`
+        );
+    }
+}
+
+/**
+ * DB에 파일 메타데이터 기록 — store() 호출 시 자동 수행
+ *
+ * 대시보드 업로드(admin.ts)는 uploaded_by='dashboard'로 별도 INSERT하므로,
+ * 여기서는 skipDbRecord 옵션으로 중복 방지 가능.
+ */
+async function recordFileToDb(
+    rawSql: (sql: string, params?: unknown[]) => Promise<unknown[]>,
+    storageId: string,
+    name: string,
+    size: number,
+    type: string,
+    uploadedBy: string = "api",
+): Promise<void> {
+    await ensureFilesTable(rawSql);
+    await rawSql(
+        `INSERT INTO files (storage_id, name, size, type, uploaded_by, created_at)
+         VALUES ($1, $2, $3, $4, $5, NOW())`,
+        [storageId, name, String(size), type, uploadedBy],
+    );
+}
+
 /**
  * Create a storage instance — Convex storage 패턴 재현
  *
+ * @param dir - 파일 저장 디렉토리
+ * @param options - DB 연동 + 쿼터 옵션
+ *
  * @example
- * const storage = createStorage('./uploads');
+ * const storage = createStorage('./uploads', { rawSql, storageQuota: 1024 * 1024 * 1024 });
  * const id = await storage.store(file);
  * const url = storage.getUrl(id);
  */
-export function createStorage(dir: string = "./uploads"): Storage {
+export function createStorage(
+    dir: string = "./uploads",
+    options?: StorageOptions,
+): Storage {
+    const rawSql = options?.rawSql;
+    const quota = options?.storageQuota ?? DEFAULT_STORAGE_QUOTA;
+
     // Ensure directory exists
     fs.mkdir(dir, { recursive: true }).catch(() => { });
 
     return {
         async store(file: File | Blob, filename?: string): Promise<string> {
-            // 크기 제한 검증
+            // 크기 제한 검증 (단일 파일)
             if (file.size > MAX_FILE_SIZE) {
                 throw new Error(
                     `File too large: ${formatBytes(file.size)} exceeds limit of ${formatBytes(MAX_FILE_SIZE)}`
                 );
             }
 
+            // 스토리지 쿼터 검증 (앱 전체 용량)
+            if (rawSql) {
+                await checkStorageQuota(rawSql, file.size, quota);
+            }
+
             const id = crypto.randomUUID();
             const name = filename || (file instanceof File ? file.name : `${id}.bin`);
             const filePath = path.join(dir, id);
@@ -68,14 +172,27 @@ export function createStorage(dir: string = "./uploads"): Storage {
             const arrayBuffer = await file.arrayBuffer();
             await fs.writeFile(filePath, Buffer.from(arrayBuffer));
 
+            const type = file.type || "application/octet-stream";
+
             metaStore.set(id, {
                 id,
                 name,
                 size: file.size,
-                type: file.type || "application/octet-stream",
+                type,
                 path: filePath,
             });
 
+            // DB 자동 기록 (rawSql 있을 때만)
+            if (rawSql) {
+                try {
+                    await recordFileToDb(rawSql, id, name, file.size, type, "api");
+                } catch (e: unknown) {
+                    // DB 기록 실패해도 파일 저장은 성공 — 로그만 남김
+                    const msg = e instanceof Error ? e.message : String(e);
+                    console.warn(`[storage] DB record failed for ${id}: ${msg}`);
+                }
+            }
+
             return id;
         },
 
@@ -84,16 +201,21 @@ export function createStorage(dir: string = "./uploads"): Storage {
             filename: string,
             type: string = "application/octet-stream"
         ): Promise<string> {
-            const id = crypto.randomUUID();
-            const filePath = path.join(dir, id);
-
-            // 크기 제한 검증
+            // 크기 제한 검증 (단일 파일)
             if (buffer.length > MAX_FILE_SIZE) {
                 throw new Error(
                     `File too large: ${formatBytes(buffer.length)} exceeds limit of ${formatBytes(MAX_FILE_SIZE)}`
                 );
             }
 
+            // 스토리지 쿼터 검증 (앱 전체 용량)
+            if (rawSql) {
+                await checkStorageQuota(rawSql, buffer.length, quota);
+            }
+
+            const id = crypto.randomUUID();
+            const filePath = path.join(dir, id);
+
             await fs.writeFile(filePath, buffer);
 
             metaStore.set(id, {
@@ -104,6 +226,16 @@ export function createStorage(dir: string = "./uploads"): Storage {
                 path: filePath,
             });
 
+            // DB 자동 기록
+            if (rawSql) {
+                try {
+                    await recordFileToDb(rawSql, id, filename, buffer.length, type, "api");
+                } catch (e: unknown) {
+                    const msg = e instanceof Error ? e.message : String(e);
+                    console.warn(`[storage] DB record failed for ${id}: ${msg}`);
+                }
+            }
+
             return id;
         },
 
@@ -121,19 +253,32 @@ export function createStorage(dir: string = "./uploads"): Storage {
                 await fs.unlink(meta.path).catch(() => { });
                 metaStore.delete(storageId);
             }
+
+            // DB에서도 삭제 (rawSql 있을 때만)
+            if (rawSql) {
+                try {
+                    await rawSql(
+                        `DELETE FROM files WHERE storage_id = $1`,
+                        [storageId],
+                    );
+                } catch { /* 삭제 실패 무시 — 파일은 이미 제거됨 */ }
+            }
         },
     };
 }
 
 /**
  * Hono routes for serving stored files
+ *
+ * 인증 없이 public URL로 서빙 — Convex getUrl() 패턴과 동일.
+ * 접근 제어는 URL을 반환하는 query/mutation 레벨에서 개발자가 구현.
  */
 export function storageRoutes(
     storage: ReturnType<typeof createStorage>,
-    rawSql?: (sql: string, params?: any[]) => Promise<any[]>,
+    rawSql?: (sql: string, params?: unknown[]) => Promise<unknown[]>,
     storageDir?: string,
 ) {
-    return async (c: any) => {
+    return async (c: { req: { param: (key: string) => string }; json: (data: unknown, status?: number) => Response; body: (data: unknown, status: number, headers: Record<string, string>) => Response }) => {
         const id = c.req.param("id");
         let meta = await storage.getMeta(id);
 
@@ -145,7 +290,7 @@ export function storageRoutes(
                     [id]
                 );
                 if (rows.length > 0) {
-                    const row = rows[0];
+                    const row = rows[0] as Record<string, string>;
                     const dir = storageDir || "./uploads";
                     meta = {
                         id: row.storage_id,

package/src/table.ts

@@ -0,0 +1,165 @@
+/**
+ * packages/core/src/table.ts
+ *
+ * gencowTable() — Drizzle pgTable wrapper with schema-level access control.
+ * Inspired by KeystoneJS's declarative filter pattern.
+ *
+ * Run tests: bun test packages/core/src/__tests__/table.test.ts
+ */
+
+import { pgTable } from "drizzle-orm/pg-core";
+import { eq } from "drizzle-orm";
+import type { GencowCtx } from "./reactive";
+import type { SQL } from "drizzle-orm";
+
+// ─── Types ──────────────────────────────────────────────
+
+/**
+ * Access control filter function.
+ * Returns a Drizzle SQL condition, `true` (allow all), or `false` (deny all).
+ * Can be async (e.g., for team membership lookups).
+ */
+export type AccessFilter = (ctx: GencowCtx) => SQL | boolean | Promise<SQL | boolean>;
+
+/** Field-level access control: per-field read permission. */
+export interface FieldAccessRule {
+    read: (ctx: GencowCtx) => boolean;
+}
+
+/** Options for gencowTable — access control metadata. */
+export interface GencowTableOptions {
+    /** Row-level filter — auto-injected into all queries on this table */
+    filter: AccessFilter;
+    /** Field-level access — unauthorized fields are nullified in results */
+    fieldAccess?: Record<string, FieldAccessRule>;
+}
+
+/** Stored metadata for a gencowTable. */
+export interface TableAccessMeta {
+    filter: AccessFilter;
+    fieldAccess?: Record<string, FieldAccessRule>;
+    tableName: string;
+}
+
+// Internal marker for ownerFilter
+interface OwnerFilterOptions extends GencowTableOptions {
+    _ownerColumn: string;
+}
+
+function isOwnerFilter(opts: GencowTableOptions): opts is OwnerFilterOptions {
+    return "_ownerColumn" in opts;
+}
+
+// ─── Global Registry ────────────────────────────────────
+
+declare global {
+    // eslint-disable-next-line no-var
+    var __gencow_tableAccessRegistry: Map<any, TableAccessMeta>;
+}
+
+if (!globalThis.__gencow_tableAccessRegistry) {
+    globalThis.__gencow_tableAccessRegistry = new Map();
+}
+
+const tableAccessRegistry = globalThis.__gencow_tableAccessRegistry;
+
+// ─── gencowTable() ──────────────────────────────────────
+
+/**
+ * Drizzle pgTable wrapper with schema-level access control.
+ *
+ * Creates a standard Drizzle pgTable (100% compatible) and registers
+ * filter + fieldAccess metadata that ctx.db Proxy uses to auto-inject
+ * WHERE clauses.
+ *
+ * @param name    - PostgreSQL table name
+ * @param columns - Drizzle column definitions (same as pgTable)
+ * @param options - Access control (filter required, fieldAccess optional)
+ */
+export function gencowTable<T extends Record<string, any>>(
+    name: string,
+    columns: T,
+    options: GencowTableOptions,
+): ReturnType<typeof pgTable<string, T>> {
+    if (!options || (typeof options.filter !== "function" && !isOwnerFilter(options))) {
+        throw new Error(
+            `[gencow] gencowTable("${name}") requires a filter option. ` +
+            `Use ownerFilter("userId") for simple user isolation, ` +
+            `or { filter: () => true } for public tables.`
+        );
+    }
+
+    // Create standard Drizzle pgTable — fully compatible
+    const table = pgTable(name, columns);
+
+    // Resolve ownerFilter to a concrete filter bound to this table
+    let filter: AccessFilter;
+    if (isOwnerFilter(options)) {
+        const columnName = options._ownerColumn;
+        const col = (table as any)[columnName];
+        if (!col) {
+            throw new Error(
+                `[gencow] ownerFilter("${columnName}"): column "${columnName}" not found on table "${name}". ` +
+                `Available columns: ${Object.keys(table as any).filter(k => !k.startsWith("_") && !k.startsWith("$")).join(", ")}`
+            );
+        }
+        filter = (ctx: GencowCtx) => {
+            const user = ctx.auth.requireAuth();
+            return eq(col, user.id);
+        };
+    } else {
+        filter = options.filter;
+    }
+
+    // Store access control metadata keyed by the table object reference
+    tableAccessRegistry.set(table, {
+        filter,
+        fieldAccess: options.fieldAccess,
+        tableName: name,
+    });
+
+    return table;
+}
+
+// ─── ownerFilter() helper ───────────────────────────────
+
+/**
+ * Convenience helper for userId-based isolation.
+ *
+ * Usage:
+ *   export const tasks = gencowTable("tasks", { ... }, ownerFilter("userId"));
+ *   export const files = gencowTable("files", { ... }, ownerFilter("ownerId"));
+ *
+ * @param columnName - Name of the user ID column (default: "userId")
+ */
+export function ownerFilter(columnName: string = "userId"): GencowTableOptions {
+    // Return a marker object — gencowTable() resolves this to a concrete filter
+    // by binding to the actual table column at registration time.
+    return {
+        _ownerColumn: columnName,
+        // Placeholder filter — replaced by gencowTable()
+        filter: () => { throw new Error("[gencow] ownerFilter placeholder should not be called directly"); },
+    } as OwnerFilterOptions;
+}
+
+// ─── Lookup ─────────────────────────────────────────────
+
+/** Get access control metadata for a table. Returns undefined for plain pgTable. */
+export function getTableAccessMeta(table: any): TableAccessMeta | undefined {
+    return tableAccessRegistry.get(table);
+}
+
+/** Check if a table has gencowTable metadata registered. */
+export function isGencowTable(table: any): boolean {
+    return tableAccessRegistry.has(table);
+}
+
+/** Get all registered gencowTables (for audit/boot-time checks). */
+export function getAllGencowTables(): Map<any, TableAccessMeta> {
+    return new Map(tableAccessRegistry);
+}
+
+/** Reset registry (for testing only). */
+export function _resetTableRegistry(): void {
+    tableAccessRegistry.clear();
+}