@nest-boot/row-level-security 7.0.0

package/dist/utils/row-level-security-context-builder.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RowLevelSecurityContextBuilder = void 0;
+const assert_snake_case_1 = require("./assert-snake-case");
+const escape_sql_literal_1 = require("./escape-sql-literal");
+/** Builds SQL that writes RLS context values into PostgreSQL transaction settings. */
+class RowLevelSecurityContextBuilder {
+    constructor() {
+        this.ctx = new Map();
+        this.namespace = "app";
+    }
+    /** Adds a context key and value, ignoring nullish values. */
+    set(key, value) {
+        (0, assert_snake_case_1.assertSnakeCase)(key, "Row level security context key");
+        if (value === null || value === undefined) {
+            return this;
+        }
+        this.ctx.set(key, String(value));
+        return this;
+    }
+    /** Returns the context entries that will be emitted to SQL. */
+    entries() {
+        return Array.from(this.ctx.entries());
+    }
+    /** Renders a `SELECT set_config(...)` statement for the collected entries. */
+    toSQL() {
+        const statements = this.entries()
+            .map(([key, value]) => {
+            const escapedValue = (0, escape_sql_literal_1.escapeSqlLiteral)(value);
+            return /* SQL */ `set_config('${this.namespace}.${key}', '${escapedValue}', true)`;
+        })
+            .join(",");
+        if (!statements) {
+            return "SELECT 1;";
+        }
+        return /* SQL */ `SELECT ${statements};`;
+    }
+}
+exports.RowLevelSecurityContextBuilder = RowLevelSecurityContextBuilder;
+//# sourceMappingURL=row-level-security-context-builder.js.map

package/dist/utils/row-level-security-context-builder.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-context-builder.js","sourceRoot":"","sources":["../../src/utils/row-level-security-context-builder.ts"],"names":[],"mappings":";;;AAAA,2DAAsD;AACtD,6DAAwD;AAMxD,sFAAsF;AACtF,MAAa,8BAA8B;IAA3C;QACmB,QAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;QAChC,cAAS,GAAG,KAAK,CAAC;IAqCrC,CAAC;IAnCC,6DAA6D;IAC7D,GAAG,CACD,GAAiB,EACjB,KAAmC;QAEnC,IAAA,mCAAe,EAAC,GAAG,EAAE,gCAAgC,CAAC,CAAC;QAEvD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,+DAA+D;IAC/D,OAAO;QACL,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,8EAA8E;IAC9E,KAAK;QACH,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE;aAC9B,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YACpB,MAAM,YAAY,GAAG,IAAA,qCAAgB,EAAC,KAAK,CAAC,CAAC;YAC7C,OAAO,SAAS,CAAC,eAAe,IAAI,CAAC,SAAS,IAAI,GAAG,OAAO,YAAY,UAAU,CAAC;QACrF,CAAC,CAAC;aACD,IAAI,CAAC,GAAG,CAAC,CAAC;QAEb,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,OAAO,SAAS,CAAC,UAAU,UAAU,GAAG,CAAC;IAC3C,CAAC;CACF;AAvCD,wEAuCC"}

package/dist/utils/row-level-security-context-builder.spec.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/row-level-security-context-builder.spec.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const row_level_security_context_builder_1 = require("./row-level-security-context-builder");
+describe("RowLevelSecurityContextBuilder", () => {
+    it("generates transaction-local tenant context SQL", () => {
+        const builder = new row_level_security_context_builder_1.RowLevelSecurityContextBuilder();
+        builder.set("request_id", "1");
+        builder.set("tenant_id", "42");
+        expect(builder.entries()).toEqual([
+            ["request_id", "1"],
+            ["tenant_id", "42"],
+        ]);
+        expect(builder.toSQL()).toBe("SELECT set_config('app.request_id', '1', true),set_config('app.tenant_id', '42', true);");
+    });
+    it("ignores null and undefined values", () => {
+        const builder = new row_level_security_context_builder_1.RowLevelSecurityContextBuilder();
+        builder.set("request_id", undefined);
+        builder.set("tenant_id", null);
+        builder.set("is_enabled", false);
+        expect(builder.entries()).toEqual([["is_enabled", "false"]]);
+        expect(builder.toSQL()).toBe("SELECT set_config('app.is_enabled', 'false', true);");
+    });
+    it("renders no-op SQL when every value is nullish", () => {
+        const builder = new row_level_security_context_builder_1.RowLevelSecurityContextBuilder();
+        builder.set("request_id", undefined);
+        builder.set("tenant_id", null);
+        expect(builder.entries()).toEqual([]);
+        expect(builder.toSQL()).toBe("SELECT 1;");
+    });
+    it("escapes string values for SQL literals", () => {
+        const builder = new row_level_security_context_builder_1.RowLevelSecurityContextBuilder();
+        builder.set("user_name", "O'Connor");
+        expect(builder.toSQL()).toBe("SELECT set_config('app.user_name', 'O''Connor', true);");
+    });
+    it("rejects non snake_case context keys", () => {
+        const builder = new row_level_security_context_builder_1.RowLevelSecurityContextBuilder();
+        expect(() => builder.set("userId", "1")).toThrow("Row level security context key must be snake_case");
+    });
+});
+//# sourceMappingURL=row-level-security-context-builder.spec.js.map

package/dist/utils/row-level-security-context-builder.spec.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-context-builder.spec.js","sourceRoot":"","sources":["../../src/utils/row-level-security-context-builder.spec.ts"],"names":[],"mappings":";;AAAA,6FAAsF;AAEtF,QAAQ,CAAC,gCAAgC,EAAE,GAAG,EAAE;IAC9C,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,OAAO,GAAG,IAAI,mEAA8B,EAAE,CAAC;QAErD,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAE/B,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC;YAChC,CAAC,YAAY,EAAE,GAAG,CAAC;YACnB,CAAC,WAAW,EAAE,IAAI,CAAC;SACpB,CAAC,CAAC;QACH,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAC1B,yFAAyF,CAC1F,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,OAAO,GAAG,IAAI,mEAA8B,EAAE,CAAC;QAErD,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QAEjC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC;QAC7D,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAC1B,qDAAqD,CACtD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,OAAO,GAAG,IAAI,mEAA8B,EAAE,CAAC;QAErD,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAE/B,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,OAAO,GAAG,IAAI,mEAA8B,EAAE,CAAC;QAErD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;QAErC,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,IAAI,CAC1B,wDAAwD,CACzD,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;QAC7C,MAAM,OAAO,GAAG,IAAI,mEAA8B,EAAE,CAAC;QAErD,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,QAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CACvD,mDAAmD,CACpD,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/utils/row-level-security-context-builder.types.d.ts

@@ -0,0 +1,10 @@
+/** Lowercase letters allowed in snake_case context keys. */
+export type LowercaseLetter = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x" | "y" | "z";
+/** Characters allowed in snake_case context keys. */
+export type ValidChar = LowercaseLetter | "_";
+/** Compile-time predicate that checks whether a string contains only valid characters. */
+export type IsValidSnakeCase<S extends string> = S extends `${infer First}${infer Rest}` ? First extends ValidChar ? IsValidSnakeCase<Rest> : false : true;
+/** Compile-time snake_case constraint used by RLS context helpers. */
+export type SnakeCase<S extends string> = S extends "" ? never : S extends `_${string}` | `${string}_` ? never : S extends `${string}__${string}` ? never : IsValidSnakeCase<S> extends true ? S : never;
+/** Values that can be stored in RLS context and converted to PostgreSQL settings. */
+export type RowLevelSecurityContextValue = string | number | boolean | null | undefined;

package/dist/utils/row-level-security-context-builder.types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=row-level-security-context-builder.types.js.map

package/dist/utils/row-level-security-context-builder.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-context-builder.types.js","sourceRoot":"","sources":["../../src/utils/row-level-security-context-builder.types.ts"],"names":[],"mappings":""}

package/dist/utils/row-level-security-options-state.d.ts

@@ -0,0 +1,4 @@
+import { RowLevelSecurityOptions } from "../interfaces/row-level-security-options.interface";
+export declare const rowLevelSecurityOptionsState: {
+    value: RowLevelSecurityOptions;
+};

package/dist/utils/row-level-security-options-state.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rowLevelSecurityOptionsState = void 0;
+const default_row_level_security_options_1 = require("./default-row-level-security-options");
+exports.rowLevelSecurityOptionsState = {
+    value: default_row_level_security_options_1.DEFAULT_ROW_LEVEL_SECURITY_OPTIONS,
+};
+//# sourceMappingURL=row-level-security-options-state.js.map

package/dist/utils/row-level-security-options-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"row-level-security-options-state.js","sourceRoot":"","sources":["../../src/utils/row-level-security-options-state.ts"],"names":[],"mappings":";;;AACA,6FAA0F;AAE7E,QAAA,4BAA4B,GAErC;IACF,KAAK,EAAE,uEAAkC;CAC1C,CAAC"}

package/dist/utils/set-row-level-security-options.d.ts

@@ -0,0 +1,3 @@
+import { RowLevelSecurityOptions } from "../interfaces/row-level-security-options.interface";
+/** Replaces the process-level RLS options used by {@link RowLevelSecurityEntityManager}. */
+export declare function setRowLevelSecurityOptions(options?: RowLevelSecurityOptions): void;

package/dist/utils/set-row-level-security-options.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setRowLevelSecurityOptions = setRowLevelSecurityOptions;
+const default_row_level_security_options_1 = require("./default-row-level-security-options");
+const row_level_security_options_state_1 = require("./row-level-security-options-state");
+/** Replaces the process-level RLS options used by {@link RowLevelSecurityEntityManager}. */
+function setRowLevelSecurityOptions(options = {}) {
+    row_level_security_options_state_1.rowLevelSecurityOptionsState.value = {
+        ...default_row_level_security_options_1.DEFAULT_ROW_LEVEL_SECURITY_OPTIONS,
+        ...options,
+    };
+}
+//# sourceMappingURL=set-row-level-security-options.js.map

package/dist/utils/set-row-level-security-options.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"set-row-level-security-options.js","sourceRoot":"","sources":["../../src/utils/set-row-level-security-options.ts"],"names":[],"mappings":";;AAKA,gEAOC;AAXD,6FAA0F;AAC1F,yFAAkF;AAElF,4FAA4F;AAC5F,SAAgB,0BAA0B,CACxC,UAAmC,EAAE;IAErC,+DAA4B,CAAC,KAAK,GAAG;QACnC,GAAG,uEAAkC;QACrC,GAAG,OAAO;KACX,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,77 @@
+{
+  "name": "@nest-boot/row-level-security",
+  "version": "7.0.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nest-boot/nest-boot.git",
+    "directory": "packages/row-level-security"
+  },
+  "description": "PostgreSQL row level security helpers for Nest Boot applications",
+  "author": {
+    "name": "Xudong Huang",
+    "email": "me@huangxudong.com",
+    "url": "https://www.huangxudong.com/"
+  },
+  "homepage": "",
+  "license": "MIT",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "directories": {
+    "lib": "dist"
+  },
+  "files": [
+    "dist"
+  ],
+  "peerDependencies": {
+    "@mikro-orm/migrations": "^6.0.0",
+    "@mikro-orm/postgresql": "^6.0.0",
+    "@nest-boot/request-context": "^7.4.3",
+    "reflect-metadata": "^0.2.2"
+  },
+  "devDependencies": {
+    "@mikro-orm/core": "6.6.2",
+    "@mikro-orm/migrations": "6.6.2",
+    "@mikro-orm/nestjs": "^6.1.1",
+    "@mikro-orm/postgresql": "6.6.2",
+    "@mikro-orm/reflection": "6.6.2",
+    "@nestjs/common": "^11.1.11",
+    "@nestjs/core": "^11.1.11",
+    "@nestjs/testing": "^11.1.11",
+    "@types/jest": "^29.5.14",
+    "@types/node": "^22.18.6",
+    "dotenv": "^17.2.3",
+    "eslint": "^9.39.3",
+    "jest": "^29.7.0",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.2",
+    "ts-jest": "^29.4.4",
+    "typescript": "^5.9.3",
+    "@nest-boot/eslint-config": "^7.0.3",
+    "@nest-boot/mikro-orm": "^7.4.0",
+    "@nest-boot/request-context": "^7.4.3",
+    "@nest-boot/tsconfig": "^7.0.1",
+    "@nest-boot/eslint-plugin": "^7.0.5"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "lint-staged": {
+    "*.ts": [
+      "prettier --write",
+      "eslint --fix"
+    ]
+  },
+  "volta": {
+    "extends": "../../package.json"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "clean": "rm -rf .turbo && rm -rf node_modules && rm -rf dist",
+    "dev": "tsc -w -p tsconfig.build.json",
+    "lint": "eslint \"{src,test}/**/*.ts\" --fix",
+    "test": "jest",
+    "test:cov": "jest --coverage",
+    "test:watch": "jest --watch",
+    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand"
+  }
+}