@nextblock-cms/db 0.2.6 → 0.2.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nextblock-cms/db",
-  "version": "0.2.6",
+  "version": "0.2.8",
   "main": "index.cjs.js",
   "module": "index.es.js",
   "types": "index.d.ts",
@@ -16,5 +16,15 @@
       "default": "./server.es.js"
     },
     "./package.json": "./package.json"
-  }
-}
+  },
+  "files": [
+    "dist",
+    "supabase",
+    "supabase/**",
+    "*.js",
+    "*.cjs.js",
+    "*.es.js",
+    "*.mjs",
+    "*.d.ts"
+  ]
+}

package/supabase/config.toml

@@ -0,0 +1,319 @@
+# For detailed configuration reference documentation, visit:
+# https://supabase.com/docs/guides/local-development/cli/config
+# A string used to distinguish different Supabase projects on the same host. Defaults to the
+# working directory name when running `supabase init`.
+project_id = "env(SUPABASE_PROJECT_ID)"
+
+[api]
+enabled = true
+# Port to use for the API URL.
+port = 54321
+# Schemas to expose in your API. Tables, views and stored procedures in this schema will get API
+# endpoints. `public` and `graphql_public` schemas are included by default.
+schemas = ["public", "graphql_public"]
+# Extra schemas to add to the search_path of every request.
+extra_search_path = ["public", "extensions"]
+# The maximum number of rows returns from a view, table, or stored procedure. Limits payload size
+# for accidental or malicious requests.
+max_rows = 1000
+
+[api.tls]
+# Enable HTTPS endpoints locally using a self-signed certificate.
+enabled = false
+
+[db]
+# Port to use for the local database URL.
+port = 54322
+# Port used by db diff command to initialize the shadow database.
+shadow_port = 54320
+# The database major version to use. This has to be the same as your remote database's. Run `SHOW
+# server_version;` on the remote database to check.
+major_version = 17
+
+[db.pooler]
+enabled = false
+# Port to use for the local connection pooler.
+port = 54329
+# Specifies when a server connection can be reused by other clients.
+# Configure one of the supported pooler modes: `transaction`, `session`.
+pool_mode = "transaction"
+# How many server connections to allow per user/database pair.
+default_pool_size = 20
+# Maximum number of client connections allowed.
+max_client_conn = 100
+
+# [db.vault]
+# secret_key = "env(SECRET_VALUE)"
+
+[db.migrations]
+# Specifies an ordered list of schema files that describe your database.
+# Supports glob patterns relative to supabase directory: "./schemas/*.sql"
+schema_paths = []
+
+[db.seed]
+# If enabled, seeds the database after migrations during a db reset.
+enabled = true
+# Specifies an ordered list of seed files to load during db reset.
+# Supports glob patterns relative to supabase directory: "./seeds/*.sql"
+sql_paths = ["./seed.sql"]
+
+[realtime]
+enabled = true
+# Bind realtime via either IPv4 or IPv6. (default: IPv4)
+# ip_version = "IPv6"
+# The maximum length in bytes of HTTP request headers. (default: 4096)
+# max_header_length = 4096
+
+[studio]
+enabled = true
+# Port to use for Supabase Studio.
+port = 54323
+# External URL of the API server that frontend connects to.
+api_url = "http://127.0.0.1"
+# OpenAI API Key to use for Supabase AI in the Supabase Studio.
+openai_api_key = "env(OPENAI_API_KEY)"
+
+# Email testing server. Emails sent with the local dev setup are not actually sent - rather, they
+# are monitored, and you can view the emails that would have been sent from the web interface.
+[inbucket]
+enabled = true
+# Port to use for the email testing server web interface.
+port = 54324
+# Uncomment to expose additional ports for testing user applications that send emails.
+# smtp_port = 54325
+# pop3_port = 54326
+# admin_email = "admin@email.com"
+# sender_name = "Admin"
+
+[storage]
+enabled = true
+# The maximum file size allowed (e.g. "5MB", "500KB").
+file_size_limit = "50MiB"
+
+# Image transformation API is available to Supabase Pro plan.
+# [storage.image_transformation]
+# enabled = true
+
+# Uncomment to configure local storage buckets
+# [storage.buckets.images]
+# public = false
+# file_size_limit = "50MiB"
+# allowed_mime_types = ["image/png", "image/jpeg"]
+# objects_path = "./images"
+
+[auth]
+enabled = true
+# The base URL of your website. Used as an allow-list for redirects and for constructing URLs used
+# in emails.
+site_url = "http://localhost:3000"
+# A list of *exact* URLs that auth providers are permitted to redirect to post authentication.
+additional_redirect_urls = []
+# How long tokens are valid for, in seconds. Defaults to 3600 (1 hour), maximum 604,800 (1 week).
+jwt_expiry = 3600
+# If disabled, the refresh token will never expire.
+enable_refresh_token_rotation = true
+# Allows refresh tokens to be reused after expiry, up to the specified interval in seconds.
+# Requires enable_refresh_token_rotation = true.
+refresh_token_reuse_interval = 10
+# Allow/disallow new user signups to your project.
+enable_signup = true
+# Allow/disallow anonymous sign-ins to your project.
+enable_anonymous_sign_ins = false
+# Allow/disallow testing manual linking of accounts
+enable_manual_linking = false
+# Passwords shorter than this value will be rejected as weak. Minimum 6, recommended 8 or more.
+minimum_password_length = 6
+# Passwords that do not meet the following requirements will be rejected as weak. Supported values
+# are: `letters_digits`, `lower_upper_letters_digits`, `lower_upper_letters_digits_symbols`
+password_requirements = ""
+
+[auth.rate_limit]
+# Number of emails that can be sent per hour. Requires auth.email.smtp to be enabled.
+email_sent = 2
+# Number of SMS messages that can be sent per hour. Requires auth.sms to be enabled.
+sms_sent = 30
+# Number of anonymous sign-ins that can be made per hour per IP address. Requires enable_anonymous_sign_ins = true.
+anonymous_users = 30
+# Number of sessions that can be refreshed in a 5 minute interval per IP address.
+token_refresh = 150
+# Number of sign up and sign-in requests that can be made in a 5 minute interval per IP address (excludes anonymous users).
+sign_in_sign_ups = 30
+# Number of OTP / Magic link verifications that can be made in a 5 minute interval per IP address.
+token_verifications = 30
+
+# Configure one of the supported captcha providers: `hcaptcha`, `turnstile`.
+# [auth.captcha]
+# enabled = true
+# provider = "hcaptcha"
+# secret = ""
+
+[auth.email]
+# Allow/disallow new user signups via email to your project.
+enable_signup = true
+# If enabled, a user will be required to confirm any email change on both the old, and new email
+# addresses. If disabled, only the new email is required to confirm.
+double_confirm_changes = true
+# If enabled, users need to confirm their email address before signing in.
+enable_confirmations = true
+# If enabled, users will need to reauthenticate or have logged in recently to change their password.
+secure_password_change = false
+# Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email.
+max_frequency = "1m0s"
+# Number of characters used in the email OTP.
+otp_length = 6
+# Number of seconds before the email OTP expires (defaults to 1 hour).
+otp_expiry = 3600
+
+# Use a production-ready SMTP server
+# [auth.email.smtp]
+# enabled = true
+# host = "smtp.sendgrid.net"
+# port = 587
+# user = "apikey"
+# pass = "env(SENDGRID_API_KEY)"
+# admin_email = "admin@email.com"
+# sender_name = "Admin"
+
+# Uncomment to customize email template
+# [auth.email.template.invite]
+# subject = "You have been invited"
+# content_path = "./supabase/templates/invite.html"
+
+[auth.sms]
+# Allow/disallow new user signups via SMS to your project.
+enable_signup = false
+# If enabled, users need to confirm their phone number before signing in.
+enable_confirmations = false
+# Template for sending OTP to users
+template = "Your code is {{ .Code }}"
+# Controls the minimum amount of time that must pass before sending another sms otp.
+max_frequency = "5s"
+
+# Use pre-defined map of phone number to OTP for testing.
+# [auth.sms.test_otp]
+# 4152127777 = "123456"
+
+# Configure logged in session timeouts.
+# [auth.sessions]
+# Force log out after the specified duration.
+# timebox = "24h"
+# Force log out if the user has been inactive longer than the specified duration.
+# inactivity_timeout = "8h"
+
+# This hook runs before a token is issued and allows you to add additional claims based on the authentication method used.
+# [auth.hook.custom_access_token]
+# enabled = true
+# uri = "pg-functions://<database>/<schema>/<hook_name>"
+
+# Configure one of the supported SMS providers: `twilio`, `twilio_verify`, `messagebird`, `textlocal`, `vonage`.
+[auth.sms.twilio]
+enabled = false
+account_sid = ""
+message_service_sid = ""
+# DO NOT commit your Twilio auth token to git. Use environment variable substitution instead:
+auth_token = "env(SUPABASE_AUTH_SMS_TWILIO_AUTH_TOKEN)"
+
+# Multi-factor-authentication is available to Supabase Pro plan.
+[auth.mfa]
+# Control how many MFA factors can be enrolled at once per user.
+max_enrolled_factors = 10
+
+# Control MFA via App Authenticator (TOTP)
+[auth.mfa.totp]
+enroll_enabled = false
+verify_enabled = false
+
+# Configure MFA via Phone Messaging
+[auth.mfa.phone]
+enroll_enabled = false
+verify_enabled = false
+otp_length = 6
+template = "Your code is {{ .Code }}"
+max_frequency = "5s"
+
+# Configure MFA via WebAuthn
+# [auth.mfa.web_authn]
+# enroll_enabled = true
+# verify_enabled = true
+
+# Use an external OAuth provider. The full list of providers are: `apple`, `azure`, `bitbucket`,
+# `discord`, `facebook`, `github`, `gitlab`, `google`, `keycloak`, `linkedin_oidc`, `notion`, `twitch`,
+# `twitter`, `slack`, `spotify`, `workos`, `zoom`.
+[auth.external.apple]
+enabled = false
+client_id = ""
+# DO NOT commit your OAuth provider secret to git. Use environment variable substitution instead:
+secret = "env(SUPABASE_AUTH_EXTERNAL_APPLE_SECRET)"
+# Overrides the default auth redirectUrl.
+redirect_uri = ""
+# Overrides the default auth provider URL. Used to support self-hosted gitlab, single-tenant Azure,
+# or any other third-party OIDC providers.
+url = ""
+# If enabled, the nonce check will be skipped. Required for local sign in with Google auth.
+skip_nonce_check = false
+
+# Use Firebase Auth as a third-party provider alongside Supabase Auth.
+[auth.third_party.firebase]
+enabled = false
+# project_id = "my-firebase-project"
+
+# Use Auth0 as a third-party provider alongside Supabase Auth.
+[auth.third_party.auth0]
+enabled = false
+# tenant = "my-auth0-tenant"
+# tenant_region = "us"
+
+# Use AWS Cognito (Amplify) as a third-party provider alongside Supabase Auth.
+[auth.third_party.aws_cognito]
+enabled = false
+# user_pool_id = "my-user-pool-id"
+# user_pool_region = "us-east-1"
+
+# Use Clerk as a third-party provider alongside Supabase Auth.
+[auth.third_party.clerk]
+enabled = false
+# Obtain from https://clerk.com/setup/supabase
+# domain = "example.clerk.accounts.dev"
+
+[edge_runtime]
+enabled = true
+# Configure one of the supported request policies: `oneshot`, `per_worker`.
+# Use `oneshot` for hot reload, or `per_worker` for load testing.
+policy = "oneshot"
+# Port to attach the Chrome inspector for debugging edge functions.
+inspector_port = 8083
+# The Deno major version to use.
+deno_version = 1
+
+# [edge_runtime.secrets]
+# secret_key = "env(SECRET_VALUE)"
+
+[analytics]
+enabled = true
+port = 54327
+# Configure one of the supported backends: `postgres`, `bigquery`.
+backend = "postgres"
+
+# Experimental features may be deprecated any time
+[experimental]
+# Configures Postgres storage engine to use OrioleDB (S3)
+orioledb_version = ""
+# Configures S3 bucket URL, eg. <bucket_name>.s3-<region>.amazonaws.com
+s3_host = "env(S3_HOST)"
+# Configures S3 bucket region, eg. us-east-1
+s3_region = "env(S3_REGION)"
+# Configures AWS_ACCESS_KEY_ID for S3 bucket
+s3_access_key = "env(S3_ACCESS_KEY)"
+# Configures AWS_SECRET_ACCESS_KEY for S3 bucket
+s3_secret_key = "env(S3_SECRET_KEY)"
+
+[functions.on-content-change-revalidate]
+enabled = true
+verify_jwt = true
+import_map = "./functions/on-content-change-revalidate/deno.json"
+# Uncomment to specify a custom file path to the entrypoint.
+# Supported file extensions are: .ts, .js, .mjs, .jsx, .tsx
+entrypoint = "./functions/on-content-change-revalidate/index.ts"
+# Specifies static files to be bundled with the function. Supports glob patterns.
+# For example, if you want to serve static HTML pages in your function:
+# static_files = [ "./functions/on-content-change-revalidate/*.html" ]

package/supabase/migrations/20250513194738_setup_roles_and_profiles.sql

@@ -0,0 +1,41 @@
+-- lowercase sql
+
+-- 1. create the user_role enum type
+create type public.user_role as enum ('ADMIN', 'WRITER', 'USER');
+
+-- 2. create the profiles table
+create table public.profiles (
+  id uuid not null primary key, -- references auth.users(id)
+  updated_at timestamp with time zone,
+  username text unique,
+  full_name text,
+  avatar_url text,
+  website text,
+  role public.user_role not null default 'USER',
+
+  constraint username_length check (char_length(username) >= 3)
+);
+
+-- 3. set up foreign key from profiles.id to auth.users.id
+alter table public.profiles
+  add constraint profiles_id_fkey
+  foreign key (id)
+  references auth.users (id)
+  on delete cascade; -- if a user is deleted, their profile is also deleted
+
+-- 4. (optional) add some sample inserts for roles if needed directly, though roles are part of the enum.
+-- users will get roles assigned. an admin user might need to be set manually or via seed.
+-- example: update a specific user to be an admin after they sign up.
+-- update public.profiles set role = 'ADMIN' where id = 'user_id_of_admin';
+
+-- 5. (optional) seed an initial admin user if you know their auth.users.id
+-- this requires the user to exist in auth.users first.
+-- insert into public.profiles (id, username, full_name, role)
+-- values ('<some-auth-user-id>', 'admin_user', 'Admin User', 'ADMIN')
+-- on conflict (id) do update set role = 'ADMIN';
+-- note: the trigger in the next migration is preferred for new users.
+-- this manual insert/update is for bootstrapping your first admin.
+
+comment on table public.profiles is 'profile information for each user, extending auth.users.';
+comment on column public.profiles.id is 'references auth.users.id';
+comment on column public.profiles.role is 'user role for rbac.';

package/supabase/migrations/20250513194910_auto_create_profile_trigger.sql

@@ -0,0 +1,48 @@
+-- This function is triggered when a new user signs up in auth.users
+-- It creates a corresponding profile in public.profiles
+-- and assigns 'ADMIN' to the first user, then 'USER' thereafter, using a KV flag in site_settings.
+
+CREATE OR REPLACE FUNCTION public.handle_new_user()
+RETURNS TRIGGER
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = 'public'
+AS $$
+DECLARE
+  admin_flag_set BOOLEAN := FALSE;
+  user_role TEXT;
+BEGIN
+  -- Ensure the admin flag row exists
+  INSERT INTO public.site_settings (key, value)
+  VALUES ('is_admin_created', 'false'::jsonb)
+  ON CONFLICT (key) DO NOTHING;
+
+  -- Lock and read the flag
+  SELECT COALESCE((value)::jsonb::boolean, FALSE)
+  INTO admin_flag_set
+  FROM public.site_settings
+  WHERE key = 'is_admin_created'
+  FOR UPDATE;
+
+  IF admin_flag_set = FALSE THEN
+    user_role := 'ADMIN';
+    UPDATE public.site_settings
+    SET value = 'true'::jsonb
+    WHERE key = 'is_admin_created';
+  ELSE
+    user_role := 'USER';
+  END IF;
+
+  INSERT INTO public.profiles (id, role)
+  VALUES (NEW.id, user_role);
+  
+  RETURN NEW;
+END;
+$$;
+
+-- Drop and recreate the trigger to use the updated function
+DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users;
+
+CREATE TRIGGER on_auth_user_created
+  AFTER INSERT ON auth.users
+  FOR EACH ROW EXECUTE FUNCTION public.handle_new_user();

package/supabase/migrations/20250513194916_rls_for_profiles.sql

@@ -0,0 +1,85 @@
+-- lowercase sql
+
+-- 1. enable row level security on the profiles table
+alter table public.profiles enable row level security;
+
+-- 2. create policies for profiles table
+
+-- allow users to read their own profile
+create policy "users_can_select_own_profile"
+on public.profiles for select
+using (auth.uid() = id);
+
+-- allow users to update their own profile
+create policy "users_can_update_own_profile"
+on public.profiles for update
+using (auth.uid() = id)
+with check (auth.uid() = id);
+
+-- allow admins to select any profile
+create policy "admins_can_select_any_profile"
+on public.profiles for select
+using (
+  exists (
+    select 1
+    from public.profiles
+    where id = auth.uid() and role = 'ADMIN'
+  )
+);
+
+-- allow admins to update any profile
+create policy "admins_can_update_any_profile"
+on public.profiles for update
+using (
+  exists (
+    select 1
+    from public.profiles
+    where id = auth.uid() and role = 'ADMIN'
+  )
+)
+with check (
+  exists (
+    select 1
+    from public.profiles
+    where id = auth.uid() and role = 'ADMIN'
+  )
+);
+
+-- allow admins to insert profiles (e.g., for manual setup, though trigger handles new users)
+create policy "admins_can_insert_profiles"
+on public.profiles for insert
+with check (
+  exists (
+    select 1
+    from public.profiles
+    where id = auth.uid() and role = 'ADMIN'
+  )
+);
+
+-- (optional) allow any authenticated user to read any profile if roles need to be widely available
+-- create policy "authenticated_users_can_read_profiles"
+-- on public.profiles for select
+-- to authenticated
+-- using (true);
+-- For now, we'll stick to more restrictive select policies above.
+-- The middleware will need to fetch the current user's role. The "users_can_select_own_profile"
+-- policy allows this. If an admin needs to see other user's roles in a list,
+-- "admins_can_select_any_profile" covers that.
+
+comment on policy "users_can_select_own_profile" on public.profiles is 'users can read their own profile.';
+comment on policy "users_can_update_own_profile" on public.profiles is 'users can update their own profile.';
+comment on policy "admins_can_select_any_profile" on public.profiles is 'admin users can read any profile.';
+comment on policy "admins_can_update_any_profile" on public.profiles is 'admin users can update any profile.';
+comment on policy "admins_can_insert_profiles" on public.profiles is 'admin users can insert new profiles.';
+
+-- Note on Deletion: Deletion is handled by `on delete cascade` from `auth.users`.
+-- If direct deletion from `profiles` table is needed (e.g., by an admin), a policy would be:
+-- create policy "admins_can_delete_profiles"
+-- on public.profiles for delete
+-- using (
+--   exists (
+--     select 1
+--     from public.profiles
+--     where id = auth.uid() and role = 'ADMIN'
+--   )
+-- );

package/supabase/migrations/20250514125634_fix_recursive_rls_policies.sql

@@ -0,0 +1,51 @@
+-- Migration to fix recursive RLS policies on the 'profiles' table
+
+-- 1. Create a helper function to get the current user's role securely
+-- This function runs with the definer's privileges, avoiding RLS recursion
+-- when called from within an RLS policy.
+create or replace function public.get_current_user_role()
+returns public.user_role -- Your ENUM type for roles
+language sql
+stable -- Indicates the function doesn't modify the database
+security definer
+set search_path = public -- Ensures 'profiles' table is found in 'public' schema
+as $$
+  select role from public.profiles where id = auth.uid();
+$$;
+
+comment on function public.get_current_user_role() is 'Fetches the role of the currently authenticated user. SECURITY DEFINER to prevent RLS recursion issues when used in policies.';
+
+-- 2. Drop the old, problematic RLS policies
+-- It's good practice to drop before creating, even if they might not exist or cause errors if they don't.
+-- The original error means the "admins_can_select_any_profile" policy was indeed created.
+drop policy if exists "admins_can_select_any_profile" on public.profiles;
+drop policy if exists "admins_can_update_any_profile" on public.profiles;
+drop policy if exists "admins_can_insert_profiles" on public.profiles;
+-- Add any other admin policies that used the recursive pattern, e.g., for delete
+-- drop policy if exists "admins_can_delete_profiles" on public.profiles;
+
+-- 3. Recreate the admin policies using the helper function
+-- For SELECT: Allows admins to select any profile.
+create policy "admins_can_select_any_profile"
+on public.profiles for select
+using (public.get_current_user_role() = 'ADMIN'); -- Compares ENUM to 'ADMIN' literal
+
+-- For UPDATE: Allows admins to update any profile.
+create policy "admins_can_update_any_profile"
+on public.profiles for update
+using (public.get_current_user_role() = 'ADMIN')
+with check (public.get_current_user_role() = 'ADMIN');
+
+-- For INSERT: Allows admins to insert profiles (trigger handles new users, this is for manual admin action).
+create policy "admins_can_insert_profiles"
+on public.profiles for insert
+with check (public.get_current_user_role() = 'ADMIN');
+
+-- (Optional) If you had an admin delete policy with the recursive pattern:
+-- create policy "admins_can_delete_profiles"
+-- on public.profiles for delete
+-- using (public.get_current_user_role() = 'ADMIN');
+
+-- Note: The "users_can_select_own_profile" and "users_can_update_own_profile"
+-- policies from your previous migration are fine and do not need to be changed
+-- as they don't have the recursive subquery pattern.

package/supabase/migrations/20250514143016_setup_languages_table.sql

@@ -0,0 +1,66 @@
+-- lowercase sql
+
+-- 1. create the languages table
+create table public.languages (
+  id bigint generated by default as identity primary key,
+  code text not null unique, -- e.g., 'en', 'fr' (BCP 47 language tags)
+  name text not null, -- e.g., 'English', 'Français'
+  is_default boolean not null default false,
+  created_at timestamp with time zone not null default now(),
+  updated_at timestamp with time zone not null default now()
+);
+
+comment on table public.languages is 'Stores supported languages for the CMS.';
+comment on column public.languages.code is 'BCP 47 language code (e.g., en, en-US, fr, fr-CA).';
+comment on column public.languages.name is 'Human-readable name of the language.';
+comment on column public.languages.is_default is 'Indicates if this is the default fallback language.';
+
+-- 2. create a partial unique index to ensure only one language can be default
+-- This ensures data integrity at the database level for the is_default flag.
+create unique index ensure_single_default_language_idx
+on public.languages (is_default)
+where (is_default = true);
+
+-- 3. seed initial languages: english (default) and french
+insert into public.languages (code, name, is_default)
+values
+  ('en', 'English', true),
+  ('fr', 'Français', false);
+
+-- 4. enable row level security (rls) on the languages table
+alter table public.languages enable row level security;
+
+-- 5. create rls policies for the languages table
+-- policy: allow public read access to languages
+create policy "languages_are_publicly_readable"
+on public.languages for select
+to anon, authenticated
+using (true);
+
+-- policy: allow admins to manage languages (insert, update, delete)
+create policy "admins_can_manage_languages"
+on public.languages for all -- covers insert, update, delete
+to authenticated
+using (
+  -- check if the user is an admin by calling the helper function created in phase 1
+  public.get_current_user_role() = 'ADMIN'
+)
+with check (
+  public.get_current_user_role() = 'ADMIN'
+);
+
+-- (Optional) Trigger to automatically update 'updated_at' timestamp
+create or replace function public.handle_languages_update()
+returns trigger
+language plpgsql
+as $$
+begin
+  new.updated_at = now();
+  return new;
+end;
+$$;
+
+create trigger on_languages_update
+  before update on public.languages
+  for each row
+  execute procedure public.handle_languages_update();