@pgplex/pgconsole 0.0.4 → 0.1.0

package/dist/server.mjs

@@ -41271,57 +41271,36 @@ See https://docs.pgconsole.com/configuration/config`);
     if (a.jwt_secret.length < 32) {
       throw new Error("Auth jwt_secret must be at least 32 characters");
     }
-    let providers = void 0;
+    const providers = [];
     const rawProviders = a.providers;
-    if (rawProviders) {
-      providers = {};
-      for (const key of Object.keys(rawProviders)) {
-        const raw = rawProviders[key];
-        if (key === "google") {
-          if (!raw.client_id || typeof raw.client_id !== "string") {
-            throw new Error("Google provider missing required field: client_id");
-          }
-          if (!raw.client_secret || typeof raw.client_secret !== "string") {
-            throw new Error("Google provider missing required field: client_secret");
-          }
-          providers.google = {
-            client_id: raw.client_id,
-            client_secret: raw.client_secret
-          };
-        } else if (key === "keycloak") {
-          if (!raw.issuer_url || typeof raw.issuer_url !== "string") {
-            throw new Error("Keycloak provider missing required field: issuer_url");
-          }
-          if (!raw.client_id || typeof raw.client_id !== "string") {
-            throw new Error("Keycloak provider missing required field: client_id");
-          }
-          if (!raw.client_secret || typeof raw.client_secret !== "string") {
-            throw new Error("Keycloak provider missing required field: client_secret");
-          }
-          providers.keycloak = {
-            issuer_url: raw.issuer_url.replace(/\/+$/, ""),
-            client_id: raw.client_id,
-            client_secret: raw.client_secret
-          };
-        } else if (key === "okta") {
-          if (!raw.issuer_url || typeof raw.issuer_url !== "string") {
-            throw new Error("Okta provider missing required field: issuer_url");
-          }
-          if (!raw.client_id || typeof raw.client_id !== "string") {
-            throw new Error("Okta provider missing required field: client_id");
-          }
-          if (!raw.client_secret || typeof raw.client_secret !== "string") {
-            throw new Error("Okta provider missing required field: client_secret");
-          }
-          providers.okta = {
-            issuer_url: raw.issuer_url.replace(/\/+$/, ""),
-            client_id: raw.client_id,
-            client_secret: raw.client_secret
-          };
-        }
+    const validProviderTypes = ["google", "keycloak", "okta"];
+    if (rawProviders && Array.isArray(rawProviders)) {
+      for (const entry of rawProviders) {
+        const raw = entry;
+        if (!raw.type || typeof raw.type !== "string") {
+          throw new Error("Auth provider missing required field: type");
+        }
+        if (!validProviderTypes.includes(raw.type)) {
+          throw new Error(`Auth provider has invalid type: ${raw.type}. Must be one of: ${validProviderTypes.join(", ")}`);
+        }
+        if (!raw.client_id || typeof raw.client_id !== "string") {
+          throw new Error(`${raw.type} provider missing required field: client_id`);
+        }
+        if (!raw.client_secret || typeof raw.client_secret !== "string") {
+          throw new Error(`${raw.type} provider missing required field: client_secret`);
+        }
+        if ((raw.type === "keycloak" || raw.type === "okta") && (!raw.issuer_url || typeof raw.issuer_url !== "string")) {
+          throw new Error(`${raw.type} provider missing required field: issuer_url`);
+        }
+        providers.push({
+          type: raw.type,
+          client_id: raw.client_id,
+          client_secret: raw.client_secret,
+          issuer_url: typeof raw.issuer_url === "string" ? raw.issuer_url.replace(/\/+$/, "") : void 0
+        });
       }
     }
-    const hasOAuthProvider = providers?.google || providers?.keycloak || providers?.okta;
+    const hasOAuthProvider = providers.length > 0;
     if (hasOAuthProvider && !external_url) {
       throw new Error("[general] external_url is required when OAuth providers are enabled");
     }
@@ -41395,10 +41374,10 @@ See https://docs.pgconsole.com/configuration/config`);
       if (typeof perm !== "string") {
         throw new Error(`IAM rule ${ruleNum} has invalid permission: must be string`);
       }
-      if (perm === "allPermissions") {
+      if (perm === "*") {
         permissions.push(...validPermissions);
       } else if (!validPermissions.includes(perm)) {
-        throw new Error(`IAM rule ${ruleNum} has invalid permission: ${perm}. Must be one of: ${validPermissions.join(", ")}, allPermissions`);
+        throw new Error(`IAM rule ${ruleNum} has invalid permission: ${perm}. Must be one of: ${validPermissions.join(", ")}, *`);
       } else {
         permissions.push(perm);
       }
@@ -41412,7 +41391,7 @@ See https://docs.pgconsole.com/configuration/config`);
         throw new Error(`IAM rule ${ruleNum} has invalid member: must be non-empty string`);
       }
       const m2 = member.trim();
-      if (m2 === "allUsers") {
+      if (m2 === "*") {
         members.push(m2);
       } else if (m2.startsWith("user:")) {
         const email = m2.slice(5);
@@ -41430,7 +41409,7 @@ See https://docs.pgconsole.com/configuration/config`);
         }
         members.push(m2);
       } else {
-        throw new Error(`IAM rule ${ruleNum} has invalid member format: ${m2}. Must be "allUsers", "user:xxx", or "group:xxx"`);
+        throw new Error(`IAM rule ${ruleNum} has invalid member format: ${m2}. Must be "*", "user:xxx", or "group:xxx"`);
       }
     }
     iam.push({ connection, permissions, members });
@@ -41472,6 +41451,9 @@ function getConnectionById(id) {
 function getAuthConfig() {
   return loadedConfig.auth;
 }
+function getAuthProvider(type) {
+  return loadedConfig.auth?.providers.find((p) => p.type === type);
+}
 function getUsers() {
   return loadedConfig.users;
 }
@@ -41634,11 +41616,24 @@ function auditSQL(actor, connection, database, sql, success, duration_ms, row_co
   if (error) event.error = error;
   emit(event);
 }
+function auditExport(actor, connection, database, sql, row_count, format) {
+  emit({
+    type: "audit",
+    ts: now(),
+    action: "data.export",
+    actor,
+    connection,
+    database,
+    sql,
+    row_count,
+    format
+  });
+}
 
 // server/lib/oauth/google.ts
 function registerGoogleOAuth(router3, opts) {
   router3.get("/google", (_req, res) => {
-    const google = getAuthConfig()?.providers?.google;
+    const google = getAuthProvider("google");
     if (!google) {
       return res.status(400).json({ error: "Google OAuth not configured" });
     }
@@ -41655,7 +41650,7 @@ function registerGoogleOAuth(router3, opts) {
     return res.redirect(`https://accounts.google.com/o/oauth2/v2/auth?${params}`);
   });
   router3.get("/google/callback", async (req, res) => {
-    const google = getAuthConfig()?.providers?.google;
+    const google = getAuthProvider("google");
     const externalUrl = getExternalUrl();
     if (!google) {
       return res.redirect(`${externalUrl}/signin?error=not_configured`);
@@ -41725,7 +41720,7 @@ function registerGoogleOAuth(router3, opts) {
 // server/lib/oauth/keycloak.ts
 function registerKeycloakOAuth(router3, opts) {
   router3.get("/keycloak", (_req, res) => {
-    const keycloak = getAuthConfig()?.providers?.keycloak;
+    const keycloak = getAuthProvider("keycloak");
     if (!keycloak) {
       return res.status(400).json({ error: "Keycloak not configured" });
     }
@@ -41742,7 +41737,7 @@ function registerKeycloakOAuth(router3, opts) {
     return res.redirect(`${keycloak.issuer_url}/protocol/openid-connect/auth?${params}`);
   });
   router3.get("/keycloak/callback", async (req, res) => {
-    const keycloak = getAuthConfig()?.providers?.keycloak;
+    const keycloak = getAuthProvider("keycloak");
     const externalUrl = getExternalUrl();
     if (!keycloak) {
       return res.redirect(`${externalUrl}/signin?error=not_configured`);
@@ -41809,7 +41804,7 @@ function registerKeycloakOAuth(router3, opts) {
 // server/lib/oauth/okta.ts
 function registerOktaOAuth(router3, opts) {
   router3.get("/okta", (_req, res) => {
-    const okta = getAuthConfig()?.providers?.okta;
+    const okta = getAuthProvider("okta");
     if (!okta) {
       return res.status(400).json({ error: "Okta not configured" });
     }
@@ -41826,7 +41821,7 @@ function registerOktaOAuth(router3, opts) {
     return res.redirect(`${okta.issuer_url}/v1/authorize?${params}`);
   });
   router3.get("/okta/callback", async (req, res) => {
-    const okta = getAuthConfig()?.providers?.okta;
+    const okta = getAuthProvider("okta");
     const externalUrl = getExternalUrl();
     if (!okta) {
       return res.redirect(`${externalUrl}/signin?error=not_configured`);
@@ -42014,14 +42009,12 @@ router.get("/providers", (_req, res) => {
   const plan = getPlan();
   const providers = [];
   if (getUsers().some((u) => u.password)) providers.push({ name: "basic" });
-  if (config?.providers) {
-    for (const key of Object.keys(config.providers)) {
-      const feat = SSO_FEATURE[key];
-      if (feat && !feature(feat, plan)) {
-        providers.push({ name: key, requiredPlan: requiredPlan(feat) });
-      } else {
-        providers.push({ name: key });
-      }
+  for (const provider of config?.providers ?? []) {
+    const feat = SSO_FEATURE[provider.type];
+    if (feat && !feature(feat, plan)) {
+      providers.push({ name: provider.type, requiredPlan: requiredPlan(feat) });
+    } else {
+      providers.push({ name: provider.type });
     }
   }
   return res.json({ providers });
@@ -56345,6 +56338,93 @@ var TerminateSessionResponse = class _TerminateSessionResponse extends Message {
     return proto3.util.equals(_TerminateSessionResponse, a, b);
   }
 };
+var AuditExportRequest = class _AuditExportRequest extends Message {
+  /**
+   * @generated from field: string connection_id = 1;
+   */
+  connectionId = "";
+  /**
+   * @generated from field: string sql = 2;
+   */
+  sql = "";
+  /**
+   * @generated from field: int32 row_count = 3;
+   */
+  rowCount = 0;
+  /**
+   * @generated from field: string format = 4;
+   */
+  format = "";
+  constructor(data) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+  static runtime = proto3;
+  static typeName = "query.v1.AuditExportRequest";
+  static fields = proto3.util.newFieldList(() => [
+    {
+      no: 1,
+      name: "connection_id",
+      kind: "scalar",
+      T: 9
+      /* ScalarType.STRING */
+    },
+    {
+      no: 2,
+      name: "sql",
+      kind: "scalar",
+      T: 9
+      /* ScalarType.STRING */
+    },
+    {
+      no: 3,
+      name: "row_count",
+      kind: "scalar",
+      T: 5
+      /* ScalarType.INT32 */
+    },
+    {
+      no: 4,
+      name: "format",
+      kind: "scalar",
+      T: 9
+      /* ScalarType.STRING */
+    }
+  ]);
+  static fromBinary(bytes, options) {
+    return new _AuditExportRequest().fromBinary(bytes, options);
+  }
+  static fromJson(jsonValue, options) {
+    return new _AuditExportRequest().fromJson(jsonValue, options);
+  }
+  static fromJsonString(jsonString, options) {
+    return new _AuditExportRequest().fromJsonString(jsonString, options);
+  }
+  static equals(a, b) {
+    return proto3.util.equals(_AuditExportRequest, a, b);
+  }
+};
+var AuditExportResponse = class _AuditExportResponse extends Message {
+  constructor(data) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+  static runtime = proto3;
+  static typeName = "query.v1.AuditExportResponse";
+  static fields = proto3.util.newFieldList(() => []);
+  static fromBinary(bytes, options) {
+    return new _AuditExportResponse().fromBinary(bytes, options);
+  }
+  static fromJson(jsonValue, options) {
+    return new _AuditExportResponse().fromJson(jsonValue, options);
+  }
+  static fromJsonString(jsonString, options) {
+    return new _AuditExportResponse().fromJsonString(jsonString, options);
+  }
+  static equals(a, b) {
+    return proto3.util.equals(_AuditExportResponse, a, b);
+  }
+};
 
 // src/gen/query_connect.ts
 var QueryService = {
@@ -56511,6 +56591,15 @@ var QueryService = {
       I: TerminateSessionRequest,
       O: TerminateSessionResponse,
       kind: MethodKind.Unary
+    },
+    /**
+     * @generated from rpc query.v1.QueryService.AuditExport
+     */
+    auditExport: {
+      name: "AuditExport",
+      I: AuditExportRequest,
+      O: AuditExportResponse,
+      kind: MethodKind.Unary
     }
   }
 };
@@ -57484,12 +57573,17 @@ function setConnectionVersion(connectionId, version) {
   const info = { version };
   connectionCache.set(connectionId, info);
 }
-function extractPostgresVersion(versionString) {
+async function testAndCacheConnection(client, connectionId) {
+  await client`SELECT 1`;
+  const versionResult = await client`SELECT version()`;
+  const versionString = versionResult[0]?.version || "";
   const match = versionString.match(/PostgreSQL (\d+)/);
   if (!match?.[1]) {
     throw new Error(`Failed to extract PostgreSQL version from: ${versionString}`);
   }
-  return match[1];
+  const version = match[1];
+  setConnectionVersion(connectionId, version);
+  return version;
 }
 
 // server/lib/iam.ts
@@ -57538,7 +57632,7 @@ function getUserPermissions(email, connectionId) {
       continue;
     }
     const matches = rule.members.some((member) => {
-      if (member === "allUsers") {
+      if (member === "*") {
         return true;
       }
       if (member.startsWith("user:")) {
@@ -57640,11 +57734,7 @@ var connectionServiceHandlers = {
       sslMode: conn.ssl_mode || "prefer"
     }, user?.email);
     try {
-      await client`SELECT 1`;
-      const versionResult = await client`SELECT version()`;
-      const versionString = versionResult[0]?.version || "";
-      const version = extractPostgresVersion(versionString);
-      setConnectionVersion(req.id, version);
+      await testAndCacheConnection(client, req.id);
       const latencyMs = Date.now() - start2;
       return { success: true, error: "", latencyMs };
     } catch (err) {
@@ -63197,6 +63287,21 @@ var queryServiceHandlers = {
         error: err instanceof Error ? err.message : "Failed to terminate session"
       };
     }
+  },
+  async auditExport(req, context) {
+    if (!req.connectionId) {
+      throw new ConnectError("connection_id is required", Code.InvalidArgument);
+    }
+    const user = await getUserFromContext(context.values);
+    if (!user) {
+      throw new ConnectError("Authentication required", Code.Unauthenticated);
+    }
+    const conn = getConnectionById(req.connectionId);
+    if (!conn) {
+      throw new ConnectError("Connection not found", Code.NotFound);
+    }
+    auditExport(user.email, req.connectionId, conn.database, req.sql, req.rowCount, req.format);
+    return {};
   }
 };
 
@@ -92450,11 +92555,7 @@ async function testAllConnections() {
         sslMode: conn.ssl_mode || "prefer"
       });
       try {
-        await client`SELECT 1`;
-        const versionResult = await client`SELECT version()`;
-        const versionString = versionResult[0]?.version || "";
-        const version = extractPostgresVersion(versionString);
-        setConnectionVersion(conn.id, version);
+        const version = await testAndCacheConnection(client, conn.id);
         console.log(`  \u2713 ${conn.name} (PostgreSQL ${version})`);
       } finally {
         await client.end();
@@ -92532,6 +92633,7 @@ async function start() {
   const configPath = args.config || "pgconsole.toml";
   try {
     await loadConfig(configPath);
+    console.log(`\u2713 Loaded config from: ${path4.resolve(configPath)}`);
   } catch (error) {
     console.error("Failed to load config:", error instanceof Error ? error.message : error);
     process.exit(1);
@@ -92561,7 +92663,7 @@ async function start() {
    \\ \\_\\    /\\____/
     \\/_/    \\_/__/
 
-    Version ${"0.0.4"}
+    Version ${"0.1.0"}
 `);
     console.log(`Server running on http://localhost:${port}`);
     const browserUrl = false ? `http://localhost:5173` : getExternalUrl() || `http://localhost:${port}`;