@powersync/service-core 1.13.4 → 1.15.0

package/test/src/auth.test.ts

@@ -6,7 +6,8 @@ import { KeySpec } from '../../src/auth/KeySpec.js';
 import { RemoteJWKSCollector } from '../../src/auth/RemoteJWKSCollector.js';
 import { KeyResult } from '../../src/auth/KeyCollector.js';
 import { CachedKeyCollector } from '../../src/auth/CachedKeyCollector.js';
-import { JwtPayload } from '@/index.js';
+import { JwtPayload, StaticSupabaseKeyCollector } from '@/index.js';
+import { debugKeyNotFound } from '../../src/auth/utils.js';
 
 const publicKeyRSA: jose.JWK = {
   use: 'sig',
@@ -438,4 +439,325 @@ describe('JWT Auth', () => {
 
     expect(verified.claim).toEqual('test-claim-2');
   });
+
+  describe('debugKeyNotFound', () => {
+    test('Supabase token with legacy auth not configured', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - legacy not enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: false,
+        sharedSecretEnabled: false
+      };
+
+      // Create a legacy Supabase token (HS256)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'HS256', kid: 'test' })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(Buffer.from('secret'));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Token is a Supabase Legacy HS256 (Shared Secret) token, but Supabase JWT secret is not configured'
+      );
+    });
+
+    test('Legacy Supabase token with wrong secret', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([sharedKey]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - legacy enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: false,
+        sharedSecretEnabled: true
+      };
+
+      // Create a legacy Supabase token (HS256)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'HS256', kid: sharedKey2.kid })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(sharedKey2));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Token is a Supabase Legacy HS256 (Shared Secret) token, but configured Supabase JWT secret does not match'
+      );
+    });
+
+    test('New HS256 Supabase token with wrong secret', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([sharedKey]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - legacy enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: false,
+        sharedSecretEnabled: true
+      };
+
+      // Create a new HS256 Supabase token.
+      // The only real difference here is that the kid is a UUID
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'HS256', kid: '2fc01f1d-90fb-4c8b-b646-1c06ed86be46' })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(sharedKey2));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Token is a Supabase HS256 (Shared Secret) token, but configured Supabase JWT secret does not match'
+      );
+    });
+
+    test('Supabase signing key token with no Supabase connection', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - no Supabase connection
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: false,
+        sharedSecretEnabled: false
+      };
+
+      const signKey = await jose.importJWK(privateKeyECDSA);
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: 'test-kid' })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(signKey);
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Token uses Supabase JWT Signing Keys, but no Supabase connection is configured'
+      );
+    });
+
+    test('Supabase signing key token with Supabase auth disabled', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - Supabase project, but Supabase auth not enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: {
+          projectId: 'abc123',
+          hostname: 'db.abc123.supabase.co',
+          url: 'https://abc123.supabase.co/auth/v1/.well-known/jwks.json'
+        },
+        jwksEnabled: false,
+        sharedSecretEnabled: false
+      };
+
+      const signKey = await jose.importJWK(privateKeyECDSA);
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: 'test-kid' })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(signKey);
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Token uses Supabase JWT Signing Keys, but Supabase Auth is not enabled'
+      );
+    });
+
+    test('Supabase project ID mismatch', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([publicKeyRSA]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - JWKS enabled with different project ID
+      store.supabaseAuthDebug = {
+        jwksDetails: {
+          projectId: 'expected123',
+          hostname: 'db.expected123.supabase.co',
+          url: 'https://expected123.supabase.co/auth/v1/.well-known/jwks.json'
+        },
+        jwksEnabled: true,
+        sharedSecretEnabled: false
+      };
+
+      // Create a modern Supabase token with different project ID
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: privateKeyECDSA.kid })
+        .setSubject('test')
+        .setIssuer('https://different456.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(privateKeyECDSA));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Supabase project id mismatch. Expected project: expected123, got issuer: https://different456.supabase.co/auth/v1'
+      );
+    });
+
+    test('Supabase signing keys configured but no matching keys', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([publicKeyRSA]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - JWKS enabled with matching project ID
+      store.supabaseAuthDebug = {
+        jwksDetails: {
+          projectId: 'abc123',
+          hostname: 'db.abc123.supabase.co',
+          url: 'https://abc123.supabase.co/auth/v1/.well-known/jwks.json'
+        },
+        jwksEnabled: true,
+        sharedSecretEnabled: false
+      };
+
+      // Create a modern Supabase token with matching project ID
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: privateKeyECDSA.kid })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(privateKeyECDSA));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch(
+        'Supabase signing keys configured, but no matching keys found. Known keys: '
+      );
+    });
+
+    test('non-Supabase token', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([sharedKey]);
+      const store = new KeyStore(keys);
+
+      // Create a regular JWT token (not Supabase)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: privateKeyECDSA.kid })
+        .setSubject('test')
+        .setIssuer('https://regular-issuer.com')
+        .setAudience('my-audience')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(privateKeyECDSA));
+
+      // Treated as just a generic unknown key
+      const err = await store.verifyJwt(token, { defaultAudiences: ['my-audience'], maxAge: '1d' }).catch((e) => e);
+      expect(err.configurationDetails).toMatch('Known keys:');
+    });
+
+    test('Valid legacy Supabase token', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([sharedKey]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - legacy enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: false,
+        sharedSecretEnabled: true
+      };
+
+      // Create a legacy Supabase token (HS256)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'HS256', kid: sharedKey.kid })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(sharedKey));
+
+      await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' });
+    });
+
+    test('Valid Supabase signing key', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([privateKeyECDSA]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - JWKS enabled, legacy disabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: true,
+        sharedSecretEnabled: false
+      };
+
+      // Create a modern Supabase signing key token (ES256)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: privateKeyECDSA.kid })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('authenticated')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(privateKeyECDSA));
+
+      await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' });
+    });
+
+    test('Legacy Supabase anon token', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([sharedKey]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - legacy enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: false,
+        sharedSecretEnabled: true
+      };
+
+      // Create a legacy Supabase token (HS256)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'HS256', kid: sharedKey.kid })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('anon')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(sharedKey));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.message).toMatch('[PSYNC_S2105] Unexpected "aud" claim value: "anon"');
+    });
+
+    test('Supabase signing key anon token', async () => {
+      const keys = await StaticSupabaseKeyCollector.importKeys([privateKeyECDSA]);
+      const store = new KeyStore(keys);
+
+      // Mock Supabase debug info - JWKS enabled
+      store.supabaseAuthDebug = {
+        jwksDetails: null,
+        jwksEnabled: true,
+        sharedSecretEnabled: false
+      };
+
+      // Create a modern Supabase signing key token (ES256)
+      const token = await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: privateKeyECDSA.kid })
+        .setSubject('test')
+        .setIssuer('https://abc123.supabase.co/auth/v1')
+        .setAudience('anon')
+        .setExpirationTime('1h')
+        .setIssuedAt()
+        .sign(await jose.importJWK(privateKeyECDSA));
+
+      const err = await store.verifyJwt(token, { defaultAudiences: [], maxAge: '1d' }).catch((e) => e);
+      expect(err.message).toMatch('[PSYNC_S2105] Unexpected "aud" claim value: "anon"');
+    });
+  });
 });

package/test/src/checksum_cache.test.ts

@@ -1,5 +1,5 @@
-import { ChecksumCache, FetchChecksums, FetchPartialBucketChecksum, PartialChecksum } from '@/storage/ChecksumCache.js';
-import { addChecksums, InternalOpId } from '@/util/util-index.js';
+import { ChecksumCache, FetchChecksums, FetchPartialBucketChecksum } from '@/storage/ChecksumCache.js';
+import { addChecksums, BucketChecksum, InternalOpId, PartialChecksum } from '@/util/util-index.js';
 import * as crypto from 'node:crypto';
 import { describe, expect, it } from 'vitest';
 
@@ -12,22 +12,20 @@ function testHash(bucket: string, checkpoint: InternalOpId) {
   return hash;
 }
 
-function testPartialHash(request: FetchPartialBucketChecksum): PartialChecksum {
+function testPartialHash(request: FetchPartialBucketChecksum): PartialChecksum | BucketChecksum {
   if (request.start) {
     const a = testHash(request.bucket, request.start);
     const b = testHash(request.bucket, request.end);
     return {
       bucket: request.bucket,
       partialCount: Number(request.end) - Number(request.start),
-      partialChecksum: addChecksums(b, -a),
-      isFullChecksum: false
+      partialChecksum: addChecksums(b, -a)
     };
   } else {
     return {
       bucket: request.bucket,
-      partialChecksum: testHash(request.bucket, request.end),
-      partialCount: Number(request.end),
-      isFullChecksum: true
+      checksum: testHash(request.bucket, request.end),
+      count: Number(request.end)
     };
   }
 }

package/test/src/routes/mocks.ts

@@ -0,0 +1,59 @@
+import {
+  BucketStorageFactory,
+  createCoreAPIMetrics,
+  MetricsEngine,
+  OpenTelemetryMetricsFactory,
+  RouteAPI,
+  RouterEngine,
+  ServiceContext,
+  StorageEngine,
+  SyncContext,
+  SyncRulesBucketStorage
+} from '@/index.js';
+import { MeterProvider } from '@opentelemetry/sdk-metrics';
+
+export function mockServiceContext(storage: Partial<SyncRulesBucketStorage> | null) {
+  // This is very incomplete - just enough to get the current tests passing.
+
+  const storageEngine: StorageEngine = {
+    activeBucketStorage: {
+      async getActiveStorage() {
+        return storage;
+      }
+    } as Partial<BucketStorageFactory>
+  } as any;
+
+  const meterProvider = new MeterProvider({
+    readers: []
+  });
+  const meter = meterProvider.getMeter('powersync-tests');
+  const metricsEngine = new MetricsEngine({
+    disable_telemetry_sharing: true,
+    factory: new OpenTelemetryMetricsFactory(meter)
+  });
+  createCoreAPIMetrics(metricsEngine);
+  const service_context: Partial<ServiceContext> = {
+    syncContext: new SyncContext({ maxBuckets: 1, maxDataFetchConcurrency: 1, maxParameterQueryResults: 1 }),
+    routerEngine: {
+      getAPI() {
+        return {
+          getParseSyncRulesOptions() {
+            return { defaultSchema: 'public' };
+          }
+        } as Partial<RouteAPI>;
+      },
+      addStopHandler() {
+        return () => {};
+      }
+    } as Partial<RouterEngine> as any,
+    storageEngine,
+    metricsEngine: metricsEngine,
+    // Not used
+    configuration: null as any,
+    lifeCycleEngine: null as any,
+    migrations: null as any,
+    replicationEngine: null as any,
+    serviceMode: null as any
+  };
+  return service_context as ServiceContext;
+}

package/test/src/routes/stream.test.ts

@@ -0,0 +1,84 @@
+import { BasicRouterRequest, Context, SyncRulesBucketStorage } from '@/index.js';
+import { logger, RouterResponse, ServiceError } from '@powersync/lib-services-framework';
+import { SqlSyncRules } from '@powersync/service-sync-rules';
+import { Readable, Writable } from 'stream';
+import { pipeline } from 'stream/promises';
+import { beforeEach, describe, expect, it, vi } from 'vitest';
+import { syncStreamed } from '../../../src/routes/endpoints/sync-stream.js';
+import { mockServiceContext } from './mocks.js';
+
+describe('Stream Route', () => {
+  describe('compressed stream', () => {
+    it('handles missing sync rules', async () => {
+      const context: Context = {
+        logger: logger,
+        service_context: mockServiceContext(null)
+      };
+
+      const request: BasicRouterRequest = {
+        headers: {},
+        hostname: '',
+        protocol: 'http'
+      };
+
+      const error = (await (syncStreamed.handler({ context, params: {}, request }) as Promise<RouterResponse>).catch(
+        (e) => e
+      )) as ServiceError;
+
+      expect(error.errorData.status).toEqual(500);
+      expect(error.errorData.code).toEqual('PSYNC_S2302');
+    });
+
+    it('handles a stream error with compression', async () => {
+      // This primarily tests that an underlying storage error doesn't result in an uncaught error
+      // when compressing the stream.
+
+      const storage = {
+        getParsedSyncRules() {
+          return new SqlSyncRules('bucket_definitions: {}');
+        },
+        watchCheckpointChanges: async function* (options) {
+          throw new Error('Simulated storage error');
+        }
+      } as Partial<SyncRulesBucketStorage>;
+      const serviceContext = mockServiceContext(storage);
+
+      const context: Context = {
+        logger: logger,
+        service_context: serviceContext,
+        token_payload: {
+          exp: new Date().getTime() / 1000 + 10000,
+          iat: new Date().getTime() / 1000 - 10000,
+          sub: 'test-user'
+        }
+      };
+
+      // It may be worth eventually doing this via Fastify to test the full stack
+
+      const request: BasicRouterRequest = {
+        headers: {
+          'accept-encoding': 'gzip'
+        },
+        hostname: '',
+        protocol: 'http'
+      };
+
+      const response = await (syncStreamed.handler({ context, params: {}, request }) as Promise<RouterResponse>);
+      expect(response.status).toEqual(200);
+      const stream = response.data as Readable;
+      const r = await drainWithTimeout(stream).catch((error) => error);
+      expect(r.message).toContain('Simulated storage error');
+    });
+  });
+});
+
+export async function drainWithTimeout(readable: Readable, ms = 2_000) {
+  const devNull = new Writable({
+    write(_chunk, _enc, cb) {
+      cb();
+    } // discard everything
+  });
+
+  // Throws AbortError if it takes longer than ms, and destroys the stream
+  await pipeline(readable, devNull, { signal: AbortSignal.timeout(ms) });
+}