@powersync/service-module-postgres 0.0.0-dev-20250611110033 → 0.0.0-dev-20250618131818

package/src/replication/WalStreamReplicationJob.ts

@@ -1,4 +1,4 @@
-import { container, logger } from '@powersync/lib-services-framework';
+import { container, logger, ReplicationAbortedError } from '@powersync/lib-services-framework';
 import { PgManager } from './PgManager.js';
 import { MissingReplicationSlotError, sendKeepAlive, WalStream } from './WalStream.js';
 
@@ -104,6 +104,10 @@ export class WalStreamReplicationJob extends replication.AbstractReplicationJob
       this.lastStream = stream;
       await stream.replicate();
     } catch (e) {
+      if (this.isStopped && e instanceof ReplicationAbortedError) {
+        // Ignore aborted errors
+        return;
+      }
       this.logger.error(`Replication error`, e);
       if (e.cause != null) {
         // Example:

package/src/replication/replication-utils.ts

@@ -1,7 +1,7 @@
 import * as pgwire from '@powersync/service-jpgwire';
 
 import * as lib_postgres from '@powersync/lib-service-postgres';
-import { ErrorCode, logger, ServiceError } from '@powersync/lib-services-framework';
+import { ErrorCode, logger, ServiceAssertionError, ServiceError } from '@powersync/lib-services-framework';
 import { PatternResult, storage } from '@powersync/service-core';
 import * as sync_rules from '@powersync/service-sync-rules';
 import * as service_types from '@powersync/service-types';
@@ -136,6 +136,61 @@ $$ LANGUAGE plpgsql;`
   }
 }
 
+export async function checkTableRls(
+  db: pgwire.PgClient,
+  relationId: number
+): Promise<{ canRead: boolean; message?: string }> {
+  const rs = await lib_postgres.retriedQuery(db, {
+    statement: `
+WITH user_info AS (
+    SELECT 
+        current_user as username,
+        r.rolsuper,
+        r.rolbypassrls
+    FROM pg_roles r 
+    WHERE r.rolname = current_user
+)
+SELECT
+    c.relname as tablename,
+    c.relrowsecurity as rls_enabled,
+    u.username as username,
+    u.rolsuper as is_superuser,
+    u.rolbypassrls as bypasses_rls
+FROM pg_class c
+CROSS JOIN user_info u
+WHERE c.oid = $1::oid;
+`,
+    params: [{ type: 'int4', value: relationId }]
+  });
+
+  const rows = pgwire.pgwireRows<{
+    rls_enabled: boolean;
+    tablename: string;
+    username: string;
+    is_superuser: boolean;
+    bypasses_rls: boolean;
+  }>(rs);
+  if (rows.length == 0) {
+    // Not expected, since we already got the oid
+    throw new ServiceAssertionError(`Table with OID ${relationId} does not exist.`);
+  }
+  const row = rows[0];
+  if (row.is_superuser || row.bypasses_rls) {
+    // Bypasses RLS automatically.
+    return { canRead: true };
+  }
+
+  if (row.rls_enabled) {
+    // Don't skip, since we _may_ still be able to get results.
+    return {
+      canRead: false,
+      message: `[${ErrorCode.PSYNC_S1145}] Row Level Security is enabled on table "${row.tablename}". To make sure that ${row.username} can read the table, run: 'ALTER ROLE ${row.username} BYPASSRLS'.`
+    };
+  }
+
+  return { canRead: true };
+}
+
 export interface GetDebugTablesInfoOptions {
   db: pgwire.PgClient;
   publicationName: string;
@@ -309,6 +364,9 @@ export async function getDebugTableInfo(options: GetDebugTableInfoOptions): Prom
     };
   }
 
+  const rlsCheck = await checkTableRls(db, relationId);
+  const rlsError = rlsCheck.canRead ? null : { message: rlsCheck.message!, level: 'warning' };
+
   return {
     schema: schema,
     name: name,
@@ -316,7 +374,7 @@ export async function getDebugTableInfo(options: GetDebugTableInfoOptions): Prom
     replication_id: id_columns.map((c) => c.name),
     data_queries: syncData,
     parameter_queries: syncParameters,
-    errors: [id_columns_error, selectError, replicateError].filter(
+    errors: [id_columns_error, selectError, replicateError, rlsError].filter(
       (error) => error != null
     ) as service_types.ReplicationError[]
   };

package/test/src/checkpoints.test.ts

@@ -1,7 +1,7 @@
 import { PostgresRouteAPIAdapter } from '@module/api/PostgresRouteAPIAdapter.js';
-import { checkpointUserId, createWriteCheckpoint } from '@powersync/service-core';
+import { checkpointUserId, createWriteCheckpoint, TestStorageFactory } from '@powersync/service-core';
 import { describe, test } from 'vitest';
-import { INITIALIZED_MONGO_STORAGE_FACTORY } from './util.js';
+import { describeWithStorage } from './util.js';
 import { WalStreamTestContext } from './wal_stream_utils.js';
 
 import timers from 'node:timers/promises';
@@ -12,8 +12,11 @@ const BASIC_SYNC_RULES = `bucket_definitions:
       - SELECT id, description, other FROM "test_data"`;
 
 describe('checkpoint tests', () => {
+  describeWithStorage({}, checkpointTests);
+});
+
+const checkpointTests = (factory: TestStorageFactory) => {
   test('write checkpoints', { timeout: 50_000 }, async () => {
-    const factory = INITIALIZED_MONGO_STORAGE_FACTORY;
     await using context = await WalStreamTestContext.open(factory);
 
     await context.updateSyncRules(BASIC_SYNC_RULES);
@@ -78,4 +81,4 @@ describe('checkpoint tests', () => {
       controller.abort();
     }
   });
-});
+};