@rebasepro/server-postgresql 0.1.0 → 0.2.1

package/src/PostgresBootstrapper.ts

@@ -2,16 +2,11 @@
  * PostgresBootstrapper
  *
  * Implements the `BackendBootstrapper` interface for PostgreSQL.
- * Encapsulates all Postgres-specific initialization logic that was previously
- * hardcoded inside `initializeRebaseBackend()`.
- *
- * Third-party drivers (MongoDB, MySQL, etc.) can implement their own
- * bootstrapper following this pattern and pass it to the coordinator.
  */
 
-import { getTableName, isTable, Relations, sql } from "drizzle-orm";
+import { getTableName, isTable, Relations, sql, Table } from "drizzle-orm";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
-import { PgEnum, PgTable } from "drizzle-orm/pg-core";
+import { PgEnum, PgTable, getTableConfig, AnyPgColumn } from "drizzle-orm/pg-core";
 import {
     BackendBootstrapper,
     InitializedDriver,
@@ -19,6 +14,7 @@ import {
     DatabaseAdmin,
     RealtimeProvider,
     type DataDriver,
+    type AuthAdapter,
     EntityCollection
 } from "@rebasepro/types";
 import { PostgresBackendDriver } from "./PostgresBackendDriver";
@@ -33,7 +29,8 @@ import {
 // @ts-ignore
 } from "@rebasepro/server-core";
 import { ensureAuthTablesExist } from "./auth/ensure-tables";
-import { RoleService, UserService, PostgresAuthRepository } from "./auth/services";
+import { RoleService, UserService, PostgresAuthRepository, AuthSchemaTables } from "./auth/services";
+import { createAuthSchema } from "./schema/auth-schema";
 
 // @ts-ignore
 import { createEmailService, type EmailConfig, type EmailService } from "@rebasepro/server-core";
@@ -99,7 +96,7 @@ export function createPostgresBootstrapper(pgConfig: PostgresDriverConfig): Back
                 });
             }
 
-            if (pgConfig.schema?.enums) registry.registerEnums(pgConfig.schema.enums as Record<string, PgEnum<any>>);
+            if (pgConfig.schema?.enums) registry.registerEnums(pgConfig.schema.enums as Record<string, PgEnum<[string, ...string[]]>>);
             if (pgConfig.schema?.relations) registry.registerRelations(pgConfig.schema.relations as Record<string, Relations>);
 
             // Build schema-aware Drizzle connection
@@ -169,17 +166,39 @@ export function createPostgresBootstrapper(pgConfig: PostgresDriverConfig): Back
 
             const internals = driverResult.internals as PostgresDriverInternals;
             const db = internals.db;
+            const registry = internals.registry;
 
-            await ensureAuthTablesExist(db);
+            await ensureAuthTablesExist(db, registry);
 
             let emailService: EmailService | undefined;
             if (authConfig.email) {
                 emailService = createEmailService(authConfig.email);
             }
 
-            const userService = new UserService(db);
-            const roleService = new RoleService(db);
-            const authRepository = new PostgresAuthRepository(db);
+            const customUsersTable = registry?.getTable("users");
+            const customRolesTable = registry?.getTable("roles");
+
+            let usersSchemaName = "rebase";
+            let rolesSchemaName = "rebase";
+
+            if (customUsersTable) {
+                usersSchemaName = getTableConfig(customUsersTable).schema || "public";
+            }
+            if (customRolesTable) {
+                rolesSchemaName = getTableConfig(customRolesTable).schema || "public";
+            }
+
+            const authTables = createAuthSchema(rolesSchemaName, usersSchemaName) as unknown as AuthSchemaTables;
+            if (customUsersTable) {
+                authTables.users = customUsersTable as unknown as PgTable & Record<string, AnyPgColumn>;
+            }
+            if (customRolesTable) {
+                authTables.roles = customRolesTable as unknown as PgTable & Record<string, AnyPgColumn>;
+            }
+
+            const userService = new UserService(db, authTables);
+            const roleService = new RoleService(db, authTables);
+            const authRepository = new PostgresAuthRepository(db, authTables);
 
             return { userService,
 roleService,
@@ -218,13 +237,14 @@ authRepository };
             // Currently Postgres doesn't need additional routes beyond what the coordinator mounts.
         },
 
-        async initializeWebsockets(server: unknown, realtimeService: RealtimeProvider, driver: DataDriver, config?: unknown): Promise<void> {
+        async initializeWebsockets(server: unknown, realtimeService: RealtimeProvider, driver: DataDriver, config?: unknown, adapter?: unknown): Promise<void> {
             const { createPostgresWebSocket } = await import("./websocket");
             createPostgresWebSocket(
                 server as import("http").Server,
                 realtimeService as RealtimeService,
                 driver as PostgresBackendDriver,
-                config as AuthConfig
+                config as AuthConfig,
+                adapter as AuthAdapter | undefined
             );
         }
     };

package/src/auth/ensure-tables.ts

@@ -1,5 +1,8 @@
 import { sql } from "drizzle-orm";
 import { NodePgDatabase } from "drizzle-orm/node-postgres";
+import { getTableConfig, AnyPgColumn, PgTable } from "drizzle-orm/pg-core";
+import { getColumnMeta } from "../services/entity-helpers";
+import { PostgresCollectionRegistry } from "../collections/PostgresCollectionRegistry";
 
 /**
  * Default roles to seed on first run
@@ -9,34 +12,21 @@ const DEFAULT_ROLES = [
         id: "admin",
         name: "Admin",
         is_admin: true,
-        default_permissions: { read: true,
-create: true,
-edit: true,
-delete: true },
-        config: { createCollections: true,
-editCollections: "all",
-deleteCollections: "all" }
+        default_permissions: { read: true, create: true, edit: true, delete: true },
+        config: { createCollections: true, editCollections: "all", deleteCollections: "all" }
     },
     {
         id: "editor",
         name: "Editor",
         is_admin: false,
-        default_permissions: { read: true,
-create: true,
-edit: true,
-delete: true },
-        config: { createCollections: true,
-editCollections: "own",
-deleteCollections: "own" }
+        default_permissions: { read: true, create: true, edit: true, delete: true },
+        config: { createCollections: true, editCollections: "own", deleteCollections: "own" }
     },
     {
         id: "viewer",
         name: "Viewer",
         is_admin: false,
-        default_permissions: { read: true,
-create: false,
-edit: false,
-delete: false },
+        default_permissions: { read: true, create: false, edit: false, delete: false },
         config: null
     }
 ];
@@ -45,39 +35,70 @@ delete: false },
  * Auto-create auth tables if they don't exist
  * This runs on startup to ensure the database is ready for auth
  */
-export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
+export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: PostgresCollectionRegistry): Promise<void> {
     console.log("🔍 Checking auth tables...");
 
     try {
-        // ── Create the rebase schema ────────────────────────────────────
-        await db.execute(sql`CREATE SCHEMA IF NOT EXISTS rebase`);
+        // Resolve dynamic user table name and ID type
+        let usersTableName = '"users"';
+        let userIdType = "TEXT";
+        let usersSchema = "public";
+        if (registry) {
+            const usersTable = registry.getTable("users") as (PgTable & Record<string, AnyPgColumn>) | undefined;
+            if (usersTable) {
+                const { getTableName } = await import("drizzle-orm");
+                usersSchema = getTableConfig(usersTable).schema || "public";
+                usersTableName = usersSchema === "public" ? `"${getTableName(usersTable)}"` : `"${usersSchema}"."${getTableName(usersTable)}"`;
+
+                // Inspect users.id column to match referenced column type
+                if (usersTable.id) {
+                    const col = usersTable.id;
+                    const meta = getColumnMeta(col);
+                    const columnType = meta.columnType;
+                    if (columnType === "PgUUID") {
+                        userIdType = "UUID";
+                    } else if (columnType === "PgSerial" || columnType === "PgInteger") {
+                        userIdType = "INTEGER";
+                    } else if (columnType === "PgBigInt" || columnType === "PgBigSerial") {
+                        userIdType = "BIGINT";
+                    }
+                }
+            }
+        }
 
-        // ── Create tables (idempotent) ──────────────────────────────────
+        // Resolve dynamic roles schema name
+        let rolesSchema = "rebase";
+        if (registry) {
+            const rolesTable = registry.getTable("roles");
+            if (rolesTable) {
+                rolesSchema = getTableConfig(rolesTable).schema || "public";
+            }
+        }
 
-        // Create users table
-        await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.users (
-                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
-                email TEXT NOT NULL UNIQUE,
-                password_hash TEXT,
-                display_name TEXT,
-                photo_url TEXT,
-                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
-                updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
-            )
-        `);
+        // ── Create schemas (idempotent) ──────────────────────────────────
+        if (usersSchema !== "public") {
+            await db.execute(sql`CREATE SCHEMA IF NOT EXISTS ${sql.raw(usersSchema)}`);
+        }
+        if (rolesSchema !== "public" && rolesSchema !== usersSchema) {
+            await db.execute(sql`CREATE SCHEMA IF NOT EXISTS ${sql.raw(rolesSchema)}`);
+        }
+        await db.execute(sql`CREATE SCHEMA IF NOT EXISTS rebase`);
 
-        // Create index on email for faster lookups
-        await db.execute(sql`
-            CREATE INDEX IF NOT EXISTS idx_users_email 
-            ON rebase.users(email)
-        `);
+        // Dynamic table names
+        const userIdentitiesTable = `"${rolesSchema}"."user_identities"`;
+        const rolesTableName = `"${rolesSchema}"."roles"`;
+        const userRolesTableName = `"${rolesSchema}"."user_roles"`;
+        const refreshTokensTableName = `"${rolesSchema}"."refresh_tokens"`;
+        const passwordResetTokensTableName = `"${rolesSchema}"."password_reset_tokens"`;
+        const appConfigTableName = `"${rolesSchema}"."app_config"`;
+
+        // ── Create tables (idempotent) ──────────────────────────────────
 
         // Create user_identities table
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.user_identities (
+            CREATE TABLE IF NOT EXISTS ${sql.raw(userIdentitiesTable)} (
                 id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
-                user_id TEXT NOT NULL REFERENCES rebase.users(id) ON DELETE CASCADE,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
                 provider TEXT NOT NULL,
                 provider_id TEXT NOT NULL,
                 profile_data JSONB,
@@ -90,13 +111,13 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
         // Create indexes on user_identities
         await db.execute(sql`
             CREATE INDEX IF NOT EXISTS idx_user_identities_user 
-            ON rebase.user_identities(user_id)
+            ON ${sql.raw(userIdentitiesTable)}(user_id)
         `);
 
 
         // Create roles table
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.roles (
+            CREATE TABLE IF NOT EXISTS ${sql.raw(rolesTableName)} (
                 id TEXT PRIMARY KEY,
                 name TEXT NOT NULL,
                 is_admin BOOLEAN DEFAULT FALSE,
@@ -109,9 +130,9 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
 
         // Create user_roles junction table
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.user_roles (
-                user_id TEXT NOT NULL REFERENCES rebase.users(id) ON DELETE CASCADE,
-                role_id TEXT NOT NULL REFERENCES rebase.roles(id) ON DELETE CASCADE,
+            CREATE TABLE IF NOT EXISTS ${sql.raw(userRolesTableName)} (
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                role_id TEXT NOT NULL REFERENCES ${sql.raw(rolesTableName)}(id) ON DELETE CASCADE,
                 PRIMARY KEY (user_id, role_id)
             )
         `);
@@ -119,14 +140,14 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
         // Create index on user_id for faster lookups
         await db.execute(sql`
             CREATE INDEX IF NOT EXISTS idx_user_roles_user 
-            ON rebase.user_roles(user_id)
+            ON ${sql.raw(userRolesTableName)}(user_id)
         `);
 
         // Create refresh tokens table (includes user_agent, ip_address, and unique constraint)
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.refresh_tokens (
+            CREATE TABLE IF NOT EXISTS ${sql.raw(refreshTokensTableName)} (
                 id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
-                user_id TEXT NOT NULL REFERENCES rebase.users(id) ON DELETE CASCADE,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
                 token_hash TEXT NOT NULL UNIQUE,
                 expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
                 user_agent TEXT,
@@ -139,20 +160,20 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
         // Create index on token_hash for faster lookups
         await db.execute(sql`
             CREATE INDEX IF NOT EXISTS idx_refresh_tokens_hash 
-            ON rebase.refresh_tokens(token_hash)
+            ON ${sql.raw(refreshTokensTableName)}(token_hash)
         `);
 
         // Create index on user_id for cleanup operations
         await db.execute(sql`
             CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user 
-            ON rebase.refresh_tokens(user_id)
+            ON ${sql.raw(refreshTokensTableName)}(user_id)
         `);
 
         // Create password reset tokens table
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.password_reset_tokens (
+            CREATE TABLE IF NOT EXISTS ${sql.raw(passwordResetTokensTableName)} (
                 id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
-                user_id TEXT NOT NULL REFERENCES rebase.users(id) ON DELETE CASCADE,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
                 token_hash TEXT NOT NULL UNIQUE,
                 expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
                 used_at TIMESTAMP WITH TIME ZONE,
@@ -163,37 +184,28 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
         // Create index on token_hash for password reset lookups
         await db.execute(sql`
             CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_hash 
-            ON rebase.password_reset_tokens(token_hash)
+            ON ${sql.raw(passwordResetTokensTableName)}(token_hash)
         `);
 
         // Create index on user_id for password reset cleanup
         await db.execute(sql`
             CREATE INDEX IF NOT EXISTS idx_password_reset_tokens_user 
-            ON rebase.password_reset_tokens(user_id)
+            ON ${sql.raw(passwordResetTokensTableName)}(user_id)
         `);
 
         // Create app config table
         await db.execute(sql`
-            CREATE TABLE IF NOT EXISTS rebase.app_config (
+            CREATE TABLE IF NOT EXISTS ${sql.raw(appConfigTableName)} (
                 key TEXT PRIMARY KEY,
                 value JSONB NOT NULL,
                 updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
             )
         `);
 
-        // Apply any schema alterations for existing databases
-        await applyInternalMigrations(db);
-
         // Create the `auth` schema with Supabase-style helper functions for RLS.
-        //   auth.uid()   → returns the current user's ID (reads app.user_id)
-        //   auth.jwt()   → returns the full JWT claims as JSONB (reads app.jwt)
-        //   auth.roles() → returns comma-separated role IDs (reads app.user_roles)
-        // These read from session-local config vars set per-transaction by withAuth().
         await db.execute(sql`CREATE SCHEMA IF NOT EXISTS auth`);
 
         // Use an advisory transaction lock to serialize function recreation during HMR
-        // This prevents the "tuple concurrently updated" race condition when multiple Node
-        // workers or rapid restarts attempt to CREATE OR REPLACE FUNCTION simultaneously.
         await db.transaction(async (tx) => {
             await tx.execute(sql`SELECT pg_advisory_xact_lock(hashtext('rebase_auth_functions_init'))`);
 
@@ -220,7 +232,7 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
         });
 
         // Seed default roles if none exist
-        await seedDefaultRoles(db);
+        await seedDefaultRoles(db, rolesTableName);
 
         console.log("✅ Auth tables ready");
     } catch (error) {
@@ -232,10 +244,10 @@ export async function ensureAuthTablesExist(db: NodePgDatabase): Promise<void> {
 /**
  * Seed default roles if the roles table is empty
  */
-async function seedDefaultRoles(db: NodePgDatabase): Promise<void> {
+async function seedDefaultRoles(db: NodePgDatabase, rolesTableName: string): Promise<void> {
     // Check if any roles exist
-    const result = await db.execute(sql`SELECT COUNT(*) as count FROM rebase.roles`);
-    const count = parseInt((result.rows[0] as unknown as Record<string, string | number>)?.count as string || "0", 10);
+    const result = await db.execute(sql`SELECT COUNT(*) as count FROM ${sql.raw(rolesTableName)}`);
+    const count = parseInt((result.rows[0] as Record<string, string | number>)?.count as string || "0", 10);
 
     if (count > 0) {
         console.log(`📋 Found ${count} existing roles`);
@@ -246,7 +258,7 @@ async function seedDefaultRoles(db: NodePgDatabase): Promise<void> {
 
     for (const role of DEFAULT_ROLES) {
         await db.execute(sql`
-            INSERT INTO rebase.roles (id, name, is_admin, default_permissions, config)
+            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions, config)
             VALUES (
                 ${role.id}, 
                 ${role.name}, 
@@ -260,122 +272,3 @@ async function seedDefaultRoles(db: NodePgDatabase): Promise<void> {
 
     console.log("✅ Default roles created: admin, editor, viewer");
 }
-
-/**
- * Apply idempotent alterations for internal Rebase tables.
- * This runs after CREATE TABLE IF NOT EXISTS to ensure existing
- * databases get new columns without needing external Drizzle migrations.
- */
-async function applyInternalMigrations(db: NodePgDatabase): Promise<void> {
-    try {
-        // Users Table Migrations
-        await db.execute(sql`
-            ALTER TABLE rebase.users 
-            ADD COLUMN IF NOT EXISTS email_verified BOOLEAN DEFAULT FALSE,
-            ADD COLUMN IF NOT EXISTS email_verification_token TEXT,
-            ADD COLUMN IF NOT EXISTS email_verification_sent_at TIMESTAMP WITH TIME ZONE
-        `);
-
-        // Migrate Old OAuth Data to user_identities table
-
-        // 1. Check if legacy columns exist
-        const columnsCheck = await db.execute(sql`
-            SELECT column_name 
-            FROM information_schema.columns 
-            WHERE table_schema='rebase' AND table_name='users' AND column_name IN ('google_id', 'linkedin_id', 'provider')
-        `);
-        const existingColumns = columnsCheck.rows.map(r => r.column_name);
-
-        if (existingColumns.includes("google_id")) {
-            // Migrate google users
-            await db.execute(sql`
-                INSERT INTO rebase.user_identities (user_id, provider, provider_id)
-                SELECT id, 'google', google_id
-                FROM rebase.users
-                WHERE google_id IS NOT NULL
-                ON CONFLICT (provider, provider_id) DO NOTHING
-            `);
-        }
-
-        if (existingColumns.includes("linkedin_id")) {
-            // Migrate linkedin users
-            await db.execute(sql`
-                INSERT INTO rebase.user_identities (user_id, provider, provider_id)
-                SELECT id, 'linkedin', linkedin_id
-                FROM rebase.users
-                WHERE linkedin_id IS NOT NULL
-                ON CONFLICT (provider, provider_id) DO NOTHING
-            `);
-        }
-
-        // Now drop legacy columns safely if they exist
-        if (existingColumns.length > 0) {
-            await db.execute(sql`
-                ALTER TABLE rebase.users
-                DROP COLUMN IF EXISTS provider,
-                DROP COLUMN IF EXISTS google_id,
-                DROP COLUMN IF EXISTS linkedin_id
-            `);
-
-            // Drop legacy indexes
-            await db.execute(sql`DROP INDEX IF EXISTS rebase.idx_users_google_id`);
-            await db.execute(sql`DROP INDEX IF EXISTS rebase.idx_users_linkedin_id`);
-
-            console.log("✅ Migrated to user_identities and dropped legacy columns.");
-        }
-
-        // Roles Table Migrations
-        await db.execute(sql`
-            ALTER TABLE rebase.roles 
-            ADD COLUMN IF NOT EXISTS collection_permissions JSONB
-        `);
-
-        // Refresh Tokens Table Migrations
-        await db.execute(sql`
-            ALTER TABLE rebase.refresh_tokens 
-            ADD COLUMN IF NOT EXISTS user_agent TEXT,
-            ADD COLUMN IF NOT EXISTS ip_address TEXT
-        `);
-
-        const constraintCheck = await db.execute(sql`
-            SELECT 1 FROM information_schema.table_constraints 
-            WHERE constraint_name = 'unique_device_session' 
-            AND table_schema = 'rebase'
-            AND table_name = 'refresh_tokens'
-        `);
-
-        if (constraintCheck.rows.length === 0) {
-            try {
-                await db.execute(sql`
-                    ALTER TABLE rebase.refresh_tokens
-                    ADD CONSTRAINT unique_device_session UNIQUE (user_id, user_agent, ip_address)
-                `);
-                console.log("✅ Added unique_device_session constraint");
-            } catch (e: unknown) {
-                const errorMessage = e instanceof Error ? e.message : String(e);
-                if (errorMessage.includes("could not create unique index")) {
-                    console.warn("⚠️ Duplicate sessions found, cleaning up before adding constraint...");
-                    await db.execute(sql`
-                        DELETE FROM rebase.refresh_tokens a
-                        USING rebase.refresh_tokens b
-                        WHERE a.user_id = b.user_id 
-                        AND COALESCE(a.user_agent, '') = COALESCE(b.user_agent, '')
-                        AND COALESCE(a.ip_address, '') = COALESCE(b.ip_address, '')
-                        AND a.created_at < b.created_at
-                    `);
-                    await db.execute(sql`
-                        ALTER TABLE rebase.refresh_tokens
-                        ADD CONSTRAINT unique_device_session UNIQUE (user_id, user_agent, ip_address)
-                    `).catch((retryErr: unknown) => {
-                        const retryMessage = retryErr instanceof Error ? retryErr.message : String(retryErr);
-                        console.error("Failed to add unique_device_session constraint after cleanup:", retryMessage);
-                    });
-                } else {
-                    console.error("Constraint migration issue:", errorMessage);
-                }
-            }
-        }
-    } catch (error) {
-        console.error("❌ Failed to run internal migrations:", error);
-    }
-}