@rebasepro/server-postgresql 0.2.1 → 0.2.4

package/src/PostgresBootstrapper.ts

@@ -25,7 +25,8 @@ import {
     createAuthRoutes,
     createAdminRoutes,
     requireAuth,
-    requireAdmin
+    requireAdmin,
+    logger
 // @ts-ignore
 } from "@rebasepro/server-core";
 import { ensureAuthTablesExist } from "./auth/ensure-tables";
@@ -50,6 +51,7 @@ import type { HonoEnv } from "@rebasepro/server-core";
  */
 export interface PostgresDriverInternals {
     db: NodePgDatabase<any>;
+    readDb?: NodePgDatabase<any>;
     registry: PostgresCollectionRegistry;
     realtimeService: RealtimeService;
     driver: PostgresBackendDriver;
@@ -83,7 +85,7 @@ export function createPostgresBootstrapper(pgConfig: PostgresDriverConfig): Back
             const registry = new PostgresCollectionRegistry();
             if (collections) {
                 registry.registerMultiple(collections);
-                console.log(`📋 [PostgresRegistry] Registered ${registry.getCollections().length} collections: [${registry.getCollections().map(c => c.slug).join(", ")}]`);
+                logger.info(`📋 [PostgresRegistry] Registered ${registry.getCollections().length} collections: [${registry.getCollections().map(c => c.slug).join(", ")}]`);
             }
 
             // Register tables
@@ -114,12 +116,26 @@ export function createPostgresBootstrapper(pgConfig: PostgresDriverConfig): Back
             try {
                 await schemaAwareDb.execute(sql`SELECT 1`);
             } catch (err) {
-                console.error("❌ Failed to connect to PostgreSQL:", err);
-                console.warn("⚠️ Continuing without initial database verification. Drizzle/PG will attempt to connect on subsequent queries.");
+                logger.error("❌ Failed to connect to PostgreSQL", { error: err });
+                logger.warn("⚠️ Continuing without initial database verification. Drizzle/PG will attempt to connect on subsequent queries.");
             }
 
             // Create services
             const realtimeService = new RealtimeService(schemaAwareDb, registry);
+
+            // Initialize read replica connection if configured
+            let readDb: import("drizzle-orm/node-postgres").NodePgDatabase<any> | undefined;
+            const readUrl = process.env.DATABASE_READ_URL;
+            if (readUrl && readUrl !== pgConfig.connectionString) {
+                try {
+                    const { createReadReplicaConnection } = await import("./connection");
+                    const readResources = createReadReplicaConnection(readUrl, mergedSchema);
+                    readDb = readResources.db;
+                    logger.info("📖 [PostgresBootstrapper] Read replica connection established");
+                } catch (err) {
+                    logger.warn("⚠️ Could not connect to read replica, falling back to primary for all queries", { error: err });
+                }
+            }
             const poolManager = pgConfig.adminConnectionString
                 ? new DatabasePoolManager(pgConfig.adminConnectionString)
                 : undefined;
@@ -131,21 +147,24 @@ export function createPostgresBootstrapper(pgConfig: PostgresDriverConfig): Back
                 try {
                     await driver.branchService.ensureBranchMetadataTable();
                 } catch (err) {
-                    console.warn("⚠️ Could not initialize branch metadata table:", err);
+                    logger.warn("⚠️ Could not initialize branch metadata table", { error: err });
                 }
             }
 
             // Enable cross-instance realtime (opt-in)
-            if (pgConfig.connectionString) {
+            // Prefer DATABASE_DIRECT_URL to bypass PgBouncer for LISTEN/NOTIFY
+            const directUrl = process.env.DATABASE_DIRECT_URL || pgConfig.connectionString;
+            if (directUrl) {
                 try {
-                    await realtimeService.startListening(pgConfig.connectionString);
+                    await realtimeService.startListening(directUrl);
                 } catch (err) {
-                    console.warn("⚠️ Cross-instance realtime could not be started:", err);
+                    logger.warn("⚠️ Cross-instance realtime could not be started", { error: err });
                 }
             }
 
             const internals: PostgresDriverInternals = {
                 db: schemaAwareDb,
+                readDb,
                 registry,
                 realtimeService,
                 driver,

package/src/auth/ensure-tables.ts

@@ -3,6 +3,7 @@ import { NodePgDatabase } from "drizzle-orm/node-postgres";
 import { getTableConfig, AnyPgColumn, PgTable } from "drizzle-orm/pg-core";
 import { getColumnMeta } from "../services/entity-helpers";
 import { PostgresCollectionRegistry } from "../collections/PostgresCollectionRegistry";
+import { logger } from "@rebasepro/server-core";
 
 /**
  * Default roles to seed on first run
@@ -12,22 +13,19 @@ const DEFAULT_ROLES = [
         id: "admin",
         name: "Admin",
         is_admin: true,
-        default_permissions: { read: true, create: true, edit: true, delete: true },
-        config: { createCollections: true, editCollections: "all", deleteCollections: "all" }
+        default_permissions: { read: true, create: true, edit: true, delete: true }
     },
     {
         id: "editor",
         name: "Editor",
         is_admin: false,
-        default_permissions: { read: true, create: true, edit: true, delete: true },
-        config: { createCollections: true, editCollections: "own", deleteCollections: "own" }
+        default_permissions: { read: true, create: true, edit: true, delete: true }
     },
     {
         id: "viewer",
         name: "Viewer",
         is_admin: false,
-        default_permissions: { read: true, create: false, edit: false, delete: false },
-        config: null
+        default_permissions: { read: true, create: false, edit: false, delete: false }
     }
 ];
 
@@ -36,7 +34,7 @@ const DEFAULT_ROLES = [
  * This runs on startup to ensure the database is ready for auth
  */
 export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: PostgresCollectionRegistry): Promise<void> {
-    console.log("🔍 Checking auth tables...");
+    logger.info("🔍 Checking auth tables...");
 
     try {
         // Resolve dynamic user table name and ID type
@@ -123,7 +121,6 @@ export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: Postg
                 is_admin BOOLEAN DEFAULT FALSE,
                 default_permissions JSONB,
                 collection_permissions JSONB,
-                config JSONB,
                 created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
             )
         `);
@@ -234,10 +231,76 @@ export async function ensureAuthTablesExist(db: NodePgDatabase, registry?: Postg
         // Seed default roles if none exist
         await seedDefaultRoles(db, rolesTableName);
 
-        console.log("✅ Auth tables ready");
+        // ── Migration: Add is_anonymous column (safe for existing tables) ────
+        await db.execute(sql`
+            ALTER TABLE ${sql.raw(usersTableName)}
+            ADD COLUMN IF NOT EXISTS is_anonymous BOOLEAN DEFAULT FALSE
+        `);
+
+        // ── MFA tables ──────────────────────────────────────────────────────
+        const mfaFactorsTableName = `"${rolesSchema}"."mfa_factors"`;
+        const mfaChallengesTableName = `"${rolesSchema}"."mfa_challenges"`;
+        const recoveryCodesTableName = `"${rolesSchema}"."recovery_codes"`;
+
+        // Create mfa_factors table
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(mfaFactorsTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                factor_type TEXT NOT NULL DEFAULT 'totp',
+                secret_encrypted TEXT NOT NULL,
+                friendly_name TEXT,
+                verified BOOLEAN DEFAULT FALSE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+
+        // Create indexes on mfa_factors
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_factors_user
+            ON ${sql.raw(mfaFactorsTableName)}(user_id)
+        `);
+
+        // Create mfa_challenges table
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(mfaChallengesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                factor_id TEXT NOT NULL REFERENCES ${sql.raw(mfaFactorsTableName)}(id) ON DELETE CASCADE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+                verified_at TIMESTAMP WITH TIME ZONE,
+                ip_address TEXT,
+                expires_at TIMESTAMP WITH TIME ZONE NOT NULL
+            )
+        `);
+
+        // Create indexes on mfa_challenges
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_mfa_challenges_factor
+            ON ${sql.raw(mfaChallengesTableName)}(factor_id)
+        `);
+
+        // Create recovery_codes table
+        await db.execute(sql`
+            CREATE TABLE IF NOT EXISTS ${sql.raw(recoveryCodesTableName)} (
+                id TEXT PRIMARY KEY DEFAULT gen_random_uuid()::text,
+                user_id ${sql.raw(userIdType)} NOT NULL REFERENCES ${sql.raw(usersTableName)}(id) ON DELETE CASCADE,
+                code_hash TEXT NOT NULL,
+                used_at TIMESTAMP WITH TIME ZONE,
+                created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+            )
+        `);
+
+        // Create indexes on recovery_codes
+        await db.execute(sql`
+            CREATE INDEX IF NOT EXISTS idx_recovery_codes_user
+            ON ${sql.raw(recoveryCodesTableName)}(user_id)
+        `);
+
+        logger.info("✅ Auth tables ready");
     } catch (error) {
-        console.error("❌ Failed to create auth tables:", error);
-        console.warn("⚠️ Continuing without creating auth tables.");
+        logger.error("❌ Failed to create auth tables", { error });
+        logger.warn("⚠️ Continuing without creating auth tables.");
     }
 }
 
@@ -250,25 +313,24 @@ async function seedDefaultRoles(db: NodePgDatabase, rolesTableName: string): Pro
     const count = parseInt((result.rows[0] as Record<string, string | number>)?.count as string || "0", 10);
 
     if (count > 0) {
-        console.log(`📋 Found ${count} existing roles`);
+        logger.info(`📋 Found ${count} existing roles`);
         return;
     }
 
-    console.log("🌱 Seeding default roles...");
+    logger.info("🌱 Seeding default roles...");
 
     for (const role of DEFAULT_ROLES) {
         await db.execute(sql`
-            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions, config)
+            INSERT INTO ${sql.raw(rolesTableName)} (id, name, is_admin, default_permissions)
             VALUES (
                 ${role.id}, 
                 ${role.name}, 
                 ${role.is_admin}, 
-                ${JSON.stringify(role.default_permissions)}::jsonb, 
-                ${role.config ? JSON.stringify(role.config) : null}::jsonb
+                ${JSON.stringify(role.default_permissions)}::jsonb
             )
             ON CONFLICT (id) DO NOTHING
         `);
     }
 
-    console.log("✅ Default roles created: admin, editor, viewer");
+    logger.info("✅ Default roles created: admin, editor, viewer");
 }