@rocicorp/zero 0.26.0-canary.6 → 0.26.0-canary.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (171) hide show
  1. package/out/analyze-query/src/bin-transform.js +3 -1
  2. package/out/analyze-query/src/bin-transform.js.map +1 -1
  3. package/out/analyze-query/src/run-ast.d.ts.map +1 -1
  4. package/out/analyze-query/src/run-ast.js +2 -1
  5. package/out/analyze-query/src/run-ast.js.map +1 -1
  6. package/out/zero/package.json.js +1 -1
  7. package/out/zero-cache/src/auth/auth.d.ts +45 -0
  8. package/out/zero-cache/src/auth/auth.d.ts.map +1 -0
  9. package/out/zero-cache/src/auth/auth.js +179 -0
  10. package/out/zero-cache/src/auth/auth.js.map +1 -0
  11. package/out/zero-cache/src/auth/read-authorizer.d.ts +3 -3
  12. package/out/zero-cache/src/auth/read-authorizer.d.ts.map +1 -1
  13. package/out/zero-cache/src/auth/read-authorizer.js +4 -4
  14. package/out/zero-cache/src/auth/read-authorizer.js.map +1 -1
  15. package/out/zero-cache/src/config/zero-config.d.ts +4 -0
  16. package/out/zero-cache/src/config/zero-config.d.ts.map +1 -1
  17. package/out/zero-cache/src/config/zero-config.js +23 -0
  18. package/out/zero-cache/src/config/zero-config.js.map +1 -1
  19. package/out/zero-cache/src/db/transaction-pool.d.ts.map +1 -1
  20. package/out/zero-cache/src/db/transaction-pool.js +4 -3
  21. package/out/zero-cache/src/db/transaction-pool.js.map +1 -1
  22. package/out/zero-cache/src/server/change-streamer.d.ts.map +1 -1
  23. package/out/zero-cache/src/server/change-streamer.js +8 -1
  24. package/out/zero-cache/src/server/change-streamer.js.map +1 -1
  25. package/out/zero-cache/src/server/syncer.d.ts.map +1 -1
  26. package/out/zero-cache/src/server/syncer.js +9 -2
  27. package/out/zero-cache/src/server/syncer.js.map +1 -1
  28. package/out/zero-cache/src/services/analyze.d.ts +2 -2
  29. package/out/zero-cache/src/services/analyze.d.ts.map +1 -1
  30. package/out/zero-cache/src/services/analyze.js +2 -2
  31. package/out/zero-cache/src/services/analyze.js.map +1 -1
  32. package/out/zero-cache/src/services/change-source/common/backfill-manager.d.ts +47 -0
  33. package/out/zero-cache/src/services/change-source/common/backfill-manager.d.ts.map +1 -0
  34. package/out/zero-cache/src/services/change-source/common/backfill-manager.js +424 -0
  35. package/out/zero-cache/src/services/change-source/common/backfill-manager.js.map +1 -0
  36. package/out/zero-cache/src/services/change-source/common/change-stream-multiplexer.d.ts +7 -6
  37. package/out/zero-cache/src/services/change-source/common/change-stream-multiplexer.d.ts.map +1 -1
  38. package/out/zero-cache/src/services/change-source/common/change-stream-multiplexer.js +16 -5
  39. package/out/zero-cache/src/services/change-source/common/change-stream-multiplexer.js.map +1 -1
  40. package/out/zero-cache/src/services/change-source/pg/backfill-metadata.js +15 -0
  41. package/out/zero-cache/src/services/change-source/pg/backfill-metadata.js.map +1 -0
  42. package/out/zero-cache/src/services/change-source/pg/backfill-stream.d.ts +19 -0
  43. package/out/zero-cache/src/services/change-source/pg/backfill-stream.d.ts.map +1 -0
  44. package/out/zero-cache/src/services/change-source/pg/backfill-stream.js +205 -0
  45. package/out/zero-cache/src/services/change-source/pg/backfill-stream.js.map +1 -0
  46. package/out/zero-cache/src/services/change-source/pg/change-source.d.ts.map +1 -1
  47. package/out/zero-cache/src/services/change-source/pg/change-source.js +62 -22
  48. package/out/zero-cache/src/services/change-source/pg/change-source.js.map +1 -1
  49. package/out/zero-cache/src/services/change-source/pg/logical-replication/stream.d.ts +7 -3
  50. package/out/zero-cache/src/services/change-source/pg/logical-replication/stream.d.ts.map +1 -1
  51. package/out/zero-cache/src/services/change-source/pg/logical-replication/stream.js +2 -4
  52. package/out/zero-cache/src/services/change-source/pg/logical-replication/stream.js.map +1 -1
  53. package/out/zero-cache/src/services/change-source/protocol/current/data.d.ts +2 -0
  54. package/out/zero-cache/src/services/change-source/protocol/current/data.d.ts.map +1 -1
  55. package/out/zero-cache/src/services/change-source/protocol/current/data.js +6 -1
  56. package/out/zero-cache/src/services/change-source/protocol/current/data.js.map +1 -1
  57. package/out/zero-cache/src/services/change-source/protocol/current/downstream.d.ts +6 -1
  58. package/out/zero-cache/src/services/change-source/protocol/current/downstream.d.ts.map +1 -1
  59. package/out/zero-cache/src/services/change-source/protocol/current/downstream.js +2 -2
  60. package/out/zero-cache/src/services/change-source/protocol/current/downstream.js.map +1 -1
  61. package/out/zero-cache/src/services/change-source/protocol/current/status.d.ts +24 -8
  62. package/out/zero-cache/src/services/change-source/protocol/current/status.d.ts.map +1 -1
  63. package/out/zero-cache/src/services/change-source/protocol/current/status.js +15 -6
  64. package/out/zero-cache/src/services/change-source/protocol/current/status.js.map +1 -1
  65. package/out/zero-cache/src/services/change-source/protocol/current/upstream.d.ts +5 -1
  66. package/out/zero-cache/src/services/change-source/protocol/current/upstream.d.ts.map +1 -1
  67. package/out/zero-cache/src/services/change-source/protocol/current/upstream.js +2 -2
  68. package/out/zero-cache/src/services/change-source/protocol/current/upstream.js.map +1 -1
  69. package/out/zero-cache/src/services/change-source/protocol/current.js +5 -4
  70. package/out/zero-cache/src/services/change-streamer/change-streamer-service.d.ts +1 -1
  71. package/out/zero-cache/src/services/change-streamer/change-streamer-service.d.ts.map +1 -1
  72. package/out/zero-cache/src/services/change-streamer/change-streamer-service.js +21 -7
  73. package/out/zero-cache/src/services/change-streamer/change-streamer-service.js.map +1 -1
  74. package/out/zero-cache/src/services/change-streamer/change-streamer.d.ts +1 -0
  75. package/out/zero-cache/src/services/change-streamer/change-streamer.d.ts.map +1 -1
  76. package/out/zero-cache/src/services/change-streamer/forwarder.d.ts +1 -1
  77. package/out/zero-cache/src/services/change-streamer/forwarder.d.ts.map +1 -1
  78. package/out/zero-cache/src/services/change-streamer/forwarder.js +3 -4
  79. package/out/zero-cache/src/services/change-streamer/forwarder.js.map +1 -1
  80. package/out/zero-cache/src/services/change-streamer/storer.d.ts +7 -4
  81. package/out/zero-cache/src/services/change-streamer/storer.d.ts.map +1 -1
  82. package/out/zero-cache/src/services/change-streamer/storer.js +20 -7
  83. package/out/zero-cache/src/services/change-streamer/storer.js.map +1 -1
  84. package/out/zero-cache/src/services/change-streamer/subscriber.d.ts +2 -3
  85. package/out/zero-cache/src/services/change-streamer/subscriber.d.ts.map +1 -1
  86. package/out/zero-cache/src/services/change-streamer/subscriber.js +9 -13
  87. package/out/zero-cache/src/services/change-streamer/subscriber.js.map +1 -1
  88. package/out/zero-cache/src/services/mutagen/pusher.d.ts +2 -2
  89. package/out/zero-cache/src/services/mutagen/pusher.d.ts.map +1 -1
  90. package/out/zero-cache/src/services/mutagen/pusher.js +17 -5
  91. package/out/zero-cache/src/services/mutagen/pusher.js.map +1 -1
  92. package/out/zero-cache/src/services/replicator/change-processor.js +2 -2
  93. package/out/zero-cache/src/services/replicator/change-processor.js.map +1 -1
  94. package/out/zero-cache/src/services/run-ast.d.ts +4 -4
  95. package/out/zero-cache/src/services/run-ast.d.ts.map +1 -1
  96. package/out/zero-cache/src/services/run-ast.js +3 -3
  97. package/out/zero-cache/src/services/run-ast.js.map +1 -1
  98. package/out/zero-cache/src/services/view-syncer/inspect-handler.d.ts +2 -2
  99. package/out/zero-cache/src/services/view-syncer/inspect-handler.d.ts.map +1 -1
  100. package/out/zero-cache/src/services/view-syncer/inspect-handler.js +3 -3
  101. package/out/zero-cache/src/services/view-syncer/inspect-handler.js.map +1 -1
  102. package/out/zero-cache/src/services/view-syncer/snapshotter.d.ts.map +1 -1
  103. package/out/zero-cache/src/services/view-syncer/snapshotter.js +8 -2
  104. package/out/zero-cache/src/services/view-syncer/snapshotter.js.map +1 -1
  105. package/out/zero-cache/src/services/view-syncer/view-syncer.d.ts +12 -9
  106. package/out/zero-cache/src/services/view-syncer/view-syncer.d.ts.map +1 -1
  107. package/out/zero-cache/src/services/view-syncer/view-syncer.js +86 -52
  108. package/out/zero-cache/src/services/view-syncer/view-syncer.js.map +1 -1
  109. package/out/zero-cache/src/types/pg-data-type.d.ts +2 -0
  110. package/out/zero-cache/src/types/pg-data-type.d.ts.map +1 -1
  111. package/out/zero-cache/src/types/pg-data-type.js +2 -0
  112. package/out/zero-cache/src/types/pg-data-type.js.map +1 -1
  113. package/out/zero-cache/src/types/pg-types.js +3 -1
  114. package/out/zero-cache/src/types/pg-types.js.map +1 -1
  115. package/out/zero-cache/src/types/pg.d.ts.map +1 -1
  116. package/out/zero-cache/src/types/pg.js +16 -6
  117. package/out/zero-cache/src/types/pg.js.map +1 -1
  118. package/out/zero-cache/src/types/state-version.js +5 -1
  119. package/out/zero-cache/src/types/state-version.js.map +1 -1
  120. package/out/zero-cache/src/types/websocket-handoff.d.ts.map +1 -1
  121. package/out/zero-cache/src/types/websocket-handoff.js +7 -1
  122. package/out/zero-cache/src/types/websocket-handoff.js.map +1 -1
  123. package/out/zero-cache/src/workers/connection.js +1 -1
  124. package/out/zero-cache/src/workers/syncer-ws-message-handler.d.ts +2 -2
  125. package/out/zero-cache/src/workers/syncer-ws-message-handler.d.ts.map +1 -1
  126. package/out/zero-cache/src/workers/syncer-ws-message-handler.js +27 -14
  127. package/out/zero-cache/src/workers/syncer-ws-message-handler.js.map +1 -1
  128. package/out/zero-cache/src/workers/syncer.d.ts +2 -1
  129. package/out/zero-cache/src/workers/syncer.d.ts.map +1 -1
  130. package/out/zero-cache/src/workers/syncer.js +39 -43
  131. package/out/zero-cache/src/workers/syncer.js.map +1 -1
  132. package/out/zero-client/src/client/options.d.ts +6 -3
  133. package/out/zero-client/src/client/options.d.ts.map +1 -1
  134. package/out/zero-client/src/client/options.js.map +1 -1
  135. package/out/zero-client/src/client/version.js +1 -1
  136. package/out/zero-client/src/client/zero.d.ts.map +1 -1
  137. package/out/zero-client/src/client/zero.js +4 -3
  138. package/out/zero-client/src/client/zero.js.map +1 -1
  139. package/out/zero-protocol/src/protocol-version.d.ts +1 -1
  140. package/out/zero-protocol/src/protocol-version.d.ts.map +1 -1
  141. package/out/zero-protocol/src/protocol-version.js +1 -1
  142. package/out/zero-protocol/src/protocol-version.js.map +1 -1
  143. package/out/zero-protocol/src/push.d.ts +8 -0
  144. package/out/zero-protocol/src/push.d.ts.map +1 -1
  145. package/out/zero-protocol/src/push.js +4 -2
  146. package/out/zero-protocol/src/push.js.map +1 -1
  147. package/out/zero-protocol/src/up.d.ts +2 -0
  148. package/out/zero-protocol/src/up.d.ts.map +1 -1
  149. package/out/zero-protocol/src/up.js +2 -0
  150. package/out/zero-protocol/src/up.js.map +1 -1
  151. package/out/zero-protocol/src/update-auth.d.ts +11 -0
  152. package/out/zero-protocol/src/update-auth.d.ts.map +1 -0
  153. package/out/zero-protocol/src/update-auth.js +13 -0
  154. package/out/zero-protocol/src/update-auth.js.map +1 -0
  155. package/out/zero-react/src/use-query.d.ts.map +1 -1
  156. package/out/zero-react/src/use-query.js +1 -2
  157. package/out/zero-react/src/use-query.js.map +1 -1
  158. package/out/zero-solid/src/solid-view.d.ts +42 -0
  159. package/out/zero-solid/src/solid-view.d.ts.map +1 -1
  160. package/out/zero-solid/src/solid-view.js +1 -1
  161. package/out/zero-solid/src/solid-view.js.map +1 -1
  162. package/out/zql/src/ivm/array-view.d.ts.map +1 -1
  163. package/out/zql/src/ivm/array-view.js +57 -6
  164. package/out/zql/src/ivm/array-view.js.map +1 -1
  165. package/out/zql/src/ivm/view-apply-change.d.ts +50 -3
  166. package/out/zql/src/ivm/view-apply-change.d.ts.map +1 -1
  167. package/out/zql/src/ivm/view-apply-change.js +358 -105
  168. package/out/zql/src/ivm/view-apply-change.js.map +1 -1
  169. package/out/zql/src/query/query-delegate-base.js +1 -3
  170. package/out/zql/src/query/query-delegate-base.js.map +1 -1
  171. package/package.json +1 -1
package/out/analyze-query/src/bin-transform.js CHANGED
@@ -36,7 +36,9 @@ const queryAst = transformAndHashQuery(
36
36
  "",
37
37
  rows[0].clientAST,
38
38
  permissions,
39
- {},
39
+ {
40
+ decoded: {}
41
+ },
40
42
  rows[0].internal
41
43
  ).transformedAst;
42
44
  console.log("\n=== AST ===\n");
package/out/analyze-query/src/bin-transform.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"bin-transform.js","sources":["../../../../analyze-query/src/bin-transform.ts"],"sourcesContent":["import '../../shared/src/dotenv.ts';\n\nimport {consoleLogSink, LogContext} from '@rocicorp/logger';\nimport {astToZQL} from '../../ast-to-zql/src/ast-to-zql.ts';\nimport {formatOutput} from '../../ast-to-zql/src/format.ts';\nimport {must} from '../../shared/src/must.ts';\nimport {parseOptions} from '../../shared/src/options.ts';\nimport * as v from '../../shared/src/valita.ts';\nimport {transformAndHashQuery} from '../../zero-cache/src/auth/read-authorizer.ts';\nimport {\n appOptions,\n shardOptions,\n ZERO_ENV_VAR_PREFIX,\n} from '../../zero-cache/src/config/zero-config.ts';\nimport {loadSchemaAndPermissions} from '../../zero-cache/src/scripts/permissions.ts';\nimport {pgClient} from '../../zero-cache/src/types/pg.ts';\nimport {getShardID, upstreamSchema} from '../../zero-cache/src/types/shards.ts';\n\nconst options = {\n cvr: {db: v.string()},\n schema: {\n type: v.string().default('./schema.ts'),\n desc: ['Path to the schema file.'],\n },\n app: appOptions,\n shard: shardOptions,\n hash: {\n type: v.string().optional(),\n desc: ['Hash of the query to fetch the AST for.'],\n },\n};\n\nconst config = parseOptions(options, {envNamePrefix: ZERO_ENV_VAR_PREFIX});\n\nconst lc = new LogContext('debug', {}, consoleLogSink);\nconst {permissions} = await loadSchemaAndPermissions(config.schema);\n\nconst cvrDB = pgClient(lc, config.cvr.db);\n\nconst rows =\n await cvrDB`select \"clientAST\", \"internal\" from ${cvrDB(upstreamSchema(getShardID(config)) + '/cvr')}.\"queries\" where \"queryHash\" = ${must(\n config.hash,\n )} limit 1;`;\n\nconst queryAst = transformAndHashQuery(\n lc,\n '',\n rows[0].clientAST,\n permissions,\n {},\n rows[0].internal,\n).transformedAst;\n\n// oxlint-disable no-console\nconsole.log('\\n=== AST ===\\n');\nconsole.log(JSON.stringify(queryAst, null, 2));\nconsole.log('\\n=== ZQL ===\\n');\nconsole.log(await formatOutput(queryAst.table + astToZQL(queryAst)));\n// oxlint-enable no-console\n\nawait cvrDB.end();\n"],"names":["v.string"],"mappings":";;;;;;;;;;;;;AAkBA,MAAM,UAAU;AAAA,EACd,KAAK,EAAC,IAAIA,SAAS;AAAA,EACnB,QAAQ;AAAA,IACN,MAAMA,OAAE,EAAS,QAAQ,aAAa;AAAA,IACtC,MAAM,CAAC,0BAA0B;AAAA,EAAA;AAAA,EAEnC,KAAK;AAAA,EACL,OAAO;AAAA,EACP,MAAM;AAAA,IACJ,MAAMA,OAAE,EAAS,SAAA;AAAA,IACjB,MAAM,CAAC,yCAAyC;AAAA,EAAA;AAEpD;AAEA,MAAM,SAAS,aAAa,SAAS,EAAC,eAAe,qBAAoB;AAEzE,MAAM,KAAK,IAAI,WAAW,SAAS,CAAA,GAAI,cAAc;AACrD,MAAM,EAAC,YAAA,IAAe,MAAM,yBAAyB,OAAO,MAAM;AAElE,MAAM,QAAQ,SAAS,IAAI,OAAO,IAAI,EAAE;AAExC,MAAM,OACJ,MAAM,4CAA4C,MAAM,eAAe,WAAW,MAAM,CAAC,IAAI,MAAM,CAAC,kCAAkC;AAAA,EACpI,OAAO;AACT,CAAC;AAEH,MAAM,WAAW;AAAA,EACf;AAAA,EACA;AAAA,EACA,KAAK,CAAC,EAAE;AAAA,EACR;AAAA,EACA,CAAA;AAAA,EACA,KAAK,CAAC,EAAE;AACV,EAAE;AAGF,QAAQ,IAAI,iBAAiB;AAC7B,QAAQ,IAAI,KAAK,UAAU,UAAU,MAAM,CAAC,CAAC;AAC7C,QAAQ,IAAI,iBAAiB;AAC7B,QAAQ,IAAI,MAAM,aAAa,SAAS,QAAQ,SAAS,QAAQ,CAAC,CAAC;AAGnE,MAAM,MAAM,IAAA;"}
1
+ {"version":3,"file":"bin-transform.js","sources":["../../../../analyze-query/src/bin-transform.ts"],"sourcesContent":["import '../../shared/src/dotenv.ts';\n\nimport {consoleLogSink, LogContext} from '@rocicorp/logger';\nimport {astToZQL} from '../../ast-to-zql/src/ast-to-zql.ts';\nimport {formatOutput} from '../../ast-to-zql/src/format.ts';\nimport {must} from '../../shared/src/must.ts';\nimport {parseOptions} from '../../shared/src/options.ts';\nimport * as v from '../../shared/src/valita.ts';\nimport {transformAndHashQuery} from '../../zero-cache/src/auth/read-authorizer.ts';\nimport {\n appOptions,\n shardOptions,\n ZERO_ENV_VAR_PREFIX,\n} from '../../zero-cache/src/config/zero-config.ts';\nimport {loadSchemaAndPermissions} from '../../zero-cache/src/scripts/permissions.ts';\nimport {pgClient} from '../../zero-cache/src/types/pg.ts';\nimport {getShardID, upstreamSchema} from '../../zero-cache/src/types/shards.ts';\n\nconst options = {\n cvr: {db: v.string()},\n schema: {\n type: v.string().default('./schema.ts'),\n desc: ['Path to the schema file.'],\n },\n app: appOptions,\n shard: shardOptions,\n hash: {\n type: v.string().optional(),\n desc: ['Hash of the query to fetch the AST for.'],\n },\n};\n\nconst config = parseOptions(options, {envNamePrefix: ZERO_ENV_VAR_PREFIX});\n\nconst lc = new LogContext('debug', {}, consoleLogSink);\nconst {permissions} = await loadSchemaAndPermissions(config.schema);\n\nconst cvrDB = pgClient(lc, config.cvr.db);\n\nconst rows =\n await cvrDB`select \"clientAST\", \"internal\" from ${cvrDB(upstreamSchema(getShardID(config)) + '/cvr')}.\"queries\" where \"queryHash\" = ${must(\n config.hash,\n )} limit 1;`;\n\nconst queryAst = transformAndHashQuery(\n lc,\n '',\n rows[0].clientAST,\n permissions,\n {\n type: 'jwt',\n raw: '',\n decoded: {},\n },\n rows[0].internal,\n).transformedAst;\n\n// oxlint-disable no-console\nconsole.log('\\n=== AST ===\\n');\nconsole.log(JSON.stringify(queryAst, null, 2));\nconsole.log('\\n=== ZQL ===\\n');\nconsole.log(await formatOutput(queryAst.table + astToZQL(queryAst)));\n// oxlint-enable no-console\n\nawait cvrDB.end();\n"],"names":["v.string"],"mappings":";;;;;;;;;;;;;AAkBA,MAAM,UAAU;AAAA,EACd,KAAK,EAAC,IAAIA,SAAS;AAAA,EACnB,QAAQ;AAAA,IACN,MAAMA,OAAE,EAAS,QAAQ,aAAa;AAAA,IACtC,MAAM,CAAC,0BAA0B;AAAA,EAAA;AAAA,EAEnC,KAAK;AAAA,EACL,OAAO;AAAA,EACP,MAAM;AAAA,IACJ,MAAMA,OAAE,EAAS,SAAA;AAAA,IACjB,MAAM,CAAC,yCAAyC;AAAA,EAAA;AAEpD;AAEA,MAAM,SAAS,aAAa,SAAS,EAAC,eAAe,qBAAoB;AAEzE,MAAM,KAAK,IAAI,WAAW,SAAS,CAAA,GAAI,cAAc;AACrD,MAAM,EAAC,YAAA,IAAe,MAAM,yBAAyB,OAAO,MAAM;AAElE,MAAM,QAAQ,SAAS,IAAI,OAAO,IAAI,EAAE;AAExC,MAAM,OACJ,MAAM,4CAA4C,MAAM,eAAe,WAAW,MAAM,CAAC,IAAI,MAAM,CAAC,kCAAkC;AAAA,EACpI,OAAO;AACT,CAAC;AAEH,MAAM,WAAW;AAAA,EACf;AAAA,EACA;AAAA,EACA,KAAK,CAAC,EAAE;AAAA,EACR;AAAA,EACA;AAAA,IAGE,SAAS,CAAA;AAAA,EAAC;AAAA,EAEZ,KAAK,CAAC,EAAE;AACV,EAAE;AAGF,QAAQ,IAAI,iBAAiB;AAC7B,QAAQ,IAAI,KAAK,UAAU,UAAU,MAAM,CAAC,CAAC;AAC7C,QAAQ,IAAI,iBAAiB;AAC7B,QAAQ,IAAI,MAAM,aAAa,SAAS,QAAQ,SAAS,QAAQ,CAAC,CAAC;AAGnE,MAAM,MAAM,IAAA;"}
package/out/analyze-query/src/run-ast.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"run-ast.d.ts","sourceRoot":"","sources":["../../../../analyze-query/src/run-ast.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAMjD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAErE,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,iDAAiD,CAAC;AACxF,OAAO,KAAK,EAAC,GAAG,EAAC,MAAM,gCAAgC,CAAC;AAExD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,0CAA0C,CAAC;AAG3E,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,+CAA+C,CAAC;AACrF,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAEL,KAAK,eAAe,EACrB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG;IAC1B,gBAAgB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACvC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,oBAAoB,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IAC9C,EAAE,EAAE,QAAQ,CAAC;IACb,IAAI,EAAE,eAAe,CAAC;IACtB,WAAW,CAAC,EAAE,iBAAiB,GAAG,SAAS,CAAC;IAC5C,UAAU,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACjC,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACxC,UAAU,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CAClC,CAAC;AAEF,wBAAsB,MAAM,CAC1B,EAAE,EAAE,UAAU,EACd,YAAY,EAAE,YAAY,EAC1B,GAAG,EAAE,GAAG,EACR,aAAa,EAAE,OAAO,EACtB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,kBAAkB,CAAC,CA6F7B"}
1
+ {"version":3,"file":"run-ast.d.ts","sourceRoot":"","sources":["../../../../analyze-query/src/run-ast.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAOjD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,kCAAkC,CAAC;AAErE,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,iDAAiD,CAAC;AACxF,OAAO,KAAK,EAAC,GAAG,EAAC,MAAM,gCAAgC,CAAC;AAExD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,0CAA0C,CAAC;AAG3E,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,+CAA+C,CAAC;AACrF,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,sCAAsC,CAAC;AACrE,OAAO,EAEL,KAAK,eAAe,EACrB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG;IAC1B,gBAAgB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACvC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,oBAAoB,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IAC9C,EAAE,EAAE,QAAQ,CAAC;IACb,IAAI,EAAE,eAAe,CAAC;IACtB,WAAW,CAAC,EAAE,iBAAiB,GAAG,SAAS,CAAC;IAC5C,UAAU,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;IACjC,UAAU,EAAE,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACxC,UAAU,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CAClC,CAAC;AAEF,wBAAsB,MAAM,CAC1B,EAAE,EAAE,UAAU,EACd,YAAY,EAAE,YAAY,EAC1B,GAAG,EAAE,GAAG,EACR,aAAa,EAAE,OAAO,EACtB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,kBAAkB,CAAC,CA8F7B"}
package/out/analyze-query/src/run-ast.js CHANGED
@@ -33,6 +33,7 @@ async function runAst(lc, clientSchema, ast, isTransformed, options) {
33
33
  "No auth data provided. Permission rules will compare to `NULL` wherever an auth data field is referenced."
34
34
  );
35
35
  }
36
+ const auth = { decoded: authData };
36
37
  ast = transformAndHashQuery(
37
38
  lc,
38
39
  "clientGroupIDForAnalyze",
@@ -41,7 +42,7 @@ async function runAst(lc, clientSchema, ast, isTransformed, options) {
41
42
  permissions,
42
43
  "Permissions are required when applyPermissions is true"
43
44
  ),
44
- authData,
45
+ auth,
45
46
  false
46
47
  ).transformedAst;
47
48
  result.afterPermissions = await formatOutput(ast.table + astToZQL(ast));
package/out/analyze-query/src/run-ast.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"run-ast.js","sources":["../../../../analyze-query/src/run-ast.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport {astToZQL} from '../../ast-to-zql/src/ast-to-zql.ts';\nimport {formatOutput} from '../../ast-to-zql/src/format.ts';\nimport {assert} from '../../shared/src/asserts.ts';\nimport {must} from '../../shared/src/must.ts';\nimport {transformAndHashQuery} from '../../zero-cache/src/auth/read-authorizer.ts';\nimport type {LiteAndZqlSpec} from '../../zero-cache/src/db/specs.ts';\nimport {hydrate} from '../../zero-cache/src/services/view-syncer/pipeline-driver.ts';\nimport type {AnalyzeQueryResult} from '../../zero-protocol/src/analyze-query-result.ts';\nimport type {AST} from '../../zero-protocol/src/ast.ts';\nimport {mapAST} from '../../zero-protocol/src/ast.ts';\nimport type {ClientSchema} from '../../zero-protocol/src/client-schema.ts';\nimport type {Row} from '../../zero-protocol/src/data.ts';\nimport {hashOfAST} from '../../zero-protocol/src/query-hash.ts';\nimport type {PermissionsConfig} from '../../zero-schema/src/compiled-permissions.ts';\nimport type {NameMapper} from '../../zero-schema/src/name-mapper.ts';\nimport {\n buildPipeline,\n type BuilderDelegate,\n} from '../../zql/src/builder/builder.ts';\nimport type {Database} from '../../zqlite/src/db.ts';\n\nexport type RunAstOptions = {\n applyPermissions?: boolean | undefined;\n authData?: string | undefined;\n clientToServerMapper?: NameMapper | undefined;\n db: Database;\n host: BuilderDelegate;\n permissions?: PermissionsConfig | undefined;\n syncedRows?: boolean | undefined;\n tableSpecs: Map<string, LiteAndZqlSpec>;\n vendedRows?: boolean | undefined;\n};\n\nexport async function runAst(\n lc: LogContext,\n clientSchema: ClientSchema,\n ast: AST,\n isTransformed: boolean,\n options: RunAstOptions,\n): Promise<AnalyzeQueryResult> {\n const {clientToServerMapper, permissions, host} = options;\n const result: AnalyzeQueryResult = {\n warnings: [],\n syncedRows: undefined,\n syncedRowCount: 0,\n start: 0,\n end: 0,\n afterPermissions: undefined,\n readRows: undefined,\n readRowCountsByQuery: {},\n readRowCount: undefined,\n };\n\n if (!isTransformed) {\n // map the AST to server names if not already transformed\n ast = mapAST(ast, must(clientToServerMapper));\n }\n if (options.applyPermissions) {\n result.warnings.push(\n 'Permissions are deprecated and will be removed in an upcoming release. See: https://zero.rocicorp.dev/docs/auth.',\n );\n\n const authData = options.authData ? JSON.parse(options.authData) : {};\n if (!options.authData) {\n result.warnings.push(\n 'No auth data provided. Permission rules will compare to `NULL` wherever an auth data field is referenced.',\n );\n }\n ast = transformAndHashQuery(\n lc,\n 'clientGroupIDForAnalyze',\n ast,\n must(\n permissions,\n 'Permissions are required when applyPermissions is true',\n ),\n authData,\n false,\n ).transformedAst;\n result.afterPermissions = await formatOutput(ast.table + astToZQL(ast));\n }\n const pipeline = buildPipeline(ast, host, 'query-id');\n\n const start = performance.now();\n\n let syncedRowCount = 0;\n const rowsByTable: Record<string, Row[]> = {};\n const seenByTable: Set<string> = new Set();\n for (const rowChange of hydrate(pipeline, hashOfAST(ast), clientSchema)) {\n if (rowChange === 'yield') {\n continue;\n }\n assert(rowChange.type === 'add');\n\n let rows: Row[] = rowsByTable[rowChange.table];\n const s = rowChange.table + '.' + JSON.stringify(rowChange.row);\n if (seenByTable.has(s)) {\n continue; // skip duplicates\n }\n syncedRowCount++;\n seenByTable.add(s);\n if (options.syncedRows) {\n if (!rows) {\n rows = [];\n rowsByTable[rowChange.table] = rows;\n }\n rows.push(rowChange.row);\n }\n }\n\n const end = performance.now();\n if (options.syncedRows) {\n result.syncedRows = rowsByTable;\n }\n result.start = start;\n result.end = end;\n\n // Always include the count of synced and vended rows.\n result.syncedRowCount = syncedRowCount;\n result.readRowCountsByQuery = host.debug?.getVendedRowCounts() ?? {};\n let readRowCount = 0;\n for (const c of Object.values(result.readRowCountsByQuery)) {\n for (const v of Object.values(c)) {\n readRowCount += v;\n }\n }\n result.readRowCount = readRowCount;\n\n if (options.vendedRows) {\n result.readRows = host.debug?.getVendedRows();\n }\n return result;\n}\n"],"names":[],"mappings":";;;;;;;;;AAkCA,eAAsB,OACpB,IACA,cACA,KACA,eACA,SAC6B;AAC7B,QAAM,EAAC,sBAAsB,aAAa,KAAA,IAAQ;AAClD,QAAM,SAA6B;AAAA,IACjC,UAAU,CAAA;AAAA,IACV,YAAY;AAAA,IACZ,gBAAgB;AAAA,IAChB,OAAO;AAAA,IACP,KAAK;AAAA,IACL,kBAAkB;AAAA,IAClB,UAAU;AAAA,IACV,sBAAsB,CAAA;AAAA,IACtB,cAAc;AAAA,EAAA;AAGhB,MAAI,CAAC,eAAe;AAElB,UAAM,OAAO,KAAK,KAAK,oBAAoB,CAAC;AAAA,EAC9C;AACA,MAAI,QAAQ,kBAAkB;AAC5B,WAAO,SAAS;AAAA,MACd;AAAA,IAAA;AAGF,UAAM,WAAW,QAAQ,WAAW,KAAK,MAAM,QAAQ,QAAQ,IAAI,CAAA;AACnE,QAAI,CAAC,QAAQ,UAAU;AACrB,aAAO,SAAS;AAAA,QACd;AAAA,MAAA;AAAA,IAEJ;AACA,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,QACE;AAAA,QACA;AAAA,MAAA;AAAA,MAEF;AAAA,MACA;AAAA,IAAA,EACA;AACF,WAAO,mBAAmB,MAAM,aAAa,IAAI,QAAQ,SAAS,GAAG,CAAC;AAAA,EACxE;AACA,QAAM,WAAW,cAAc,KAAK,MAAM,UAAU;AAEpD,QAAM,QAAQ,YAAY,IAAA;AAE1B,MAAI,iBAAiB;AACrB,QAAM,cAAqC,CAAA;AAC3C,QAAM,kCAA+B,IAAA;AACrC,aAAW,aAAa,QAAQ,UAAU,UAAU,GAAG,GAAG,YAAY,GAAG;AACvE,QAAI,cAAc,SAAS;AACzB;AAAA,IACF;AACA,WAAO,UAAU,SAAS,KAAK;AAE/B,QAAI,OAAc,YAAY,UAAU,KAAK;AAC7C,UAAM,IAAI,UAAU,QAAQ,MAAM,KAAK,UAAU,UAAU,GAAG;AAC9D,QAAI,YAAY,IAAI,CAAC,GAAG;AACtB;AAAA,IACF;AACA;AACA,gBAAY,IAAI,CAAC;AACjB,QAAI,QAAQ,YAAY;AACtB,UAAI,CAAC,MAAM;AACT,eAAO,CAAA;AACP,oBAAY,UAAU,KAAK,IAAI;AAAA,MACjC;AACA,WAAK,KAAK,UAAU,GAAG;AAAA,IACzB;AAAA,EACF;AAEA,QAAM,MAAM,YAAY,IAAA;AACxB,MAAI,QAAQ,YAAY;AACtB,WAAO,aAAa;AAAA,EACtB;AACA,SAAO,QAAQ;AACf,SAAO,MAAM;AAGb,SAAO,iBAAiB;AACxB,SAAO,uBAAuB,KAAK,OAAO,mBAAA,KAAwB,CAAA;AAClE,MAAI,eAAe;AACnB,aAAW,KAAK,OAAO,OAAO,OAAO,oBAAoB,GAAG;AAC1D,eAAW,KAAK,OAAO,OAAO,CAAC,GAAG;AAChC,sBAAgB;AAAA,IAClB;AAAA,EACF;AACA,SAAO,eAAe;AAEtB,MAAI,QAAQ,YAAY;AACtB,WAAO,WAAW,KAAK,OAAO,cAAA;AAAA,EAChC;AACA,SAAO;AACT;"}
1
+ {"version":3,"file":"run-ast.js","sources":["../../../../analyze-query/src/run-ast.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport {astToZQL} from '../../ast-to-zql/src/ast-to-zql.ts';\nimport {formatOutput} from '../../ast-to-zql/src/format.ts';\nimport {assert} from '../../shared/src/asserts.ts';\nimport {must} from '../../shared/src/must.ts';\nimport type {JWTAuth} from '../../zero-cache/src/auth/auth.ts';\nimport {transformAndHashQuery} from '../../zero-cache/src/auth/read-authorizer.ts';\nimport type {LiteAndZqlSpec} from '../../zero-cache/src/db/specs.ts';\nimport {hydrate} from '../../zero-cache/src/services/view-syncer/pipeline-driver.ts';\nimport type {AnalyzeQueryResult} from '../../zero-protocol/src/analyze-query-result.ts';\nimport type {AST} from '../../zero-protocol/src/ast.ts';\nimport {mapAST} from '../../zero-protocol/src/ast.ts';\nimport type {ClientSchema} from '../../zero-protocol/src/client-schema.ts';\nimport type {Row} from '../../zero-protocol/src/data.ts';\nimport {hashOfAST} from '../../zero-protocol/src/query-hash.ts';\nimport type {PermissionsConfig} from '../../zero-schema/src/compiled-permissions.ts';\nimport type {NameMapper} from '../../zero-schema/src/name-mapper.ts';\nimport {\n buildPipeline,\n type BuilderDelegate,\n} from '../../zql/src/builder/builder.ts';\nimport type {Database} from '../../zqlite/src/db.ts';\n\nexport type RunAstOptions = {\n applyPermissions?: boolean | undefined;\n authData?: string | undefined;\n clientToServerMapper?: NameMapper | undefined;\n db: Database;\n host: BuilderDelegate;\n permissions?: PermissionsConfig | undefined;\n syncedRows?: boolean | undefined;\n tableSpecs: Map<string, LiteAndZqlSpec>;\n vendedRows?: boolean | undefined;\n};\n\nexport async function runAst(\n lc: LogContext,\n clientSchema: ClientSchema,\n ast: AST,\n isTransformed: boolean,\n options: RunAstOptions,\n): Promise<AnalyzeQueryResult> {\n const {clientToServerMapper, permissions, host} = options;\n const result: AnalyzeQueryResult = {\n warnings: [],\n syncedRows: undefined,\n syncedRowCount: 0,\n start: 0,\n end: 0,\n afterPermissions: undefined,\n readRows: undefined,\n readRowCountsByQuery: {},\n readRowCount: undefined,\n };\n\n if (!isTransformed) {\n // map the AST to server names if not already transformed\n ast = mapAST(ast, must(clientToServerMapper));\n }\n if (options.applyPermissions) {\n result.warnings.push(\n 'Permissions are deprecated and will be removed in an upcoming release. See: https://zero.rocicorp.dev/docs/auth.',\n );\n\n const authData = options.authData ? JSON.parse(options.authData) : {};\n if (!options.authData) {\n result.warnings.push(\n 'No auth data provided. Permission rules will compare to `NULL` wherever an auth data field is referenced.',\n );\n }\n const auth: JWTAuth = {type: 'jwt', raw: '', decoded: authData};\n ast = transformAndHashQuery(\n lc,\n 'clientGroupIDForAnalyze',\n ast,\n must(\n permissions,\n 'Permissions are required when applyPermissions is true',\n ),\n auth,\n false,\n ).transformedAst;\n result.afterPermissions = await formatOutput(ast.table + astToZQL(ast));\n }\n const pipeline = buildPipeline(ast, host, 'query-id');\n\n const start = performance.now();\n\n let syncedRowCount = 0;\n const rowsByTable: Record<string, Row[]> = {};\n const seenByTable: Set<string> = new Set();\n for (const rowChange of hydrate(pipeline, hashOfAST(ast), clientSchema)) {\n if (rowChange === 'yield') {\n continue;\n }\n assert(rowChange.type === 'add');\n\n let rows: Row[] = rowsByTable[rowChange.table];\n const s = rowChange.table + '.' + JSON.stringify(rowChange.row);\n if (seenByTable.has(s)) {\n continue; // skip duplicates\n }\n syncedRowCount++;\n seenByTable.add(s);\n if (options.syncedRows) {\n if (!rows) {\n rows = [];\n rowsByTable[rowChange.table] = rows;\n }\n rows.push(rowChange.row);\n }\n }\n\n const end = performance.now();\n if (options.syncedRows) {\n result.syncedRows = rowsByTable;\n }\n result.start = start;\n result.end = end;\n\n // Always include the count of synced and vended rows.\n result.syncedRowCount = syncedRowCount;\n result.readRowCountsByQuery = host.debug?.getVendedRowCounts() ?? {};\n let readRowCount = 0;\n for (const c of Object.values(result.readRowCountsByQuery)) {\n for (const v of Object.values(c)) {\n readRowCount += v;\n }\n }\n result.readRowCount = readRowCount;\n\n if (options.vendedRows) {\n result.readRows = host.debug?.getVendedRows();\n }\n return result;\n}\n"],"names":[],"mappings":";;;;;;;;;AAmCA,eAAsB,OACpB,IACA,cACA,KACA,eACA,SAC6B;AAC7B,QAAM,EAAC,sBAAsB,aAAa,KAAA,IAAQ;AAClD,QAAM,SAA6B;AAAA,IACjC,UAAU,CAAA;AAAA,IACV,YAAY;AAAA,IACZ,gBAAgB;AAAA,IAChB,OAAO;AAAA,IACP,KAAK;AAAA,IACL,kBAAkB;AAAA,IAClB,UAAU;AAAA,IACV,sBAAsB,CAAA;AAAA,IACtB,cAAc;AAAA,EAAA;AAGhB,MAAI,CAAC,eAAe;AAElB,UAAM,OAAO,KAAK,KAAK,oBAAoB,CAAC;AAAA,EAC9C;AACA,MAAI,QAAQ,kBAAkB;AAC5B,WAAO,SAAS;AAAA,MACd;AAAA,IAAA;AAGF,UAAM,WAAW,QAAQ,WAAW,KAAK,MAAM,QAAQ,QAAQ,IAAI,CAAA;AACnE,QAAI,CAAC,QAAQ,UAAU;AACrB,aAAO,SAAS;AAAA,QACd;AAAA,MAAA;AAAA,IAEJ;AACA,UAAM,OAAgB,EAAuB,SAAS,SAAA;AACtD,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,QACE;AAAA,QACA;AAAA,MAAA;AAAA,MAEF;AAAA,MACA;AAAA,IAAA,EACA;AACF,WAAO,mBAAmB,MAAM,aAAa,IAAI,QAAQ,SAAS,GAAG,CAAC;AAAA,EACxE;AACA,QAAM,WAAW,cAAc,KAAK,MAAM,UAAU;AAEpD,QAAM,QAAQ,YAAY,IAAA;AAE1B,MAAI,iBAAiB;AACrB,QAAM,cAAqC,CAAA;AAC3C,QAAM,kCAA+B,IAAA;AACrC,aAAW,aAAa,QAAQ,UAAU,UAAU,GAAG,GAAG,YAAY,GAAG;AACvE,QAAI,cAAc,SAAS;AACzB;AAAA,IACF;AACA,WAAO,UAAU,SAAS,KAAK;AAE/B,QAAI,OAAc,YAAY,UAAU,KAAK;AAC7C,UAAM,IAAI,UAAU,QAAQ,MAAM,KAAK,UAAU,UAAU,GAAG;AAC9D,QAAI,YAAY,IAAI,CAAC,GAAG;AACtB;AAAA,IACF;AACA;AACA,gBAAY,IAAI,CAAC;AACjB,QAAI,QAAQ,YAAY;AACtB,UAAI,CAAC,MAAM;AACT,eAAO,CAAA;AACP,oBAAY,UAAU,KAAK,IAAI;AAAA,MACjC;AACA,WAAK,KAAK,UAAU,GAAG;AAAA,IACzB;AAAA,EACF;AAEA,QAAM,MAAM,YAAY,IAAA;AACxB,MAAI,QAAQ,YAAY;AACtB,WAAO,aAAa;AAAA,EACtB;AACA,SAAO,QAAQ;AACf,SAAO,MAAM;AAGb,SAAO,iBAAiB;AACxB,SAAO,uBAAuB,KAAK,OAAO,mBAAA,KAAwB,CAAA;AAClE,MAAI,eAAe;AACnB,aAAW,KAAK,OAAO,OAAO,OAAO,oBAAoB,GAAG;AAC1D,eAAW,KAAK,OAAO,OAAO,CAAC,GAAG;AAChC,sBAAgB;AAAA,IAClB;AAAA,EACF;AACA,SAAO,eAAe;AAEtB,MAAI,QAAQ,YAAY;AACtB,WAAO,WAAW,KAAK,OAAO,cAAA;AAAA,EAChC;AACA,SAAO;AACT;"}
package/out/zero/package.json.js CHANGED
@@ -1,4 +1,4 @@
1
- const version = "0.26.0-canary.6";
1
+ const version = "0.26.0-canary.7";
2
2
  const packageJson = {
3
3
  version
4
4
  };
package/out/zero-cache/src/auth/auth.d.ts ADDED
@@ -0,0 +1,45 @@
1
+ import type { LogContext } from '@rocicorp/logger';
2
+ import type { JWTPayload } from 'jose';
3
+ import { type ErrorBody } from '../../../zero-protocol/src/error.ts';
4
+ /** @deprecated JWT auth is deprecated */
5
+ export type JWTAuth = {
6
+ readonly type: 'jwt';
7
+ readonly raw: string;
8
+ readonly decoded: JWTPayload;
9
+ };
10
+ export type OpaqueAuth = {
11
+ readonly type: 'opaque';
12
+ readonly raw: string;
13
+ };
14
+ export type Auth = OpaqueAuth | JWTAuth;
15
+ export interface AuthSession {
16
+ /** Update the auth session with a new userID and token from the client */
17
+ update(userID: string, wireAuth: string | undefined): Promise<AuthUpdateResult>;
18
+ /** The revision of the auth state */
19
+ get revision(): number;
20
+ /** The auth state for the session */
21
+ get auth(): Auth | undefined;
22
+ /** Clear the auth session, removing any stored auth and allowing a new userID to be bound on the next update. */
23
+ clear(): void;
24
+ }
25
+ export type AuthUpdateResult = {
26
+ readonly ok: true;
27
+ } | {
28
+ readonly ok: false;
29
+ readonly error: ErrorBody;
30
+ };
31
+ export type ValidateLegacyJWT = (token: string, ctx: {
32
+ readonly userID: string;
33
+ }) => Promise<JWTAuth>;
34
+ export declare class AuthSessionImpl implements AuthSession {
35
+ #private;
36
+ readonly id: string;
37
+ constructor(lc: LogContext, clientGroupID: string, validateLegacyJWT: ValidateLegacyJWT | undefined);
38
+ get auth(): Auth | undefined;
39
+ get revision(): number;
40
+ clear(): void;
41
+ update(userID: string, wireAuth: string | undefined): Promise<AuthUpdateResult>;
42
+ }
43
+ /** @deprecated used only in old JWT validation/rotation auth */
44
+ export declare function pickToken(lc: LogContext, previousToken: Auth | undefined, newToken: Auth | undefined | null): Auth | undefined;
45
+ //# sourceMappingURL=auth.d.ts.map
package/out/zero-cache/src/auth/auth.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../../../zero-cache/src/auth/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AACjD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,MAAM,CAAC;AAGrC,OAAO,EAGL,KAAK,SAAS,EACf,MAAM,qCAAqC,CAAC;AAE7C,yCAAyC;AACzC,MAAM,MAAM,OAAO,GAAG;IACpB,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,OAAO,EAAE,UAAU,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB,CAAC;AAEF,MAAM,MAAM,IAAI,GAAG,UAAU,GAAG,OAAO,CAAC;AAExC,MAAM,WAAW,WAAW;IAC1B,0EAA0E;IAC1E,MAAM,CACJ,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,GAC3B,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAE7B,qCAAqC;IACrC,IAAI,QAAQ,IAAI,MAAM,CAAC;IAEvB,qCAAqC;IACrC,IAAI,IAAI,IAAI,IAAI,GAAG,SAAS,CAAC;IAE7B,iHAAiH;IACjH,KAAK,IAAI,IAAI,CAAC;CACf;AAED,MAAM,MAAM,gBAAgB,GACxB;IACE,QAAQ,CAAC,EAAE,EAAE,IAAI,CAAC;CACnB,GACD;IACE,QAAQ,CAAC,EAAE,EAAE,KAAK,CAAC;IACnB,QAAQ,CAAC,KAAK,EAAE,SAAS,CAAC;CAC3B,CAAC;AAEN,MAAM,MAAM,iBAAiB,GAAG,CAC9B,KAAK,EAAE,MAAM,EACb,GAAG,EAAE;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAC,KAC3B,OAAO,CAAC,OAAO,CAAC,CAAC;AAgBtB,qBAAa,eAAgB,YAAW,WAAW;;IACjD,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;gBAQlB,EAAE,EAAE,UAAU,EACd,aAAa,EAAE,MAAM,EACrB,iBAAiB,EAAE,iBAAiB,GAAG,SAAS;IAOlD,IAAI,IAAI,IAAI,IAAI,GAAG,SAAS,CAE3B;IAED,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,KAAK,IAAI,IAAI;IAWP,MAAM,CACV,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GAAG,SAAS,GAC3B,OAAO,CAAC,gBAAgB,CAAC;CAoF7B;AAED,gEAAgE;AAChE,wBAAgB,SAAS,CACvB,EAAE,EAAE,UAAU,EACd,aAAa,EAAE,IAAI,GAAG,SAAS,EAC/B,QAAQ,EAAE,IAAI,GAAG,SAAS,GAAG,IAAI,oBAgFlC"}
package/out/zero-cache/src/auth/auth.js ADDED
@@ -0,0 +1,179 @@
1
+ import { Unauthorized, AuthInvalidated } from "../../../zero-protocol/src/error-kind-enum.js";
2
+ import { ZeroCache } from "../../../zero-protocol/src/error-origin-enum.js";
3
+ import { isProtocolError, ProtocolError } from "../../../zero-protocol/src/error.js";
4
+ function isProvidedAuth(wireAuth) {
5
+ return wireAuth !== void 0 && wireAuth !== "";
6
+ }
7
+ function authEquals(a, b) {
8
+ if (a === b) {
9
+ return true;
10
+ }
11
+ if (!a || !b) {
12
+ return false;
13
+ }
14
+ return a.type === b.type && a.raw === b.raw;
15
+ }
16
+ class AuthSessionImpl {
17
+ id;
18
+ #lc;
19
+ #validateLegacyJWT;
20
+ #auth = void 0;
21
+ #boundUserID;
22
+ #revision = 0;
23
+ constructor(lc, clientGroupID, validateLegacyJWT) {
24
+ this.id = clientGroupID;
25
+ this.#lc = lc;
26
+ this.#validateLegacyJWT = validateLegacyJWT;
27
+ }
28
+ get auth() {
29
+ return this.#auth;
30
+ }
31
+ get revision() {
32
+ return this.#revision;
33
+ }
34
+ clear() {
35
+ const lc = this.#lc.withContext(
36
+ "boundUserID",
37
+ this.#boundUserID ?? "unknown"
38
+ );
39
+ lc.debug?.(`Clearing auth session`);
40
+ this.#auth = void 0;
41
+ this.#boundUserID = void 0;
42
+ this.#revision = 0;
43
+ }
44
+ async update(userID, wireAuth) {
45
+ try {
46
+ const lc = this.#lc.withContext("newUserID", userID);
47
+ if (this.#boundUserID && this.#boundUserID !== userID) {
48
+ return {
49
+ ok: false,
50
+ error: {
51
+ kind: Unauthorized,
52
+ message: "Client groups are pinned to a single user. Connection userID does not match existing client group userID.",
53
+ origin: ZeroCache
54
+ }
55
+ };
56
+ }
57
+ const previousAuth = this.#auth;
58
+ const hasProvidedAuth = isProvidedAuth(wireAuth);
59
+ let nextAuth = previousAuth;
60
+ if (previousAuth) {
61
+ lc.debug?.(`Attempting to update auth from previous value`);
62
+ } else {
63
+ lc.debug?.(`Attempting to initialize auth`);
64
+ }
65
+ if (!hasProvidedAuth && previousAuth) {
66
+ return {
67
+ ok: false,
68
+ error: {
69
+ kind: Unauthorized,
70
+ message: "No token provided. An unauthenticated client cannot connect to an authenticated client group.",
71
+ origin: ZeroCache
72
+ }
73
+ };
74
+ }
75
+ if (!hasProvidedAuth) {
76
+ nextAuth = void 0;
77
+ lc.debug?.(`Cleared auth`);
78
+ } else if (this.#validateLegacyJWT !== void 0) {
79
+ const verifiedToken = await this.#validateLegacyJWT(wireAuth, { userID });
80
+ nextAuth = pickToken(this.#lc, this.#auth, verifiedToken);
81
+ lc.debug?.(`Updated auth with JWT`);
82
+ } else {
83
+ if (this.#auth?.type === "jwt") {
84
+ throw new Error(
85
+ "Cannot change auth type from legacy to opaque token"
86
+ );
87
+ }
88
+ nextAuth = {
89
+ type: "opaque",
90
+ raw: wireAuth
91
+ };
92
+ lc.debug?.(`Updated auth with opaque token`);
93
+ }
94
+ this.#auth = nextAuth;
95
+ this.#boundUserID ??= userID;
96
+ if (!authEquals(previousAuth, nextAuth)) {
97
+ this.#revision++;
98
+ }
99
+ } catch (e) {
100
+ if (isProtocolError(e)) {
101
+ return {
102
+ ok: false,
103
+ error: e.errorBody
104
+ };
105
+ }
106
+ return {
107
+ ok: false,
108
+ error: {
109
+ kind: AuthInvalidated,
110
+ message: `Failed to decode auth token: ${String(e)}`,
111
+ origin: ZeroCache
112
+ }
113
+ };
114
+ }
115
+ return { ok: true };
116
+ }
117
+ }
118
+ function pickToken(lc, previousToken, newToken) {
119
+ if (newToken === null) {
120
+ return void 0;
121
+ }
122
+ if (previousToken?.type && newToken?.type && previousToken?.type !== newToken?.type) {
123
+ throw new ProtocolError({
124
+ kind: Unauthorized,
125
+ message: "Token type cannot change. Client groups are pinned to a single token type.",
126
+ origin: ZeroCache
127
+ });
128
+ }
129
+ if (previousToken === void 0) {
130
+ lc.debug?.(`No previous token, using new token`);
131
+ return newToken;
132
+ }
133
+ if (newToken?.type === "opaque") {
134
+ return newToken;
135
+ }
136
+ if (previousToken.type === "opaque") {
137
+ throw new ProtocolError({
138
+ kind: Unauthorized,
139
+ message: "Token type cannot change from opaque to JWT. Client groups are pinned to a single token type.",
140
+ origin: ZeroCache
141
+ });
142
+ }
143
+ if (newToken) {
144
+ if (previousToken.decoded.sub !== newToken.decoded.sub) {
145
+ throw new ProtocolError({
146
+ kind: Unauthorized,
147
+ message: "The user id in the new token does not match the previous token. Client groups are pinned to a single user.",
148
+ origin: ZeroCache
149
+ });
150
+ }
151
+ if (previousToken.decoded.iat === void 0) {
152
+ lc.debug?.(`No issued at time for the existing token, using new token`);
153
+ return newToken;
154
+ }
155
+ if (newToken.decoded.iat === void 0) {
156
+ throw new ProtocolError({
157
+ kind: Unauthorized,
158
+ message: "The new token does not have an issued at time but the prior token does. Tokens for a client group must either all have issued at times or all not have issued at times",
159
+ origin: ZeroCache
160
+ });
161
+ }
162
+ if (previousToken.decoded.iat < newToken.decoded.iat) {
163
+ lc.debug?.(`New token is newer, using it`);
164
+ return newToken;
165
+ }
166
+ lc.debug?.(`New token is older or the same, using existing token`);
167
+ return previousToken;
168
+ }
169
+ throw new ProtocolError({
170
+ kind: Unauthorized,
171
+ message: "No token provided. An unauthenticated client cannot connect to an authenticated client group.",
172
+ origin: ZeroCache
173
+ });
174
+ }
175
+ export {
176
+ AuthSessionImpl,
177
+ pickToken
178
+ };
179
+ //# sourceMappingURL=auth.js.map
package/out/zero-cache/src/auth/auth.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth.js","sources":["../../../../../zero-cache/src/auth/auth.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport type {JWTPayload} from 'jose';\nimport {ErrorKind} from '../../../zero-protocol/src/error-kind.ts';\nimport {ErrorOrigin} from '../../../zero-protocol/src/error-origin.ts';\nimport {\n isProtocolError,\n ProtocolError,\n type ErrorBody,\n} from '../../../zero-protocol/src/error.ts';\n\n/** @deprecated JWT auth is deprecated */\nexport type JWTAuth = {\n readonly type: 'jwt';\n readonly raw: string;\n readonly decoded: JWTPayload;\n};\n\nexport type OpaqueAuth = {\n readonly type: 'opaque';\n readonly raw: string;\n};\n\nexport type Auth = OpaqueAuth | JWTAuth;\n\nexport interface AuthSession {\n /** Update the auth session with a new userID and token from the client */\n update(\n userID: string,\n wireAuth: string | undefined,\n ): Promise<AuthUpdateResult>;\n\n /** The revision of the auth state */\n get revision(): number;\n\n /** The auth state for the session */\n get auth(): Auth | undefined;\n\n /** Clear the auth session, removing any stored auth and allowing a new userID to be bound on the next update. */\n clear(): void;\n}\n\nexport type AuthUpdateResult =\n | {\n readonly ok: true;\n }\n | {\n readonly ok: false;\n readonly error: ErrorBody;\n };\n\nexport type ValidateLegacyJWT = (\n token: string,\n ctx: {readonly userID: string},\n) => Promise<JWTAuth>;\n\nfunction isProvidedAuth(wireAuth: string | undefined): wireAuth is string {\n return wireAuth !== undefined && wireAuth !== '';\n}\n\nfunction authEquals(a: Auth | null | undefined, b: Auth | null | undefined) {\n if (a === b) {\n return true;\n }\n if (!a || !b) {\n return false;\n }\n return a.type === b.type && a.raw === b.raw;\n}\n\nexport class AuthSessionImpl implements AuthSession {\n readonly id: string;\n readonly #lc: LogContext;\n readonly #validateLegacyJWT: ValidateLegacyJWT | undefined;\n #auth: Auth | undefined = undefined;\n #boundUserID: string | undefined;\n #revision = 0;\n\n constructor(\n lc: LogContext,\n clientGroupID: string,\n validateLegacyJWT: ValidateLegacyJWT | undefined,\n ) {\n this.id = clientGroupID;\n this.#lc = lc;\n this.#validateLegacyJWT = validateLegacyJWT;\n }\n\n get auth(): Auth | undefined {\n return this.#auth;\n }\n\n get revision(): number {\n return this.#revision;\n }\n\n clear(): void {\n const lc = this.#lc.withContext(\n 'boundUserID',\n this.#boundUserID ?? 'unknown',\n );\n lc.debug?.(`Clearing auth session`);\n this.#auth = undefined;\n this.#boundUserID = undefined;\n this.#revision = 0;\n }\n\n async update(\n userID: string,\n wireAuth: string | undefined,\n ): Promise<AuthUpdateResult> {\n try {\n const lc = this.#lc.withContext('newUserID', userID);\n\n // check if the auth update is trying to change the bound userID for this client group\n if (this.#boundUserID && this.#boundUserID !== userID) {\n return {\n ok: false,\n error: {\n kind: ErrorKind.Unauthorized,\n message:\n 'Client groups are pinned to a single user. Connection userID does not match existing client group userID.',\n origin: ErrorOrigin.ZeroCache,\n },\n };\n }\n\n const previousAuth = this.#auth;\n const hasProvidedAuth = isProvidedAuth(wireAuth);\n let nextAuth = previousAuth;\n\n if (previousAuth) {\n lc.debug?.(`Attempting to update auth from previous value`);\n } else {\n lc.debug?.(`Attempting to initialize auth`);\n }\n\n if (!hasProvidedAuth && previousAuth) {\n return {\n ok: false,\n error: {\n kind: ErrorKind.Unauthorized,\n message:\n 'No token provided. An unauthenticated client cannot connect to an authenticated client group.',\n origin: ErrorOrigin.ZeroCache,\n },\n };\n }\n\n if (!hasProvidedAuth) {\n nextAuth = undefined;\n lc.debug?.(`Cleared auth`);\n } else if (this.#validateLegacyJWT !== undefined) {\n const verifiedToken = await this.#validateLegacyJWT(wireAuth, {userID});\n nextAuth = pickToken(this.#lc, this.#auth, verifiedToken);\n lc.debug?.(`Updated auth with JWT`);\n } else {\n if (this.#auth?.type === 'jwt') {\n throw new Error(\n 'Cannot change auth type from legacy to opaque token',\n );\n }\n nextAuth = {\n type: 'opaque',\n raw: wireAuth,\n };\n lc.debug?.(`Updated auth with opaque token`);\n }\n\n this.#auth = nextAuth;\n this.#boundUserID ??= userID;\n\n if (!authEquals(previousAuth, nextAuth)) {\n this.#revision++;\n }\n } catch (e) {\n if (isProtocolError(e)) {\n return {\n ok: false,\n error: e.errorBody,\n };\n }\n return {\n ok: false,\n error: {\n kind: ErrorKind.AuthInvalidated,\n message: `Failed to decode auth token: ${String(e)}`,\n origin: ErrorOrigin.ZeroCache,\n },\n };\n }\n\n return {ok: true};\n }\n}\n\n/** @deprecated used only in old JWT validation/rotation auth */\nexport function pickToken(\n lc: LogContext,\n previousToken: Auth | undefined,\n newToken: Auth | undefined | null,\n) {\n if (newToken === null) {\n return undefined;\n }\n\n if (\n previousToken?.type &&\n newToken?.type &&\n previousToken?.type !== newToken?.type\n ) {\n throw new ProtocolError({\n kind: ErrorKind.Unauthorized,\n message:\n 'Token type cannot change. Client groups are pinned to a single token type.',\n origin: ErrorOrigin.ZeroCache,\n });\n }\n\n if (previousToken === undefined) {\n lc.debug?.(`No previous token, using new token`);\n return newToken;\n }\n\n if (newToken?.type === 'opaque') {\n return newToken;\n }\n\n if (previousToken.type === 'opaque') {\n throw new ProtocolError({\n kind: ErrorKind.Unauthorized,\n message:\n 'Token type cannot change from opaque to JWT. Client groups are pinned to a single token type.',\n origin: ErrorOrigin.ZeroCache,\n });\n }\n\n if (newToken) {\n if (previousToken.decoded.sub !== newToken.decoded.sub) {\n throw new ProtocolError({\n kind: ErrorKind.Unauthorized,\n message:\n 'The user id in the new token does not match the previous token. Client groups are pinned to a single user.',\n origin: ErrorOrigin.ZeroCache,\n });\n }\n\n if (previousToken.decoded.iat === undefined) {\n lc.debug?.(`No issued at time for the existing token, using new token`);\n // No issued at time for the existing token? We take the most recently received token.\n return newToken;\n }\n\n if (newToken.decoded.iat === undefined) {\n throw new ProtocolError({\n kind: ErrorKind.Unauthorized,\n message:\n 'The new token does not have an issued at time but the prior token does. Tokens for a client group must either all have issued at times or all not have issued at times',\n origin: ErrorOrigin.ZeroCache,\n });\n }\n\n // The new token is newer, so we take it.\n if (previousToken.decoded.iat < newToken.decoded.iat) {\n lc.debug?.(`New token is newer, using it`);\n return newToken;\n }\n\n // if the new token is older or the same, we keep the existing token.\n lc.debug?.(`New token is older or the same, using existing token`);\n return previousToken;\n }\n\n // previousToken !== undefined but newToken is undefined\n throw new ProtocolError({\n kind: ErrorKind.Unauthorized,\n message:\n 'No token provided. An unauthenticated client cannot connect to an authenticated client group.',\n origin: ErrorOrigin.ZeroCache,\n });\n}\n"],"names":["ErrorKind.Unauthorized","ErrorOrigin.ZeroCache","ErrorKind.AuthInvalidated"],"mappings":";;;AAuDA,SAAS,eAAe,UAAkD;AACxE,SAAO,aAAa,UAAa,aAAa;AAChD;AAEA,SAAS,WAAW,GAA4B,GAA4B;AAC1E,MAAI,MAAM,GAAG;AACX,WAAO;AAAA,EACT;AACA,MAAI,CAAC,KAAK,CAAC,GAAG;AACZ,WAAO;AAAA,EACT;AACA,SAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE;AAC1C;AAEO,MAAM,gBAAuC;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACT,QAA0B;AAAA,EAC1B;AAAA,EACA,YAAY;AAAA,EAEZ,YACE,IACA,eACA,mBACA;AACA,SAAK,KAAK;AACV,SAAK,MAAM;AACX,SAAK,qBAAqB;AAAA,EAC5B;AAAA,EAEA,IAAI,OAAyB;AAC3B,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,IAAI,WAAmB;AACrB,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,QAAc;AACZ,UAAM,KAAK,KAAK,IAAI;AAAA,MAClB;AAAA,MACA,KAAK,gBAAgB;AAAA,IAAA;AAEvB,OAAG,QAAQ,uBAAuB;AAClC,SAAK,QAAQ;AACb,SAAK,eAAe;AACpB,SAAK,YAAY;AAAA,EACnB;AAAA,EAEA,MAAM,OACJ,QACA,UAC2B;AAC3B,QAAI;AACF,YAAM,KAAK,KAAK,IAAI,YAAY,aAAa,MAAM;AAGnD,UAAI,KAAK,gBAAgB,KAAK,iBAAiB,QAAQ;AACrD,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO;AAAA,YACL,MAAMA;AAAAA,YACN,SACE;AAAA,YACF,QAAQC;AAAAA,UAAY;AAAA,QACtB;AAAA,MAEJ;AAEA,YAAM,eAAe,KAAK;AAC1B,YAAM,kBAAkB,eAAe,QAAQ;AAC/C,UAAI,WAAW;AAEf,UAAI,cAAc;AAChB,WAAG,QAAQ,+CAA+C;AAAA,MAC5D,OAAO;AACL,WAAG,QAAQ,+BAA+B;AAAA,MAC5C;AAEA,UAAI,CAAC,mBAAmB,cAAc;AACpC,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO;AAAA,YACL,MAAMD;AAAAA,YACN,SACE;AAAA,YACF,QAAQC;AAAAA,UAAY;AAAA,QACtB;AAAA,MAEJ;AAEA,UAAI,CAAC,iBAAiB;AACpB,mBAAW;AACX,WAAG,QAAQ,cAAc;AAAA,MAC3B,WAAW,KAAK,uBAAuB,QAAW;AAChD,cAAM,gBAAgB,MAAM,KAAK,mBAAmB,UAAU,EAAC,QAAO;AACtE,mBAAW,UAAU,KAAK,KAAK,KAAK,OAAO,aAAa;AACxD,WAAG,QAAQ,uBAAuB;AAAA,MACpC,OAAO;AACL,YAAI,KAAK,OAAO,SAAS,OAAO;AAC9B,gBAAM,IAAI;AAAA,YACR;AAAA,UAAA;AAAA,QAEJ;AACA,mBAAW;AAAA,UACT,MAAM;AAAA,UACN,KAAK;AAAA,QAAA;AAEP,WAAG,QAAQ,gCAAgC;AAAA,MAC7C;AAEA,WAAK,QAAQ;AACb,WAAK,iBAAiB;AAEtB,UAAI,CAAC,WAAW,cAAc,QAAQ,GAAG;AACvC,aAAK;AAAA,MACP;AAAA,IACF,SAAS,GAAG;AACV,UAAI,gBAAgB,CAAC,GAAG;AACtB,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,OAAO,EAAE;AAAA,QAAA;AAAA,MAEb;AACA,aAAO;AAAA,QACL,IAAI;AAAA,QACJ,OAAO;AAAA,UACL,MAAMC;AAAAA,UACN,SAAS,gCAAgC,OAAO,CAAC,CAAC;AAAA,UAClD,QAAQD;AAAAA,QAAY;AAAA,MACtB;AAAA,IAEJ;AAEA,WAAO,EAAC,IAAI,KAAA;AAAA,EACd;AACF;AAGO,SAAS,UACd,IACA,eACA,UACA;AACA,MAAI,aAAa,MAAM;AACrB,WAAO;AAAA,EACT;AAEA,MACE,eAAe,QACf,UAAU,QACV,eAAe,SAAS,UAAU,MAClC;AACA,UAAM,IAAI,cAAc;AAAA,MACtB,MAAMD;AAAAA,MACN,SACE;AAAA,MACF,QAAQC;AAAAA,IAAY,CACrB;AAAA,EACH;AAEA,MAAI,kBAAkB,QAAW;AAC/B,OAAG,QAAQ,oCAAoC;AAC/C,WAAO;AAAA,EACT;AAEA,MAAI,UAAU,SAAS,UAAU;AAC/B,WAAO;AAAA,EACT;AAEA,MAAI,cAAc,SAAS,UAAU;AACnC,UAAM,IAAI,cAAc;AAAA,MACtB,MAAMD;AAAAA,MACN,SACE;AAAA,MACF,QAAQC;AAAAA,IAAY,CACrB;AAAA,EACH;AAEA,MAAI,UAAU;AACZ,QAAI,cAAc,QAAQ,QAAQ,SAAS,QAAQ,KAAK;AACtD,YAAM,IAAI,cAAc;AAAA,QACtB,MAAMD;AAAAA,QACN,SACE;AAAA,QACF,QAAQC;AAAAA,MAAY,CACrB;AAAA,IACH;AAEA,QAAI,cAAc,QAAQ,QAAQ,QAAW;AAC3C,SAAG,QAAQ,2DAA2D;AAEtE,aAAO;AAAA,IACT;AAEA,QAAI,SAAS,QAAQ,QAAQ,QAAW;AACtC,YAAM,IAAI,cAAc;AAAA,QACtB,MAAMD;AAAAA,QACN,SACE;AAAA,QACF,QAAQC;AAAAA,MAAY,CACrB;AAAA,IACH;AAGA,QAAI,cAAc,QAAQ,MAAM,SAAS,QAAQ,KAAK;AACpD,SAAG,QAAQ,8BAA8B;AACzC,aAAO;AAAA,IACT;AAGA,OAAG,QAAQ,sDAAsD;AACjE,WAAO;AAAA,EACT;AAGA,QAAM,IAAI,cAAc;AAAA,IACtB,MAAMD;AAAAA,IACN,SACE;AAAA,IACF,QAAQC;AAAAA,EAAY,CACrB;AACH;"}
package/out/zero-cache/src/auth/read-authorizer.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  import type { LogContext } from '@rocicorp/logger';
2
- import type { JWTPayload } from 'jose';
3
2
  import type { AST } from '../../../zero-protocol/src/ast.ts';
4
3
  import type { PermissionsConfig } from '../../../zero-schema/src/compiled-permissions.ts';
4
+ import type { JWTAuth } from './auth.ts';
5
5
  export type TransformedAndHashed = {
6
6
  id: string;
7
7
  transformedAst: AST;
@@ -16,9 +16,9 @@ export type TransformedAndHashed = {
16
16
  * would be excluded without running the query.
17
17
  * E.g., the user is trying to query a table that is not readable.
18
18
  */
19
- export declare function transformAndHashQuery(lc: LogContext, id: string, query: AST, permissionRules: PermissionsConfig, authData: JWTPayload | undefined, internalQuery: boolean | null | undefined): TransformedAndHashed;
19
+ export declare function transformAndHashQuery(lc: LogContext, id: string, query: AST, permissionRules: PermissionsConfig, auth: JWTAuth | undefined, internalQuery: boolean | null | undefined): TransformedAndHashed;
20
20
  /**
21
21
  * For a given AST, apply the read-auth rules and bind static auth data.
22
22
  */
23
- export declare function transformQuery(lc: LogContext, query: AST, permissionRules: PermissionsConfig, authData: JWTPayload | undefined): AST;
23
+ export declare function transformQuery(lc: LogContext, query: AST, permissionRules: PermissionsConfig, auth: JWTAuth | undefined): AST;
24
24
  //# sourceMappingURL=read-authorizer.d.ts.map
package/out/zero-cache/src/auth/read-authorizer.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"read-authorizer.d.ts","sourceRoot":"","sources":["../../../../../zero-cache/src/auth/read-authorizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AACjD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,MAAM,CAAC;AAErC,OAAO,KAAK,EAAC,GAAG,EAAY,MAAM,mCAAmC,CAAC;AAEtE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,kDAAkD,CAAC;AAIxF,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,GAAG,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AACF;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CACnC,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,GAAG,EACV,eAAe,EAAE,iBAAiB,EAClC,QAAQ,EAAE,UAAU,GAAG,SAAS,EAChC,aAAa,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GACxC,oBAAoB,CAStB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,GAAG,EACV,eAAe,EAAE,iBAAiB,EAClC,QAAQ,EAAE,UAAU,GAAG,SAAS,GAC/B,GAAG,CASL"}
1
+ {"version":3,"file":"read-authorizer.d.ts","sourceRoot":"","sources":["../../../../../zero-cache/src/auth/read-authorizer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAEjD,OAAO,KAAK,EAAC,GAAG,EAAY,MAAM,mCAAmC,CAAC;AAEtE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,kDAAkD,CAAC;AAGxF,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,WAAW,CAAC;AAEvC,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,cAAc,EAAE,GAAG,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;CAC5B,CAAC;AACF;;;;;;;;GAQG;AACH,wBAAgB,qBAAqB,CACnC,EAAE,EAAE,UAAU,EACd,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,GAAG,EACV,eAAe,EAAE,iBAAiB,EAClC,IAAI,EAAE,OAAO,GAAG,SAAS,EACzB,aAAa,EAAE,OAAO,GAAG,IAAI,GAAG,SAAS,GACxC,oBAAoB,CAStB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAC5B,EAAE,EAAE,UAAU,EACd,KAAK,EAAE,GAAG,EACV,eAAe,EAAE,iBAAiB,EAClC,IAAI,EAAE,OAAO,GAAG,SAAS,GACxB,GAAG,CASL"}
package/out/zero-cache/src/auth/read-authorizer.js CHANGED
@@ -1,22 +1,22 @@
1
1
  import { hashOfAST } from "../../../zero-protocol/src/query-hash.js";
2
2
  import { bindStaticParameters } from "../../../zql/src/builder/builder.js";
3
3
  import { simplifyCondition } from "../../../zql/src/query/expression.js";
4
- function transformAndHashQuery(lc, id, query, permissionRules, authData, internalQuery) {
5
- const transformed = internalQuery ? query : transformQuery(lc, query, permissionRules, authData);
4
+ function transformAndHashQuery(lc, id, query, permissionRules, auth, internalQuery) {
5
+ const transformed = internalQuery ? query : transformQuery(lc, query, permissionRules, auth);
6
6
  return {
7
7
  id,
8
8
  transformedAst: transformed,
9
9
  transformationHash: hashOfAST(transformed)
10
10
  };
11
11
  }
12
- function transformQuery(lc, query, permissionRules, authData) {
12
+ function transformQuery(lc, query, permissionRules, auth) {
13
13
  const queryWithPermissions = transformQueryInternal(
14
14
  lc,
15
15
  query,
16
16
  permissionRules
17
17
  );
18
18
  return bindStaticParameters(queryWithPermissions, {
19
- authData
19
+ authData: auth ? auth.decoded : {}
20
20
  });
21
21
  }
22
22
  function transformQueryInternal(lc, query, permissionRules) {
package/out/zero-cache/src/auth/read-authorizer.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"read-authorizer.js","sources":["../../../../../zero-cache/src/auth/read-authorizer.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport type {JWTPayload} from 'jose';\nimport type {JSONValue} from '../../../shared/src/json.ts';\nimport type {AST, Condition} from '../../../zero-protocol/src/ast.ts';\nimport {hashOfAST} from '../../../zero-protocol/src/query-hash.ts';\nimport type {PermissionsConfig} from '../../../zero-schema/src/compiled-permissions.ts';\nimport {bindStaticParameters} from '../../../zql/src/builder/builder.ts';\nimport {simplifyCondition} from '../../../zql/src/query/expression.ts';\n\nexport type TransformedAndHashed = {\n id: string;\n transformedAst: AST;\n transformationHash: string;\n};\n/**\n * Adds permission rules to the given query so it only returns rows that the\n * user is allowed to read.\n *\n * If the returned query is `undefined` that means that user cannot run\n * the query at all. This is only the case if we can infer that all rows\n * would be excluded without running the query.\n * E.g., the user is trying to query a table that is not readable.\n */\nexport function transformAndHashQuery(\n lc: LogContext,\n id: string,\n query: AST,\n permissionRules: PermissionsConfig,\n authData: JWTPayload | undefined,\n internalQuery: boolean | null | undefined,\n): TransformedAndHashed {\n const transformed = internalQuery\n ? query // application permissions do not apply to internal queries\n : transformQuery(lc, query, permissionRules, authData);\n return {\n id,\n transformedAst: transformed,\n transformationHash: hashOfAST(transformed),\n };\n}\n\n/**\n * For a given AST, apply the read-auth rules and bind static auth data.\n */\nexport function transformQuery(\n lc: LogContext,\n query: AST,\n permissionRules: PermissionsConfig,\n authData: JWTPayload | undefined,\n): AST {\n const queryWithPermissions = transformQueryInternal(\n lc,\n query,\n permissionRules,\n );\n return bindStaticParameters(queryWithPermissions, {\n authData: authData as Record<string, JSONValue>,\n });\n}\n\nfunction transformQueryInternal(\n lc: LogContext,\n query: AST,\n permissionRules: PermissionsConfig,\n): AST {\n let rowSelectRules = permissionRules?.tables?.[query.table]?.row?.select;\n\n if (!rowSelectRules || rowSelectRules.length === 0) {\n // If there are no rules, we default to not allowing any rows to be selected.\n lc.warn?.(\n \"No permission rules found for table '\" +\n query.table +\n \"'. No rows will be returned. Use ANYONE_CAN to allow all users to access all rows.\",\n );\n rowSelectRules = [\n [\n 'allow',\n {\n type: 'or',\n conditions: [],\n },\n ],\n ];\n }\n\n const updatedWhere = addRulesToWhere(\n query.where\n ? transformCondition(lc, query.where, permissionRules)\n : undefined,\n rowSelectRules,\n );\n return {\n ...query,\n where: simplifyCondition(updatedWhere),\n related: query.related?.map(sq => {\n const subquery = transformQueryInternal(lc, sq.subquery, permissionRules);\n return {\n ...sq,\n subquery,\n };\n }),\n };\n}\n\nfunction addRulesToWhere(\n where: Condition | undefined,\n rowSelectRules: ['allow', Condition][],\n): Condition {\n return {\n type: 'and',\n conditions: [\n ...(where ? [where] : []),\n {\n type: 'or',\n conditions: rowSelectRules.map(([_, condition]) => condition),\n },\n ],\n };\n}\n\n// We must augment conditions so we do not provide an oracle to users.\n// E.g.,\n// `issue.whereExists('secret', s => s.where('value', 'sdf'))`\n// Not applying read policies to subqueries in the where position\n// would allow users to infer the existence of rows, and their contents,\n// that they cannot read.\nfunction transformCondition(\n lc: LogContext,\n cond: Condition,\n auth: PermissionsConfig,\n): Condition {\n switch (cond.type) {\n case 'simple':\n return cond;\n case 'and':\n case 'or':\n return {\n ...cond,\n conditions: cond.conditions.map(c => transformCondition(lc, c, auth)),\n };\n case 'correlatedSubquery': {\n const query = transformQueryInternal(lc, cond.related.subquery, auth);\n return {\n ...cond,\n related: {\n ...cond.related,\n subquery: query,\n },\n };\n }\n case 'scalarSubquery': {\n const query = transformQueryInternal(lc, cond.subquery, auth);\n return {\n ...cond,\n subquery: query,\n };\n }\n }\n}\n"],"names":[],"mappings":";;;AAuBO,SAAS,sBACd,IACA,IACA,OACA,iBACA,UACA,eACsB;AACtB,QAAM,cAAc,gBAChB,QACA,eAAe,IAAI,OAAO,iBAAiB,QAAQ;AACvD,SAAO;AAAA,IACL;AAAA,IACA,gBAAgB;AAAA,IAChB,oBAAoB,UAAU,WAAW;AAAA,EAAA;AAE7C;AAKO,SAAS,eACd,IACA,OACA,iBACA,UACK;AACL,QAAM,uBAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,EAAA;AAEF,SAAO,qBAAqB,sBAAsB;AAAA,IAChD;AAAA,EAAA,CACD;AACH;AAEA,SAAS,uBACP,IACA,OACA,iBACK;AACL,MAAI,iBAAiB,iBAAiB,SAAS,MAAM,KAAK,GAAG,KAAK;AAElE,MAAI,CAAC,kBAAkB,eAAe,WAAW,GAAG;AAElD,OAAG;AAAA,MACD,0CACE,MAAM,QACN;AAAA,IAAA;AAEJ,qBAAiB;AAAA,MACf;AAAA,QACE;AAAA,QACA;AAAA,UACE,MAAM;AAAA,UACN,YAAY,CAAA;AAAA,QAAC;AAAA,MACf;AAAA,IACF;AAAA,EAEJ;AAEA,QAAM,eAAe;AAAA,IACnB,MAAM,QACF,mBAAmB,IAAI,MAAM,OAAO,eAAe,IACnD;AAAA,IACJ;AAAA,EAAA;AAEF,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO,kBAAkB,YAAY;AAAA,IACrC,SAAS,MAAM,SAAS,IAAI,CAAA,OAAM;AAChC,YAAM,WAAW,uBAAuB,IAAI,GAAG,UAAU,eAAe;AACxE,aAAO;AAAA,QACL,GAAG;AAAA,QACH;AAAA,MAAA;AAAA,IAEJ,CAAC;AAAA,EAAA;AAEL;AAEA,SAAS,gBACP,OACA,gBACW;AACX,SAAO;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA,MACV,GAAI,QAAQ,CAAC,KAAK,IAAI,CAAA;AAAA,MACtB;AAAA,QACE,MAAM;AAAA,QACN,YAAY,eAAe,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,SAAS;AAAA,MAAA;AAAA,IAC9D;AAAA,EACF;AAEJ;AAQA,SAAS,mBACP,IACA,MACA,MACW;AACX,UAAQ,KAAK,MAAA;AAAA,IACX,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,QACL,GAAG;AAAA,QACH,YAAY,KAAK,WAAW,IAAI,OAAK,mBAAmB,IAAI,GAAG,IAAI,CAAC;AAAA,MAAA;AAAA,IAExE,KAAK,sBAAsB;AACzB,YAAM,QAAQ,uBAAuB,IAAI,KAAK,QAAQ,UAAU,IAAI;AACpE,aAAO;AAAA,QACL,GAAG;AAAA,QACH,SAAS;AAAA,UACP,GAAG,KAAK;AAAA,UACR,UAAU;AAAA,QAAA;AAAA,MACZ;AAAA,IAEJ;AAAA,IACA,KAAK,kBAAkB;AACrB,YAAM,QAAQ,uBAAuB,IAAI,KAAK,UAAU,IAAI;AAC5D,aAAO;AAAA,QACL,GAAG;AAAA,QACH,UAAU;AAAA,MAAA;AAAA,IAEd;AAAA,EAAA;AAEJ;"}
1
+ {"version":3,"file":"read-authorizer.js","sources":["../../../../../zero-cache/src/auth/read-authorizer.ts"],"sourcesContent":["import type {LogContext} from '@rocicorp/logger';\nimport type {JSONValue} from '../../../shared/src/json.ts';\nimport type {AST, Condition} from '../../../zero-protocol/src/ast.ts';\nimport {hashOfAST} from '../../../zero-protocol/src/query-hash.ts';\nimport type {PermissionsConfig} from '../../../zero-schema/src/compiled-permissions.ts';\nimport {bindStaticParameters} from '../../../zql/src/builder/builder.ts';\nimport {simplifyCondition} from '../../../zql/src/query/expression.ts';\nimport type {JWTAuth} from './auth.ts';\n\nexport type TransformedAndHashed = {\n id: string;\n transformedAst: AST;\n transformationHash: string;\n};\n/**\n * Adds permission rules to the given query so it only returns rows that the\n * user is allowed to read.\n *\n * If the returned query is `undefined` that means that user cannot run\n * the query at all. This is only the case if we can infer that all rows\n * would be excluded without running the query.\n * E.g., the user is trying to query a table that is not readable.\n */\nexport function transformAndHashQuery(\n lc: LogContext,\n id: string,\n query: AST,\n permissionRules: PermissionsConfig,\n auth: JWTAuth | undefined,\n internalQuery: boolean | null | undefined,\n): TransformedAndHashed {\n const transformed = internalQuery\n ? query // application permissions do not apply to internal queries\n : transformQuery(lc, query, permissionRules, auth);\n return {\n id,\n transformedAst: transformed,\n transformationHash: hashOfAST(transformed),\n };\n}\n\n/**\n * For a given AST, apply the read-auth rules and bind static auth data.\n */\nexport function transformQuery(\n lc: LogContext,\n query: AST,\n permissionRules: PermissionsConfig,\n auth: JWTAuth | undefined,\n): AST {\n const queryWithPermissions = transformQueryInternal(\n lc,\n query,\n permissionRules,\n );\n return bindStaticParameters(queryWithPermissions, {\n authData: auth ? (auth.decoded as Record<string, JSONValue>) : {},\n });\n}\n\nfunction transformQueryInternal(\n lc: LogContext,\n query: AST,\n permissionRules: PermissionsConfig,\n): AST {\n let rowSelectRules = permissionRules?.tables?.[query.table]?.row?.select;\n\n if (!rowSelectRules || rowSelectRules.length === 0) {\n // If there are no rules, we default to not allowing any rows to be selected.\n lc.warn?.(\n \"No permission rules found for table '\" +\n query.table +\n \"'. No rows will be returned. Use ANYONE_CAN to allow all users to access all rows.\",\n );\n rowSelectRules = [\n [\n 'allow',\n {\n type: 'or',\n conditions: [],\n },\n ],\n ];\n }\n\n const updatedWhere = addRulesToWhere(\n query.where\n ? transformCondition(lc, query.where, permissionRules)\n : undefined,\n rowSelectRules,\n );\n return {\n ...query,\n where: simplifyCondition(updatedWhere),\n related: query.related?.map(sq => {\n const subquery = transformQueryInternal(lc, sq.subquery, permissionRules);\n return {\n ...sq,\n subquery,\n };\n }),\n };\n}\n\nfunction addRulesToWhere(\n where: Condition | undefined,\n rowSelectRules: ['allow', Condition][],\n): Condition {\n return {\n type: 'and',\n conditions: [\n ...(where ? [where] : []),\n {\n type: 'or',\n conditions: rowSelectRules.map(([_, condition]) => condition),\n },\n ],\n };\n}\n\n// We must augment conditions so we do not provide an oracle to users.\n// E.g.,\n// `issue.whereExists('secret', s => s.where('value', 'sdf'))`\n// Not applying read policies to subqueries in the where position\n// would allow users to infer the existence of rows, and their contents,\n// that they cannot read.\nfunction transformCondition(\n lc: LogContext,\n cond: Condition,\n auth: PermissionsConfig,\n): Condition {\n switch (cond.type) {\n case 'simple':\n return cond;\n case 'and':\n case 'or':\n return {\n ...cond,\n conditions: cond.conditions.map(c => transformCondition(lc, c, auth)),\n };\n case 'correlatedSubquery': {\n const query = transformQueryInternal(lc, cond.related.subquery, auth);\n return {\n ...cond,\n related: {\n ...cond.related,\n subquery: query,\n },\n };\n }\n case 'scalarSubquery': {\n const query = transformQueryInternal(lc, cond.subquery, auth);\n return {\n ...cond,\n subquery: query,\n };\n }\n }\n}\n"],"names":[],"mappings":";;;AAuBO,SAAS,sBACd,IACA,IACA,OACA,iBACA,MACA,eACsB;AACtB,QAAM,cAAc,gBAChB,QACA,eAAe,IAAI,OAAO,iBAAiB,IAAI;AACnD,SAAO;AAAA,IACL;AAAA,IACA,gBAAgB;AAAA,IAChB,oBAAoB,UAAU,WAAW;AAAA,EAAA;AAE7C;AAKO,SAAS,eACd,IACA,OACA,iBACA,MACK;AACL,QAAM,uBAAuB;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,EAAA;AAEF,SAAO,qBAAqB,sBAAsB;AAAA,IAChD,UAAU,OAAQ,KAAK,UAAwC,CAAA;AAAA,EAAC,CACjE;AACH;AAEA,SAAS,uBACP,IACA,OACA,iBACK;AACL,MAAI,iBAAiB,iBAAiB,SAAS,MAAM,KAAK,GAAG,KAAK;AAElE,MAAI,CAAC,kBAAkB,eAAe,WAAW,GAAG;AAElD,OAAG;AAAA,MACD,0CACE,MAAM,QACN;AAAA,IAAA;AAEJ,qBAAiB;AAAA,MACf;AAAA,QACE;AAAA,QACA;AAAA,UACE,MAAM;AAAA,UACN,YAAY,CAAA;AAAA,QAAC;AAAA,MACf;AAAA,IACF;AAAA,EAEJ;AAEA,QAAM,eAAe;AAAA,IACnB,MAAM,QACF,mBAAmB,IAAI,MAAM,OAAO,eAAe,IACnD;AAAA,IACJ;AAAA,EAAA;AAEF,SAAO;AAAA,IACL,GAAG;AAAA,IACH,OAAO,kBAAkB,YAAY;AAAA,IACrC,SAAS,MAAM,SAAS,IAAI,CAAA,OAAM;AAChC,YAAM,WAAW,uBAAuB,IAAI,GAAG,UAAU,eAAe;AACxE,aAAO;AAAA,QACL,GAAG;AAAA,QACH;AAAA,MAAA;AAAA,IAEJ,CAAC;AAAA,EAAA;AAEL;AAEA,SAAS,gBACP,OACA,gBACW;AACX,SAAO;AAAA,IACL,MAAM;AAAA,IACN,YAAY;AAAA,MACV,GAAI,QAAQ,CAAC,KAAK,IAAI,CAAA;AAAA,MACtB;AAAA,QACE,MAAM;AAAA,QACN,YAAY,eAAe,IAAI,CAAC,CAAC,GAAG,SAAS,MAAM,SAAS;AAAA,MAAA;AAAA,IAC9D;AAAA,EACF;AAEJ;AAQA,SAAS,mBACP,IACA,MACA,MACW;AACX,UAAQ,KAAK,MAAA;AAAA,IACX,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AAAA,IACL,KAAK;AACH,aAAO;AAAA,QACL,GAAG;AAAA,QACH,YAAY,KAAK,WAAW,IAAI,OAAK,mBAAmB,IAAI,GAAG,IAAI,CAAC;AAAA,MAAA;AAAA,IAExE,KAAK,sBAAsB;AACzB,YAAM,QAAQ,uBAAuB,IAAI,KAAK,QAAQ,UAAU,IAAI;AACpE,aAAO;AAAA,QACL,GAAG;AAAA,QACH,SAAS;AAAA,UACP,GAAG,KAAK;AAAA,UACR,UAAU;AAAA,QAAA;AAAA,MACZ;AAAA,IAEJ;AAAA,IACA,KAAK,kBAAkB;AACrB,YAAM,QAAQ,uBAAuB,IAAI,KAAK,UAAU,IAAI;AAC5D,aAAO;AAAA,QACL,GAAG;AAAA,QACH,UAAU;AAAA,MAAA;AAAA,IAEd;AAAA,EAAA;AAEJ;"}
package/out/zero-cache/src/config/zero-config.d.ts CHANGED
@@ -353,6 +353,10 @@ export declare const zeroOptions: {
353
353
  type: v.Type<number>;
354
354
  desc: string[];
355
355
  };
356
+ backPressureLimitHeapProportion: {
357
+ type: v.Type<number>;
358
+ desc: string[];
359
+ };
356
360
  };
357
361
  taskID: {
358
362
  type: v.Optional<string>;
package/out/zero-cache/src/config/zero-config.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"zero-config.d.ts","sourceRoot":"","sources":["../../../../../zero-cache/src/config/zero-config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,EAGL,KAAK,MAAM,EACX,KAAK,YAAY,EAClB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,CAAC,MAAM,+BAA+B,CAAC;AASnD,OAAO,EAGL,KAAK,oBAAoB,EAC1B,MAAM,gBAAgB,CAAC;AACxB,YAAY,EAAC,SAAS,EAAC,MAAM,kCAAkC,CAAC;AAEhE,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAE3C,eAAO,MAAM,UAAU;;;;;;;;;CA+CtB,CAAC;AAEF,eAAO,MAAM,YAAY;;;;;;;;;;CAwBxB,CAAC;AAEF,QAAA,MAAM,cAAc;;;;;;;;;CAmBnB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,cAAc,CAAC,CAAC;AAE3D,QAAA,MAAM,oBAAoB;;;;;;;;;CAczB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAE5D,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;CAgDhB,CAAC;AAuGF,kBAAkB;AAClB,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,WAAW,CAAC,CAAC;AAKpD,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;IAwCtB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGlB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuHlB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA6ChB,kBAAkB;;;;;;QASlB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAsRpB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgEnB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,WAAW,CAAC,CAAC;AAIpD,wBAAgB,aAAa,CAC3B,IAAI,GAAE,IAAI,CAAC,YAAY,EAAE,eAAe,CAAM,GAC7C,UAAU,CAaZ;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,GAAE,IAAI,CAAC,YAAY,EAAE,eAAe,CAAM,GAC7C,oBAAoB,CAItB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,GAAG,SAAS,GACpD,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAClC,EAAE,EAAE,UAAU,EACd,MAAM,EAAE,IAAI,CAAC,oBAAoB,EAAE,eAAe,CAAC,EACnD,QAAQ,EAAE,MAAM,GAAG,SAAS,WAwC7B;AAYD,wBAAgB,kBAAkB,SAEjC"}
1
+ {"version":3,"file":"zero-config.d.ts","sourceRoot":"","sources":["../../../../../zero-cache/src/config/zero-config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,EAGL,KAAK,MAAM,EACX,KAAK,YAAY,EAClB,MAAM,gCAAgC,CAAC;AACxC,OAAO,KAAK,CAAC,MAAM,+BAA+B,CAAC;AASnD,OAAO,EAGL,KAAK,oBAAoB,EAC1B,MAAM,gBAAgB,CAAC;AACxB,YAAY,EAAC,SAAS,EAAC,MAAM,kCAAkC,CAAC;AAEhE,eAAO,MAAM,mBAAmB,UAAU,CAAC;AAE3C,eAAO,MAAM,UAAU;;;;;;;;;CA+CtB,CAAC;AAEF,eAAO,MAAM,YAAY;;;;;;;;;;CAwBxB,CAAC;AAEF,QAAA,MAAM,cAAc;;;;;;;;;CAmBnB,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,cAAc,CAAC,CAAC;AAE3D,QAAA,MAAM,oBAAoB;;;;;;;;;CAczB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAE5D,QAAA,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;CAgDhB,CAAC;AAuGF,kBAAkB;AAClB,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,WAAW,CAAC,CAAC;AAKpD,eAAO,MAAM,WAAW;;;;;;;;;;;;;;;;;;;;IAwCtB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAGlB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAuHlB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA6ChB,kBAAkB;;;;;;QASlB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IA8SpB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgEnB,CAAC;AAEF,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,WAAW,CAAC,CAAC;AAIpD,wBAAgB,aAAa,CAC3B,IAAI,GAAE,IAAI,CAAC,YAAY,EAAE,eAAe,CAAM,GAC7C,UAAU,CAaZ;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,IAAI,GAAE,IAAI,CAAC,YAAY,EAAE,eAAe,CAAM,GAC7C,oBAAoB,CAItB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,eAAe,CAAC,GAAG,SAAS,GACpD,MAAM,CAER;AAED,wBAAgB,oBAAoB,CAClC,EAAE,EAAE,UAAU,EACd,MAAM,EAAE,IAAI,CAAC,oBAAoB,EAAE,eAAe,CAAC,EACnD,QAAQ,EAAE,MAAM,GAAG,SAAS,WAwC7B;AAYD,wBAAgB,kBAAkB,SAEjC"}
package/out/zero-cache/src/config/zero-config.js CHANGED
@@ -472,6 +472,29 @@ const zeroOptions = {
472
472
  `is received during this interval, the delay will be canceled and the takeover will happen`,
473
473
  `immediately, since the incoming request indicates that the task is registered as a target.`
474
474
  ]
475
+ },
476
+ backPressureLimitHeapProportion: {
477
+ type: number().default(0.04),
478
+ desc: [
479
+ `The percentage of {bold --max-old-space-size} to use as a buffer for absorbing replication`,
480
+ `stream spikes. When the estimated amount of queued data exceeds this threshold, back pressure`,
481
+ `is applied to the replication stream, delaying downstream sync as a result.`,
482
+ ``,
483
+ `The threshold was determined empirically with load testing. Higher thresholds have resulted`,
484
+ `in OOMs. Note also that the byte-counting logic in the queue is strictly an underestimate of`,
485
+ `actual memory usage (but importantly, proportionally correct), so the queue is actually`,
486
+ `using more than what this proportion suggests.`,
487
+ ``,
488
+ `This parameter is exported as an emergency knob to reduce the size of the buffer in the`,
489
+ `event that the server OOMs from back pressure. Resist the urge to {italic increase} this`,
490
+ `proportion, as it is mainly useful for absorbing periodic spikes and does not meaningfully`,
491
+ `affect steady-state replication throughput; the latter is determined by other factors such`,
492
+ `as object serialization and PG throughput`,
493
+ ``,
494
+ `In other words, the back pressure limit does not constrain replication throughput;`,
495
+ `rather, it protects the system when the upstream throughput exceeds the downstream`,
496
+ `throughput.`
497
+ ]
475
498
  }
476
499
  },
477
500
  taskID: {