npm - @sunboyoo/supabase-rbac - Versions diffs - 1.0.3 → 1.0.4 - Mend

@sunboyoo/supabase-rbac 1.0.3 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/migrations/20251229000006_fix_rbac_has_perm_guc.sql +132 -0
package/package.json +2 -2

package/migrations/20251229000006_fix_rbac_has_perm_guc.sql ADDED Viewed

@@ -0,0 +1,132 @@
+/*
+Fix: ensure GUC keys used in rbac.has_perm always start with a letter.
+Postgres requires each dot-separated GUC segment to start with [A-Za-z_].
+Prefixing the md5 with 'h' avoids invalid configuration parameter name errors.
+*/
+create or replace function rbac.has_perm(target_app_id text, required_perm_name text)
+returns boolean
+language plpgsql
+stable
+security definer
+set search_path = ''
+as $$
+declare
+  _res_key     text := 'rbac.res.h' || md5(coalesce(target_app_id,'') || '|' || coalesce(required_perm_name,''));
+  _t_roles_key text := 'rbac.rids.h' || md5('t|' || coalesce(target_app_id,''));
+  _g_roles_key text := 'rbac.rids.h' || md5('g|global');
+  _t_pid_key   text := 'rbac.pid.h'  || md5('t|' || coalesce(target_app_id,'') || '|' || coalesce(required_perm_name,''));
+  _g_pid_key   text := 'rbac.pid.h'  || md5('g|global|' || coalesce(required_perm_name,''));
+  _target_role_ids uuid[];
+  _global_role_ids uuid[];
+  _target_pid uuid;
+  _global_pid uuid;
+  _sentinel constant uuid := '00000000-0000-0000-0000-000000000000'::uuid;
+  _granted  boolean := false;
+  _jwt jsonb;
+begin
+  -- Level 1: final decision cache
+  if current_setting(_res_key, true) is not null then
+    return current_setting(_res_key) = 'true';
+  end if;
+  _jwt := auth.jwt();
+  -- Level 2: cache role_ids(uuid[]) for target app (never 500; fail-closed)
+  if current_setting(_t_roles_key, true) is null then
+    begin
+      select coalesce(array_agg((x.value)::uuid), '{}'::uuid[])
+        into _target_role_ids
+      from jsonb_array_elements_text(
+        coalesce(_jwt #> array['app_metadata','role_ids', target_app_id], '[]'::jsonb)
+      ) as x(value);
+    exception when others then
+      _target_role_ids := '{}'::uuid[];
+    end;
+    perform set_config(_t_roles_key, _target_role_ids::text, true);
+  else
+    begin
+      _target_role_ids := current_setting(_t_roles_key)::uuid[];
+    exception when others then
+      _target_role_ids := '{}'::uuid[];
+    end;
+  end if;
+  -- Level 2b: cache role_ids(uuid[]) for global
+  if current_setting(_g_roles_key, true) is null then
+    begin
+      select coalesce(array_agg((x.value)::uuid), '{}'::uuid[])
+        into _global_role_ids
+      from jsonb_array_elements_text(
+        coalesce(_jwt #> array['app_metadata','role_ids','global'], '[]'::jsonb)
+      ) as x(value);
+    exception when others then
+      _global_role_ids := '{}'::uuid[];
+    end;
+    perform set_config(_g_roles_key, _global_role_ids::text, true);
+  else
+    begin
+      _global_role_ids := current_setting(_g_roles_key)::uuid[];
+    exception when others then
+      _global_role_ids := '{}'::uuid[];
+    end;
+  end if;
+  -- Level 3: permission_id cache for target app (sentinel if not found)
+  if current_setting(_t_pid_key, true) is null then
+    select p.id
+      into _target_pid
+    from rbac.permissions p
+    where p.app_id = target_app_id
+      and p.name   = required_perm_name;
+    _target_pid := coalesce(_target_pid, _sentinel);
+    perform set_config(_t_pid_key, _target_pid::text, true);
+  else
+    _target_pid := current_setting(_t_pid_key)::uuid;
+  end if;
+  -- Level 3b: permission_id cache for global mirror (sentinel if not found)
+  if current_setting(_g_pid_key, true) is null then
+    select p.id
+      into _global_pid
+    from rbac.permissions p
+    where p.app_id = 'global'
+      and p.name   = required_perm_name;
+    _global_pid := coalesce(_global_pid, _sentinel);
+    perform set_config(_g_pid_key, _global_pid::text, true);
+  else
+    _global_pid := current_setting(_g_pid_key)::uuid;
+  end if;
+  -- Path A: target roles ↔ target permission
+  if _target_pid <> _sentinel and cardinality(_target_role_ids) > 0 then
+    select exists (
+      select 1
+      from rbac.role_permissions rp
+      where rp.app_id        = target_app_id
+        and rp.permission_id = _target_pid
+        and rp.role_id       = any(_target_role_ids)
+    ) into _granted;
+  end if;
+  -- Path B: global roles ↔ global mirrored permission
+  if not _granted and _global_pid <> _sentinel and cardinality(_global_role_ids) > 0 then
+    select exists (
+      select 1
+      from rbac.role_permissions rp
+      where rp.app_id        = 'global'
+        and rp.permission_id = _global_pid
+        and rp.role_id       = any(_global_role_ids)
+    ) into _granted;
+  end if;
+  perform set_config(_res_key, _granted::text, true);
+  return _granted;
+end;
+$$;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sunboyoo/supabase-rbac",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Industrial-grade RBAC helper for Supabase multi-app projects (JWT role_ids + optional permission RPC + React hooks + pg manager + CLI).",
   "license": "MIT",
   "private": false,
@@ -106,4 +106,4 @@
     "access": "public",
     "registry": "https://registry.npmjs.org/"
   }
-}
+}