@teamkeel/functions-runtime 0.321.1 → 0.322.0

package/src/ModelAPI.js

@@ -40,11 +40,9 @@ class ModelAPI {
   /**
    * @param {string} tableName The name of the table this API is for
    * @param {Function} defaultValues A function that returns the default values for a row in this table
-   * @param {import("kysely").Kysely} db
    * @param {TableConfigMap} tableConfigMap
    */
-  constructor(tableName, defaultValues, db, tableConfigMap = {}) {
-    this._db = db || getDatabase();
+  constructor(tableName, defaultValues, tableConfigMap = {}) {
     this._defaultValues = defaultValues;
     this._tableName = tableName;
     this._tableConfigMap = tableConfigMap;
@@ -53,11 +51,12 @@ class ModelAPI {
 
   async create(values) {
     const name = spanName(this._modelName, "create");
+    const db = getDatabase();
 
     return tracing.withSpan(name, async (span) => {
       try {
         const defaults = this._defaultValues();
-        const query = this._db
+        const query = db
           .insertInto(this._tableName)
           .values(
             snakeCaseObject({
@@ -79,9 +78,10 @@ class ModelAPI {
 
   async findOne(where = {}) {
     const name = spanName(this._modelName, "findOne");
+    const db = getDatabase();
 
     return tracing.withSpan(name, async (span) => {
-      let builder = this._db
+      let builder = db
         .selectFrom(this._tableName)
         .distinctOn(`${this._tableName}.id`)
         .selectAll(this._tableName);
@@ -103,9 +103,10 @@ class ModelAPI {
 
   async findMany(where = {}) {
     const name = spanName(this._modelName, "findMany");
+    const db = getDatabase();
 
     return tracing.withSpan(name, async (span) => {
-      let builder = this._db
+      let builder = db
         .selectFrom(this._tableName)
         .distinctOn(`${this._tableName}.id`)
         .selectAll(this._tableName);
@@ -124,9 +125,10 @@ class ModelAPI {
 
   async update(where, values) {
     const name = spanName(this._modelName, "update");
+    const db = getDatabase();
 
     return tracing.withSpan(name, async (span) => {
-      let builder = this._db.updateTable(this._tableName).returningAll();
+      let builder = db.updateTable(this._tableName).returningAll();
 
       builder = builder.set(snakeCaseObject(values));
 
@@ -148,9 +150,10 @@ class ModelAPI {
 
   async delete(where) {
     const name = spanName(this._modelName, "delete");
+    const db = getDatabase();
 
     return tracing.withSpan(name, async (span) => {
-      let builder = this._db.deleteFrom(this._tableName).returning(["id"]);
+      let builder = db.deleteFrom(this._tableName).returning(["id"]);
 
       const context = new QueryContext([this._tableName], this._tableConfigMap);
 
@@ -168,7 +171,9 @@ class ModelAPI {
   }
 
   where(where) {
-    let builder = this._db
+    const db = getDatabase();
+
+    let builder = db
       .selectFrom(this._tableName)
       .distinctOn(`${this._tableName}.id`)
       .selectAll(this._tableName);

package/src/ModelAPI.test.js

@@ -62,7 +62,6 @@ beforeEach(async () => {
         date: new Date("2022-01-01"),
       };
     },
-    db,
     tableConfigMap
   );
 
@@ -73,7 +72,6 @@ beforeEach(async () => {
         id: KSUID.randomSync().string,
       };
     },
-    db,
     tableConfigMap
   );
 
@@ -84,7 +82,6 @@ beforeEach(async () => {
         id: KSUID.randomSync().string,
       };
     },
-    db,
     tableConfigMap
   );
 });

package/src/database.js

@@ -1,4 +1,5 @@
 const { Kysely, PostgresDialect } = require("kysely");
+const { AsyncLocalStorage } = require("async_hooks");
 const pg = require("pg");
 
 function mustEnv(key) {
@@ -25,8 +26,16 @@ function getDialect() {
 }
 
 let db = null;
+const dbInstance = new AsyncLocalStorage();
 
+// getDatabase will first check for an instance of Kysely in AsyncLocalStorage,
+// otherwise it will create a new instance and reuse it..
 function getDatabase() {
+  let fromStore = dbInstance.getStore();
+  if (fromStore) {
+    return fromStore;
+  }
+
   if (db) {
     return db;
   }
@@ -38,4 +47,5 @@ function getDatabase() {
   return db;
 }
 
+module.exports.dbInstance = dbInstance;
 module.exports.getDatabase = getDatabase;

package/src/handleRequest.js

@@ -3,15 +3,15 @@ const {
   createJSONRPCSuccessResponse,
   JSONRPCErrorCode,
 } = require("json-rpc-2.0");
-
-const { getDatabase } = require("./database");
+const { getDatabase, dbInstance } = require("./database");
 const {
   PERMISSION_STATE,
+  Permissions,
   PermissionError,
   checkBuiltInPermissions,
+  permissionsApiInstance,
 } = require("./permissions");
 const { PROTO_ACTION_TYPES } = require("./consts");
-
 const { errorToJSONRPCResponse, RuntimeErrors } = require("./errors");
 const opentelemetry = require("@opentelemetry/api");
 const { getTracer, withSpan } = require("./tracing");
@@ -31,13 +31,8 @@ async function handleRequest(request, config) {
     // Wrapping span for the whole request
     return withSpan(request.method, async (span) => {
       try {
-        const {
-          createFunctionAPI,
-          createContextAPI,
-          functions,
-          permissions,
-          actionTypes,
-        } = config;
+        const { createContextAPI, functions, permissionFns, actionTypes } =
+          config;
 
         if (!(request.method in functions)) {
           const message = `no corresponding function found for '${request.method}'`;
@@ -55,77 +50,85 @@ async function handleRequest(request, config) {
         // headers reference passed to custom function where object data can be modified
         const headers = new Headers();
 
-        const db = getDatabase();
+        // The ctx argument passed into the custom function.
+        const ctx = createContextAPI({
+          responseHeaders: headers,
+          meta: request.meta,
+        });
 
-        // We want to wrap the execution of the custom function in a transaction so that any call the user makes
-        // to any of the model apis we provide to the custom function is processed in a transaction.
-        // This is useful for permissions where we want to only proceed with database writes if all permission rules
-        // have been validated.
-        const result = await db.transaction().execute(async (transaction) => {
-          const ctx = createContextAPI({
-            responseHeaders: headers,
-            meta: request.meta,
-          });
-          const api = createFunctionAPI({
-            meta: request.meta,
-            db: transaction,
-          });
+        const permitted =
+          request.meta && request.meta.permissionState.status === "granted"
+            ? true
+            : null;
 
-          const customFunction = functions[request.method];
-
-          // Call the user's custom function!
-          const fnResult = await customFunction(ctx, request.params, api);
-
-          // api.permissions maintains an internal state of whether the current operation has been *explicitly* permitted/denied by the user in the course of their custom function, or if execution has already been permitted by a role based permission (evaluated in the main runtime).
-          // we need to check that the final state is permitted or unpermitted. if it's not, then it means that the user has taken no explicit action to permit/deny
-          // and therefore we default to checking the permissions defined in the schema automatically.
-          switch (api.permissions.getState()) {
-            case PERMISSION_STATE.PERMITTED:
-              return fnResult;
-            case PERMISSION_STATE.UNPERMITTED:
-              throw new PermissionError(
-                `Not permitted to access ${request.method}`
-              );
-            default:
-              // unknown state, proceed with checking against the built in permissions in the schema
-              const relevantPermissions = permissions[request.method];
-
-              const actionType = actionTypes[request.method];
-
-              const peakInsideTransaction =
-                actionType === PROTO_ACTION_TYPES.CREATE;
-
-              let rowsForPermissions = [];
-              switch (actionType) {
-                case PROTO_ACTION_TYPES.LIST:
-                  rowsForPermissions = fnResult;
-
-                  break;
-                case PROTO_ACTION_TYPES.DELETE:
-                  rowsForPermissions = [{ id: fnResult }];
-                  break;
-                default:
-                  rowsForPermissions = [fnResult];
-                  break;
-              }
-
-              // check will throw a PermissionError if a permission rule is invalid
-              await checkBuiltInPermissions({
-                rows: rowsForPermissions,
-                permissions: relevantPermissions,
-                // it is important that we pass db here as db represents the connection to the database
-                // *outside* of the current transaction. Given that any changes inside of a transaction
-                // are opaque to the outside, we can utilize this when running permission rules and then deciding to
-                // rollback any changes if they do not pass. However, for creates we need to be able to 'peak' inside the transaction to read the created record, as this won't exist outside of the transaction.
-                db: peakInsideTransaction ? transaction : db,
-                ctx,
-                functionName: request.method,
+        const db = getDatabase();
+        const permissions = new Permissions();
+
+        const result = await permissionsApiInstance.run(
+          { permitted: permitted },
+          () => {
+            // We want to wrap the execution of the custom function in a transaction so that any call the user makes
+            // to any of the model apis we provide to the custom function is processed in a transaction.
+            // This is useful for permissions where we want to only proceed with database writes if all permission rules
+            // have been validated.
+
+            return db.transaction().execute(async (transaction) => {
+              return dbInstance.run(transaction, async () => {
+                // Call the user's custom function!
+                const customFunction = functions[request.method];
+                const fnResult = await customFunction(ctx, request.params);
+
+                // api.permissions maintains an internal state of whether the current operation has been *explicitly* permitted/denied by the user in the course of their custom function, or if execution has already been permitted by a role based permission (evaluated in the main runtime).
+                // we need to check that the final state is permitted or unpermitted. if it's not, then it means that the user has taken no explicit action to permit/deny
+                // and therefore we default to checking the permissions defined in the schema automatically.
+                switch (permissions.getState()) {
+                  case PERMISSION_STATE.PERMITTED:
+                    return fnResult;
+                  case PERMISSION_STATE.UNPERMITTED:
+                    throw new PermissionError(
+                      `Not permitted to access ${request.method}`
+                    );
+                  default:
+                    // unknown state, proceed with checking against the built in permissions in the schema
+                    const relevantPermissions = permissionFns[request.method];
+                    const actionType = actionTypes[request.method];
+
+                    const peakInsideTransaction =
+                      actionType === PROTO_ACTION_TYPES.CREATE;
+
+                    let rowsForPermissions = [];
+                    switch (actionType) {
+                      case PROTO_ACTION_TYPES.LIST:
+                        rowsForPermissions = fnResult;
+                        break;
+                      case PROTO_ACTION_TYPES.DELETE:
+                        rowsForPermissions = [{ id: fnResult }];
+                        break;
+                      default:
+                        rowsForPermissions = [fnResult];
+                        break;
+                    }
+
+                    // check will throw a PermissionError if a permission rule is invalid
+                    await checkBuiltInPermissions({
+                      rows: rowsForPermissions,
+                      permissionFns: relevantPermissions,
+                      // it is important that we pass db here as db represents the connection to the database
+                      // *outside* of the current transaction. Given that any changes inside of a transaction
+                      // are opaque to the outside, we can utilize this when running permission rules and then deciding to
+                      // rollback any changes if they do not pass. However, for creates we need to be able to 'peak' inside the transaction to read the created record, as this won't exist outside of the transaction.
+                      db: peakInsideTransaction ? transaction : db,
+                      ctx,
+                      functionName: request.method,
+                    });
+
+                    // If the built in permission check above doesn't throw, then it means that the request is permitted and we can continue returning the return value from the custom function out of the transaction
+                    return fnResult;
+                }
               });
-
-              // If the built in permission check above doesn't throw, then it means that the request is permitted and we can continue returning the return value from the custom function out of the transaction
-              return fnResult;
+            });
           }
-        });
+        );
 
         if (result === undefined) {
           // no result returned from custom function

package/src/handleRequest.test.js

@@ -4,9 +4,8 @@ import { handleRequest, RuntimeErrors } from "./handleRequest";
 import { test, expect, beforeEach, describe } from "vitest";
 import { ModelAPI } from "./ModelAPI";
 import { getDatabase } from "./database";
-import { Permissions } from "./permissions";
+const { Permissions } = require("./permissions");
 import { PROTO_ACTION_TYPES } from "./consts";
-
 import KSUID from "ksuid";
 
 process.env.KEEL_DB_CONN_TYPE = "pg";
@@ -15,8 +14,9 @@ process.env.KEEL_DB_CONN = `postgresql://postgres:postgres@localhost:5432/functi
 test("when the custom function returns expected value", async () => {
   const config = {
     functions: {
-      createPost: async (ctx, inputs, api) => {
-        api.permissions.allow();
+      createPost: async (ctx, inputs) => {
+        new Permissions().allow();
+
         return {
           title: "a post",
           id: "abcde",
@@ -26,11 +26,6 @@ test("when the custom function returns expected value", async () => {
     actionTypes: {
       createPost: PROTO_ACTION_TYPES.CREATE,
     },
-    createFunctionAPI: ({ db }) => {
-      return {
-        permissions: new Permissions(),
-      };
-    },
     createContextAPI: () => {},
   };
 
@@ -52,19 +47,14 @@ test("when the custom function returns expected value", async () => {
 test("when the custom function doesnt return a value", async () => {
   const config = {
     functions: {
-      createPost: async (ctx, inputs, api) => {
-        api.permissions.allow();
+      createPost: async (ctx, inputs) => {
+        new Permissions().allow();
       },
     },
     permissions: {},
     actionTypes: {
       createPost: PROTO_ACTION_TYPES.CREATE,
     },
-    createFunctionAPI: ({ db }) => {
-      return {
-        permissions: new Permissions(),
-      };
-    },
     createContextAPI: () => {},
   };
 
@@ -83,16 +73,11 @@ test("when the custom function doesnt return a value", async () => {
 test("when there is no matching function for the path", async () => {
   const config = {
     functions: {
-      createPost: async (ctx, inputs, api) => {},
+      createPost: async (ctx, inputs) => {},
     },
     actionTypes: {
       createPost: PROTO_ACTION_TYPES.CREATE,
     },
-    createFunctionAPI: ({ db }) => {
-      return {
-        permissions: new Permissions(),
-      };
-    },
     createContextAPI: () => {},
   };
 
@@ -111,20 +96,13 @@ test("when there is no matching function for the path", async () => {
 test("when there is an unexpected error in the custom function", async () => {
   const config = {
     functions: {
-      createPost: async (ctx, inputs, api) => {
-        api.permissions.allow();
-
+      createPost: async (ctx, inputs) => {
         throw new Error("oopsie daisy");
       },
     },
     actionTypes: {
       createPost: PROTO_ACTION_TYPES.CREATE,
     },
-    createFunctionAPI: ({ db }) => {
-      return {
-        permissions: new Permissions(),
-      };
-    },
     createContextAPI: () => {},
   };
 
@@ -152,16 +130,16 @@ test("when a role based permission has already been granted by the main runtime"
     actionTypes: {
       createPost: PROTO_ACTION_TYPES.CREATE,
     },
-    createFunctionAPI: ({ db }) => {
-      return {
-        permissions: new Permissions({ status: "granted", reason: "role" }),
-      };
-    },
+    createModelAPI: () => {},
     createContextAPI: () => {},
   };
 
-  const rpcReq = createJSONRPCRequest("123", "createPost", { title: "a post" });
+  let rpcReq = createJSONRPCRequest("123", "createPost", { title: "a post" });
 
+  Object.assign(rpcReq, {
+    ...rpcReq,
+    meta: { permissionState: { status: "granted", reason: "role" } },
+  });
   expect(await handleRequest(rpcReq, config)).toEqual({
     id: "123",
     jsonrpc: "2.0",
@@ -177,19 +155,13 @@ test("when a role based permission has already been granted by the main runtime"
 test("when there is an unexpected object thrown in the custom function", async () => {
   const config = {
     functions: {
-      createPost: async (ctx, inputs, api) => {
-        api.permissions.allow();
+      createPost: async (ctx, inputs) => {
         throw { err: "oopsie daisy" };
       },
     },
     actionTypes: {
       createPost: PROTO_ACTION_TYPES.CREATE,
     },
-    createFunctionAPI: ({ db }) => {
-      return {
-        permissions: new Permissions(),
-      };
-    },
     createContextAPI: () => {},
   };
 
@@ -238,47 +210,44 @@ describe("ModelAPI error handling", () => {
       INSERT INTO author (id, name) VALUES ('adam', 'adam bull')
     `.execute(db);
 
+    const models = {
+      post: new ModelAPI(
+        "post",
+        () => {
+          return {
+            id: KSUID.randomSync().string,
+          };
+        },
+        {
+          post: {
+            author: {
+              relationshipType: "belongsTo",
+              foreignKey: "author_id",
+              referencesTable: "person",
+            },
+          },
+        }
+      ),
+    };
+
     functionConfig = {
-      permissions: {},
+      permissionFns: {},
       functions: {
-        createPost: async (ctx, inputs, api) => {
-          api.permissions.allow();
+        createPost: async (ctx, inputs) => {
+          new Permissions().allow();
 
-          const post = await api.models.post.create(inputs);
+          const post = await models.post.create(inputs);
 
           return post;
         },
-        deletePost: async (ctx, inputs, api) => {
-          api.permissions.allow();
+        deletePost: async (ctx, inputs) => {
+          new Permissions().allow();
 
-          const deleted = await api.models.post.delete(inputs);
+          const deleted = await models.post.delete(inputs);
 
           return deleted;
         },
       },
-      createFunctionAPI: ({ db }) => ({
-        permissions: new Permissions(),
-        models: {
-          post: new ModelAPI(
-            "post",
-            () => {
-              return {
-                id: KSUID.randomSync().string,
-              };
-            },
-            db,
-            {
-              post: {
-                author: {
-                  relationshipType: "belongsTo",
-                  foreignKey: "author_id",
-                  referencesTable: "person",
-                },
-              },
-            }
-          ),
-        },
-      }),
       createContextAPI: () => ({}),
     };
   });

package/src/permissions.js

@@ -1,3 +1,5 @@
+const { AsyncLocalStorage } = require("async_hooks");
+
 class PermissionError extends Error {}
 
 const PERMISSION_STATE = {
@@ -6,45 +8,34 @@ const PERMISSION_STATE = {
   UNPERMITTED: "unpermitted",
 };
 
-const defaultState = {
-  status: "unknown",
-};
+const permissionsApiInstance = new AsyncLocalStorage();
 
 class Permissions {
-  // The permissionState here is the prior state passed in from the Go runtime
   // The Go runtime performs role based permission rule checks prior to calling the functions
   // runtime, so the status could already be granted. If already granted, then we need to inherit that permission state as the state is later used to decide whether to run in process permission checks
   // TLDR if a role based permission is relevant and it is granted, then it is effectively the same as the end user calling api.permissions.allow() explicitly in terms of behaviour.
-  constructor(permissionState = defaultState) {
-    this.state = {
-      // permitted starts off as null to indicate that the end user
-      // hasn't explicitly marked a function execution as permitted yet
-      permitted:
-        permissionState !== null && permissionState.status === "granted"
-          ? true
-          : null,
-    };
-  }
 
   allow() {
-    this.state.permitted = true;
+    const store = (permissionsApiInstance.getStore().permitted = true);
   }
 
   deny() {
     // if a user is explicitly calling deny() then we want to throw an error
     // so that any further execution of the custom function stops abruptly
-    this.state.permitted = false;
+    permissionsApiInstance.getStore().permitted = false;
 
     throw new PermissionError();
   }
 
   getState() {
+    const permitted = permissionsApiInstance.getStore().permitted;
+
     switch (true) {
-      case this.state.permitted === false:
+      case permitted === false:
         return PERMISSION_STATE.UNPERMITTED;
-      case this.state.permitted === null:
+      case permitted === null:
         return PERMISSION_STATE.UNKNOWN;
-      case this.state.permitted === true:
+      case permitted === true:
         return PERMISSION_STATE.PERMITTED;
     }
   }
@@ -52,12 +43,12 @@ class Permissions {
 
 const checkBuiltInPermissions = async ({
   rows,
-  permissions,
+  permissionFns,
   ctx,
   db,
   functionName,
 }) => {
-  for (const permissionFn of permissions) {
+  for (const permissionFn of permissionFns) {
     const result = await permissionFn(rows, ctx, db);
 
     // if any of the permission functions return true,
@@ -70,6 +61,7 @@ const checkBuiltInPermissions = async ({
   throw new PermissionError(`Not permitted to access ${functionName}`);
 };
 
+module.exports.permissionsApiInstance = permissionsApiInstance;
 module.exports.checkBuiltInPermissions = checkBuiltInPermissions;
 module.exports.PermissionError = PermissionError;
 module.exports.PERMISSION_STATE = PERMISSION_STATE;