graphile-settings 4.18.10 → 4.20.0

package/bucket-provisioner-resolver.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Bucket provisioner resolver for the Constructive bucket provisioner plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions -> pgpmDefaults + config files + env vars) and lazily
+ * returns a StorageConnectionConfig on first use.
+ *
+ * Follows the same lazy-init pattern as presigned-url-resolver.ts.
+ */
+import type { StorageConnectionConfig } from 'graphile-bucket-provisioner-plugin';
+/**
+ * Lazily initialize and return the StorageConnectionConfig for the
+ * bucket provisioner plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults -> config file -> env vars) and caches the result.
+ * Same CDN config source as presigned-url-resolver.ts.
+ */
+export declare function getBucketProvisionerConnection(): StorageConnectionConfig;

package/bucket-provisioner-resolver.js

@@ -0,0 +1,40 @@
+"use strict";
+/**
+ * Bucket provisioner resolver for the Constructive bucket provisioner plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions -> pgpmDefaults + config files + env vars) and lazily
+ * returns a StorageConnectionConfig on first use.
+ *
+ * Follows the same lazy-init pattern as presigned-url-resolver.ts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getBucketProvisionerConnection = getBucketProvisionerConnection;
+const graphql_env_1 = require("@constructive-io/graphql-env");
+const logger_1 = require("@pgpmjs/logger");
+const log = new logger_1.Logger('bucket-provisioner-resolver');
+let connectionConfig = null;
+/**
+ * Lazily initialize and return the StorageConnectionConfig for the
+ * bucket provisioner plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults -> config file -> env vars) and caches the result.
+ * Same CDN config source as presigned-url-resolver.ts.
+ */
+function getBucketProvisionerConnection() {
+    if (connectionConfig)
+        return connectionConfig;
+    const { cdn } = (0, graphql_env_1.getEnvOptions)();
+    // cdn is guaranteed populated — pgpmDefaults provides all CDN fields
+    const { provider, awsRegion, awsAccessKey, awsSecretKey, endpoint } = cdn;
+    log.info(`[bucket-provisioner-resolver] Initializing: provider=${provider} endpoint=${endpoint}`);
+    connectionConfig = {
+        provider: provider || 'minio',
+        region: awsRegion || 'us-east-1',
+        accessKeyId: awsAccessKey,
+        secretAccessKey: awsSecretKey,
+        ...(endpoint ? { endpoint, forcePathStyle: true } : {}),
+    };
+    return connectionConfig;
+}

package/esm/bucket-provisioner-resolver.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Bucket provisioner resolver for the Constructive bucket provisioner plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions -> pgpmDefaults + config files + env vars) and lazily
+ * returns a StorageConnectionConfig on first use.
+ *
+ * Follows the same lazy-init pattern as presigned-url-resolver.ts.
+ */
+import type { StorageConnectionConfig } from 'graphile-bucket-provisioner-plugin';
+/**
+ * Lazily initialize and return the StorageConnectionConfig for the
+ * bucket provisioner plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults -> config file -> env vars) and caches the result.
+ * Same CDN config source as presigned-url-resolver.ts.
+ */
+export declare function getBucketProvisionerConnection(): StorageConnectionConfig;

package/esm/bucket-provisioner-resolver.js

@@ -0,0 +1,37 @@
+/**
+ * Bucket provisioner resolver for the Constructive bucket provisioner plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions -> pgpmDefaults + config files + env vars) and lazily
+ * returns a StorageConnectionConfig on first use.
+ *
+ * Follows the same lazy-init pattern as presigned-url-resolver.ts.
+ */
+import { getEnvOptions } from '@constructive-io/graphql-env';
+import { Logger } from '@pgpmjs/logger';
+const log = new Logger('bucket-provisioner-resolver');
+let connectionConfig = null;
+/**
+ * Lazily initialize and return the StorageConnectionConfig for the
+ * bucket provisioner plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults -> config file -> env vars) and caches the result.
+ * Same CDN config source as presigned-url-resolver.ts.
+ */
+export function getBucketProvisionerConnection() {
+    if (connectionConfig)
+        return connectionConfig;
+    const { cdn } = getEnvOptions();
+    // cdn is guaranteed populated — pgpmDefaults provides all CDN fields
+    const { provider, awsRegion, awsAccessKey, awsSecretKey, endpoint } = cdn;
+    log.info(`[bucket-provisioner-resolver] Initializing: provider=${provider} endpoint=${endpoint}`);
+    connectionConfig = {
+        provider: provider || 'minio',
+        region: awsRegion || 'us-east-1',
+        accessKeyId: awsAccessKey,
+        secretAccessKey: awsSecretKey,
+        ...(endpoint ? { endpoint, forcePathStyle: true } : {}),
+    };
+    return connectionConfig;
+}

package/esm/index.d.ts

@@ -34,3 +34,5 @@ export * from './plugins/index';
 export * from './presets/index';
 export { makePgService };
 export { streamToStorage } from './upload-resolver';
+export { getPresignedUrlS3Config } from './presigned-url-resolver';
+export { getBucketProvisionerConnection } from './bucket-provisioner-resolver';

package/esm/index.js

@@ -50,3 +50,7 @@ export * from './presets/index';
 export { makePgService };
 // Upload utilities
 export { streamToStorage } from './upload-resolver';
+// Presigned URL utilities
+export { getPresignedUrlS3Config } from './presigned-url-resolver';
+// Bucket provisioner utilities
+export { getBucketProvisionerConnection } from './bucket-provisioner-resolver';

package/esm/presets/constructive-preset.d.ts

@@ -17,6 +17,9 @@ import type { GraphileConfig } from 'graphile-config';
  * - PostGIS support (geometry/geography types, GeoJSON scalar — auto-detects PostGIS extension)
  * - PostGIS connection filter operators (spatial filtering on geometry/geography columns)
  * - Upload plugin (file upload to S3/MinIO for image, upload, attachment domain columns)
+ * - Presigned URL plugin (requestUploadUrl, confirmUpload mutations + downloadUrl computed field)
+ * - Bucket provisioner plugin (auto-provisions S3 buckets on @storageBuckets table mutations,
+ *   CORS management, provisionBucket mutation for manual/retry)
  * - SQL expression validator (validates @sqlExpression columns in mutations)
  * - PG type mappings (maps custom types like email, url to GraphQL scalars)
  * - pgvector search (auto-discovers vector columns: filter fields, distance computed fields,

package/esm/presets/constructive-preset.js

@@ -3,8 +3,12 @@ import { MinimalPreset, InflektPreset, ConflictDetectorPreset, InflectorLoggerPr
 import { UnifiedSearchPreset, createMatchesOperatorFactory, createTrgmOperatorFactories } from 'graphile-search';
 import { GraphilePostgisPreset, createPostgisOperatorFactory } from 'graphile-postgis';
 import { UploadPreset } from 'graphile-upload-plugin';
+import { PresignedUrlPreset } from 'graphile-presigned-url-plugin';
+import { BucketProvisionerPreset } from 'graphile-bucket-provisioner-plugin';
 import { SqlExpressionValidatorPreset } from 'graphile-sql-expression-validator';
 import { constructiveUploadFieldDefinitions } from '../upload-resolver';
+import { getPresignedUrlS3Config, createBucketNameResolver, createEnsureBucketProvisioned, getAllowedOrigins } from '../presigned-url-resolver';
+import { getBucketProvisionerConnection } from '../bucket-provisioner-resolver';
 /**
  * Constructive PostGraphile v5 Preset
  *
@@ -23,6 +27,9 @@ import { constructiveUploadFieldDefinitions } from '../upload-resolver';
  * - PostGIS support (geometry/geography types, GeoJSON scalar — auto-detects PostGIS extension)
  * - PostGIS connection filter operators (spatial filtering on geometry/geography columns)
  * - Upload plugin (file upload to S3/MinIO for image, upload, attachment domain columns)
+ * - Presigned URL plugin (requestUploadUrl, confirmUpload mutations + downloadUrl computed field)
+ * - Bucket provisioner plugin (auto-provisions S3 buckets on @storageBuckets table mutations,
+ *   CORS management, provisionBucket mutation for manual/retry)
  * - SQL expression validator (validates @sqlExpression columns in mutations)
  * - PG type mappings (maps custom types like email, url to GraphQL scalars)
  * - pgvector search (auto-discovers vector columns: filter fields, distance computed fields,
@@ -70,6 +77,15 @@ export const ConstructivePreset = {
             uploadFieldDefinitions: constructiveUploadFieldDefinitions,
             maxFileSize: 10 * 1024 * 1024, // 10MB
         }),
+        PresignedUrlPreset({
+            s3: getPresignedUrlS3Config,
+            resolveBucketName: createBucketNameResolver(),
+            ensureBucketProvisioned: createEnsureBucketProvisioned(),
+        }),
+        BucketProvisionerPreset({
+            connection: getBucketProvisionerConnection,
+            allowedOrigins: getAllowedOrigins(),
+        }),
         SqlExpressionValidatorPreset(),
         PgTypeMappingsPreset,
         RequiredInputPreset,

package/esm/presigned-url-resolver.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Presigned URL resolver for the Constructive presigned URL plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions → pgpmDefaults + config files + env vars) and lazily
+ * initializes an S3Client on first use.
+ *
+ * Also provides a per-database bucket name resolver that derives the
+ * S3 bucket name from the database UUID + a configurable prefix.
+ *
+ * Follows the same lazy-init pattern as upload-resolver.ts.
+ */
+import type { S3Config, BucketNameResolver, EnsureBucketProvisioned } from 'graphile-presigned-url-plugin';
+/**
+ * Lazily initialize and return the S3Config for the presigned URL plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults → config file → env vars), creates an S3Client, and caches
+ * the result. Same CDN config as upload-resolver.ts.
+ *
+ * NOTE: The `bucket` field here is the global fallback bucket name
+ * (from BUCKET_NAME env var). When `resolveBucketName` is provided,
+ * per-database bucket names take precedence for all S3 operations.
+ */
+export declare function getPresignedUrlS3Config(): S3Config;
+/**
+ * Create a per-database bucket name resolver.
+ *
+ * Uses the BUCKET_NAME env var as a prefix. For each database, the S3 bucket
+ * name becomes `{prefix}-{databaseId}` (e.g., "myapp-abc123def456").
+ *
+ * In local development with MinIO (default BUCKET_NAME="test-bucket"),
+ * all databases share the same bucket for simplicity — the resolver
+ * returns the prefix as-is when it looks like a local dev bucket.
+ *
+ * In production, set BUCKET_NAME to your org prefix (e.g., "myapp")
+ * and each database gets its own isolated S3 bucket.
+ */
+export declare function createBucketNameResolver(): BucketNameResolver;
+/**
+ * Resolve CORS allowed origins from the env/config system.
+ *
+ * Reads SERVER_ORIGIN from the standard env hierarchy
+ * (pgpmDefaults → config file → env vars) and wraps it in an array.
+ * Falls back to ['http://localhost:3000'] for local development.
+ */
+export declare function getAllowedOrigins(): string[];
+/**
+ * Create a lazy bucket provisioner callback for the presigned URL plugin.
+ *
+ * On the first upload to an S3 bucket that doesn't exist yet, this callback
+ * uses the BucketProvisioner to create and fully configure the bucket
+ * (Block Public Access, CORS, policies, lifecycle rules for temp buckets).
+ *
+ * Uses the same S3 connection config as the bucket provisioner plugin
+ * (getBucketProvisionerConnection) and reads CORS origins from
+ * SERVER_ORIGIN env var (falls back to localhost for local dev).
+ */
+export declare function createEnsureBucketProvisioned(): EnsureBucketProvisioned;

package/esm/presigned-url-resolver.js

@@ -0,0 +1,119 @@
+/**
+ * Presigned URL resolver for the Constructive presigned URL plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions → pgpmDefaults + config files + env vars) and lazily
+ * initializes an S3Client on first use.
+ *
+ * Also provides a per-database bucket name resolver that derives the
+ * S3 bucket name from the database UUID + a configurable prefix.
+ *
+ * Follows the same lazy-init pattern as upload-resolver.ts.
+ */
+import { S3Client } from '@aws-sdk/client-s3';
+import { getEnvOptions } from '@constructive-io/graphql-env';
+import { Logger } from '@pgpmjs/logger';
+import { BucketProvisioner } from '@constructive-io/bucket-provisioner';
+import { getBucketProvisionerConnection } from './bucket-provisioner-resolver';
+const log = new Logger('presigned-url-resolver');
+let s3Config = null;
+/**
+ * Lazily initialize and return the S3Config for the presigned URL plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults → config file → env vars), creates an S3Client, and caches
+ * the result. Same CDN config as upload-resolver.ts.
+ *
+ * NOTE: The `bucket` field here is the global fallback bucket name
+ * (from BUCKET_NAME env var). When `resolveBucketName` is provided,
+ * per-database bucket names take precedence for all S3 operations.
+ */
+export function getPresignedUrlS3Config() {
+    if (s3Config)
+        return s3Config;
+    const { cdn } = getEnvOptions();
+    // cdn is guaranteed populated — pgpmDefaults provides all CDN fields
+    const { bucketName, awsRegion, awsAccessKey, awsSecretKey, endpoint, publicUrlPrefix } = cdn;
+    log.info(`[presigned-url-resolver] Initializing: bucket=${bucketName} endpoint=${endpoint}`);
+    const client = new S3Client({
+        region: awsRegion,
+        credentials: { accessKeyId: awsAccessKey, secretAccessKey: awsSecretKey },
+        ...(endpoint ? { endpoint, forcePathStyle: true } : {}),
+    });
+    s3Config = {
+        client,
+        bucket: bucketName,
+        region: awsRegion,
+        publicUrlPrefix,
+        ...(endpoint ? { endpoint, forcePathStyle: true } : {}),
+    };
+    return s3Config;
+}
+/**
+ * Create a per-database bucket name resolver.
+ *
+ * Uses the BUCKET_NAME env var as a prefix. For each database, the S3 bucket
+ * name becomes `{prefix}-{databaseId}` (e.g., "myapp-abc123def456").
+ *
+ * In local development with MinIO (default BUCKET_NAME="test-bucket"),
+ * all databases share the same bucket for simplicity — the resolver
+ * returns the prefix as-is when it looks like a local dev bucket.
+ *
+ * In production, set BUCKET_NAME to your org prefix (e.g., "myapp")
+ * and each database gets its own isolated S3 bucket.
+ */
+export function createBucketNameResolver() {
+    const { cdn } = getEnvOptions();
+    const prefix = cdn?.bucketName || 'test-bucket';
+    return (databaseId) => {
+        return `${prefix}-${databaseId}`;
+    };
+}
+/**
+ * Resolve CORS allowed origins from the env/config system.
+ *
+ * Reads SERVER_ORIGIN from the standard env hierarchy
+ * (pgpmDefaults → config file → env vars) and wraps it in an array.
+ * Falls back to ['http://localhost:3000'] for local development.
+ */
+export function getAllowedOrigins() {
+    const { server } = getEnvOptions();
+    if (server?.origin)
+        return [server.origin];
+    return ['*'];
+}
+/**
+ * Create a lazy bucket provisioner callback for the presigned URL plugin.
+ *
+ * On the first upload to an S3 bucket that doesn't exist yet, this callback
+ * uses the BucketProvisioner to create and fully configure the bucket
+ * (Block Public Access, CORS, policies, lifecycle rules for temp buckets).
+ *
+ * Uses the same S3 connection config as the bucket provisioner plugin
+ * (getBucketProvisionerConnection) and reads CORS origins from
+ * SERVER_ORIGIN env var (falls back to localhost for local dev).
+ */
+export function createEnsureBucketProvisioned() {
+    let provisioner = null;
+    return async (bucketName, accessType, databaseId, allowedOrigins) => {
+        // Per-database origins from storage_module, falling back to global SERVER_ORIGIN
+        const effectiveOrigins = (allowedOrigins && allowedOrigins.length > 0)
+            ? allowedOrigins
+            : getAllowedOrigins();
+        if (!provisioner) {
+            provisioner = new BucketProvisioner({
+                connection: getBucketProvisionerConnection(),
+                allowedOrigins: effectiveOrigins,
+            });
+        }
+        log.info(`[lazy-provision] Provisioning S3 bucket "${bucketName}" ` +
+            `(type=${accessType}) for database ${databaseId}`);
+        await provisioner.provision({
+            bucketName,
+            accessType,
+            versioning: false,
+            allowedOrigins: effectiveOrigins,
+        });
+        log.info(`[lazy-provision] S3 bucket "${bucketName}" provisioned successfully`);
+    };
+}

package/esm/upload-resolver.d.ts

@@ -13,7 +13,7 @@
  *   AWS_REGION       - AWS region (default: 'us-east-1')
  *   AWS_ACCESS_KEY   - access key (default: 'minioadmin')
  *   AWS_SECRET_KEY   - secret key (default: 'minioadmin')
- *   MINIO_ENDPOINT   - MinIO endpoint (default: 'http://localhost:9000')
+ *   CDN_ENDPOINT     - S3-compatible endpoint (default: 'http://localhost:9000')
  */
 import type { Readable } from 'stream';
 import type { UploadFieldDefinition } from 'graphile-upload-plugin';

package/esm/upload-resolver.js

@@ -13,7 +13,7 @@
  *   AWS_REGION       - AWS region (default: 'us-east-1')
  *   AWS_ACCESS_KEY   - access key (default: 'minioadmin')
  *   AWS_SECRET_KEY   - secret key (default: 'minioadmin')
- *   MINIO_ENDPOINT   - MinIO endpoint (default: 'http://localhost:9000')
+ *   CDN_ENDPOINT     - S3-compatible endpoint (default: 'http://localhost:9000')
  */
 import Streamer from '@constructive-io/s3-streamer';
 import uploadNames from '@constructive-io/upload-names';
@@ -34,7 +34,7 @@ function getStreamer() {
     const awsRegion = cdn.awsRegion || 'us-east-1';
     const awsAccessKey = cdn.awsAccessKey || 'minioadmin';
     const awsSecretKey = cdn.awsSecretKey || 'minioadmin';
-    const minioEndpoint = cdn.minioEndpoint || 'http://localhost:9000';
+    const endpoint = cdn.endpoint || 'http://localhost:9000';
     if (process.env.NODE_ENV === 'production') {
         if (!cdn.awsAccessKey || !cdn.awsSecretKey) {
             log.warn('[upload-resolver] WARNING: Using default credentials in production.');
@@ -46,7 +46,7 @@ function getStreamer() {
         awsRegion,
         awsSecretKey,
         awsAccessKey,
-        minioEndpoint,
+        endpoint,
         provider,
     });
     return streamer;

package/index.d.ts

@@ -34,3 +34,5 @@ export * from './plugins/index';
 export * from './presets/index';
 export { makePgService };
 export { streamToStorage } from './upload-resolver';
+export { getPresignedUrlS3Config } from './presigned-url-resolver';
+export { getBucketProvisionerConnection } from './bucket-provisioner-resolver';

package/index.js

@@ -42,7 +42,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.streamToStorage = exports.makePgService = exports.ConstructivePreset = void 0;
+exports.getBucketProvisionerConnection = exports.getPresignedUrlS3Config = exports.streamToStorage = exports.makePgService = exports.ConstructivePreset = void 0;
 const pg_1 = require("postgraphile/adaptors/pg");
 Object.defineProperty(exports, "makePgService", { enumerable: true, get: function () { return pg_1.makePgService; } });
 // Import modules for type augmentation
@@ -65,3 +65,9 @@ __exportStar(require("./presets/index"), exports);
 // Upload utilities
 var upload_resolver_1 = require("./upload-resolver");
 Object.defineProperty(exports, "streamToStorage", { enumerable: true, get: function () { return upload_resolver_1.streamToStorage; } });
+// Presigned URL utilities
+var presigned_url_resolver_1 = require("./presigned-url-resolver");
+Object.defineProperty(exports, "getPresignedUrlS3Config", { enumerable: true, get: function () { return presigned_url_resolver_1.getPresignedUrlS3Config; } });
+// Bucket provisioner utilities
+var bucket_provisioner_resolver_1 = require("./bucket-provisioner-resolver");
+Object.defineProperty(exports, "getBucketProvisionerConnection", { enumerable: true, get: function () { return bucket_provisioner_resolver_1.getBucketProvisionerConnection; } });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "graphile-settings",
-  "version": "4.18.10",
+  "version": "4.20.0",
   "author": "Constructive <developers@constructive.io>",
   "description": "graphile settings",
   "main": "index.js",
@@ -29,26 +29,30 @@
     "test:watch": "jest --watch"
   },
   "dependencies": {
-    "@constructive-io/graphql-env": "^3.5.3",
-    "@constructive-io/graphql-types": "^3.4.3",
-    "@constructive-io/s3-streamer": "^2.17.3",
+    "@aws-sdk/client-s3": "^3.1009.0",
+    "@constructive-io/bucket-provisioner": "^0.2.0",
+    "@constructive-io/graphql-env": "^3.5.4",
+    "@constructive-io/graphql-types": "^3.4.4",
+    "@constructive-io/s3-streamer": "^2.17.4",
     "@constructive-io/upload-names": "^2.10.2",
     "@dataplan/json": "1.0.0",
     "@dataplan/pg": "1.0.0",
     "@graphile-contrib/pg-many-to-many": "2.0.0-rc.2",
     "@pgpmjs/logger": "^2.5.2",
-    "@pgpmjs/types": "^2.20.3",
+    "@pgpmjs/types": "^2.21.0",
     "@pgsql/quotes": "^17.1.0",
     "cors": "^2.8.6",
     "express": "^5.2.1",
     "grafast": "1.0.0",
     "grafserv": "1.0.0",
+    "graphile-bucket-provisioner-plugin": "0.2.0",
     "graphile-build": "5.0.0",
     "graphile-build-pg": "5.0.0",
     "graphile-config": "1.0.0",
-    "graphile-connection-filter": "^1.3.7",
-    "graphile-postgis": "^2.9.9",
-    "graphile-search": "^1.5.9",
+    "graphile-connection-filter": "^1.4.0",
+    "graphile-postgis": "^2.10.0",
+    "graphile-presigned-url-plugin": "^0.4.0",
+    "graphile-search": "^1.6.0",
     "graphile-sql-expression-validator": "^2.6.2",
     "graphile-upload-plugin": "^2.5.2",
     "graphile-utils": "5.0.0",
@@ -67,10 +71,10 @@
     "@types/express": "^5.0.6",
     "@types/pg": "^8.18.0",
     "@types/request-ip": "^0.0.41",
-    "graphile-test": "^4.7.7",
+    "graphile-test": "^4.8.0",
     "makage": "^0.3.0",
     "nodemon": "^3.1.14",
-    "pgsql-test": "^4.7.7",
+    "pgsql-test": "^4.8.0",
     "ts-node": "^10.9.2"
   },
   "keywords": [
@@ -80,5 +84,5 @@
     "constructive",
     "graphql"
   ],
-  "gitHead": "9356877ea3ea61013b28b1496f015776e82ccb85"
+  "gitHead": "3bf7c522cf9f9d2595750ac7cea81d470b3e6c30"
 }

package/presets/constructive-preset.d.ts

@@ -17,6 +17,9 @@ import type { GraphileConfig } from 'graphile-config';
  * - PostGIS support (geometry/geography types, GeoJSON scalar — auto-detects PostGIS extension)
  * - PostGIS connection filter operators (spatial filtering on geometry/geography columns)
  * - Upload plugin (file upload to S3/MinIO for image, upload, attachment domain columns)
+ * - Presigned URL plugin (requestUploadUrl, confirmUpload mutations + downloadUrl computed field)
+ * - Bucket provisioner plugin (auto-provisions S3 buckets on @storageBuckets table mutations,
+ *   CORS management, provisionBucket mutation for manual/retry)
  * - SQL expression validator (validates @sqlExpression columns in mutations)
  * - PG type mappings (maps custom types like email, url to GraphQL scalars)
  * - pgvector search (auto-discovers vector columns: filter fields, distance computed fields,

package/presets/constructive-preset.js

@@ -6,8 +6,12 @@ const plugins_1 = require("../plugins");
 const graphile_search_1 = require("graphile-search");
 const graphile_postgis_1 = require("graphile-postgis");
 const graphile_upload_plugin_1 = require("graphile-upload-plugin");
+const graphile_presigned_url_plugin_1 = require("graphile-presigned-url-plugin");
+const graphile_bucket_provisioner_plugin_1 = require("graphile-bucket-provisioner-plugin");
 const graphile_sql_expression_validator_1 = require("graphile-sql-expression-validator");
 const upload_resolver_1 = require("../upload-resolver");
+const presigned_url_resolver_1 = require("../presigned-url-resolver");
+const bucket_provisioner_resolver_1 = require("../bucket-provisioner-resolver");
 /**
  * Constructive PostGraphile v5 Preset
  *
@@ -26,6 +30,9 @@ const upload_resolver_1 = require("../upload-resolver");
  * - PostGIS support (geometry/geography types, GeoJSON scalar — auto-detects PostGIS extension)
  * - PostGIS connection filter operators (spatial filtering on geometry/geography columns)
  * - Upload plugin (file upload to S3/MinIO for image, upload, attachment domain columns)
+ * - Presigned URL plugin (requestUploadUrl, confirmUpload mutations + downloadUrl computed field)
+ * - Bucket provisioner plugin (auto-provisions S3 buckets on @storageBuckets table mutations,
+ *   CORS management, provisionBucket mutation for manual/retry)
  * - SQL expression validator (validates @sqlExpression columns in mutations)
  * - PG type mappings (maps custom types like email, url to GraphQL scalars)
  * - pgvector search (auto-discovers vector columns: filter fields, distance computed fields,
@@ -73,6 +80,15 @@ exports.ConstructivePreset = {
             uploadFieldDefinitions: upload_resolver_1.constructiveUploadFieldDefinitions,
             maxFileSize: 10 * 1024 * 1024, // 10MB
         }),
+        (0, graphile_presigned_url_plugin_1.PresignedUrlPreset)({
+            s3: presigned_url_resolver_1.getPresignedUrlS3Config,
+            resolveBucketName: (0, presigned_url_resolver_1.createBucketNameResolver)(),
+            ensureBucketProvisioned: (0, presigned_url_resolver_1.createEnsureBucketProvisioned)(),
+        }),
+        (0, graphile_bucket_provisioner_plugin_1.BucketProvisionerPreset)({
+            connection: bucket_provisioner_resolver_1.getBucketProvisionerConnection,
+            allowedOrigins: (0, presigned_url_resolver_1.getAllowedOrigins)(),
+        }),
         (0, graphile_sql_expression_validator_1.SqlExpressionValidatorPreset)(),
         plugins_1.PgTypeMappingsPreset,
         plugins_1.RequiredInputPreset,

package/presigned-url-resolver.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Presigned URL resolver for the Constructive presigned URL plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions → pgpmDefaults + config files + env vars) and lazily
+ * initializes an S3Client on first use.
+ *
+ * Also provides a per-database bucket name resolver that derives the
+ * S3 bucket name from the database UUID + a configurable prefix.
+ *
+ * Follows the same lazy-init pattern as upload-resolver.ts.
+ */
+import type { S3Config, BucketNameResolver, EnsureBucketProvisioned } from 'graphile-presigned-url-plugin';
+/**
+ * Lazily initialize and return the S3Config for the presigned URL plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults → config file → env vars), creates an S3Client, and caches
+ * the result. Same CDN config as upload-resolver.ts.
+ *
+ * NOTE: The `bucket` field here is the global fallback bucket name
+ * (from BUCKET_NAME env var). When `resolveBucketName` is provided,
+ * per-database bucket names take precedence for all S3 operations.
+ */
+export declare function getPresignedUrlS3Config(): S3Config;
+/**
+ * Create a per-database bucket name resolver.
+ *
+ * Uses the BUCKET_NAME env var as a prefix. For each database, the S3 bucket
+ * name becomes `{prefix}-{databaseId}` (e.g., "myapp-abc123def456").
+ *
+ * In local development with MinIO (default BUCKET_NAME="test-bucket"),
+ * all databases share the same bucket for simplicity — the resolver
+ * returns the prefix as-is when it looks like a local dev bucket.
+ *
+ * In production, set BUCKET_NAME to your org prefix (e.g., "myapp")
+ * and each database gets its own isolated S3 bucket.
+ */
+export declare function createBucketNameResolver(): BucketNameResolver;
+/**
+ * Resolve CORS allowed origins from the env/config system.
+ *
+ * Reads SERVER_ORIGIN from the standard env hierarchy
+ * (pgpmDefaults → config file → env vars) and wraps it in an array.
+ * Falls back to ['http://localhost:3000'] for local development.
+ */
+export declare function getAllowedOrigins(): string[];
+/**
+ * Create a lazy bucket provisioner callback for the presigned URL plugin.
+ *
+ * On the first upload to an S3 bucket that doesn't exist yet, this callback
+ * uses the BucketProvisioner to create and fully configure the bucket
+ * (Block Public Access, CORS, policies, lifecycle rules for temp buckets).
+ *
+ * Uses the same S3 connection config as the bucket provisioner plugin
+ * (getBucketProvisionerConnection) and reads CORS origins from
+ * SERVER_ORIGIN env var (falls back to localhost for local dev).
+ */
+export declare function createEnsureBucketProvisioned(): EnsureBucketProvisioned;

package/presigned-url-resolver.js

@@ -0,0 +1,125 @@
+"use strict";
+/**
+ * Presigned URL resolver for the Constructive presigned URL plugin.
+ *
+ * Reads CDN/S3 configuration from the standard env system
+ * (getEnvOptions → pgpmDefaults + config files + env vars) and lazily
+ * initializes an S3Client on first use.
+ *
+ * Also provides a per-database bucket name resolver that derives the
+ * S3 bucket name from the database UUID + a configurable prefix.
+ *
+ * Follows the same lazy-init pattern as upload-resolver.ts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getPresignedUrlS3Config = getPresignedUrlS3Config;
+exports.createBucketNameResolver = createBucketNameResolver;
+exports.getAllowedOrigins = getAllowedOrigins;
+exports.createEnsureBucketProvisioned = createEnsureBucketProvisioned;
+const client_s3_1 = require("@aws-sdk/client-s3");
+const graphql_env_1 = require("@constructive-io/graphql-env");
+const logger_1 = require("@pgpmjs/logger");
+const bucket_provisioner_1 = require("@constructive-io/bucket-provisioner");
+const bucket_provisioner_resolver_1 = require("./bucket-provisioner-resolver");
+const log = new logger_1.Logger('presigned-url-resolver');
+let s3Config = null;
+/**
+ * Lazily initialize and return the S3Config for the presigned URL plugin.
+ *
+ * Reads CDN config on first call via getEnvOptions() (which already merges
+ * pgpmDefaults → config file → env vars), creates an S3Client, and caches
+ * the result. Same CDN config as upload-resolver.ts.
+ *
+ * NOTE: The `bucket` field here is the global fallback bucket name
+ * (from BUCKET_NAME env var). When `resolveBucketName` is provided,
+ * per-database bucket names take precedence for all S3 operations.
+ */
+function getPresignedUrlS3Config() {
+    if (s3Config)
+        return s3Config;
+    const { cdn } = (0, graphql_env_1.getEnvOptions)();
+    // cdn is guaranteed populated — pgpmDefaults provides all CDN fields
+    const { bucketName, awsRegion, awsAccessKey, awsSecretKey, endpoint, publicUrlPrefix } = cdn;
+    log.info(`[presigned-url-resolver] Initializing: bucket=${bucketName} endpoint=${endpoint}`);
+    const client = new client_s3_1.S3Client({
+        region: awsRegion,
+        credentials: { accessKeyId: awsAccessKey, secretAccessKey: awsSecretKey },
+        ...(endpoint ? { endpoint, forcePathStyle: true } : {}),
+    });
+    s3Config = {
+        client,
+        bucket: bucketName,
+        region: awsRegion,
+        publicUrlPrefix,
+        ...(endpoint ? { endpoint, forcePathStyle: true } : {}),
+    };
+    return s3Config;
+}
+/**
+ * Create a per-database bucket name resolver.
+ *
+ * Uses the BUCKET_NAME env var as a prefix. For each database, the S3 bucket
+ * name becomes `{prefix}-{databaseId}` (e.g., "myapp-abc123def456").
+ *
+ * In local development with MinIO (default BUCKET_NAME="test-bucket"),
+ * all databases share the same bucket for simplicity — the resolver
+ * returns the prefix as-is when it looks like a local dev bucket.
+ *
+ * In production, set BUCKET_NAME to your org prefix (e.g., "myapp")
+ * and each database gets its own isolated S3 bucket.
+ */
+function createBucketNameResolver() {
+    const { cdn } = (0, graphql_env_1.getEnvOptions)();
+    const prefix = cdn?.bucketName || 'test-bucket';
+    return (databaseId) => {
+        return `${prefix}-${databaseId}`;
+    };
+}
+/**
+ * Resolve CORS allowed origins from the env/config system.
+ *
+ * Reads SERVER_ORIGIN from the standard env hierarchy
+ * (pgpmDefaults → config file → env vars) and wraps it in an array.
+ * Falls back to ['http://localhost:3000'] for local development.
+ */
+function getAllowedOrigins() {
+    const { server } = (0, graphql_env_1.getEnvOptions)();
+    if (server?.origin)
+        return [server.origin];
+    return ['*'];
+}
+/**
+ * Create a lazy bucket provisioner callback for the presigned URL plugin.
+ *
+ * On the first upload to an S3 bucket that doesn't exist yet, this callback
+ * uses the BucketProvisioner to create and fully configure the bucket
+ * (Block Public Access, CORS, policies, lifecycle rules for temp buckets).
+ *
+ * Uses the same S3 connection config as the bucket provisioner plugin
+ * (getBucketProvisionerConnection) and reads CORS origins from
+ * SERVER_ORIGIN env var (falls back to localhost for local dev).
+ */
+function createEnsureBucketProvisioned() {
+    let provisioner = null;
+    return async (bucketName, accessType, databaseId, allowedOrigins) => {
+        // Per-database origins from storage_module, falling back to global SERVER_ORIGIN
+        const effectiveOrigins = (allowedOrigins && allowedOrigins.length > 0)
+            ? allowedOrigins
+            : getAllowedOrigins();
+        if (!provisioner) {
+            provisioner = new bucket_provisioner_1.BucketProvisioner({
+                connection: (0, bucket_provisioner_resolver_1.getBucketProvisionerConnection)(),
+                allowedOrigins: effectiveOrigins,
+            });
+        }
+        log.info(`[lazy-provision] Provisioning S3 bucket "${bucketName}" ` +
+            `(type=${accessType}) for database ${databaseId}`);
+        await provisioner.provision({
+            bucketName,
+            accessType,
+            versioning: false,
+            allowedOrigins: effectiveOrigins,
+        });
+        log.info(`[lazy-provision] S3 bucket "${bucketName}" provisioned successfully`);
+    };
+}

package/upload-resolver.d.ts

@@ -13,7 +13,7 @@
  *   AWS_REGION       - AWS region (default: 'us-east-1')
  *   AWS_ACCESS_KEY   - access key (default: 'minioadmin')
  *   AWS_SECRET_KEY   - secret key (default: 'minioadmin')
- *   MINIO_ENDPOINT   - MinIO endpoint (default: 'http://localhost:9000')
+ *   CDN_ENDPOINT     - S3-compatible endpoint (default: 'http://localhost:9000')
  */
 import type { Readable } from 'stream';
 import type { UploadFieldDefinition } from 'graphile-upload-plugin';

package/upload-resolver.js

@@ -14,7 +14,7 @@
  *   AWS_REGION       - AWS region (default: 'us-east-1')
  *   AWS_ACCESS_KEY   - access key (default: 'minioadmin')
  *   AWS_SECRET_KEY   - secret key (default: 'minioadmin')
- *   MINIO_ENDPOINT   - MinIO endpoint (default: 'http://localhost:9000')
+ *   CDN_ENDPOINT     - S3-compatible endpoint (default: 'http://localhost:9000')
  */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
@@ -41,7 +41,7 @@ function getStreamer() {
     const awsRegion = cdn.awsRegion || 'us-east-1';
     const awsAccessKey = cdn.awsAccessKey || 'minioadmin';
     const awsSecretKey = cdn.awsSecretKey || 'minioadmin';
-    const minioEndpoint = cdn.minioEndpoint || 'http://localhost:9000';
+    const endpoint = cdn.endpoint || 'http://localhost:9000';
     if (process.env.NODE_ENV === 'production') {
         if (!cdn.awsAccessKey || !cdn.awsSecretKey) {
             log.warn('[upload-resolver] WARNING: Using default credentials in production.');
@@ -53,7 +53,7 @@ function getStreamer() {
         awsRegion,
         awsSecretKey,
         awsAccessKey,
-        minioEndpoint,
+        endpoint,
         provider,
     });
     return streamer;