insforge 1.2.10 → 1.3.0

package/backend/src/infra/database/migrations/013_create-auth-schema-functions.sql

@@ -1,44 +1,44 @@
--- Migration: 013 - Create auth schema and copy helper functions
--- Creates auth schema if it doesn't exist and copies JWT helper functions
-
--- Create auth schema if not exists
-CREATE SCHEMA IF NOT EXISTS auth;
-
--- Function to get current user ID from JWT (in auth schema)
-CREATE OR REPLACE FUNCTION auth.uid()
-RETURNS uuid
-LANGUAGE sql STABLE
-AS $$
-  SELECT
-  nullif(
-    coalesce(
-      current_setting('request.jwt.claim.sub', true),
-      (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')
-    ),
-    ''
-  )::uuid
-$$;
-
--- Function to get current user role from JWT (in auth schema)
-CREATE OR REPLACE FUNCTION auth.role()
-RETURNS text
-LANGUAGE sql STABLE
-AS $$
-  SELECT
-  coalesce(
-    current_setting('request.jwt.claim.role', true),
-    (current_setting('request.jwt.claims', true)::jsonb ->> 'role')
-  )::text
-$$;
-
--- Function to get current user email from JWT (in auth schema)
-CREATE OR REPLACE FUNCTION auth.email()
-RETURNS text
-LANGUAGE sql STABLE
-AS $$
-  SELECT
-  coalesce(
-    current_setting('request.jwt.claim.email', true),
-    (current_setting('request.jwt.claims', true)::jsonb ->> 'email')
-  )::text
-$$;
+-- Migration: 013 - Create auth schema and copy helper functions
+-- Creates auth schema if it doesn't exist and copies JWT helper functions
+
+-- Create auth schema if not exists
+CREATE SCHEMA IF NOT EXISTS auth;
+
+-- Function to get current user ID from JWT (in auth schema)
+CREATE OR REPLACE FUNCTION auth.uid()
+RETURNS uuid
+LANGUAGE sql STABLE
+AS $$
+  SELECT
+  nullif(
+    coalesce(
+      current_setting('request.jwt.claim.sub', true),
+      (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')
+    ),
+    ''
+  )::uuid
+$$;
+
+-- Function to get current user role from JWT (in auth schema)
+CREATE OR REPLACE FUNCTION auth.role()
+RETURNS text
+LANGUAGE sql STABLE
+AS $$
+  SELECT
+  coalesce(
+    current_setting('request.jwt.claim.role', true),
+    (current_setting('request.jwt.claims', true)::jsonb ->> 'role')
+  )::text
+$$;
+
+-- Function to get current user email from JWT (in auth schema)
+CREATE OR REPLACE FUNCTION auth.email()
+RETURNS text
+LANGUAGE sql STABLE
+AS $$
+  SELECT
+  coalesce(
+    current_setting('request.jwt.claim.email', true),
+    (current_setting('request.jwt.claims', true)::jsonb ->> 'email')
+  )::text
+$$;

package/backend/src/infra/database/migrations/014_add-updated-at-trigger-user-table.sql

@@ -1,8 +1,8 @@
--- Migration: 014 - Add updated_at trigger to users table
--- Adds the updated_at trigger to the users table for automatic timestamp management
-
-
-DROP TRIGGER IF EXISTS update_users_updated_at ON users;
-CREATE TRIGGER update_users_updated_at
-BEFORE UPDATE ON users
+-- Migration: 014 - Add updated_at trigger to users table
+-- Adds the updated_at trigger to the users table for automatic timestamp management
+
+
+DROP TRIGGER IF EXISTS update_users_updated_at ON users;
+CREATE TRIGGER update_users_updated_at
+BEFORE UPDATE ON users
 FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();

package/backend/src/infra/database/migrations/015_create-auth-config-and-email-otp-tables.sql

@@ -1,60 +1,60 @@
--- Migration: 015 - Create email OTP verification table and email auth configs
--- This migration creates:
--- 1. _email_otps: Stores one-time tokens for email verification purposes
---    - Supports both short numeric codes (6 digits) for manual entry
---    - Supports long cryptographic tokens (64 chars) for magic links
---    - Uses dual hashing strategy:
---      * NUMERIC_CODE (6 digits): Bcrypt hash (slow, defense against brute force)
---      * LINK_TOKEN (64 hex chars): SHA-256 hash (fast, enables direct O(1) lookup)
--- 2. _auth_configs: Stores email authentication configuration (single-row table)
-
--- 1. Create email OTP verification table
-CREATE TABLE IF NOT EXISTS _email_otps (
-  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
-  email TEXT NOT NULL,
-  purpose TEXT NOT NULL,
-  otp_hash TEXT NOT NULL, -- Hash of OTP: bcrypt for NUMERIC_CODE, SHA-256 for LINK_TOKEN
-  expires_at TIMESTAMPTZ NOT NULL,
-  consumed_at TIMESTAMPTZ,
-  attempts_count INTEGER DEFAULT 0 NOT NULL,
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW(),
-  UNIQUE (email, purpose) -- Only one active token per email/purpose combination
-);
-
--- Create indexes for better query performance
-CREATE INDEX IF NOT EXISTS idx_email_otps_email_purpose ON _email_otps(email, purpose);
-CREATE INDEX IF NOT EXISTS idx_email_otps_expires_at ON _email_otps(expires_at);
-CREATE INDEX IF NOT EXISTS idx_email_otps_otp_hash ON _email_otps(otp_hash); -- For direct LINK_TOKEN lookup
-
--- Add trigger for updated_at
-DROP TRIGGER IF EXISTS update__email_otps_updated_at ON _email_otps;
-CREATE TRIGGER update__email_otps_updated_at
-BEFORE UPDATE ON _email_otps
-FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
-
--- 2. Create email authentication configuration table (single-row design)
--- This table stores global email authentication settings for the project
-CREATE TABLE IF NOT EXISTS _auth_configs (
-  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
-  require_email_verification BOOLEAN DEFAULT FALSE NOT NULL,
-  password_min_length INTEGER DEFAULT 6 NOT NULL CHECK (password_min_length >= 4 AND password_min_length <= 128),
-  require_number BOOLEAN DEFAULT FALSE NOT NULL,
-  require_lowercase BOOLEAN DEFAULT FALSE NOT NULL,
-  require_uppercase BOOLEAN DEFAULT FALSE NOT NULL,
-  require_special_char BOOLEAN DEFAULT FALSE NOT NULL,
-  verify_email_redirect_to TEXT, -- Custom URL to redirect after successful email verification (defaults to no redirect if NULL)
-  reset_password_redirect_to TEXT, -- Custom URL to redirect after successful password reset (defaults to no redirect if NULL)
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW()
-);
-
--- Ensure only one row exists (singleton pattern)
--- This constraint prevents multiple configuration rows
-CREATE UNIQUE INDEX IF NOT EXISTS idx_auth_configs_singleton ON _auth_configs ((1));
-
--- Add trigger for updated_at
-DROP TRIGGER IF EXISTS update__auth_configs_updated_at ON _auth_configs;
-CREATE TRIGGER update__auth_configs_updated_at
-BEFORE UPDATE ON _auth_configs
+-- Migration: 015 - Create email OTP verification table and email auth configs
+-- This migration creates:
+-- 1. _email_otps: Stores one-time tokens for email verification purposes
+--    - Supports both short numeric codes (6 digits) for manual entry
+--    - Supports long cryptographic tokens (64 chars) for magic links
+--    - Uses dual hashing strategy:
+--      * NUMERIC_CODE (6 digits): Bcrypt hash (slow, defense against brute force)
+--      * LINK_TOKEN (64 hex chars): SHA-256 hash (fast, enables direct O(1) lookup)
+-- 2. _auth_configs: Stores email authentication configuration (single-row table)
+
+-- 1. Create email OTP verification table
+CREATE TABLE IF NOT EXISTS _email_otps (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  email TEXT NOT NULL,
+  purpose TEXT NOT NULL,
+  otp_hash TEXT NOT NULL, -- Hash of OTP: bcrypt for NUMERIC_CODE, SHA-256 for LINK_TOKEN
+  expires_at TIMESTAMPTZ NOT NULL,
+  consumed_at TIMESTAMPTZ,
+  attempts_count INTEGER DEFAULT 0 NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW(),
+  UNIQUE (email, purpose) -- Only one active token per email/purpose combination
+);
+
+-- Create indexes for better query performance
+CREATE INDEX IF NOT EXISTS idx_email_otps_email_purpose ON _email_otps(email, purpose);
+CREATE INDEX IF NOT EXISTS idx_email_otps_expires_at ON _email_otps(expires_at);
+CREATE INDEX IF NOT EXISTS idx_email_otps_otp_hash ON _email_otps(otp_hash); -- For direct LINK_TOKEN lookup
+
+-- Add trigger for updated_at
+DROP TRIGGER IF EXISTS update__email_otps_updated_at ON _email_otps;
+CREATE TRIGGER update__email_otps_updated_at
+BEFORE UPDATE ON _email_otps
+FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+-- 2. Create email authentication configuration table (single-row design)
+-- This table stores global email authentication settings for the project
+CREATE TABLE IF NOT EXISTS _auth_configs (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  require_email_verification BOOLEAN DEFAULT FALSE NOT NULL,
+  password_min_length INTEGER DEFAULT 6 NOT NULL CHECK (password_min_length >= 4 AND password_min_length <= 128),
+  require_number BOOLEAN DEFAULT FALSE NOT NULL,
+  require_lowercase BOOLEAN DEFAULT FALSE NOT NULL,
+  require_uppercase BOOLEAN DEFAULT FALSE NOT NULL,
+  require_special_char BOOLEAN DEFAULT FALSE NOT NULL,
+  verify_email_redirect_to TEXT, -- Custom URL to redirect after successful email verification (defaults to no redirect if NULL)
+  reset_password_redirect_to TEXT, -- Custom URL to redirect after successful password reset (defaults to no redirect if NULL)
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Ensure only one row exists (singleton pattern)
+-- This constraint prevents multiple configuration rows
+CREATE UNIQUE INDEX IF NOT EXISTS idx_auth_configs_singleton ON _auth_configs ((1));
+
+-- Add trigger for updated_at
+DROP TRIGGER IF EXISTS update__auth_configs_updated_at ON _auth_configs;
+CREATE TRIGGER update__auth_configs_updated_at
+BEFORE UPDATE ON _auth_configs
 FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();

package/backend/src/infra/database/migrations/016_update-auth-config-and-email-otp.sql

@@ -1,24 +1,24 @@
--- Migration 016: Update _email_otps and _auth_configs tables
---
--- Changes:
--- 1. _email_otps table:
---    - Remove attempts_count column (brute force protection moved to API rate limiter)
--- 2. _auth_configs table:
---    - Remove verify_email_redirect_to and reset_password_redirect_to columns
---    - Add verify_email_method and reset_password_method columns (code or link)
---    - Add sign_in_redirect_to column
-
--- Update _email_otps: Remove attempts_count column
-ALTER TABLE _email_otps DROP COLUMN IF EXISTS attempts_count;
-
--- Update _auth_configs: Remove old redirect columns
-ALTER TABLE _auth_configs
-  DROP COLUMN IF EXISTS verify_email_redirect_to,
-  DROP COLUMN IF EXISTS reset_password_redirect_to;
-
--- Add new columns to _auth_configs
--- Note: DEFAULT 'code' NOT NULL ensures existing rows automatically get 'code' value
-ALTER TABLE _auth_configs
-  ADD COLUMN IF NOT EXISTS verify_email_method TEXT DEFAULT 'code' NOT NULL CHECK (verify_email_method IN ('code', 'link')),
-  ADD COLUMN IF NOT EXISTS reset_password_method TEXT DEFAULT 'code' NOT NULL CHECK (reset_password_method IN ('code', 'link')),
-  ADD COLUMN IF NOT EXISTS sign_in_redirect_to TEXT;
+-- Migration 016: Update _email_otps and _auth_configs tables
+--
+-- Changes:
+-- 1. _email_otps table:
+--    - Remove attempts_count column (brute force protection moved to API rate limiter)
+-- 2. _auth_configs table:
+--    - Remove verify_email_redirect_to and reset_password_redirect_to columns
+--    - Add verify_email_method and reset_password_method columns (code or link)
+--    - Add sign_in_redirect_to column
+
+-- Update _email_otps: Remove attempts_count column
+ALTER TABLE _email_otps DROP COLUMN IF EXISTS attempts_count;
+
+-- Update _auth_configs: Remove old redirect columns
+ALTER TABLE _auth_configs
+  DROP COLUMN IF EXISTS verify_email_redirect_to,
+  DROP COLUMN IF EXISTS reset_password_redirect_to;
+
+-- Add new columns to _auth_configs
+-- Note: DEFAULT 'code' NOT NULL ensures existing rows automatically get 'code' value
+ALTER TABLE _auth_configs
+  ADD COLUMN IF NOT EXISTS verify_email_method TEXT DEFAULT 'code' NOT NULL CHECK (verify_email_method IN ('code', 'link')),
+  ADD COLUMN IF NOT EXISTS reset_password_method TEXT DEFAULT 'code' NOT NULL CHECK (reset_password_method IN ('code', 'link')),
+  ADD COLUMN IF NOT EXISTS sign_in_redirect_to TEXT;

package/backend/src/infra/database/migrations/017_create-realtime-schema.sql

@@ -0,0 +1,233 @@
+-- Migration 017: Create Realtime Schema
+--
+-- Creates the realtime schema with:
+-- 1. channels table - Channel definitions with webhook configuration
+-- 2. messages table - All realtime messages with delivery statistics
+-- 3. publish() function - Called by developer triggers to publish events
+--
+-- Permission Model (Supabase pattern):
+-- - SELECT on channels = 'subscribe' permission (subscribe to channel)
+-- - INSERT on messages = 'publish' permission (publish to channel)
+-- Developers define RLS policies on channels/messages table to control access.
+
+-- ============================================================================
+-- CREATE SCHEMA
+-- ============================================================================
+
+CREATE SCHEMA IF NOT EXISTS realtime;
+
+-- ============================================================================
+-- CHANNELS TABLE
+-- ============================================================================
+-- Stores channel definitions with delivery configuration.
+-- RLS policies control subscribe permissions.
+-- - SELECT policy = 'subscribe' permission (can subscribe to channel)
+-- Channel names use : as separator and % for wildcards (LIKE pattern).
+-- Examples: "orders", "order:%", "chat:%:messages"
+
+CREATE TABLE IF NOT EXISTS realtime.channels (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+
+  -- Channel name pattern (e.g., "orders", "order:%", "chat:%:messages")
+  -- Convention: use : as separator, % for wildcards (LIKE pattern)
+  pattern TEXT UNIQUE NOT NULL,
+
+  -- Human-readable description
+  description TEXT,
+
+  -- Webhook URLs to POST events to (NULL or empty array = no webhooks)
+  webhook_urls TEXT[],
+
+  -- Whether this channel is active
+  enabled BOOLEAN DEFAULT TRUE NOT NULL,
+
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- ============================================================================
+-- MESSAGES TABLE
+-- ============================================================================
+-- Stores all realtime messages published through the system.
+-- RLS policies on this table control publish permissions:
+-- - INSERT policy = 'publish' permission (can publish to channel)
+
+CREATE TABLE IF NOT EXISTS realtime.messages (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+
+  -- Event metadata
+  event_name TEXT NOT NULL,
+
+  -- Channel reference (SET NULL on delete to preserve history)
+  channel_id UUID REFERENCES realtime.channels(id) ON DELETE SET NULL,
+  channel_name TEXT NOT NULL, -- Denormalized for query convenience after channel deletion
+
+  -- Event payload (stored for audit/replay purposes)
+  payload JSONB DEFAULT '{}'::jsonb NOT NULL,
+
+  -- Sender information
+  -- 'system' = triggered by database trigger (via publish() function)
+  -- 'user' = published by client via WebSocket
+  sender_type TEXT DEFAULT 'system' NOT NULL CHECK (sender_type IN ('system', 'user')),
+  sender_id UUID, -- User ID for 'user' type, NULL for 'system' type
+
+  -- Delivery statistics for WebSocket
+  ws_audience_count INTEGER DEFAULT 0 NOT NULL, -- How many clients were subscribed
+
+  -- Delivery statistics for Webhooks
+  wh_audience_count INTEGER DEFAULT 0 NOT NULL, -- How many webhook URLs configured
+  wh_delivered_count INTEGER DEFAULT 0 NOT NULL, -- How many succeeded (2xx response)
+
+  created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- ============================================================================
+-- INDEXES
+-- ============================================================================
+
+CREATE INDEX IF NOT EXISTS idx_realtime_channels_pattern ON realtime.channels(pattern);
+CREATE INDEX IF NOT EXISTS idx_realtime_channels_enabled ON realtime.channels(enabled);
+CREATE INDEX IF NOT EXISTS idx_realtime_messages_channel_id ON realtime.messages(channel_id);
+CREATE INDEX IF NOT EXISTS idx_realtime_messages_channel_name ON realtime.messages(channel_name);
+CREATE INDEX IF NOT EXISTS idx_realtime_messages_created_at ON realtime.messages(created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_realtime_messages_event_name ON realtime.messages(event_name);
+CREATE INDEX IF NOT EXISTS idx_realtime_messages_sender ON realtime.messages(sender_type, sender_id);
+
+-- ============================================================================
+-- UPDATED_AT TRIGGER
+-- ============================================================================
+
+CREATE OR REPLACE FUNCTION realtime.update_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.updated_at = NOW();
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS trg_channels_updated_at ON realtime.channels;
+CREATE TRIGGER trg_channels_updated_at
+BEFORE UPDATE ON realtime.channels
+FOR EACH ROW EXECUTE FUNCTION realtime.update_updated_at();
+
+-- ============================================================================
+-- ROW LEVEL SECURITY (DISABLED BY DEFAULT)
+-- ============================================================================
+-- RLS is disabled by default for the best developer experience.
+-- Channels and messages are open to all authenticated/anon users out of the box.
+--
+-- To enable access control, developers can:
+--   1. Enable RLS: ALTER TABLE realtime.channels ENABLE ROW LEVEL SECURITY;
+--   2. Add policies using the helper function realtime.channel_name()
+--
+-- See documentation for policy examples.
+
+-- ============================================================================
+-- HELPER FUNCTIONS FOR RLS POLICIES
+-- ============================================================================
+
+-- Returns the channel name being accessed (set by backend during permission checks)
+-- Developers use this in policies instead of writing current_setting directly
+CREATE OR REPLACE FUNCTION realtime.channel_name()
+RETURNS TEXT AS $$
+  SELECT current_setting('realtime.channel_name', true);
+$$ LANGUAGE SQL STABLE;
+
+-- ============================================================================
+-- PUBLISH FUNCTION
+-- ============================================================================
+-- Called by developer triggers to publish events to channels.
+-- This function can only be executed by the backend (SECURITY DEFINER).
+--
+-- Usage in a trigger:
+--   PERFORM realtime.publish(
+--     'order:' || NEW.id::text,  -- channel name (resolved instance)
+--     'order_updated',           -- event name
+--     jsonb_build_object('id', NEW.id, 'status', NEW.status)  -- payload
+--   );
+
+CREATE OR REPLACE FUNCTION realtime.publish(
+  p_channel_name TEXT,
+  p_event_name TEXT,
+  p_payload JSONB
+)
+RETURNS UUID AS $$
+DECLARE
+  v_channel_id UUID;
+  v_message_id UUID;
+BEGIN
+  -- Find matching channel: exact match first, then wildcard pattern match
+  -- For wildcard patterns like "order:%", check if p_channel_name LIKE pattern
+  SELECT id INTO v_channel_id
+  FROM realtime.channels
+  WHERE enabled = TRUE
+    AND (pattern = p_channel_name OR p_channel_name LIKE pattern)
+  ORDER BY pattern = p_channel_name DESC
+  LIMIT 1;
+
+  -- If no channel found, raise a warning and return NULL
+  IF v_channel_id IS NULL THEN
+    RAISE WARNING 'Realtime: No matching channel found for "%"', p_channel_name;
+    RETURN NULL;
+  END IF;
+
+  -- Insert message record (system-triggered, so sender_type = 'system')
+  INSERT INTO realtime.messages (
+    event_name,
+    channel_id,
+    channel_name,
+    payload,
+    sender_type
+  ) VALUES (
+    p_event_name,
+    v_channel_id,
+    p_channel_name,
+    p_payload,
+    'system'
+  )
+  RETURNING id INTO v_message_id;
+
+  RETURN v_message_id;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+-- Revoke execute from public, only backend can call this
+REVOKE ALL ON FUNCTION realtime.publish FROM PUBLIC;
+
+-- ============================================================================
+-- TRIGGER FOR PG_NOTIFY
+-- ============================================================================
+-- Trigger function that sends pg_notify for every new message (both system and client).
+
+CREATE OR REPLACE FUNCTION realtime.notify_on_message_insert()
+RETURNS TRIGGER AS $$
+BEGIN
+  -- Send only message_id to bypass pg_notify 8KB payload limit
+  -- Backend will fetch full message from DB
+  PERFORM pg_notify('realtime_message', NEW.id::text);
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create trigger on messages table
+DROP TRIGGER IF EXISTS trg_message_notify ON realtime.messages;
+CREATE TRIGGER trg_message_notify
+  AFTER INSERT ON realtime.messages
+  FOR EACH ROW
+  EXECUTE FUNCTION realtime.notify_on_message_insert();
+
+-- ============================================================================
+-- GRANTS
+-- ============================================================================
+
+-- Grant schema access to both authenticated and anonymous users
+GRANT USAGE ON SCHEMA realtime TO authenticated, anon;
+
+-- Grant SELECT on channels table (allows subscribe)
+GRANT SELECT ON realtime.channels TO authenticated, anon;
+
+-- Grant INSERT on messages table (allows publish)
+GRANT INSERT ON realtime.messages TO authenticated, anon;
+
+-- Grant execution permission on helper function (used when RLS is enabled)
+GRANT EXECUTE ON FUNCTION realtime.channel_name() TO authenticated, anon;