insforge 1.2.10 → 1.3.0

package/backend/src/services/realtime/realtime-message.service.ts

@@ -0,0 +1,260 @@
+import { Pool } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
+import logger from '@/utils/logger.js';
+import type { RealtimeMessage, RoleSchema } from '@insforge/shared-schemas';
+import { RealtimeChannelService } from './realtime-channel.service.js';
+import { RealtimeAuthService } from './realtime-auth.service.js';
+
+export class RealtimeMessageService {
+  private static instance: RealtimeMessageService;
+  private pool: Pool | null = null;
+
+  private constructor() {}
+
+  static getInstance(): RealtimeMessageService {
+    if (!RealtimeMessageService.instance) {
+      RealtimeMessageService.instance = new RealtimeMessageService();
+    }
+    return RealtimeMessageService.instance;
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  /**
+   * Insert a message into the channel (client-initiated send).
+   * RLS INSERT policy controls who can send to which channels.
+   * pg_notify is automatically triggered by database trigger on insert.
+   *
+   * @returns The inserted message data for broadcasting, or null if RLS denied the insert
+   */
+  async insertMessage(
+    channelName: string,
+    eventName: string,
+    payload: Record<string, unknown>,
+    userId: string | undefined,
+    userRole: RoleSchema
+  ): Promise<{
+    channelId: string;
+    channelName: string;
+    eventName: string;
+    payload: Record<string, unknown>;
+    senderId: string | null;
+  } | null> {
+    // Get channel info
+    const channelService = RealtimeChannelService.getInstance();
+    const channel = await channelService.getByName(channelName);
+
+    if (!channel) {
+      logger.debug('Channel not found for message insert', { channelName });
+      return null;
+    }
+
+    const client = await this.getPool().connect();
+
+    try {
+      // Begin transaction to ensure settings persist across queries
+      await client.query('BEGIN');
+
+      // Switch to specified role to enforce RLS policies
+      await client.query(`SET LOCAL ROLE ${userRole}`);
+
+      // Set user context for RLS policy evaluation
+      const authService = RealtimeAuthService.getInstance();
+      await authService.setUserContext(client, userId, channelName);
+
+      // Attempt INSERT with sender info - RLS will allow/deny based on policies
+      // No RETURNING clause needed - trigger handles pg_notify
+      await client.query(
+        `INSERT INTO realtime.messages (event_name, channel_id, channel_name, payload, sender_type, sender_id)
+         VALUES ($1, $2, $3, $4, 'user', $5)`,
+        [eventName, channel.id, channelName, JSON.stringify(payload), userId || null]
+      );
+
+      // Commit transaction - insert succeeded
+      await client.query('COMMIT');
+
+      logger.debug('Client message inserted', {
+        channelName,
+        eventName,
+        userId,
+      });
+
+      return {
+        channelId: channel.id,
+        channelName,
+        eventName,
+        payload,
+        senderId: userId || null,
+      };
+    } catch (error) {
+      // Rollback transaction on error
+      await client.query('ROLLBACK').catch(() => {});
+
+      // RLS policy denied the INSERT or other error
+      logger.debug('Message insert denied or failed', { channelName, eventName, userId, error });
+      return null;
+    } finally {
+      // Reset role back to default before releasing connection
+      await client.query('RESET ROLE');
+      client.release();
+    }
+  }
+
+  /**
+   * Get a message by ID (used by RealtimeManager after pg_notify)
+   */
+  async getById(id: string): Promise<RealtimeMessage | null> {
+    const result = await this.getPool().query(
+      `SELECT
+        id,
+        event_name as "eventName",
+        channel_id as "channelId",
+        channel_name as "channelName",
+        payload,
+        sender_type as "senderType",
+        sender_id as "senderId",
+        ws_audience_count as "wsAudienceCount",
+        wh_audience_count as "whAudienceCount",
+        wh_delivered_count as "whDeliveredCount",
+        created_at as "createdAt"
+      FROM realtime.messages
+      WHERE id = $1`,
+      [id]
+    );
+    return result.rows[0] || null;
+  }
+
+  async list(
+    options: {
+      channelId?: string;
+      eventName?: string;
+      limit?: number;
+      offset?: number;
+    } = {}
+  ): Promise<RealtimeMessage[]> {
+    const { channelId, eventName, limit = 100, offset = 0 } = options;
+
+    let query = `
+      SELECT
+        id,
+        event_name as "eventName",
+        channel_id as "channelId",
+        channel_name as "channelName",
+        payload,
+        sender_type as "senderType",
+        sender_id as "senderId",
+        ws_audience_count as "wsAudienceCount",
+        wh_audience_count as "whAudienceCount",
+        wh_delivered_count as "whDeliveredCount",
+        created_at as "createdAt"
+      FROM realtime.messages
+      WHERE 1=1
+    `;
+
+    const params: (string | number)[] = [];
+    let paramIndex = 1;
+
+    if (channelId) {
+      query += ` AND channel_id = $${paramIndex++}`;
+      params.push(channelId);
+    }
+
+    if (eventName) {
+      query += ` AND event_name = $${paramIndex++}`;
+      params.push(eventName);
+    }
+
+    query += ` ORDER BY created_at DESC LIMIT $${paramIndex++} OFFSET $${paramIndex++}`;
+    params.push(limit, offset);
+
+    const result = await this.getPool().query(query, params);
+    return result.rows;
+  }
+
+  /**
+   * Update message record with delivery statistics
+   */
+  async updateDeliveryStats(
+    messageId: string,
+    stats: {
+      wsAudienceCount: number;
+      whAudienceCount: number;
+      whDeliveredCount: number;
+    }
+  ): Promise<void> {
+    await this.getPool().query(
+      `UPDATE realtime.messages
+       SET
+         ws_audience_count = $2,
+         wh_audience_count = $3,
+         wh_delivered_count = $4
+       WHERE id = $1`,
+      [messageId, stats.wsAudienceCount, stats.whAudienceCount, stats.whDeliveredCount]
+    );
+  }
+
+  async getStats(
+    options: {
+      channelId?: string;
+      since?: Date;
+    } = {}
+  ): Promise<{
+    totalMessages: number;
+    whDeliveryRate: number;
+    topEvents: { eventName: string; count: number }[];
+  }> {
+    const { channelId, since } = options;
+
+    let whereClause = '1=1';
+    const params: (string | Date)[] = [];
+    let paramIndex = 1;
+
+    if (channelId) {
+      whereClause += ` AND channel_id = $${paramIndex++}`;
+      params.push(channelId);
+    }
+
+    if (since) {
+      whereClause += ` AND created_at >= $${paramIndex++}`;
+      params.push(since);
+    }
+
+    const statsResult = await this.getPool().query(
+      `SELECT
+        COUNT(*) as total_messages,
+        SUM(wh_audience_count) as wh_audience_total,
+        SUM(wh_delivered_count) as wh_delivered_total
+      FROM realtime.messages
+      WHERE ${whereClause}`,
+      params
+    );
+
+    const topEventsResult = await this.getPool().query(
+      `SELECT event_name, COUNT(*) as count
+       FROM realtime.messages
+       WHERE ${whereClause}
+       GROUP BY event_name
+       ORDER BY count DESC
+       LIMIT 10`,
+      params
+    );
+
+    const stats = statsResult.rows[0];
+    const whAudienceTotal = parseInt(stats.wh_audience_total) || 0;
+    const whDeliveredTotal = parseInt(stats.wh_delivered_total) || 0;
+
+    return {
+      totalMessages: parseInt(stats.total_messages) || 0,
+      whDeliveryRate: whAudienceTotal > 0 ? whDeliveredTotal / whAudienceTotal : 0,
+      topEvents: topEventsResult.rows.map((row) => ({
+        eventName: row.event_name,
+        count: parseInt(row.count),
+      })),
+    };
+  }
+}

package/backend/src/types/auth.ts

@@ -135,6 +135,16 @@ export interface XUserInfo {
   created_at?: string;
 }
 
+export interface AppleUserInfo {
+  sub: string;
+  email: string;
+  email_verified?: boolean;
+  is_private_email?: boolean;
+  name?: string;
+  given_name?: string;
+  family_name?: string;
+}
+
 // Generic OAuth user data returned by provider services
 export interface OAuthUserData {
   provider: string;
@@ -150,5 +160,6 @@ export interface OAuthUserData {
     | FacebookUserInfo
     | MicrosoftUserInfo
     | XUserInfo
+    | AppleUserInfo
     | Record<string, unknown>;
 }

package/backend/src/types/realtime.ts

@@ -0,0 +1,18 @@
+/**
+ * Realtime feature types - Backend-only types
+ *
+ * Shared types should be imported directly from @insforge/shared-schemas.
+ */
+
+// ============================================================================
+// Backend-Only Types (Internal Use)
+// ============================================================================
+
+/**
+ * Delivery statistics after message processing
+ */
+export interface DeliveryResult {
+  wsAudienceCount: number;
+  whAudienceCount: number;
+  whDeliveredCount: number;
+}

package/backend/src/types/socket.ts

@@ -10,24 +10,18 @@ export enum ServerEvents {
   NOTIFICATION = 'notification',
   DATA_UPDATE = 'data:update',
   MCP_CONNECTED = 'mcp:connected',
+  // Realtime events
+  REALTIME_ERROR = 'realtime:error',
 }
 
 /**
  * Client-to-Server events
  */
 export enum ClientEvents {
-  SUBSCRIBE = 'subscribe',
-  UNSUBSCRIBE = 'unsubscribe',
-}
-
-/**
- * Generic message interface
- */
-export interface SocketMessage<T = unknown> {
-  type: string;
-  payload?: T;
-  timestamp: number;
-  id?: string;
+  // Realtime events
+  REALTIME_SUBSCRIBE = 'realtime:subscribe',
+  REALTIME_UNSUBSCRIBE = 'realtime:unsubscribe',
+  REALTIME_PUBLISH = 'realtime:publish',
 }
 
 /**
@@ -43,27 +37,9 @@ export interface NotificationPayload {
 export enum DataUpdateResourceType {
   DATABASE = 'database',
   USERS = 'users',
-  RECORDS = 'records',
   BUCKETS = 'buckets',
   FUNCTIONS = 'functions',
-}
-
-export interface DataUpdatePayload {
-  resource: DataUpdateResourceType;
-  action: 'created' | 'updated' | 'deleted';
-  data: unknown;
-}
-
-/**
- * Client event payloads
- */
-export interface SubscribePayload {
-  channel: string;
-  filters?: Record<string, unknown>;
-}
-
-export interface UnsubscribePayload {
-  channel: string;
+  REALTIME = 'realtime',
 }
 
 /**

package/backend/src/utils/cookies.ts

@@ -0,0 +1,35 @@
+import { Response } from 'express';
+import { isProduction } from './environment';
+
+/**
+ * Cookie names
+ */
+export const REFRESH_TOKEN_COOKIE_NAME = 'insforge_refresh_token';
+
+/**
+ * Set an auth cookie on response
+ * @param name - Cookie name
+ * @param value - Cookie value
+ */
+export function setAuthCookie(res: Response, name: string, value: string): void {
+  res.cookie(name, value, {
+    httpOnly: true,
+    secure: isProduction(),
+    sameSite: 'none',
+    path: '/api/auth',
+    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
+  });
+}
+
+/**
+ * Clear an auth cookie on response
+ * IMPORTANT: Must use the same options (especially path) as when setting the cookie
+ */
+export function clearAuthCookie(res: Response, name: string): void {
+  res.clearCookie(name, {
+    httpOnly: true,
+    secure: isProduction(),
+    sameSite: 'none',
+    path: '/api/auth',
+  });
+}

package/backend/src/utils/s3-config-loader.ts

@@ -0,0 +1,64 @@
+import { S3Client, GetObjectCommand } from '@aws-sdk/client-s3';
+import logger from '@/utils/logger.js';
+
+// TODO: make these configurable in env variables in cloud backend
+const CONFIG_BUCKET = process.env.AWS_CONFIG_BUCKET || 'insforge-config';
+const CONFIG_REGION = process.env.AWS_CONFIG_REGION || 'us-east-2';
+
+let s3Client: S3Client | null = null;
+
+/**
+ * Get or create S3 client for config loading
+ */
+function getS3Client(): S3Client {
+  if (s3Client) {
+    return s3Client;
+  }
+
+  const s3Config: {
+    region: string;
+    credentials?: { accessKeyId: string; secretAccessKey: string };
+  } = {
+    region: CONFIG_REGION,
+  };
+
+  // Use explicit credentials if provided, otherwise IAM role
+  if (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) {
+    s3Config.credentials = {
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+    };
+  }
+
+  s3Client = new S3Client(s3Config);
+  return s3Client;
+}
+
+/**
+ * Fetches a JSON config file from the S3 config bucket
+ * @param key - The S3 object key (e.g., 'default-ai-models.json')
+ * @returns Parsed JSON content or null if fetch fails
+ */
+export async function fetchS3Config<T>(key: string): Promise<T | null> {
+  try {
+    const command = new GetObjectCommand({
+      Bucket: CONFIG_BUCKET,
+      Key: key,
+    });
+
+    const response = await getS3Client().send(command);
+    const body = await response.Body?.transformToString();
+
+    if (!body) {
+      logger.warn(`Empty config file from S3: ${key}`);
+      return null;
+    }
+
+    return JSON.parse(body) as T;
+  } catch (error) {
+    logger.warn(`Failed to fetch config from S3: ${key}`, {
+      error: error instanceof Error ? error.message : String(error),
+    });
+    return null;
+  }
+}