insforge 1.2.10 → 1.4.8

package/backend/src/services/email/email.service.ts

@@ -1,6 +1,7 @@
 import { EmailProvider } from '@/providers/email/base.provider.js';
 import { CloudEmailProvider } from '@/providers/email/cloud.provider.js';
 import { EmailTemplate } from '@/types/email.js';
+import { SendRawEmailRequest } from '@insforge/shared-schemas';
 import logger from '@/utils/logger.js';
 
 /**
@@ -53,17 +54,14 @@ export class EmailService {
   }
 
   /**
-   * Send raw email (if provider supports it)
-   * @param to - Recipient email address
-   * @param subject - Email subject
-   * @param html - HTML email body
-   * @param text - Plain text email body (optional)
+   * Send custom/raw email
+   * @param options - Email options (to, subject, html, cc, bcc, from, replyTo)
    */
-  public async sendRaw(to: string, subject: string, html: string, text?: string): Promise<void> {
+  public async sendRaw(options: SendRawEmailRequest): Promise<void> {
     if (!this.provider.sendRaw) {
       throw new Error('Current email provider does not support raw email sending');
     }
-    return this.provider.sendRaw(to, subject, html, text);
+    return this.provider.sendRaw(options);
   }
 
   /**

package/backend/src/services/functions/function.service.ts

@@ -1,8 +1,10 @@
 import { DatabaseManager } from '@/infra/database/database.manager.js';
 import {
   EdgeFunctionMetadataSchema,
-  FunctionUploadRequest,
-  FunctionUpdateRequest,
+  UploadFunctionRequest,
+  UpdateFunctionRequest,
+  FunctionSchema,
+  ListFunctionsResponse,
 } from '@insforge/shared-schemas';
 import logger from '@/utils/logger.js';
 import { DatabaseError, Pool } from 'pg';
@@ -10,13 +12,6 @@ import fetch from 'node-fetch';
 import { AppError } from '@/api/middlewares/error.js';
 import { ERROR_CODES } from '@/types/error-constants.js';
 
-export interface FunctionWithRuntime {
-  functions: Record<string, unknown>[];
-  runtime: {
-    status: 'running' | 'unavailable';
-  };
-}
-
 export class FunctionService {
   private static instance: FunctionService;
   private pool: Pool | null = null;
@@ -41,13 +36,19 @@ export class FunctionService {
   /**
    * List all functions with runtime health check
    */
-  async listFunctions(): Promise<FunctionWithRuntime> {
+  async listFunctions(): Promise<ListFunctionsResponse> {
     try {
       const result = await this.getPool().query(
         `SELECT
-          id, slug, name, description, status,
-          created_at, updated_at, deployed_at
-        FROM _functions
+          id,
+          slug,
+          name,
+          description,
+          status,
+          created_at as "createdAt",
+          updated_at as "updatedAt",
+          deployed_at as "deployedAt"
+        FROM functions.definitions
         ORDER BY created_at DESC`
       );
 
@@ -86,13 +87,20 @@ export class FunctionService {
   /**
    * Get a specific function by slug
    */
-  async getFunction(slug: string): Promise<Record<string, unknown> | undefined> {
+  async getFunction(slug: string): Promise<FunctionSchema | undefined> {
     try {
       const result = await this.getPool().query(
         `SELECT
-          id, slug, name, description, code, status,
-          created_at, updated_at, deployed_at
-        FROM _functions
+          id,
+          slug,
+          name,
+          description,
+          code,
+          status,
+          created_at as "createdAt",
+          updated_at as "updatedAt",
+          deployed_at as "deployedAt"
+        FROM functions.definitions
         WHERE slug = $1`,
         [slug]
       );
@@ -111,7 +119,7 @@ export class FunctionService {
   /**
    * Create a new function
    */
-  async createFunction(data: FunctionUploadRequest): Promise<Record<string, unknown>> {
+  async createFunction(data: UploadFunctionRequest): Promise<FunctionSchema> {
     const client = await this.getPool().connect();
     try {
       const { name, code, description, status } = data;
@@ -125,22 +133,23 @@ export class FunctionService {
 
       // Insert function
       await client.query(
-        `INSERT INTO _functions (id, slug, name, description, code, status)
+        `INSERT INTO functions.definitions (id, slug, name, description, code, status)
         VALUES ($1, $2, $3, $4, $5, $6)`,
         [id, slug, name, description || null, code, status]
       );
 
       // If status is active, update deployed_at
       if (status === 'active') {
-        await client.query(`UPDATE _functions SET deployed_at = CURRENT_TIMESTAMP WHERE id = $1`, [
-          id,
-        ]);
+        await client.query(
+          `UPDATE functions.definitions SET deployed_at = CURRENT_TIMESTAMP WHERE id = $1`,
+          [id]
+        );
       }
 
       // Fetch the created function
       const result = await client.query(
-        `SELECT id, slug, name, description, status, created_at
-        FROM _functions WHERE id = $1`,
+        `SELECT id, slug, name, description, status, created_at as "createdAt"
+        FROM functions.definitions WHERE id = $1`,
         [id]
       );
 
@@ -176,14 +185,15 @@ export class FunctionService {
    */
   async updateFunction(
     slug: string,
-    updates: FunctionUpdateRequest
-  ): Promise<Record<string, unknown> | null> {
+    updates: UpdateFunctionRequest
+  ): Promise<FunctionSchema | null> {
     const client = await this.getPool().connect();
     try {
       // Check if function exists
-      const existingResult = await client.query('SELECT id FROM _functions WHERE slug = $1', [
-        slug,
-      ]);
+      const existingResult = await client.query(
+        'SELECT id FROM functions.definitions WHERE slug = $1',
+        [slug]
+      );
       if (existingResult.rows.length === 0) {
         return null;
       }
@@ -195,22 +205,28 @@ export class FunctionService {
 
       // Update fields
       if (updates.name !== undefined) {
-        await client.query('UPDATE _functions SET name = $1 WHERE slug = $2', [updates.name, slug]);
+        await client.query('UPDATE functions.definitions SET name = $1 WHERE slug = $2', [
+          updates.name,
+          slug,
+        ]);
       }
 
       if (updates.description !== undefined) {
-        await client.query('UPDATE _functions SET description = $1 WHERE slug = $2', [
+        await client.query('UPDATE functions.definitions SET description = $1 WHERE slug = $2', [
           updates.description,
           slug,
         ]);
       }
 
       if (updates.code !== undefined) {
-        await client.query('UPDATE _functions SET code = $1 WHERE slug = $2', [updates.code, slug]);
+        await client.query('UPDATE functions.definitions SET code = $1 WHERE slug = $2', [
+          updates.code,
+          slug,
+        ]);
       }
 
       if (updates.status !== undefined) {
-        await client.query('UPDATE _functions SET status = $1 WHERE slug = $2', [
+        await client.query('UPDATE functions.definitions SET status = $1 WHERE slug = $2', [
           updates.status,
           slug,
         ]);
@@ -218,21 +234,22 @@ export class FunctionService {
         // Update deployed_at if status changes to active
         if (updates.status === 'active') {
           await client.query(
-            'UPDATE _functions SET deployed_at = CURRENT_TIMESTAMP WHERE slug = $1',
+            'UPDATE functions.definitions SET deployed_at = CURRENT_TIMESTAMP WHERE slug = $1',
             [slug]
           );
         }
       }
 
       // Update updated_at
-      await client.query('UPDATE _functions SET updated_at = CURRENT_TIMESTAMP WHERE slug = $1', [
-        slug,
-      ]);
+      await client.query(
+        'UPDATE functions.definitions SET updated_at = CURRENT_TIMESTAMP WHERE slug = $1',
+        [slug]
+      );
 
       // Fetch updated function
       const result = await client.query(
-        `SELECT id, slug, name, description, status, updated_at
-        FROM _functions WHERE slug = $1`,
+        `SELECT id, slug, name, description, status, updated_at as "updatedAt", deployed_at as "deployedAt"
+        FROM functions.definitions WHERE slug = $1`,
         [slug]
       );
 
@@ -254,7 +271,10 @@ export class FunctionService {
    */
   async deleteFunction(slug: string): Promise<boolean> {
     try {
-      const result = await this.getPool().query('DELETE FROM _functions WHERE slug = $1', [slug]);
+      const result = await this.getPool().query(
+        'DELETE FROM functions.definitions WHERE slug = $1',
+        [slug]
+      );
 
       if (result.rowCount === 0) {
         return false;
@@ -278,7 +298,7 @@ export class FunctionService {
     try {
       const result = await this.getPool().query(
         `SELECT slug, name, description, status
-        FROM _functions
+        FROM functions.definitions
         ORDER BY created_at DESC`
       );
 

package/backend/src/services/logs/audit.service.ts

@@ -35,7 +35,7 @@ export class AuditService {
     try {
       const pool = this.getPool();
       const result = await pool.query(
-        `INSERT INTO _audit_logs (actor, action, module, details, ip_address)
+        `INSERT INTO system.audit_logs (actor, action, module, details, ip_address)
          VALUES ($1, $2, $3, $4, $5)
          RETURNING *`,
         [
@@ -109,12 +109,12 @@ export class AuditService {
       }
 
       // Get total count first
-      const countSql = `SELECT COUNT(*) as count FROM _audit_logs ${whereClause}`;
+      const countSql = `SELECT COUNT(*) as count FROM system.audit_logs ${whereClause}`;
       const countResult = await pool.query(countSql, params);
       const total = parseInt(countResult.rows[0].count, 10);
 
       // Get paginated records
-      let dataSql = `SELECT * FROM _audit_logs ${whereClause} ORDER BY created_at DESC`;
+      let dataSql = `SELECT * FROM system.audit_logs ${whereClause} ORDER BY created_at DESC`;
       const dataParams = [...params];
 
       if (query.limit) {
@@ -154,7 +154,7 @@ export class AuditService {
   async getById(id: string): Promise<AuditLogSchema | null> {
     try {
       const pool = this.getPool();
-      const result = await pool.query('SELECT * FROM _audit_logs WHERE id = $1', [id]);
+      const result = await pool.query('SELECT * FROM system.audit_logs WHERE id = $1', [id]);
 
       const row = result.rows[0];
 
@@ -186,30 +186,30 @@ export class AuditService {
       startDate.setDate(startDate.getDate() - days);
 
       const totalLogsResult = await pool.query(
-        'SELECT COUNT(*) as count FROM _audit_logs WHERE created_at >= $1',
+        'SELECT COUNT(*) as count FROM system.audit_logs WHERE created_at >= $1',
         [startDate.toISOString()]
       );
 
       const uniqueActorsResult = await pool.query(
-        'SELECT COUNT(DISTINCT actor) as count FROM _audit_logs WHERE created_at >= $1',
+        'SELECT COUNT(DISTINCT actor) as count FROM system.audit_logs WHERE created_at >= $1',
         [startDate.toISOString()]
       );
 
       const uniqueModulesResult = await pool.query(
-        'SELECT COUNT(DISTINCT module) as count FROM _audit_logs WHERE created_at >= $1',
+        'SELECT COUNT(DISTINCT module) as count FROM system.audit_logs WHERE created_at >= $1',
         [startDate.toISOString()]
       );
 
       const actionsByModuleResult = await pool.query(
         `SELECT module, COUNT(*) as count
-         FROM _audit_logs
+         FROM system.audit_logs
          WHERE created_at >= $1
          GROUP BY module`,
         [startDate.toISOString()]
       );
 
       const recentActivityResult = await pool.query(
-        `SELECT * FROM _audit_logs
+        `SELECT * FROM system.audit_logs
          WHERE created_at >= $1
          ORDER BY created_at DESC
          LIMIT 10`,
@@ -253,7 +253,7 @@ export class AuditService {
       cutoffDate.setDate(cutoffDate.getDate() - daysToKeep);
 
       const result = await pool.query(
-        'DELETE FROM _audit_logs WHERE created_at < $1 RETURNING id',
+        'DELETE FROM system.audit_logs WHERE created_at < $1 RETURNING id',
         [cutoffDate.toISOString()]
       );
 

package/backend/src/services/realtime/index.ts

@@ -0,0 +1,3 @@
+export { RealtimeChannelService } from './realtime-channel.service.js';
+export { RealtimeAuthService } from './realtime-auth.service.js';
+export { RealtimeMessageService } from './realtime-message.service.js';

package/backend/src/services/realtime/realtime-auth.service.ts

@@ -0,0 +1,104 @@
+import { Pool, PoolClient } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
+import logger from '@/utils/logger.js';
+import { RoleSchema } from '@insforge/shared-schemas';
+
+/**
+ * Handles channel authorization by checking RLS policies on the messages table.
+ *
+ * Permission Model (Supabase pattern):
+ * - SELECT on messages = 'join' permission (can subscribe to channel)
+ * - INSERT on messages = 'send' permission (can publish to channel)
+ *
+ * Developers define RLS policies on realtime.messages that check:
+ * - current_setting('request.jwt.claim.sub', true) = user ID
+ * - current_setting('request.jwt.claim.role', true) = user role
+ * - channel_name for channel-specific access
+ */
+export class RealtimeAuthService {
+  private static instance: RealtimeAuthService;
+  private pool: Pool | null = null;
+
+  private constructor() {}
+
+  static getInstance(): RealtimeAuthService {
+    if (!RealtimeAuthService.instance) {
+      RealtimeAuthService.instance = new RealtimeAuthService();
+    }
+    return RealtimeAuthService.instance;
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  /**
+   * Check if user has permission to subscribe to a channel.
+   * Tests SELECT permission on channels table via RLS.
+   *
+   * @param channelName - The channel to check access for
+   * @param userId - The user ID (undefined for anonymous users)
+   * @param role - The database role to use (authenticated or anon)
+   * @returns true if user can subscribe, false otherwise
+   */
+  async checkSubscribePermission(
+    channelName: string,
+    userId: string | undefined,
+    role: RoleSchema
+  ): Promise<boolean> {
+    const client = await this.getPool().connect();
+    try {
+      // Begin transaction to ensure settings persist across queries
+      await client.query('BEGIN');
+      // Switch to specified role to enforce RLS policies
+      await client.query(`SET LOCAL ROLE ${role}`);
+      await this.setUserContext(client, userId, channelName);
+
+      // Test SELECT permission via RLS on channels table
+      const result = await client.query(
+        `SELECT 1 FROM realtime.channels
+         WHERE enabled = TRUE
+           AND (pattern = $1 OR $1 LIKE pattern)
+         LIMIT 1`,
+        [channelName]
+      );
+
+      // Commit transaction
+      await client.query('COMMIT');
+
+      // If query returns a row, user has permission
+      return result.rowCount !== null && result.rowCount > 0;
+    } catch (error) {
+      // Rollback transaction on error
+      await client.query('ROLLBACK').catch(() => {});
+      logger.debug('Subscribe permission denied', { channelName, userId, error });
+      return false;
+    } finally {
+      // Reset role back to default before releasing connection
+      await client.query('RESET ROLE');
+      client.release();
+    }
+  }
+
+  /**
+   * Set user context variables for RLS policy evaluation.
+   * Can be used by other services that need to execute queries with user context.
+   */
+  async setUserContext(
+    client: PoolClient,
+    userId: string | undefined,
+    channelName: string
+  ): Promise<void> {
+    if (userId) {
+      await client.query("SELECT set_config('request.jwt.claim.sub', $1, true)", [userId]);
+    } else {
+      await client.query("SELECT set_config('request.jwt.claim.sub', '', true)");
+    }
+
+    // Set the channel being accessed (used by realtime.channel_name())
+    await client.query("SELECT set_config('realtime.channel_name', $1, true)", [channelName]);
+  }
+}

package/backend/src/services/realtime/realtime-channel.service.ts

@@ -0,0 +1,237 @@
+import { Pool } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
+import { AppError } from '@/api/middlewares/error.js';
+import { ERROR_CODES } from '@/types/error-constants.js';
+import logger from '@/utils/logger.js';
+import type {
+  RealtimeChannel,
+  CreateChannelRequest,
+  UpdateChannelRequest,
+  RealtimeMetadataSchema,
+  RlsPolicy,
+  RealtimePermissionsResponse,
+} from '@insforge/shared-schemas';
+
+const SYSTEM_POLICIES = ['project_admin_policy'];
+
+export class RealtimeChannelService {
+  private static instance: RealtimeChannelService;
+  private pool: Pool | null = null;
+
+  private constructor() {}
+
+  static getInstance(): RealtimeChannelService {
+    if (!RealtimeChannelService.instance) {
+      RealtimeChannelService.instance = new RealtimeChannelService();
+    }
+    return RealtimeChannelService.instance;
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  async list(): Promise<RealtimeChannel[]> {
+    const result = await this.getPool().query(`
+      SELECT
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"
+      FROM realtime.channels
+      ORDER BY created_at DESC
+    `);
+    return result.rows;
+  }
+
+  async getById(id: string): Promise<RealtimeChannel | null> {
+    const result = await this.getPool().query(
+      `SELECT
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"
+      FROM realtime.channels
+      WHERE id = $1`,
+      [id]
+    );
+    return result.rows[0] || null;
+  }
+
+  /**
+   * Find a channel by name (exact match or wildcard pattern match).
+   * For wildcard patterns like "order:%", checks if channelName matches the pattern.
+   * Returns the matching channel if found and enabled, null otherwise.
+   */
+  async getByName(channelName: string): Promise<RealtimeChannel | null> {
+    const result = await this.getPool().query(
+      `SELECT
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"
+      FROM realtime.channels
+      WHERE enabled = TRUE
+        AND (pattern = $1 OR $1 LIKE pattern)
+      ORDER BY pattern = $1 DESC
+      LIMIT 1`,
+      [channelName]
+    );
+    return result.rows[0] || null;
+  }
+
+  async create(input: CreateChannelRequest): Promise<RealtimeChannel> {
+    this.validateChannelPattern(input.pattern);
+
+    const result = await this.getPool().query(
+      `INSERT INTO realtime.channels (
+        pattern, description, webhook_urls, enabled
+      ) VALUES ($1, $2, $3, $4)
+      RETURNING
+        id,
+        pattern,
+        description,
+        webhook_urls as "webhookUrls",
+        enabled,
+        created_at as "createdAt",
+        updated_at as "updatedAt"`,
+      [input.pattern, input.description || null, input.webhookUrls || null, input.enabled ?? true]
+    );
+
+    logger.info('Realtime channel created', { pattern: input.pattern });
+    return result.rows[0];
+  }
+
+  async update(id: string, input: UpdateChannelRequest): Promise<RealtimeChannel> {
+    const existing = await this.getById(id);
+    if (!existing) {
+      throw new AppError('Channel not found', 404, ERROR_CODES.NOT_FOUND);
+    }
+
+    if (input.pattern) {
+      this.validateChannelPattern(input.pattern);
+    }
+
+    const result = await this.getPool().query(
+      `UPDATE realtime.channels
+       SET
+         pattern = COALESCE($2, pattern),
+         description = COALESCE($3, description),
+         webhook_urls = COALESCE($4, webhook_urls),
+         enabled = COALESCE($5, enabled)
+       WHERE id = $1
+       RETURNING
+         id,
+         pattern,
+         description,
+         webhook_urls as "webhookUrls",
+         enabled,
+         created_at as "createdAt",
+         updated_at as "updatedAt"`,
+      [id, input.pattern, input.description, input.webhookUrls, input.enabled]
+    );
+
+    logger.info('Realtime channel updated', { id });
+    return result.rows[0];
+  }
+
+  async delete(id: string): Promise<void> {
+    const existing = await this.getById(id);
+    if (!existing) {
+      throw new AppError('Channel not found', 404, ERROR_CODES.NOT_FOUND);
+    }
+
+    await this.getPool().query('DELETE FROM realtime.channels WHERE id = $1', [id]);
+    logger.info('Realtime channel deleted', { id, pattern: existing.pattern });
+  }
+
+  /**
+   * Get realtime metadata including channels and permissions
+   */
+  async getMetadata(): Promise<RealtimeMetadataSchema> {
+    const [channels, permissions] = await Promise.all([this.list(), this.getPermissions()]);
+
+    return {
+      channels,
+      permissions,
+    };
+  }
+
+  // ============================================================================
+  // Permissions Methods
+  // ============================================================================
+
+  /**
+   * Get RLS policies for a table in the realtime schema, excluding system policies
+   */
+  private async getPolicies(tableName: string): Promise<RlsPolicy[]> {
+    const result = await this.getPool().query(
+      `SELECT
+         policyname as "policyName",
+         tablename as "tableName",
+         cmd as "command",
+         roles,
+         qual as "using",
+         with_check as "withCheck"
+       FROM pg_policies
+       WHERE schemaname = 'realtime'
+         AND tablename = $1
+       ORDER BY policyname`,
+      [tableName]
+    );
+
+    // Filter out system policies
+    return result.rows.filter((policy) => !SYSTEM_POLICIES.includes(policy.policyName));
+  }
+
+  /**
+   * Get all realtime permissions (RLS policies for channels and messages tables)
+   *
+   * - Subscribe permission: RLS policies on realtime.channels (SELECT)
+   * - Publish permission: RLS policies on realtime.messages (INSERT)
+   */
+  async getPermissions(): Promise<RealtimePermissionsResponse> {
+    const [channelsPolicies, messagesPolicies] = await Promise.all([
+      this.getPolicies('channels'),
+      this.getPolicies('messages'),
+    ]);
+
+    return {
+      subscribe: {
+        policies: channelsPolicies,
+      },
+      publish: {
+        policies: messagesPolicies,
+      },
+    };
+  }
+
+  // ============================================================================
+  // Validation
+  // ============================================================================
+
+  private validateChannelPattern(pattern: string): void {
+    // Allow alphanumeric, colons, hyphens, and % for wildcards
+    // Note: underscore is not allowed as it's a SQL wildcard character
+    const validPattern = /^[a-zA-Z0-9-]+(:[a-zA-Z0-9%:-]+)*$/;
+    if (!validPattern.test(pattern)) {
+      throw new AppError(
+        'Invalid channel pattern. Use alphanumeric characters, colons, hyphens, and % for wildcards.',
+        400,
+        ERROR_CODES.INVALID_INPUT
+      );
+    }
+  }
+}