insforge 1.2.10 → 1.4.8

package/backend/src/services/realtime/realtime-message.service.ts

@@ -0,0 +1,260 @@
+import { Pool } from 'pg';
+import { DatabaseManager } from '@/infra/database/database.manager.js';
+import logger from '@/utils/logger.js';
+import type { RealtimeMessage, RoleSchema } from '@insforge/shared-schemas';
+import { RealtimeChannelService } from './realtime-channel.service.js';
+import { RealtimeAuthService } from './realtime-auth.service.js';
+
+export class RealtimeMessageService {
+  private static instance: RealtimeMessageService;
+  private pool: Pool | null = null;
+
+  private constructor() {}
+
+  static getInstance(): RealtimeMessageService {
+    if (!RealtimeMessageService.instance) {
+      RealtimeMessageService.instance = new RealtimeMessageService();
+    }
+    return RealtimeMessageService.instance;
+  }
+
+  private getPool(): Pool {
+    if (!this.pool) {
+      this.pool = DatabaseManager.getInstance().getPool();
+    }
+    return this.pool;
+  }
+
+  /**
+   * Insert a message into the channel (client-initiated send).
+   * RLS INSERT policy controls who can send to which channels.
+   * pg_notify is automatically triggered by database trigger on insert.
+   *
+   * @returns The inserted message data for broadcasting, or null if RLS denied the insert
+   */
+  async insertMessage(
+    channelName: string,
+    eventName: string,
+    payload: Record<string, unknown>,
+    userId: string | undefined,
+    userRole: RoleSchema
+  ): Promise<{
+    channelId: string;
+    channelName: string;
+    eventName: string;
+    payload: Record<string, unknown>;
+    senderId: string | null;
+  } | null> {
+    // Get channel info
+    const channelService = RealtimeChannelService.getInstance();
+    const channel = await channelService.getByName(channelName);
+
+    if (!channel) {
+      logger.debug('Channel not found for message insert', { channelName });
+      return null;
+    }
+
+    const client = await this.getPool().connect();
+
+    try {
+      // Begin transaction to ensure settings persist across queries
+      await client.query('BEGIN');
+
+      // Switch to specified role to enforce RLS policies
+      await client.query(`SET LOCAL ROLE ${userRole}`);
+
+      // Set user context for RLS policy evaluation
+      const authService = RealtimeAuthService.getInstance();
+      await authService.setUserContext(client, userId, channelName);
+
+      // Attempt INSERT with sender info - RLS will allow/deny based on policies
+      // No RETURNING clause needed - trigger handles pg_notify
+      await client.query(
+        `INSERT INTO realtime.messages (event_name, channel_id, channel_name, payload, sender_type, sender_id)
+         VALUES ($1, $2, $3, $4, 'user', $5)`,
+        [eventName, channel.id, channelName, JSON.stringify(payload), userId || null]
+      );
+
+      // Commit transaction - insert succeeded
+      await client.query('COMMIT');
+
+      logger.debug('Client message inserted', {
+        channelName,
+        eventName,
+        userId,
+      });
+
+      return {
+        channelId: channel.id,
+        channelName,
+        eventName,
+        payload,
+        senderId: userId || null,
+      };
+    } catch (error) {
+      // Rollback transaction on error
+      await client.query('ROLLBACK').catch(() => {});
+
+      // RLS policy denied the INSERT or other error
+      logger.debug('Message insert denied or failed', { channelName, eventName, userId, error });
+      return null;
+    } finally {
+      // Reset role back to default before releasing connection
+      await client.query('RESET ROLE');
+      client.release();
+    }
+  }
+
+  /**
+   * Get a message by ID (used by RealtimeManager after pg_notify)
+   */
+  async getById(id: string): Promise<RealtimeMessage | null> {
+    const result = await this.getPool().query(
+      `SELECT
+        id,
+        event_name as "eventName",
+        channel_id as "channelId",
+        channel_name as "channelName",
+        payload,
+        sender_type as "senderType",
+        sender_id as "senderId",
+        ws_audience_count as "wsAudienceCount",
+        wh_audience_count as "whAudienceCount",
+        wh_delivered_count as "whDeliveredCount",
+        created_at as "createdAt"
+      FROM realtime.messages
+      WHERE id = $1`,
+      [id]
+    );
+    return result.rows[0] || null;
+  }
+
+  async list(
+    options: {
+      channelId?: string;
+      eventName?: string;
+      limit?: number;
+      offset?: number;
+    } = {}
+  ): Promise<RealtimeMessage[]> {
+    const { channelId, eventName, limit = 100, offset = 0 } = options;
+
+    let query = `
+      SELECT
+        id,
+        event_name as "eventName",
+        channel_id as "channelId",
+        channel_name as "channelName",
+        payload,
+        sender_type as "senderType",
+        sender_id as "senderId",
+        ws_audience_count as "wsAudienceCount",
+        wh_audience_count as "whAudienceCount",
+        wh_delivered_count as "whDeliveredCount",
+        created_at as "createdAt"
+      FROM realtime.messages
+      WHERE 1=1
+    `;
+
+    const params: (string | number)[] = [];
+    let paramIndex = 1;
+
+    if (channelId) {
+      query += ` AND channel_id = $${paramIndex++}`;
+      params.push(channelId);
+    }
+
+    if (eventName) {
+      query += ` AND event_name = $${paramIndex++}`;
+      params.push(eventName);
+    }
+
+    query += ` ORDER BY created_at DESC LIMIT $${paramIndex++} OFFSET $${paramIndex++}`;
+    params.push(limit, offset);
+
+    const result = await this.getPool().query(query, params);
+    return result.rows;
+  }
+
+  /**
+   * Update message record with delivery statistics
+   */
+  async updateDeliveryStats(
+    messageId: string,
+    stats: {
+      wsAudienceCount: number;
+      whAudienceCount: number;
+      whDeliveredCount: number;
+    }
+  ): Promise<void> {
+    await this.getPool().query(
+      `UPDATE realtime.messages
+       SET
+         ws_audience_count = $2,
+         wh_audience_count = $3,
+         wh_delivered_count = $4
+       WHERE id = $1`,
+      [messageId, stats.wsAudienceCount, stats.whAudienceCount, stats.whDeliveredCount]
+    );
+  }
+
+  async getStats(
+    options: {
+      channelId?: string;
+      since?: Date;
+    } = {}
+  ): Promise<{
+    totalMessages: number;
+    whDeliveryRate: number;
+    topEvents: { eventName: string; count: number }[];
+  }> {
+    const { channelId, since } = options;
+
+    let whereClause = '1=1';
+    const params: (string | Date)[] = [];
+    let paramIndex = 1;
+
+    if (channelId) {
+      whereClause += ` AND channel_id = $${paramIndex++}`;
+      params.push(channelId);
+    }
+
+    if (since) {
+      whereClause += ` AND created_at >= $${paramIndex++}`;
+      params.push(since);
+    }
+
+    const statsResult = await this.getPool().query(
+      `SELECT
+        COUNT(*) as total_messages,
+        SUM(wh_audience_count) as wh_audience_total,
+        SUM(wh_delivered_count) as wh_delivered_total
+      FROM realtime.messages
+      WHERE ${whereClause}`,
+      params
+    );
+
+    const topEventsResult = await this.getPool().query(
+      `SELECT event_name, COUNT(*) as count
+       FROM realtime.messages
+       WHERE ${whereClause}
+       GROUP BY event_name
+       ORDER BY count DESC
+       LIMIT 10`,
+      params
+    );
+
+    const stats = statsResult.rows[0];
+    const whAudienceTotal = parseInt(stats.wh_audience_total) || 0;
+    const whDeliveredTotal = parseInt(stats.wh_delivered_total) || 0;
+
+    return {
+      totalMessages: parseInt(stats.total_messages) || 0,
+      whDeliveryRate: whAudienceTotal > 0 ? whDeliveredTotal / whAudienceTotal : 0,
+      topEvents: topEventsResult.rows.map((row) => ({
+        eventName: row.event_name,
+        count: parseInt(row.count),
+      })),
+    };
+  }
+}

package/backend/src/services/secrets/secret.service.ts

@@ -3,21 +3,9 @@ import crypto from 'crypto';
 import { DatabaseManager } from '@/infra/database/database.manager.js';
 import logger from '@/utils/logger.js';
 import { EncryptionManager } from '@/infra/security/encryption.manager.js';
+import { SecretSchema, CreateSecretRequest } from '@insforge/shared-schemas';
 
-export interface SecretSchema {
-  id: string;
-  key: string;
-  isActive: boolean;
-  isReserved: boolean;
-  lastUsedAt: Date | null;
-  expiresAt: Date | null;
-  createdAt: Date;
-  updatedAt: Date;
-}
-
-export interface CreateSecretInput {
-  key: string;
-  value: string;
+export interface CreateSecretInput extends CreateSecretRequest {
   isReserved?: boolean;
   expiresAt?: Date;
 }
@@ -59,7 +47,7 @@ export class SecretService {
       const encryptedValue = EncryptionManager.encrypt(input.value);
 
       const result = await this.getPool().query(
-        `INSERT INTO _secrets (key, value_ciphertext, is_reserved, expires_at)
+        `INSERT INTO system.secrets (key, value_ciphertext, is_reserved, expires_at)
          VALUES ($1, $2, $3, $4)
          RETURNING id`,
         [input.key, encryptedValue, input.isReserved || false, input.expiresAt || null]
@@ -79,7 +67,7 @@ export class SecretService {
   async getSecretById(id: string): Promise<string | null> {
     try {
       const result = await this.getPool().query(
-        `UPDATE _secrets
+        `UPDATE system.secrets
          SET last_used_at = NOW()
          WHERE id = $1 AND is_active = true
          AND (expires_at IS NULL OR expires_at > NOW())
@@ -106,7 +94,7 @@ export class SecretService {
   async getSecretByKey(key: string): Promise<string | null> {
     try {
       const result = await this.getPool().query(
-        `UPDATE _secrets
+        `UPDATE system.secrets
          SET last_used_at = NOW()
          WHERE key = $1 AND is_active = true
          AND (expires_at IS NULL OR expires_at > NOW())
@@ -142,7 +130,7 @@ export class SecretService {
           expires_at as "expiresAt",
           created_at as "createdAt",
           updated_at as "updatedAt"
-         FROM _secrets
+         FROM system.secrets
          ORDER BY created_at DESC`
       );
 
@@ -183,10 +171,14 @@ export class SecretService {
         values.push(input.expiresAt);
       }
 
+      if (updates.length === 0) {
+        return false;
+      }
+
       values.push(id);
 
       const result = await this.getPool().query(
-        `UPDATE _secrets
+        `UPDATE system.secrets
          SET ${updates.join(', ')}
          WHERE id = $${paramCount}`,
         values
@@ -203,6 +195,81 @@ export class SecretService {
     }
   }
 
+  /**
+   * Update a secret by key
+   */
+  async updateSecretByKey(key: string, input: UpdateSecretInput): Promise<boolean> {
+    try {
+      const updates: string[] = [];
+      const values: (string | boolean | Date | null)[] = [];
+      let paramCount = 1;
+
+      if (input.value !== undefined) {
+        const encryptedValue = EncryptionManager.encrypt(input.value);
+        updates.push(`value_ciphertext = $${paramCount++}`);
+        values.push(encryptedValue);
+      }
+
+      if (input.isActive !== undefined) {
+        updates.push(`is_active = $${paramCount++}`);
+        values.push(input.isActive);
+      }
+
+      if (input.isReserved !== undefined) {
+        updates.push(`is_reserved = $${paramCount++}`);
+        values.push(input.isReserved);
+      }
+
+      if (input.expiresAt !== undefined) {
+        updates.push(`expires_at = $${paramCount++}`);
+        values.push(input.expiresAt);
+      }
+
+      if (updates.length === 0) {
+        return false;
+      }
+
+      values.push(key);
+
+      const result = await this.getPool().query(
+        `UPDATE system.secrets
+         SET ${updates.join(', ')}
+         WHERE key = $${paramCount}`,
+        values
+      );
+
+      const success = (result.rowCount ?? 0) > 0;
+      if (success) {
+        logger.info('Secret updated by key', { key });
+      }
+      return success;
+    } catch (error) {
+      logger.error('Failed to update secret by key', { error, key });
+      throw new Error('Failed to update secret');
+    }
+  }
+
+  /**
+   * Delete a secret by key
+   */
+  async deleteSecretByKey(key: string): Promise<boolean> {
+    try {
+      const result = await this.getPool().query(
+        'DELETE FROM system.secrets WHERE key = $1 AND is_reserved = false',
+        [key]
+      );
+
+      const success = (result.rowCount ?? 0) > 0;
+      if (success) {
+        logger.info('Secret deleted by key', { key });
+      }
+      return success;
+    } catch (error) {
+      logger.error('Failed to delete secret by key', { error, key });
+      throw new Error('Failed to delete secret');
+    }
+  }
+
   /**
    * Check if a secret value matches the stored value
    */
@@ -210,7 +277,7 @@ export class SecretService {
     try {
       // Optimized: Single query that retrieves and updates in one operation
       const result = await this.getPool().query(
-        `UPDATE _secrets
+        `UPDATE system.secrets
          SET last_used_at = NOW()
          WHERE key = $1
          AND is_active = true
@@ -225,7 +292,12 @@ export class SecretService {
       }
 
       const decryptedValue = EncryptionManager.decrypt(result.rows[0].value_ciphertext);
-      const matches = decryptedValue === value;
+      // Use constant-time comparison to prevent timing attacks
+      const decryptedBuffer = Buffer.from(decryptedValue);
+      const valueBuffer = Buffer.from(value);
+      const matches =
+        decryptedBuffer.length === valueBuffer.length &&
+        crypto.timingSafeEqual(decryptedBuffer, valueBuffer);
 
       if (matches) {
         logger.info('Secret check successful', { key });
@@ -247,7 +319,7 @@ export class SecretService {
     try {
       // Optimized: Single query with WHERE clause to prevent deleting reserved secrets
       const result = await this.getPool().query(
-        'DELETE FROM _secrets WHERE id = $1 AND is_reserved = false',
+        'DELETE FROM system.secrets WHERE id = $1 AND is_reserved = false',
         [id]
       );
 
@@ -257,7 +329,7 @@ export class SecretService {
       } else {
         // Check if it exists but is reserved
         const checkResult = await this.getPool().query(
-          'SELECT is_reserved FROM _secrets WHERE id = $1',
+          'SELECT is_reserved FROM system.secrets WHERE id = $1',
           [id]
         );
         if (checkResult.rows.length && checkResult.rows[0].is_reserved) {
@@ -279,7 +351,9 @@ export class SecretService {
     try {
       await client.query('BEGIN');
 
-      const oldSecretResult = await client.query(`SELECT key FROM _secrets WHERE id = $1`, [id]);
+      const oldSecretResult = await client.query(`SELECT key FROM system.secrets WHERE id = $1`, [
+        id,
+      ]);
 
       if (!oldSecretResult.rows.length) {
         throw new Error('Secret not found');
@@ -288,7 +362,7 @@ export class SecretService {
       const secretKey = oldSecretResult.rows[0].key;
 
       await client.query(
-        `UPDATE _secrets
+        `UPDATE system.secrets
          SET is_active = false,
              expires_at = NOW() + INTERVAL '24 hours'
          WHERE id = $1`,
@@ -297,7 +371,7 @@ export class SecretService {
 
       const encryptedValue = EncryptionManager.encrypt(newValue);
       const newSecretResult = await client.query(
-        `INSERT INTO _secrets (key, value_ciphertext)
+        `INSERT INTO system.secrets (key, value_ciphertext)
          VALUES ($1, $2)
          RETURNING id`,
         [secretKey, encryptedValue]
@@ -327,7 +401,7 @@ export class SecretService {
   async cleanupExpiredSecrets(): Promise<number> {
     try {
       const result = await this.getPool().query(
-        `DELETE FROM _secrets
+        `DELETE FROM system.secrets
          WHERE expires_at IS NOT NULL
          AND expires_at < NOW()
          RETURNING id`

package/backend/src/services/storage/storage.service.ts

@@ -109,7 +109,7 @@ export class StorageService {
     // This query finds all files matching the pattern and extracts the counter number
     const result = await this.getPool().query(
       `
-        SELECT key FROM _storage
+        SELECT key FROM storage.objects
         WHERE bucket = $1
         AND (key = $2 OR key LIKE $3)
       `,
@@ -169,7 +169,7 @@ export class StorageService {
       // Save metadata to database and return the timestamp in one operation
       const result = await client.query(
         `
-        INSERT INTO _storage (bucket, key, size, mime_type, uploaded_by)
+        INSERT INTO storage.objects (bucket, key, size, mime_type, uploaded_by)
         VALUES ($1, $2, $3, $4, $5)
         RETURNING uploaded_at as "uploadedAt"
       `,
@@ -207,7 +207,7 @@ export class StorageService {
     this.validateKey(key);
 
     const result = await this.getPool().query(
-      'SELECT * FROM _storage WHERE bucket = $1 AND key = $2',
+      'SELECT * FROM storage.objects WHERE bucket = $1 AND key = $2',
       [bucket, key]
     );
 
@@ -249,7 +249,7 @@ export class StorageService {
       // Check permissions
       if (!isAdmin) {
         const fileResult = await client.query(
-          'SELECT uploaded_by FROM _storage WHERE bucket = $1 AND key = $2',
+          'SELECT uploaded_by FROM storage.objects WHERE bucket = $1 AND key = $2',
           [bucket, key]
         );
 
@@ -273,10 +273,10 @@ export class StorageService {
       await this.provider.deleteObject(bucket, key);
 
       // Delete from database
-      const result = await client.query('DELETE FROM _storage WHERE bucket = $1 AND key = $2', [
-        bucket,
-        key,
-      ]);
+      const result = await client.query(
+        'DELETE FROM storage.objects WHERE bucket = $1 AND key = $2',
+        [bucket, key]
+      );
 
       return result.rowCount !== null && result.rowCount > 0;
     } finally {
@@ -295,8 +295,8 @@ export class StorageService {
 
     const client = await this.getPool().connect();
     try {
-      let query = 'SELECT * FROM _storage WHERE bucket = $1';
-      let countQuery = 'SELECT COUNT(*) as count FROM _storage WHERE bucket = $1';
+      let query = 'SELECT * FROM storage.objects WHERE bucket = $1';
+      let countQuery = 'SELECT COUNT(*) as count FROM storage.objects WHERE bucket = $1';
       const params: (string | number)[] = [bucket];
       let paramIndex = 2;
 
@@ -338,7 +338,7 @@ export class StorageService {
 
   async isBucketPublic(bucket: string): Promise<boolean> {
     const result = await this.getPool().query(
-      'SELECT public FROM _storage_buckets WHERE name = $1',
+      'SELECT public FROM storage.buckets WHERE name = $1',
       [bucket]
     );
     return result.rows[0]?.public || false;
@@ -348,7 +348,7 @@ export class StorageService {
     const client = await this.getPool().connect();
     try {
       // Check if bucket exists
-      const bucketResult = await client.query('SELECT name FROM _storage_buckets WHERE name = $1', [
+      const bucketResult = await client.query('SELECT name FROM storage.buckets WHERE name = $1', [
         bucket,
       ]);
 
@@ -356,9 +356,9 @@ export class StorageService {
         throw new Error(`Bucket "${bucket}" does not exist`);
       }
 
-      // Update bucket visibility in _storage_buckets table
+      // Update bucket visibility in storage.buckets table
       await client.query(
-        'UPDATE _storage_buckets SET public = $1, updated_at = CURRENT_TIMESTAMP WHERE name = $2',
+        'UPDATE storage.buckets SET public = $1, updated_at = CURRENT_TIMESTAMP WHERE name = $2',
         [isPublic, bucket]
       );
 
@@ -370,9 +370,9 @@ export class StorageService {
   }
 
   async listBuckets(): Promise<StorageBucketSchema[]> {
-    // Get all buckets with their metadata from _storage_buckets table
+    // Get all buckets with their metadata from storage.buckets table
     const result = await this.getPool().query(
-      'SELECT name, public, created_at as "createdAt" FROM _storage_buckets ORDER BY name'
+      'SELECT name, public, created_at as "createdAt" FROM storage.buckets ORDER BY name'
     );
 
     return result.rows as StorageBucketSchema[];
@@ -384,7 +384,7 @@ export class StorageService {
     const client = await this.getPool().connect();
     try {
       // Check if bucket already exists
-      const existing = await client.query('SELECT name FROM _storage_buckets WHERE name = $1', [
+      const existing = await client.query('SELECT name FROM storage.buckets WHERE name = $1', [
         bucket,
       ]);
 
@@ -392,8 +392,8 @@ export class StorageService {
         throw new Error(`Bucket "${bucket}" already exists`);
       }
 
-      // Insert bucket into _storage_buckets table
-      await client.query('INSERT INTO _storage_buckets (name, public) VALUES ($1, $2)', [
+      // Insert bucket into storage.buckets table
+      await client.query('INSERT INTO storage.buckets (name, public) VALUES ($1, $2)', [
         bucket,
         isPublic,
       ]);
@@ -414,7 +414,7 @@ export class StorageService {
     const client = await this.getPool().connect();
     try {
       // Check if bucket exists
-      const bucketResult = await client.query('SELECT name FROM _storage_buckets WHERE name = $1', [
+      const bucketResult = await client.query('SELECT name FROM storage.buckets WHERE name = $1', [
         bucket,
       ]);
 
@@ -425,8 +425,8 @@ export class StorageService {
       // Delete bucket using backend (handles all files)
       await this.provider.deleteBucket(bucket);
 
-      // Delete from storage table (cascade will handle _storage entries)
-      await client.query('DELETE FROM _storage_buckets WHERE name = $1', [bucket]);
+      // Delete from storage table (cascade will handle storage.objects entries)
+      await client.query('DELETE FROM storage.buckets WHERE name = $1', [bucket]);
 
       // Update storage metadata
       // Metadata is now updated on-demand
@@ -451,7 +451,7 @@ export class StorageService {
     const client = await this.getPool().connect();
     try {
       // Check if bucket exists
-      const bucketResult = await client.query('SELECT name FROM _storage_buckets WHERE name = $1', [
+      const bucketResult = await client.query('SELECT name FROM storage.buckets WHERE name = $1', [
         bucket,
       ]);
 
@@ -503,7 +503,7 @@ export class StorageService {
     try {
       // Check if already confirmed
       const existingResult = await client.query(
-        'SELECT key FROM _storage WHERE bucket = $1 AND key = $2',
+        'SELECT key FROM storage.objects WHERE bucket = $1 AND key = $2',
         [bucket, key]
       );
 
@@ -514,7 +514,7 @@ export class StorageService {
       // Save metadata to database and return the timestamp in one operation
       const result = await client.query(
         `
-        INSERT INTO _storage (bucket, key, size, mime_type, uploaded_by)
+        INSERT INTO storage.objects (bucket, key, size, mime_type, uploaded_by)
         VALUES ($1, $2, $3, $4, $5)
         RETURNING uploaded_at as "uploadedAt"
       `,
@@ -548,9 +548,9 @@ export class StorageService {
    * Get storage metadata
    */
   async getMetadata(): Promise<StorageMetadataSchema> {
-    // Get storage buckets from _storage_buckets table
+    // Get storage buckets from storage.buckets table
     const result = await this.getPool().query(
-      'SELECT name, public, created_at as "createdAt" FROM _storage_buckets ORDER BY name'
+      'SELECT name, public, created_at as "createdAt" FROM storage.buckets ORDER BY name'
     );
 
     const storageBuckets = result.rows as StorageBucketSchema[];
@@ -572,7 +572,7 @@ export class StorageService {
     try {
       // Query to get object count for each bucket
       const result = await this.getPool().query(
-        'SELECT bucket, COUNT(*) as count FROM _storage GROUP BY bucket'
+        'SELECT bucket, COUNT(*) as count FROM storage.objects GROUP BY bucket'
       );
 
       const bucketCounts = result.rows as { bucket: string; count: string }[];
@@ -595,11 +595,11 @@ export class StorageService {
 
   private async getStorageSizeInGB(): Promise<number> {
     try {
-      // Query the _storage table to sum all file sizes
+      // Query the storage.objects table to sum all file sizes
       const result = await this.getPool().query(
         `
         SELECT COALESCE(SUM(size), 0) as total_size
-        FROM _storage
+        FROM storage.objects
       `
       );