insforge 1.3.0 → 1.4.8

package/backend/src/services/database/database-advance.service.ts

@@ -9,7 +9,7 @@ import {
 } from '@insforge/shared-schemas';
 import logger from '@/utils/logger.js';
 import { ERROR_CODES } from '@/types/error-constants.js';
-import { parseSQLStatements } from '@/utils/sql-parser.js';
+import { parseSQLStatements, checkAuthSchemaOperations } from '@/utils/sql-parser.js';
 import { validateTableName } from '@/utils/validations.js';
 import format from 'pg-format';
 import { parse } from 'csv-parse/sync';
@@ -66,28 +66,26 @@ export class DatabaseAdvanceService {
   /**
    * Sanitize query with strict or relaxed mode
    *
-   * BOTH MODES block:
+   * Blocks:
    * - DROP DATABASE, CREATE DATABASE, ALTER DATABASE
    * - pg_catalog and information_schema access
+   * - DELETE operations on auth schema (prevents user deletion via raw SQL)
+   * - TRUNCATE operations on auth schema (prevents mass user deletion)
+   * - DROP operations on auth schema (prevents destruction of tables, indexes, triggers, functions, views, sequences, schemas, policies, types, domains)
    *
-   * STRICT MODE blocks:
-   * - ALL operations on system tables (tables starting with _)
-   * - DROP or RENAME operations on users table
-   *
-   * RELAXED MODE allows:
-   * - SELECT and INSERT into system tables and users table
-   * RELAXED MODE blocks:
-   * - UPDATE/DELETE/DROP/CREATE/ALTER system tables
-   * - UPDATE/DELETE/DROP/RENAME users table
+   * Allows:
+   * - SELECT queries on auth schema (for reading user data)
+   * - INSERT operations on auth schema (for test users)
+   * - CREATE TRIGGER on auth tables (for automatic profile creation, etc.)
+   * - Other DDL operations on auth schema (ALTER TABLE for indexes, etc.)
    */
-  sanitizeQuery(query: string, mode: 'strict' | 'relaxed' = 'strict'): string {
-    // Both modes: Block database-level operations
+  sanitizeQuery(query: string, _mode: 'strict' | 'relaxed' = 'strict'): string {
+    // Block database-level operations
     const dangerousPatterns = [
       /DROP\s+DATABASE/i,
       /CREATE\s+DATABASE/i,
       /ALTER\s+DATABASE/i,
       /pg_catalog/i,
-      /information_schema/i,
     ];
 
     for (const pattern of dangerousPatterns) {
@@ -96,47 +94,13 @@ export class DatabaseAdvanceService {
       }
     }
 
-    // Check for RENAME TO system table
-    const renameToSystemTablePattern = /RENAME\s+TO\s+(?:\w+\.)?["']?_\w+/im;
-    if (renameToSystemTablePattern.test(query)) {
-      throw new AppError(
-        'Cannot rename tables to system table names (tables starting with underscore)',
-        403,
-        ERROR_CODES.FORBIDDEN
-      );
-    }
-
-    // Check for DROP or RENAME operations on 'users' table
-    const usersTablePattern =
-      /(?:^|\n|;)\s*(?:DROP\s+(?:TABLE\s+)?(?:IF\s+EXISTS\s+)?(?:\w+\.)?["']?users["']?|ALTER\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?:\w+\.)?["']?users["']?\s+RENAME\s+TO)/im;
-    if (usersTablePattern.test(query)) {
-      throw new AppError('Cannot drop or rename the users table', 403, ERROR_CODES.FORBIDDEN);
-    }
-
-    if (mode === 'strict') {
-      // Check for system table operations (tables starting with underscore)
-      // This pattern checks each statement in multi-statement queries, including schema-qualified names
-      const systemTablePattern =
-        /(?:^|\n|;)\s*(?:CREATE|ALTER|DROP|INSERT\s+INTO|UPDATE|DELETE\s+FROM|TRUNCATE)\s+(?:TABLE\s+)?(?:IF\s+(?:NOT\s+)?EXISTS\s+)?(?:\w+\.)?["']?_\w+/im;
-      if (systemTablePattern.test(query)) {
-        throw new AppError(
-          'Cannot modify or create system tables (tables starting with underscore)',
-          403,
-          ERROR_CODES.FORBIDDEN
-        );
-      }
-    } else {
-      // Relaxed mode: Allow only SELECT and INSERT into system tables and users table
-      // Block UPDATE, DELETE, DROP, CREATE, ALTER, TRUNCATE
-      const systemTableDestructivePattern =
-        /(?:^|\n|;)\s*(?:CREATE|ALTER|DROP|TRUNCATE|UPDATE|DELETE\s+FROM)\s+(?:TABLE\s+)?(?:IF\s+(?:NOT\s+)?EXISTS\s+)?(?:\w+\.)?["']?_\w+/im;
-      if (systemTableDestructivePattern.test(query)) {
-        throw new AppError(
-          'Cannot UPDATE/DELETE/DROP/CREATE/ALTER system tables (tables starting with underscore)',
-          403,
-          ERROR_CODES.FORBIDDEN
-        );
-      }
+    // Use parser-based check for auth schema operations
+    const authError = checkAuthSchemaOperations(query);
+    if (authError) {
+      logger.warn('Blocked operation on auth schema', {
+        query: query.substring(0, 100),
+      });
+      throw new AppError(authError, 403, ERROR_CODES.FORBIDDEN);
     }
 
     return query;

package/backend/src/services/database/database-table.service.ts

@@ -30,8 +30,6 @@ const reservedColumns = {
   updated_at: ColumnType.DATETIME,
 };
 
-const userTableFrozenColumns = ['nickname', 'avatar_url'];
-
 const SAFE_FUNCS = new Set(['now()', 'gen_random_uuid()']);
 
 function getSafeDollarQuotedLiteral(s: string) {
@@ -105,7 +103,6 @@ export class DatabaseTableService {
         FROM information_schema.tables
         WHERE table_schema = 'public'
         AND table_type = 'BASE TABLE'
-        AND table_name NOT LIKE '\\_%'
       `
     );
 
@@ -122,15 +119,6 @@ export class DatabaseTableService {
   ): Promise<CreateTableResponse> {
     // Validate table name
     validateIdentifier(table_name, 'table');
-    // Prevent creation of system tables
-    if (table_name.startsWith('_')) {
-      throw new AppError(
-        'Cannot create system tables',
-        403,
-        ERROR_CODES.FORBIDDEN,
-        'Table names starting with underscore are reserved for system tables'
-      );
-    }
 
     // Filter out reserved fields with matching types, throw error for mismatched types
     const validatedColumns = this.validateReservedFields(columns);
@@ -245,7 +233,7 @@ export class DatabaseTableService {
         `
           CREATE TRIGGER ${this.quoteIdentifier(table_name + '_update_timestamp')}
           BEFORE UPDATE ON ${this.quoteIdentifier(table_name)}
-          FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+          FOR EACH ROW EXECUTE FUNCTION system.update_updated_at();
         `
       );
 
@@ -304,6 +292,7 @@ export class DatabaseTableService {
           SELECT
             column_name,
             data_type,
+            udt_name,
             is_nullable,
             column_default,
             character_maximum_length
@@ -374,17 +363,21 @@ export class DatabaseTableService {
 
       return {
         tableName: table,
-        columns: columns.map((col: ColumnInfo) => ({
-          columnName: col.column_name,
-          type: convertSqlTypeToColumnType(col.data_type),
-          isNullable: col.is_nullable === 'YES',
-          isPrimaryKey: pkSet.has(col.column_name),
-          isUnique: pkSet.has(col.column_name) || uniqueSet.has(col.column_name),
-          defaultValue: this.parseDefaultValue(col.column_default),
-          ...(foreignKeyMap.has(col.column_name) && {
-            foreignKey: foreignKeyMap.get(col.column_name),
-          }),
-        })),
+        columns: columns.map((col: ColumnInfo) => {
+          // For USER-DEFINED types (extensions like pgvector), use udt_name
+          const effectiveType = col.data_type === 'USER-DEFINED' ? col.udt_name : col.data_type;
+          return {
+            columnName: col.column_name,
+            type: convertSqlTypeToColumnType(effectiveType),
+            isNullable: col.is_nullable === 'YES',
+            isPrimaryKey: pkSet.has(col.column_name),
+            isUnique: pkSet.has(col.column_name) || uniqueSet.has(col.column_name),
+            defaultValue: this.parseDefaultValue(col.column_default),
+            ...(foreignKeyMap.has(col.column_name) && {
+              foreignKey: foreignKeyMap.get(col.column_name),
+            }),
+          };
+        }),
         recordCount: row_count,
       };
     } finally {
@@ -402,16 +395,6 @@ export class DatabaseTableService {
     const { addColumns, dropColumns, updateColumns, addForeignKeys, dropForeignKeys, renameTable } =
       operations;
 
-    // Prevent modification of system tables
-    if (tableName.startsWith('_')) {
-      throw new AppError(
-        'System tables cannot be modified',
-        403,
-        ERROR_CODES.DATABASE_FORBIDDEN,
-        'System tables cannot be modified. System tables are prefixed with underscore.'
-      );
-    }
-
     const client = await this.getPool().connect();
     try {
       // Check if table exists
@@ -492,14 +475,6 @@ export class DatabaseTableService {
               `You cannot drop the system column '${col}'`
             );
           }
-          if (tableName === 'users' && userTableFrozenColumns.includes(col)) {
-            throw new AppError(
-              'cannot drop frozen users columns',
-              403,
-              ERROR_CODES.FORBIDDEN,
-              `You cannot drop the frozen users column '${col}'`
-            );
-          }
           await client.query(
             `
               ALTER TABLE ${safeTableName}
@@ -522,14 +497,6 @@ export class DatabaseTableService {
               `You cannot update the system column '${column.columnName}'`
             );
           }
-          if (tableName === 'users' && userTableFrozenColumns.includes(column.columnName)) {
-            throw new AppError(
-              'cannot update frozen user columns',
-              403,
-              ERROR_CODES.FORBIDDEN,
-              `You cannot update the frozen users column '${column.columnName}'`
-            );
-          }
 
           // Handle default value changes
           if (column.defaultValue !== undefined) {
@@ -620,19 +587,6 @@ export class DatabaseTableService {
       }
 
       if (renameTable && renameTable.newTableName) {
-        if (tableName === 'users') {
-          throw new AppError('Cannot rename users table', 403, ERROR_CODES.FORBIDDEN);
-        }
-        // Prevent renaming to system tables
-        if (renameTable.newTableName.startsWith('_')) {
-          throw new AppError(
-            'Cannot rename to system table',
-            403,
-            ERROR_CODES.FORBIDDEN,
-            'Table names starting with underscore are reserved for system tables'
-          );
-        }
-
         const safeNewTableName = this.quoteIdentifier(renameTable.newTableName);
         // Rename the table
         await client.query(
@@ -669,19 +623,6 @@ export class DatabaseTableService {
    * Delete a table
    */
   async deleteTable(table: string): Promise<DeleteTableResponse> {
-    // Prevent deletion of system tables
-    if (table.startsWith('_')) {
-      throw new AppError(
-        'System tables cannot be deleted',
-        403,
-        ERROR_CODES.DATABASE_FORBIDDEN,
-        'System tables cannot be deleted. System tables are prefixed with underscore.'
-      );
-    }
-    if (table === 'users') {
-      throw new AppError('Cannot delete users table', 403, ERROR_CODES.DATABASE_FORBIDDEN);
-    }
-
     const client = await this.getPool().connect();
     try {
       await client.query(`DROP TABLE IF EXISTS ${this.quoteIdentifier(table)} CASCADE`);
@@ -712,6 +653,15 @@ export class DatabaseTableService {
     return `"${identifier.replace(/"/g, '""')}"`;
   }
 
+  // Quote a table reference, with special handling for auth.users
+  private quoteTableReference(tableRef: string): string {
+    // Only allow auth.users as a cross-schema reference
+    if (tableRef === 'auth.users') {
+      return '"auth"."users"';
+    }
+    return this.quoteIdentifier(tableRef);
+  }
+
   private validateReservedFields(columns: ColumnSchema[]): ColumnSchema[] {
     return columns.filter((col: ColumnSchema) => {
       const reservedType = reservedColumns[col.columnName as keyof typeof reservedColumns];
@@ -743,14 +693,16 @@ export class DatabaseTableService {
     }
     // Store foreign_key in a const to avoid repeated non-null assertions
     const fk = col.foreignKey;
-    const constraintName = `fk_${col.columnName}_${fk.referenceTable}_${fk.referenceColumn}`;
+    // Use "auth_users" in constraint name for auth.users references
+    const safeTableName = fk.referenceTable === 'auth.users' ? 'auth_users' : fk.referenceTable;
+    const constraintName = `fk_${col.columnName}_${safeTableName}_${fk.referenceColumn}`;
     const onDelete = fk.onDelete || 'RESTRICT';
     const onUpdate = fk.onUpdate || 'RESTRICT';
 
     if (include_source_column) {
-      return `CONSTRAINT ${this.quoteIdentifier(constraintName)} FOREIGN KEY (${this.quoteIdentifier(col.columnName)}) REFERENCES ${this.quoteIdentifier(fk.referenceTable)}(${this.quoteIdentifier(fk.referenceColumn)}) ON DELETE ${onDelete} ON UPDATE ${onUpdate}`;
+      return `CONSTRAINT ${this.quoteIdentifier(constraintName)} FOREIGN KEY (${this.quoteIdentifier(col.columnName)}) REFERENCES ${this.quoteTableReference(fk.referenceTable)}(${this.quoteIdentifier(fk.referenceColumn)}) ON DELETE ${onDelete} ON UPDATE ${onUpdate}`;
     } else {
-      return `CONSTRAINT ${this.quoteIdentifier(constraintName)} REFERENCES ${this.quoteIdentifier(fk.referenceTable)}(${this.quoteIdentifier(fk.referenceColumn)}) ON DELETE ${onDelete} ON UPDATE ${onUpdate}`;
+      return `CONSTRAINT ${this.quoteIdentifier(constraintName)} REFERENCES ${this.quoteTableReference(fk.referenceTable)}(${this.quoteIdentifier(fk.referenceColumn)}) ON DELETE ${onDelete} ON UPDATE ${onUpdate}`;
     }
   }
 
@@ -760,6 +712,7 @@ export class DatabaseTableService {
         SELECT
           tc.constraint_name,
           kcu.column_name as from_column,
+          ccu.table_schema AS foreign_schema,
           ccu.table_name AS foreign_table,
           ccu.column_name AS foreign_column,
           rc.delete_rule as on_delete,
@@ -770,7 +723,6 @@ export class DatabaseTableService {
           AND tc.table_schema = kcu.table_schema
         JOIN information_schema.constraint_column_usage AS ccu
           ON ccu.constraint_name = tc.constraint_name
-          AND ccu.table_schema = tc.table_schema
         JOIN information_schema.referential_constraints AS rc
           ON rc.constraint_name = tc.constraint_name
           AND rc.constraint_schema = tc.table_schema
@@ -785,13 +737,14 @@ export class DatabaseTableService {
     // Create a map of column names to their foreign key info
     const foreignKeyMap = new Map<string, ForeignKeyInfo>();
     foreignKeys.forEach((fk: ForeignKeyRow) => {
-      if (fk.foreign_table.startsWith('_')) {
-        // hiden internal table.
-        return;
-      }
+      // Prefix table name with schema if not public (e.g., "auth.users")
+      const referenceTable =
+        fk.foreign_schema !== 'public'
+          ? `${fk.foreign_schema}.${fk.foreign_table}`
+          : fk.foreign_table;
       foreignKeyMap.set(fk.from_column, {
         constraint_name: fk.constraint_name,
-        referenceTable: fk.foreign_table,
+        referenceTable,
         referenceColumn: fk.foreign_column,
         onDelete: fk.on_delete as OnDeleteActionSchema,
         onUpdate: fk.on_update as OnUpdateActionSchema,

package/backend/src/services/database/postgrest-proxy.service.ts

@@ -0,0 +1,165 @@
+import axios, { AxiosResponse } from 'axios';
+import http from 'http';
+import https from 'https';
+import { TokenManager } from '@/infra/security/token.manager.js';
+import { SecretService } from '@/services/secrets/secret.service.js';
+import logger from '@/utils/logger.js';
+
+const postgrestUrl = process.env.POSTGREST_BASE_URL || 'http://localhost:5430';
+
+// Connection pooling for PostgREST
+const httpAgent = new http.Agent({
+  keepAlive: true,
+  keepAliveMsecs: 5000,
+  maxSockets: 20,
+  maxFreeSockets: 5,
+  timeout: 10000,
+});
+
+const httpsAgent = new https.Agent({
+  keepAlive: true,
+  keepAliveMsecs: 5000,
+  maxSockets: 20,
+  maxFreeSockets: 5,
+  timeout: 10000,
+});
+
+const postgrestAxios = axios.create({
+  httpAgent,
+  httpsAgent,
+  timeout: 10000,
+  maxRedirects: 0,
+  headers: {
+    Connection: 'keep-alive',
+    'Keep-Alive': 'timeout=5, max=10',
+  },
+});
+
+export interface ProxyRequest {
+  method: string;
+  path: string;
+  query?: Record<string, unknown>;
+  headers?: Record<string, string | string[] | undefined>;
+  body?: unknown;
+  apiKey?: string;
+}
+
+export interface ProxyResponse {
+  data: unknown;
+  status: number;
+  headers: Record<string, unknown>;
+}
+
+/**
+ * Headers that should not be forwarded to the client
+ */
+const EXCLUDED_HEADERS = new Set([
+  'content-length',
+  'transfer-encoding',
+  'connection',
+  'content-encoding',
+]);
+
+export class PostgrestProxyService {
+  private static instance: PostgrestProxyService;
+  private tokenManager = TokenManager.getInstance();
+  private secretService = SecretService.getInstance();
+  private adminToken: string;
+
+  private constructor() {
+    this.adminToken = this.tokenManager.generateAdminToken();
+  }
+
+  public static getInstance(): PostgrestProxyService {
+    if (!PostgrestProxyService.instance) {
+      PostgrestProxyService.instance = new PostgrestProxyService();
+    }
+    return PostgrestProxyService.instance;
+  }
+
+  /**
+   * Filter headers for forwarding to client (excludes problematic ones)
+   */
+  static filterHeaders(headers: Record<string, unknown>): Record<string, string> {
+    const filtered: Record<string, string> = {};
+    for (const [key, value] of Object.entries(headers)) {
+      if (!EXCLUDED_HEADERS.has(key.toLowerCase()) && value !== undefined) {
+        filtered[key] = value as string;
+      }
+    }
+    return filtered;
+  }
+
+  /**
+   * Forward request to PostgREST with retry logic
+   */
+  async forward(request: ProxyRequest): Promise<ProxyResponse> {
+    const targetUrl = `${postgrestUrl}${request.path}`;
+
+    const axiosConfig: {
+      method: string;
+      url: string;
+      params?: Record<string, unknown>;
+      headers: Record<string, string | string[] | undefined>;
+      data?: unknown;
+    } = {
+      method: request.method,
+      url: targetUrl,
+      params: request.query,
+      headers: {
+        ...request.headers,
+        host: undefined,
+        'content-length': undefined,
+      },
+    };
+
+    // Use admin token if valid API key provided
+    if (request.apiKey) {
+      const isValid = await this.secretService.verifyApiKey(request.apiKey);
+      if (isValid) {
+        axiosConfig.headers.authorization = `Bearer ${this.adminToken}`;
+      }
+    }
+
+    if (request.body !== undefined) {
+      axiosConfig.data = request.body;
+    }
+
+    // Retry logic
+    let response: AxiosResponse | undefined;
+    let lastError: unknown;
+    const maxRetries = 3;
+
+    for (let attempt = 1; attempt <= maxRetries; attempt++) {
+      try {
+        response = await postgrestAxios(axiosConfig);
+        break;
+      } catch (error) {
+        lastError = error;
+        const shouldRetry = axios.isAxiosError(error) && !error.response && attempt < maxRetries;
+
+        if (shouldRetry) {
+          logger.warn(`PostgREST request failed, retrying (attempt ${attempt}/${maxRetries})`, {
+            url: targetUrl,
+            errorCode: (error as NodeJS.ErrnoException).code,
+            message: (error as Error).message,
+          });
+          const backoffDelay = Math.min(200 * Math.pow(2.5, attempt - 1), 1000);
+          await new Promise((resolve) => setTimeout(resolve, backoffDelay));
+        } else {
+          throw error;
+        }
+      }
+    }
+
+    if (!response) {
+      throw lastError || new Error('Failed to get response from PostgREST');
+    }
+
+    return {
+      data: response.data,
+      status: response.status,
+      headers: response.headers as Record<string, unknown>,
+    };
+  }
+}