insforge 1.3.0 → 1.4.8

package/backend/src/utils/sql-parser.ts

@@ -92,6 +92,132 @@ function extractChange(stmt: Record<string, unknown>): DatabaseResourceUpdate |
   return { type };
 }
 
+/**
+ * Extract schema name from a relation/RangeVar node in the AST
+ */
+function getSchemaName(relation: Record<string, unknown> | undefined): string | null {
+  if (!relation) {
+    return null;
+  }
+
+  // Direct schemaname property (for DeleteStmt.relation)
+  if (relation.schemaname) {
+    return relation.schemaname as string;
+  }
+
+  // RangeVar structure (for TruncateStmt.relations)
+  if (relation.RangeVar) {
+    const rangeVar = relation.RangeVar as Record<string, unknown>;
+    if (rangeVar.schemaname) {
+      return rangeVar.schemaname as string;
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Check if a query contains dangerous operations on the auth schema
+ * Returns an error message if blocked, null if allowed
+ */
+export function checkAuthSchemaOperations(query: string): string | null {
+  try {
+    const { stmts } = parseSync(query);
+
+    for (const stmtWrapper of stmts) {
+      const stmt = stmtWrapper.stmt as Record<string, unknown>;
+      const [stmtType, data] = Object.entries(stmt)[0] as [string, Record<string, unknown>];
+
+      // Check DELETE statements
+      if (stmtType === 'DeleteStmt') {
+        const relation = data.relation as Record<string, unknown> | undefined;
+        const schemaName = getSchemaName(relation);
+        if (schemaName?.toLowerCase() === 'auth') {
+          return 'DELETE operations on auth schema are not allowed. User deletion must be done through dedicated authentication APIs.';
+        }
+      }
+
+      // Check TRUNCATE statements
+      if (stmtType === 'TruncateStmt') {
+        const relations = (data.relations as Array<Record<string, unknown>>) || [];
+        for (const relation of relations) {
+          const schemaName = getSchemaName(relation);
+          if (schemaName?.toLowerCase() === 'auth') {
+            return 'TRUNCATE operations on auth schema are not allowed. This would delete all users and must be done through dedicated authentication APIs.';
+          }
+        }
+      }
+
+      // Check DROP statements
+      if (stmtType === 'DropStmt') {
+        const objects = (data.objects as Array<unknown>) || [];
+        for (const obj of objects) {
+          if (typeof obj === 'object' && obj !== null) {
+            const objRecord = obj as Record<string, unknown>;
+            let schemaName: string | null = null;
+
+            // DROP SCHEMA: direct String object
+            if (objRecord.String) {
+              const stringObj = objRecord.String as Record<string, unknown>;
+              if (stringObj.sval) {
+                schemaName = stringObj.sval as string;
+              }
+            }
+            // DROP TABLE/INDEX/VIEW/etc: List with [schema, name] items
+            else if (objRecord.List) {
+              const list = objRecord.List as Record<string, unknown>;
+              const items = (list.items as Array<Record<string, unknown>>) || [];
+              // First item is typically the schema name
+              if (items.length > 0) {
+                const firstItem = items[0];
+                if (firstItem.String) {
+                  const stringObj = firstItem.String as Record<string, unknown>;
+                  schemaName = stringObj.sval as string;
+                }
+              }
+            }
+            // DROP FUNCTION/PROCEDURE: ObjectWithArgs with objname array
+            else if (objRecord.ObjectWithArgs) {
+              const objectWithArgs = objRecord.ObjectWithArgs as Record<string, unknown>;
+              const objname = (objectWithArgs.objname as Array<Record<string, unknown>>) || [];
+              // First item is typically the schema name
+              if (objname.length > 0) {
+                const firstItem = objname[0];
+                if (firstItem.String) {
+                  const stringObj = firstItem.String as Record<string, unknown>;
+                  schemaName = stringObj.sval as string;
+                }
+              }
+            }
+            // DROP TYPE/DOMAIN: TypeName with names array
+            else if (objRecord.TypeName) {
+              const typeName = objRecord.TypeName as Record<string, unknown>;
+              const names = (typeName.names as Array<Record<string, unknown>>) || [];
+              // First item is typically the schema name
+              if (names.length > 0) {
+                const firstItem = names[0];
+                if (firstItem.String) {
+                  const stringObj = firstItem.String as Record<string, unknown>;
+                  schemaName = stringObj.sval as string;
+                }
+              }
+            }
+
+            if (schemaName?.toLowerCase() === 'auth') {
+              return 'DROP operations on auth schema are not allowed. This would destroy authentication resources and break the system.';
+            }
+          }
+        }
+      }
+    }
+
+    return null; // No dangerous operations found
+  } catch (parseError) {
+    logger.warn('SQL parse error in checkAuthSchemaOperations, letting query through:', parseError);
+    return null;
+  }
+}
+
 /**
  * Parse a SQL string into individual statements, properly handling:
  * - String literals with embedded semicolons

package/backend/src/utils/utils.ts

@@ -1,114 +1,114 @@
-import crypto from 'crypto';
-import { ColumnType, type AuthConfigSchema } from '@insforge/shared-schemas';
-
-/**
- * Generates a user-friendly error message listing all password requirements
- * @param config - Authentication configuration with password requirements
- * @returns A formatted message listing all enabled password requirements
- */
-export function getPasswordRequirementsMessage(config: AuthConfigSchema): string {
-  const requirements: string[] = [];
-
-  requirements.push(`at least ${config.passwordMinLength} characters long`);
-
-  if (config.requireNumber) {
-    requirements.push('at least one number');
-  }
-
-  if (config.requireLowercase) {
-    requirements.push('at least one lowercase letter');
-  }
-
-  if (config.requireUppercase) {
-    requirements.push('at least one uppercase letter');
-  }
-
-  if (config.requireSpecialChar) {
-    requirements.push('at least one special character');
-  }
-
-  return `Password must contain ${requirements.join(', ')}`;
-}
-
-export const convertSqlTypeToColumnType = (sqlType: string): ColumnType | string => {
-  switch (sqlType.toLowerCase()) {
-    case 'uuid':
-      return ColumnType.UUID;
-    case 'timestamptz':
-    case 'timestamp with time zone':
-      return ColumnType.DATETIME;
-    case 'date':
-      return ColumnType.DATE;
-    case 'integer':
-    case 'bigint':
-    case 'smallint':
-    case 'int':
-    case 'int2':
-    case 'int4':
-    case 'serial':
-    case 'serial2':
-    case 'serial4':
-    case 'serial8':
-    case 'smallserial':
-    case 'bigserial':
-      return ColumnType.INTEGER;
-    case 'double precision':
-    case 'real':
-    case 'numeric':
-    case 'float':
-    case 'float4':
-    case 'float8':
-    case 'decimal':
-      return ColumnType.FLOAT;
-    case 'boolean':
-    case 'bool':
-      return ColumnType.BOOLEAN;
-    case 'json':
-    case 'jsonb':
-    case 'array':
-      return ColumnType.JSON;
-    case 'text':
-    case 'varchar':
-    case 'char':
-    case 'character varying':
-    case 'character':
-      return ColumnType.STRING;
-    default:
-      return sqlType.slice(0, 5);
-  }
-};
-
-/**
- * Generate a UUID v4
- * @returns A UUID v4 string
- */
-export function generateUUID(): string {
-  return crypto.randomUUID();
-}
-
-/**
- * Generate a random numeric string of specified length
- * @param length - The length of the numeric string to generate
- * @returns A random string containing only digits (0-9)
- */
-export function generateNumericCode(length: number): string {
-  // Generate each digit independently
-  let result = '';
-  for (let i = 0; i < length; i++) {
-    result += crypto.randomInt(0, 10).toString();
-  }
-
-  return result;
-}
-
-/**
- * Generate a cryptographically secure random token
- * @param bytes - Number of random bytes to generate (default: 32)
- * @returns Hex-encoded string (length = bytes * 2 characters)
- * @example
- * generateSecureToken(32) // Returns 64-character hex string (256 bits entropy)
- * generateSecureToken(16) // Returns 32-character hex string (128 bits entropy)
- */
-export function generateSecureToken(bytes: number = 32): string {
-  return crypto.randomBytes(bytes).toString('hex');
-}
+import crypto from 'crypto';
+import { ColumnType, type AuthConfigSchema } from '@insforge/shared-schemas';
+
+/**
+ * Generates a user-friendly error message listing all password requirements
+ * @param config - Authentication configuration with password requirements
+ * @returns A formatted message listing all enabled password requirements
+ */
+export function getPasswordRequirementsMessage(config: AuthConfigSchema): string {
+  const requirements: string[] = [];
+
+  requirements.push(`at least ${config.passwordMinLength} characters long`);
+
+  if (config.requireNumber) {
+    requirements.push('at least one number');
+  }
+
+  if (config.requireLowercase) {
+    requirements.push('at least one lowercase letter');
+  }
+
+  if (config.requireUppercase) {
+    requirements.push('at least one uppercase letter');
+  }
+
+  if (config.requireSpecialChar) {
+    requirements.push('at least one special character');
+  }
+
+  return `Password must contain ${requirements.join(', ')}`;
+}
+
+export const convertSqlTypeToColumnType = (sqlType: string): ColumnType | string => {
+  switch (sqlType.toLowerCase()) {
+    case 'uuid':
+      return ColumnType.UUID;
+    case 'timestamptz':
+    case 'timestamp with time zone':
+      return ColumnType.DATETIME;
+    case 'date':
+      return ColumnType.DATE;
+    case 'integer':
+    case 'bigint':
+    case 'smallint':
+    case 'int':
+    case 'int2':
+    case 'int4':
+    case 'serial':
+    case 'serial2':
+    case 'serial4':
+    case 'serial8':
+    case 'smallserial':
+    case 'bigserial':
+      return ColumnType.INTEGER;
+    case 'double precision':
+    case 'real':
+    case 'numeric':
+    case 'float':
+    case 'float4':
+    case 'float8':
+    case 'decimal':
+      return ColumnType.FLOAT;
+    case 'boolean':
+    case 'bool':
+      return ColumnType.BOOLEAN;
+    case 'json':
+    case 'jsonb':
+    case 'array':
+      return ColumnType.JSON;
+    case 'text':
+    case 'varchar':
+    case 'char':
+    case 'character varying':
+    case 'character':
+      return ColumnType.STRING;
+    default:
+      return sqlType.slice(0, 8);
+  }
+};
+
+/**
+ * Generate a UUID v4
+ * @returns A UUID v4 string
+ */
+export function generateUUID(): string {
+  return crypto.randomUUID();
+}
+
+/**
+ * Generate a random numeric string of specified length
+ * @param length - The length of the numeric string to generate
+ * @returns A random string containing only digits (0-9)
+ */
+export function generateNumericCode(length: number): string {
+  // Generate each digit independently
+  let result = '';
+  for (let i = 0; i < length; i++) {
+    result += crypto.randomInt(0, 10).toString();
+  }
+
+  return result;
+}
+
+/**
+ * Generate a cryptographically secure random token
+ * @param bytes - Number of random bytes to generate (default: 32)
+ * @returns Hex-encoded string (length = bytes * 2 characters)
+ * @example
+ * generateSecureToken(32) // Returns 64-character hex string (256 bits entropy)
+ * generateSecureToken(16) // Returns 32-character hex string (128 bits entropy)
+ */
+export function generateSecureToken(bytes: number = 32): string {
+  return crypto.randomBytes(bytes).toString('hex');
+}

package/backend/src/utils/validations.ts

@@ -100,17 +100,17 @@ export function isValidIdentifier(identifier: string): boolean {
  */
 export function validateTableName(tableName: string): boolean {
   validateIdentifier(tableName, 'table');
+  return true;
+}
 
-  // Prevent access to all other system tables (starting with _)
-  if (tableName.startsWith('_')) {
-    throw new AppError(
-      'Access to system tables is not allowed',
-      403,
-      ERROR_CODES.FORBIDDEN,
-      'System tables (starting with _) cannot be accessed directly'
-    );
-  }
-
+/**
+ * Validates PostgreSQL function name for RPC calls
+ * @param functionName - The function name to validate
+ * @returns true if valid
+ * @throws AppError if invalid
+ */
+export function validateFunctionName(functionName: string): boolean {
+  validateIdentifier(functionName, 'function');
   return true;
 }
 

package/backend/tests/local/test-rpc.sh

@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# RPC endpoint test script
+
+# Get the directory where this script is located
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Source the test configuration
+source "$SCRIPT_DIR/../test-config.sh"
+
+echo "🧪 Testing RPC endpoint..."
+
+# Configuration
+API_BASE="$TEST_API_BASE"
+AUTH_TOKEN=""
+TEST_FUNC="test_rpc_add_$(date +%s)"
+
+# 1. Login to get token
+echo "🔑 Logging in to get authentication token..."
+AUTH_TOKEN=$(get_admin_token)
+
+if [ -n "$AUTH_TOKEN" ]; then
+    print_success "Login successful"
+else
+    print_fail "Login failed"
+    echo "Please ensure the service is running and admin account exists"
+    exit 1
+fi
+
+# 2. Create test PostgreSQL function
+echo ""
+print_info "📝 Creating test RPC function ($TEST_FUNC)..."
+
+create_func_response=$(curl -s -X POST "$API_BASE/database/advance/rawsql/unrestricted" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{"query": "CREATE OR REPLACE FUNCTION '"$TEST_FUNC"'(a integer, b integer) RETURNS integer LANGUAGE sql AS $$ SELECT a + b; $$;"}')
+
+if echo "$create_func_response" | grep -q '"error"'; then
+    print_fail "Failed to create test function"
+    echo "Response: $create_func_response"
+    exit 1
+else
+    print_success "Test function created"
+fi
+
+# Wait for PostgREST schema cache to refresh
+echo "⏳ Waiting for schema cache refresh..."
+sleep 3
+
+# 3. Test RPC POST with JSON body
+echo ""
+print_info "🔧 Test 1: RPC POST with JSON body"
+
+rpc_post_response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/database/rpc/$TEST_FUNC" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{"a": 5, "b": 3}')
+
+body=$(echo "$rpc_post_response" | sed '$d')
+status=$(echo "$rpc_post_response" | tail -n 1)
+
+if [ "$status" -eq 200 ] && [ "$body" = "8" ]; then
+    print_success "RPC POST: 5 + 3 = $body"
+else
+    print_fail "RPC POST failed (status: $status)"
+    echo "Expected: 8, Got: $body"
+fi
+
+# 4. Test RPC GET with query params
+echo ""
+print_info "🔧 Test 2: RPC GET with query params"
+
+rpc_get_response=$(curl -s -w "\n%{http_code}" "$API_BASE/database/rpc/$TEST_FUNC?a=10&b=20" \
+    -H "Authorization: Bearer $AUTH_TOKEN")
+
+body=$(echo "$rpc_get_response" | sed '$d')
+status=$(echo "$rpc_get_response" | tail -n 1)
+
+if [ "$status" -eq 200 ] && [ "$body" = "30" ]; then
+    print_success "RPC GET: 10 + 20 = $body"
+else
+    print_fail "RPC GET failed (status: $status)"
+    echo "Expected: 30, Got: $body"
+fi
+
+# 5. Test RPC with non-existent function (should return 404)
+echo ""
+print_info "🔧 Test 3: RPC call to non-existent function (expect 404)"
+
+rpc_404_response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/database/rpc/nonexistent_function_xyz" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{}')
+
+body=$(echo "$rpc_404_response" | sed '$d')
+status=$(echo "$rpc_404_response" | tail -n 1)
+
+if [ "$status" -eq 404 ]; then
+    print_success "Non-existent function returns 404"
+else
+    print_fail "Expected 404, got $status"
+    echo "Response: $body"
+fi
+
+# 6. Test RPC with wrong parameter types
+echo ""
+print_info "🔧 Test 4: RPC with wrong parameter types (expect error)"
+
+rpc_error_response=$(curl -s -w "\n%{http_code}" -X POST "$API_BASE/database/rpc/$TEST_FUNC" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{"a": "not_a_number", "b": 3}')
+
+body=$(echo "$rpc_error_response" | sed '$d')
+status=$(echo "$rpc_error_response" | tail -n 1)
+
+if [ "$status" -ge 400 ]; then
+    print_success "Invalid params return error ($status)"
+else
+    print_fail "Expected error status, got $status"
+    echo "Response: $body"
+fi
+
+# 7. Cleanup - drop the test function
+echo ""
+print_info "🧹 Cleaning up test function..."
+
+cleanup_response=$(curl -s -X POST "$API_BASE/database/advance/rawsql/unrestricted" \
+    -H "Authorization: Bearer $AUTH_TOKEN" \
+    -H "Content-Type: application/json" \
+    -d '{"query": "DROP FUNCTION IF EXISTS '"$TEST_FUNC"'(integer, integer);"}')
+
+if echo "$cleanup_response" | grep -q '"error"'; then
+    print_fail "Cleanup failed"
+else
+    print_success "Test function dropped"
+fi
+
+echo ""
+echo -e "${GREEN}🎉 RPC endpoint tests completed!${NC}"

package/backend/tests/local/test-secrets.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Test secrets API endpoints (refactored to use _secrets table)
+# Test secrets API endpoints (uses system.secrets table)
 # Tests CRUD operations for secrets and edge function integration
 
 # Get the directory where this script is located