orange-orm 4.9.0 → 4.10.0-beta.0

package/README.md

@@ -309,6 +309,31 @@ await pool.close();         // closes all pooled connections
 __Why close ?__  
 In serverless environments (e.g. AWS Lambda, Vercel, Cloudflare Workers) execution contexts are frequently frozen and resumed. Explicitly closing the client or pool ensures that file handles are released promptly and prevents “database locked” errors between invocations.  
 
+__SQLite user-defined functions__  
+You can register custom SQLite functions on the connection using `db.function(name, fn)`.  
+
+```javascript
+import map from './map';
+const db = map.sqlite('demo.db');
+
+db.function('add_prefix', (text, prefix) => `${prefix}${text}`);
+
+const rows = await db.query(
+  "select id, name, add_prefix(name, '[VIP] ') as prefixedName from customer"
+);
+```
+
+If you need the function inside a transaction, register it within the transaction callback to ensure it is available on that connection.  
+
+```javascript
+await db.transaction(async (db) => {
+  db.function('add_prefix', (text, prefix) => `${prefix}${text}`);
+  return db.query(
+    "select id, name, add_prefix(name, '[VIP] ') as prefixedName from customer"
+  );
+});
+```
+
 __From the browser__  
 You can securely use Orange from the browser by utilizing the Express plugin, which serves to safeguard sensitive database credentials from exposure at the client level. This technique bypasses the need to transmit raw SQL queries directly from the client to the server. Instead, it logs method calls initiated by the client, which are later replayed and authenticated on the server. This not only reinforces security by preventing the disclosure of raw SQL queries on the client side but also facilitates a smoother operation. Essentially, this method mirrors a traditional REST API, augmented with advanced TypeScript tooling for enhanced functionality. You can read more about it in the section called [In the browser](#user-content-in-the-browser)  
 <sub>📄 server.ts</sub>
@@ -1273,6 +1298,101 @@ async function updateRows() {
 
 }
 
+```
+
+__Row Level Security (Postgres)__  
+You can enforce tenant isolation at the database level by combining Postgres RLS with Express hooks. The example below mirrors the “Interceptors and base filter” style by putting the tenant id in a (fake) token on the client, then extracting it on the server and setting it inside the transaction. This is convenient for a demo because we can seed data and prove rows are filtered. In a real application you must validate signatures and derive tenant id from a trusted identity source, not from arbitrary client input.  
+
+<sub>📄 setup.sql</sub>
+
+```sql
+create role rls_app_user nologin;
+
+create table tenant_data (
+  id serial primary key,
+  tenant_id int not null,
+  value text not null
+);
+
+alter table tenant_data enable row level security;
+create policy tenant_data_tenant on tenant_data
+  using (tenant_id = current_setting('app.tenant_id', true)::int);
+
+grant select, insert, update, delete on tenant_data to rls_app_user;
+
+insert into tenant_data (tenant_id, value) values
+  (1, 'alpha'),
+  (1, 'beta'),
+  (2, 'gamma');
+```
+
+<sub>📄 server.ts</sub>
+
+```javascript
+import map from './map';
+import { json } from 'body-parser';
+import express from 'express';
+import cors from 'cors';
+
+const db = map.postgres('postgres://postgres:postgres@localhost/postgres');
+
+express().disable('x-powered-by')
+  .use(json({ limit: '100mb' }))
+  .use(cors())
+  .use('/orange', validateToken)
+  .use('/orange', db.express({
+    hooks: {
+      transaction: {
+        afterBegin: async (db, req) => {
+          const tenantId = Number.parseInt(String(req.user?.tenantId ?? ''), 10);
+          if (!Number.isFinite(tenantId)) throw new Error('Missing tenant id');
+          await db.query('set local role rls_app_user');
+          await db.query({
+            sql: 'select set_config(\'app.tenant_id\', ?, true)',
+            parameters: [String(tenantId)]
+          });
+        }
+      }
+    }
+  }))
+  .listen(3000, () => console.log('Example app listening on port 3000!'));
+
+function validateToken(req, res, next) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader) return res.status(401).json({ error: 'Authorization header missing' });
+  try {
+    const token = authHeader.replace(/^Bearer\s+/i, '');
+    const payload = decodeFakeJwt(token); // demo-only, do not use in production
+    req.user = { tenantId: String(payload.tenantId) };
+    return next();
+  } catch (error) {
+    return res.status(401).json({ error: 'Invalid token' });
+  }
+}
+
+function decodeFakeJwt(token) {
+  // Demo-only format: "tenant:<id>"
+  const match = /^tenant:(\d+)$/.exec(token);
+  if (!match) throw new Error('Invalid demo token');
+  return { tenantId: Number(match[1]) };
+}
+```
+
+<sub>📄 browser.ts</sub>
+
+```javascript
+import map from './map';
+
+const db = map.http('http://localhost:3000/orange');
+
+db.interceptors.request.use((config) => {
+  // Demo-only token: payload carries the tenant id so we can verify filtering
+  config.headers.Authorization = 'Bearer tenant:1';
+  return config;
+});
+
+const rows = await db.tenant_data.getMany();
+// rows => [{ id: 1, tenant_id: 1, value: 'alpha' }, { id: 2, tenant_id: 1, value: 'beta' }]
 ```
 </details>
 

package/deno.lock

@@ -0,0 +1,76 @@
+{
+  "version": "5",
+  "specifiers": {
+    "jsr:@std/assert@*": "1.0.17",
+    "jsr:@std/assert@^1.0.17": "1.0.17",
+    "jsr:@std/internal@^1.0.12": "1.0.12",
+    "jsr:@std/path@*": "1.1.4",
+    "jsr:@std/testing@*": "1.0.17"
+  },
+  "jsr": {
+    "@std/assert@1.0.17": {
+      "integrity": "df5ebfffe77c03b3fa1401e11c762cc8f603d51021c56c4d15a8c7ab45e90dbe",
+      "dependencies": [
+        "jsr:@std/internal"
+      ]
+    },
+    "@std/internal@1.0.12": {
+      "integrity": "972a634fd5bc34b242024402972cd5143eac68d8dffaca5eaa4dba30ce17b027"
+    },
+    "@std/path@1.1.4": {
+      "integrity": "1d2d43f39efb1b42f0b1882a25486647cb851481862dc7313390b2bb044314b5",
+      "dependencies": [
+        "jsr:@std/internal"
+      ]
+    },
+    "@std/testing@1.0.17": {
+      "integrity": "87bdc2700fa98249d48a17cd72413352d3d3680dcfbdb64947fd0982d6bbf681",
+      "dependencies": [
+        "jsr:@std/assert@^1.0.17",
+        "jsr:@std/internal"
+      ]
+    }
+  },
+  "workspace": {
+    "packageJson": {
+      "dependencies": [
+        "npm:@cloudflare/workers-types@^4.20241106.0",
+        "npm:@electric-sql/pglite@0.3",
+        "npm:@lroal/on-change@^4.0.2",
+        "npm:@rollup/plugin-commonjs@^28.0.2",
+        "npm:@rollup/plugin-json@^6.1.0",
+        "npm:@rollup/plugin-node-resolve@13",
+        "npm:@tediousjs/connection-string@~0.4.1",
+        "npm:@types/express@^4.17.13",
+        "npm:@types/oracledb@^6.0.4",
+        "npm:@types/tedious@^4.0.14",
+        "npm:@typescript-eslint/eslint-plugin@6",
+        "npm:@typescript-eslint/parser@6",
+        "npm:@vitest/coverage-v8@^3.2.4",
+        "npm:ajv@^8.17.1",
+        "npm:axios@^1.6.2",
+        "npm:better-sqlite3@^11.8.1",
+        "npm:cors@^2.8.5",
+        "npm:eslint-plugin-jest@^27.1.7",
+        "npm:eslint@^8.57.0",
+        "npm:express@^4.18.2",
+        "npm:fast-json-patch@^3.1.1",
+        "npm:findup-sync@5",
+        "npm:glob@^10.3.4 || ^11.0.2",
+        "npm:module-definition@4 || 5 || * || 6",
+        "npm:msnodesqlv8@^4.1.0",
+        "npm:mysql2@^3.9.4",
+        "npm:oracledb@^6.3.0",
+        "npm:owasp-dependency-check@^0.0.21",
+        "npm:pg-query-stream@^3.3.2",
+        "npm:pg@^8.5.1",
+        "npm:rfdc@^1.2.0",
+        "npm:rollup@^2.52.7",
+        "npm:tedious@19",
+        "npm:typescript@^5.4.5",
+        "npm:uuid@^8.3.2 || 9 || 10 || ^11.1.0",
+        "npm:vitest@^3.2.4"
+      ]
+    }
+  }
+}