postbase 0.1.0

package/backend/lib/postbase/package.json

@@ -0,0 +1,19 @@
+{
+    "name": "@postbase/backend",
+    "version": "0.1.0",
+    "type": "module",
+    "scripts": {
+        "migrate:up": "node-pg-migrate up",
+        "migrate:down": "node-pg-migrate down",
+        "migrate:redo": "node-pg-migrate redo",
+        "migrate:create": "node-pg-migrate create",
+        "test": "jest"
+    },
+    "devDependencies": {
+        "express": "^4.21.2",
+        "jest": "^30.2.0",
+        "node-pg-migrate": "^8.0.3",
+        "supertest": "^7.1.4",
+        "ws": "^8.20.0"
+    }
+}

package/backend/lib/postbase/rtdb/router.js

@@ -0,0 +1,190 @@
+import express from 'express';
+
+import { makeRtdbEvaluator } from './rulesEngine.js';
+
+/**
+ * rtdb_nodes schema assumptions:
+ * - path TEXT PRIMARY KEY
+ * - parent_path TEXT
+ * - key TEXT
+ * - value JSONB
+ * - version BIGINT
+ * - updated_at TIMESTAMPTZ
+ */
+
+export function createRtdbRouter({ pool, notify, rulesModule }) {
+    const rules = makeRtdbEvaluator(rulesModule);
+
+    const router = express.Router();
+
+    const clean = p => (p || '').replace(/^\/+|\/+$/g, '');
+
+    const splitPath = path => {
+        const parts = path.split('/');
+        return {
+            key: parts.at(-1),
+            parent: parts.length > 1 ? parts.slice(0, -1).join('/') : null,
+        };
+    };
+
+    // =====================================================
+    // GET node
+    // =====================================================
+    router.get('/*', async (req, res) => {
+        const path = clean(req.params[0]);
+
+        const r = await pool.query(
+            `SELECT value FROM rtdb_nodes WHERE path = $1`,
+            [path]
+        );
+
+        if (!r.rowCount) return res.sendStatus(404);
+
+        const allowed = await rules.evaluate("read", {
+            auth: req.auth || null,
+            method: "GET"
+        }, {
+            path,
+            value: r
+        });
+
+        if (!allowed) return res.sendStatus(403);
+
+        res.json(r.rows[0].value);
+    });
+
+    // =====================================================
+    // SET (replace node)
+    // =====================================================
+    router.put('/*', async (req, res) => {
+        const path = clean(req.params[0]);
+        const value = req.body ?? {};
+
+        const allowed = await rules.evaluate("write", {
+            auth: req.auth || null,
+            method: "PUT",
+            body: value
+        }, {
+            path,
+            newValue: value
+        });
+
+        if (!allowed) return res.sendStatus(403);
+
+        const { key, parent } = splitPath(path);
+
+        const q = `
+            INSERT INTO rtdb_nodes (path, parent_path, key, value)
+            VALUES ($1, $2, $3, $4)
+            ON CONFLICT (path)
+            DO UPDATE SET
+              value = EXCLUDED.value,
+              version = rtdb_nodes.version + 1,
+              updated_at = now() at time zone 'UTC'
+            RETURNING value
+        `;
+
+        const r = await pool.query(q, [path, parent, key, value]);
+
+        await notify(path, value);
+        res.json(r.rows[0].value);
+    });
+
+    // =====================================================
+    // UPDATE (merge)
+    // =====================================================
+    router.patch('/*', async (req, res) => {
+        const path = clean(req.params[0]);
+        const patch = req.body ?? {};
+
+        const allowed = await rules.evaluate("write", {
+            auth: req.auth || null,
+            method: "PATCH",
+            body: patch
+        }, {
+            path,
+            newValue: patch
+        });
+
+        if (!allowed) return res.sendStatus(403);
+
+        const cur = await pool.query(
+            `SELECT value FROM rtdb_nodes WHERE path = $1`,
+            [path]
+        );
+        if (!cur.rowCount) return res.sendStatus(404);
+
+        const oldValue = cur.rows[0].value;
+        const newValue = { ...oldValue, ...patch };
+
+        if (JSON.stringify(oldValue) === JSON.stringify(newValue)) {
+            return res.status(204).end();
+        }
+
+        await pool.query(
+            `
+            UPDATE rtdb_nodes
+            SET value = $1,
+                version = version + 1,
+                updated_at = now() at time zone 'UTC'
+            WHERE path = $2
+            `,
+            [newValue, path]
+        );
+
+        await notify(path, newValue, oldValue);
+        res.json(newValue);
+    });
+
+    // =====================================================
+    // DELETE node + subtree
+    // =====================================================
+    router.delete('/*', async (req, res) => {
+        const path = clean(req.params[0]);
+
+        const allowed = await rules.evaluate("delete", {
+            auth: req.auth || null,
+            method: "DELETE",
+            body: patch
+        }, {
+            path,
+            newValue: req.body ?? {},
+        });
+
+        if (!allowed) return res.sendStatus(403);
+
+        await pool.query(
+            `
+            DELETE FROM rtdb_nodes
+            WHERE path = $1 OR parent_path LIKE $2
+            `,
+            [path, `${path}/%`]
+        );
+
+        await notify(path, null);
+        res.json({ ok: true });
+    });
+
+    // =====================================================
+    // PUSH (generate child key)
+    // =====================================================
+    router.post('/*/push', async (req, res) => {
+        const parent = clean(req.params[0]);
+        const key = Math.random().toString(36).slice(2, 10);
+        const path = `${parent}/${key}`;
+        const value = req.body ?? {};
+
+        await pool.query(
+            `
+            INSERT INTO rtdb_nodes (path, parent_path, key, value)
+            VALUES ($1, $2, $3, $4)
+            `,
+            [path, parent, key, value]
+        );
+
+        await notify(path, value);
+        res.status(201).json({ key, path });
+    });
+
+    return router;
+}

package/backend/lib/postbase/rtdb/rulesEngine.js

@@ -0,0 +1,63 @@
+// backend/lib/postbase/rtdb/rulesEngine.js
+
+/**
+ * Extract /users/$uid → { uid: "u1" }
+ */
+function matchPathRule(rulePath, actualPath) {
+    const rSeg = rulePath.split("/").filter(Boolean);
+    const aSeg = actualPath.split("/").filter(Boolean);
+
+    if (rSeg.length !== aSeg.length) return null;
+
+    const params = {};
+
+    for (let i = 0; i < rSeg.length; i++) {
+        const r = rSeg[i];
+        const a = aSeg[i];
+
+        if (r.startsWith("$")) {
+            params[r.slice(1)] = a;
+        } else if (r !== a) {
+            return null;
+        }
+    }
+
+    return params;
+}
+
+export function makeRtdbEvaluator(rulesModule) {
+    const rulePaths = Object.entries(rulesModule.paths || {});
+    const defaults = rulesModule.default || { read: false, write: false };
+
+    /**
+     * op = "read" or "write"
+     */
+    async function evaluate(op, request, context) {
+        const { path } = context;
+
+        // Find matching rule
+        for (const [rulePath, ruleDef] of rulePaths) {
+            const params = matchPathRule(rulePath, path);
+            if (params) {
+                context.params = params;
+                const fn = ruleDef[op];
+
+                if (typeof fn === "function") {
+                    const r = fn(request, context);
+                    return r instanceof Promise ? await r : !!r;
+                }
+                if (typeof fn === "boolean") return fn;
+            }
+        }
+
+        // Apply defaults
+        const def = defaults[op];
+        if (typeof def === "function") {
+            const r = def(request, context);
+            return r instanceof Promise ? await r : !!r;
+        }
+        return !!def;
+    }
+
+    return { evaluate };
+}

package/backend/lib/postbase/rtdb/ws.js

@@ -0,0 +1,84 @@
+export function createRtdbWs(wss) {
+    const exact = new Map();    // path → Set<ws>
+    const prefixes = new Map(); // prefix → Set<ws>
+    const fields = new Map();   // path|field → Set<ws>
+
+    const clean = p => (p || '').replace(/^\/+|\/+$/g, '');
+
+    const add = (map, key, ws) => {
+        if (!map.has(key)) map.set(key, new Set());
+        map.get(key).add(ws);
+    };
+
+    const removeAll = ws => {
+        for (const map of [exact, prefixes, fields]) {
+            for (const [k, set] of map) {
+                set.delete(ws);
+                if (!set.size) map.delete(k);
+            }
+        }
+    };
+
+    wss.on('connection', ws => {
+        ws.on('message', msg => {
+            try {
+                const data = JSON.parse(msg.toString());
+                const path = clean(data.path);
+
+                if (data.type === 'sub') {
+                    if (data.field)
+                        add(fields, `${path}|${data.field}`, ws);
+                    else if (data.prefix)
+                        add(prefixes, `${path}/`, ws);
+                    else
+                        add(exact, path, ws);
+                }
+
+                if (data.type === 'unsub') removeAll(ws);
+            } catch {}
+        });
+
+        ws.on('close', () => removeAll(ws));
+    });
+
+    // -----------------------------------------------------
+    // Notifier (called by REST)
+    // -----------------------------------------------------
+    async function notify(path, newVal, oldVal = null) {
+        const p = clean(path);
+
+        // exact listeners
+        if (exact.has(p)) {
+            const msg = JSON.stringify({ path: p, value: newVal });
+            exact.get(p).forEach(ws => ws.send(msg));
+        }
+
+        // prefix listeners
+        for (const [pre, set] of prefixes) {
+            if (p.startsWith(pre)) {
+                const msg = JSON.stringify({ path: p, value: newVal });
+                set.forEach(ws => ws.send(msg));
+            }
+        }
+
+        // field listeners
+        if (newVal) {
+            for (const [k, set] of fields) {
+                const [fp, field] = k.split('|');
+                if (fp !== p) continue;
+
+                const oldFieldValue = oldVal ? oldVal[field] : undefined;
+                if (newVal[field] !== oldFieldValue) {
+                    const msg = JSON.stringify({
+                        path: p,
+                        field,
+                        value: newVal[field],
+                    });
+                    set.forEach(ws => ws.send(msg));
+                }
+            }
+        }
+    }
+
+    return { notify };
+}

package/backend/lib/postbase/rulesEngine.js

@@ -0,0 +1,62 @@
+/**
+ * Simple rules engine. Rules are plain javascript functions that receive:
+ * - request: {auth, method, params, query, body, ip}
+ * - resource: for read/update/delete: current row (object); for create: incoming data
+ *
+ * Rules file should export default object:
+ * {
+ *   tables: {
+ *     posts: {
+ *       read: (request, resource) => boolean | Promise<boolean>,
+ *       create: (request, resource) => boolean | Promise<boolean>,
+ *       update: ...,
+ *       delete: ...
+ *     }
+ *   },
+ *   default: { read: true, create: false, update: false, delete: false }
+ * }
+ */
+
+export function makeEvaluator(rulesModule = {}) {
+    const tables = (rulesModule && rulesModule.tables) || {};
+    const defaults = (rulesModule && rulesModule.default) || { read: true, create: true, update: true, delete: true };
+
+    async function evaluate(tableName, op, request, resource = null) {
+        const tableRules = tables[tableName];
+        let fn;
+        if (tableRules && typeof tableRules[op] === 'function') {
+            fn = tableRules[op];
+        } else if (defaults && typeof defaults[op] === 'function') {
+            fn = defaults[op];
+        } else {
+            // boolean default allowed/denied
+            const val = (defaults && defaults[op]);
+            if (typeof val === 'boolean') return val;
+            // fallback allow
+            return true;
+        }
+        const result = fn(request, resource);
+        if (result && typeof result.then === 'function') {
+            return await result;
+        }
+        return !!result;
+    }
+
+    return { evaluate };
+}
+
+/**
+ * Helper functions you can import into your rules file to keep rules concise.
+ */
+export const RuleHelpers = {
+    isAuth: (request) => !!request.auth,
+    uidEquals: (request, propOrValue) => {
+        if (!request.auth) return false;
+        // propOrValue can be a function(resource) or a string path
+        if (typeof propOrValue === 'function') return request.auth.id === propOrValue(request.resource);
+        return request.auth.id === propOrValue;
+    },
+    allowIf: (pred) => (request, resource) => !!pred(request, resource),
+    and: (...preds) => (req, res) => preds.every(p => p(req, res)),
+    or: (...preds) => (req, res) => preds.some(p => p(req, res)),
+};

package/backend/lib/postbase/storage.js

@@ -0,0 +1,130 @@
+// server/storage.js
+import express from 'express';
+import multer from 'multer';
+import path from 'path';
+import fs from 'fs';
+import { makeEvaluator } from './rulesEngine.js';
+
+export function createStorageRouter(uploadDestination, bucket, rulesModule) {
+    const router = express.Router();
+    const upload = multer({ storage: multer.memoryStorage() });
+
+    const evaluator = makeEvaluator(rulesModule);
+
+    // --- Helper functions ---
+    function metaPathFor(filePath) {
+        return path.join(uploadDestination, `${filePath}.meta.json`);
+    }
+
+    async function loadMetadata(filePath) {
+        try {
+            const data = await fs.promises.readFile(metaPathFor(filePath), 'utf8');
+            return JSON.parse(data);
+        } catch {
+            return null;
+        }
+    }
+
+    async function saveMetadata(filePath, meta) {
+        await fs.promises.mkdir(path.dirname(metaPathFor(filePath)), { recursive: true });
+        await fs.promises.writeFile(metaPathFor(filePath), JSON.stringify(meta, null, 2), 'utf8');
+    }
+
+    // --- Routes ---
+
+    // Upload file
+    router.post('/upload', upload.single('file'), async (req, res) => {
+        const file = req.file;
+        const filePath = (req.query.path || '').replace(/^\/+/, '');
+
+        if (!file) return res.status(400).json({ error: 'Missing file' });
+        if (!filePath) return res.status(400).json({ error: 'Missing ?path=' });
+
+        let incomingMeta = {};
+        try {
+            incomingMeta = req.body.metadata ? JSON.parse(req.body.metadata) : {};
+        } catch {
+            incomingMeta = {};
+        }
+
+        const resource = { ...incomingMeta, path: filePath };
+        const request = { auth: req.auth, method: req.method, body: req.body, query: req.query, ip: req.ip };
+
+        // Security check: can this user create this file?
+        const allowed = await evaluator.evaluate('files', 'create', request, resource);
+        if (!allowed) return res.status(403).json({ error: 'Permission denied' });
+
+        try {
+            const fileObj = bucket.file(filePath);
+            await fileObj.save(file.buffer, { contentType: file.mimetype });
+
+            const owner = incomingMeta.owner || req.auth?.id;
+            const allowedUsers = incomingMeta.allowedUsers || [owner];
+
+            const meta = {
+                owner,
+                allowedUsers: allowedUsers.map(String),
+                contentType: file.mimetype,
+                size: file.size,
+                createdAt: new Date().toISOString(),
+                path: filePath,
+                publicUrl: fileObj.publicUrl(),
+            };
+
+            await saveMetadata(filePath, meta);
+            res.status(201).json({ publicUrl: meta.publicUrl, metadata: meta });
+        } catch (err) {
+            console.error('upload error', err);
+            res.status(500).json({ error: 'Failed to save file' });
+        }
+    });
+
+    // Get file metadata
+    router.get('/metadata', async (req, res) => {
+        const filePath = (req.query.path || '').replace(/^\/+/, '');
+        const meta = await loadMetadata(filePath);
+        if (!meta) return res.status(404).json({ error: 'Not found' });
+
+        const request = { auth: req.auth, method: req.method, query: req.query, ip: req.ip };
+        const allowed = await evaluator.evaluate('files', 'read', request, meta);
+        if (!allowed) return res.status(403).json({ error: 'Permission denied' });
+
+        res.json(meta);
+    });
+
+    // Download file (rule-checked)
+    router.get('/download', async (req, res) => {
+        const filePath = (req.query.path || '').replace(/^\/+/, '');
+        const meta = await loadMetadata(filePath);
+        if (!meta) return res.status(404).json({ error: 'Not found' });
+
+        const request = { auth: req.auth, method: req.method, query: req.query, ip: req.ip };
+        const allowed = await evaluator.evaluate('files', 'read', request, meta);
+        if (!allowed) return res.status(403).json({ error: 'Permission denied' });
+
+        const fullPath = path.join(uploadDestination, filePath);
+        res.sendFile(fullPath);
+    });
+
+    // Delete file
+    router.delete('/file', async (req, res) => {
+        const filePath = (req.query.path || '').replace(/^\/+/, '');
+        const meta = await loadMetadata(filePath);
+        if (!meta) return res.status(404).json({ error: 'Not found' });
+
+        const request = { auth: req.auth, method: req.method, query: req.query, ip: req.ip };
+        const allowed = await evaluator.evaluate('files', 'delete', request, meta);
+        if (!allowed) return res.status(403).json({ error: 'Permission denied' });
+
+        try {
+            await fs.promises.unlink(path.join(uploadDestination, filePath));
+            await fs.promises.unlink(metaPathFor(filePath)).catch(() => { });
+            res.json({ deleted: true });
+        } catch (err) {
+            console.error(err);
+            res.status(500).json({ error: 'Delete failed' });
+        }
+    });
+
+    return router;
+}

package/backend/lib/postbase/tests/README.md

@@ -0,0 +1,22 @@
+# Tests
+
+Don't forget to create a database and run migrations first
+
+## Create Database
+
+```
+PGPASSWORD=yoursecretpassword psql -h localhost -U postgres -c 'create database postbase_test;'
+```
+
+## Run Migrations
+
+```
+cd backend/lib/postbase/
+npm run migrate:up
+```
+
+## Run test
+
+```
+npm test
+```

package/backend/lib/postbase/tests/db.js

@@ -0,0 +1,9 @@
+import { Pool } from 'pg';
+
+export const pool = new Pool({
+    connectionString: process.env.TEST_DB_URL,
+});
+
+export async function resetDb() {
+    await pool.query(`TRUNCATE rtdb_nodes`);
+}

package/backend/lib/postbase/tests/rtdb.rest.test.js

@@ -0,0 +1,46 @@
+import request from 'supertest';
+import { startTestServer } from './testServer.js';
+
+let srv;
+
+beforeAll(async () => {
+    srv = await startTestServer();
+});
+
+afterAll(() => srv.close());
+
+test('PUT + GET node', async () => {
+    await request(srv.url)
+        .put('/rtdb/users/u1')
+        .send({ name: 'Alice' })
+        .expect(200);
+
+    const r = await request(srv.url)
+        .get('/rtdb/users/u1')
+        .expect(200);
+
+    expect(r.body).toEqual({ name: 'Alice' });
+});
+
+test('PATCH merges value', async () => {
+    await request(srv.url)
+        .patch('/rtdb/users/u1')
+        .send({ age: 20 })
+        .expect(200);
+
+    const r = await request(srv.url)
+        .get('/rtdb/users/u1')
+        .expect(200);
+
+    expect(r.body).toEqual({ name: 'Alice', age: 20 });
+});
+
+test('PUSH creates child', async () => {
+    const r = await request(srv.url)
+        .post('/rtdb/users/u1/posts/push')
+        .send({ title: 'hello' })
+        .expect(201);
+
+    expect(r.body.key).toBeDefined();
+    expect(r.body.path).toMatch(/users\/u1\/posts\/.+/);
+});