prostgles-server 4.2.167 → 4.2.169

package/lib/DboBuilder/dboBuilderUtils.ts

@@ -49,19 +49,22 @@ export const getErrorAsObject = (rawError: any, includeStack = false) => {
 
 type GetSerializedClientErrorFromPGErrorArgs = {
   type: "sql";
+  localParams: LocalParams | undefined;
 } | {
   type: "tableMethod";
   localParams: LocalParams | undefined;
   view: ViewHandler | Partial<TableHandler> | undefined;
   allowedKeys?: string[];
-  canRunSql?: boolean;
 } | {
   type: "method";
   localParams: LocalParams | undefined; 
   allowedKeys?: string[]; 
   view?: undefined;
-  canRunSql?: boolean;
-}
+};
+
+const sensitiveErrorKeys = ["hint", "detail", "context"] as const;
+const otherKeys = ["column", "code", "code_info", "table", "constraint", "severity", "message", "name"] as const;
+
 export function getSerializedClientErrorFromPGError(rawError: any, args: GetSerializedClientErrorFromPGErrorArgs): AnyObject {
   const err = getErrorAsObject(rawError);
   if(err.code) {
@@ -71,18 +74,19 @@ export function getSerializedClientErrorFromPGError(rawError: any, args: GetSeri
     console.trace(err)
   }
 
-  const isServerSideRequest = args.type !== "sql" && !args.localParams;
-  if(args.type === "sql" || isServerSideRequest){
+  const isServerSideRequest = !args.localParams;
+  //TODO: add a rawSQL check for HTTP requests
+  const showFullError = isServerSideRequest || args.type === "sql" || args.localParams?.socket?.prostgles?.rawSQL;
+  if(showFullError){
     return err;
   }
   const { view, allowedKeys } = args;
 
-
-  const sensitiveErrorKeys = ["hint", "detail", "context"];
-  const otherKeys = ["column", "code", "code_info", "table", "constraint", "severity", "message", "name"];
-  const finalKeys = otherKeys
-    .concat(allowedKeys ?? [])
-    .concat(args.canRunSql? sensitiveErrorKeys : []);
+  const finalKeys = [
+    ...otherKeys,
+    ...(allowedKeys ?? []),
+    ...(showFullError? sensitiveErrorKeys : [])
+  ];
 
   const errObject = pickKeys(err, finalKeys);
   if (view?.dboBuilder?.constraints && errObject.constraint && !errObject.column) {

package/lib/Prostgles.ts

@@ -24,13 +24,12 @@ export type PGP = pgPromise.IMain<{}, pg.IClient>;
 import {
   CHANNELS,
   ClientSchema,
-  DBSchemaTable,
-  SQLRequest, TableSchemaForClient,
+  SQLRequest,
   isObject, omitKeys, tryCatch
 } from "prostgles-types";
 import { DBEventsManager } from "./DBEventsManager";
 import { PublishParser } from "./PublishParser/PublishParser";
-export { sendEmail, getOrSetTransporter } from "./Auth/sendEmail";
+export { getOrSetTransporter, sendEmail } from "./Auth/sendEmail";
 
 export type DB = pgPromise.IDatabase<{}, pg.IClient>;
 export type DBorTx = DB | pgPromise.ITask<{}>
@@ -62,7 +61,6 @@ const DEFAULT_KEYWORDS = {
 
 import { randomUUID } from "crypto";
 import * as fs from 'fs';
-import { sendEmail } from "./Auth/sendEmail";
 
 export class Prostgles {
   /**
@@ -376,10 +374,7 @@ export class Prostgles {
       if(!this.authHandler) throw "this.authHandler missing";
       const userData = await this.authHandler.getClientInfo(clientInfo); 
       const { publishParser } = this;
-      let fullSchema: {
-        schema: TableSchemaForClient;
-        tables: DBSchemaTable[];
-      } | undefined;
+      let fullSchema: Awaited<ReturnType<PublishParser["getSchemaFromPublish"]>> | undefined;
       let publishValidationError;
 
       try {
@@ -395,7 +390,7 @@ export class Prostgles {
         rawSQL = allowed;
       }
 
-      const { schema, tables } = fullSchema ?? { schema: {}, tables: [] };
+      const { schema, tables, tableSchemaErrors } = fullSchema ?? { schema: {}, tables: [], tableSchemaErrors: {} };
       const joinTables2: string[][] = [];
       if (this.opts.joins) {
         const _joinTables2 = this.dboBuilder.getAllJoinPaths()
@@ -433,6 +428,7 @@ export class Prostgles {
         tableSchema: tables,
         rawSQL,
         joinTables: joinTables2,
+        tableSchemaErrors,
         auth,
         version,
         err: publishValidationError? "Server Error: User publish validation failed." : undefined
@@ -460,8 +456,7 @@ export class Prostgles {
 
     try {
       const clientSchema = await this.getClientSchema({ socket });
-      socket.prostgles = socket.prostgles || {};
-      socket.prostgles.schema = clientSchema.schema;
+      socket.prostgles = clientSchema;
       if (clientSchema.rawSQL) {
         socket.removeAllListeners(CHANNELS.SQL)
         socket.on(CHANNELS.SQL, async ({ query, params, options }: SQLRequest, cb = (..._callback: any) => { /* Empty */ }) => {

package/lib/PublishParser/PublishParser.ts

@@ -108,9 +108,9 @@ export class PublishParser {
     if (!this.publish) throw "publish is missing";
 
     /* Get any publish errors for socket */
-    const schm = localParams?.socket?.prostgles?.schema?.[tableName]?.[command];
+    const errorInfo = localParams?.socket?.prostgles?.tableSchemaErrors?.[tableName]?.[command];
 
-    if (schm && schm.err) throw schm.err;
+    if (errorInfo) throw errorInfo.error;
 
     const table_rule = await this.getTableRules({ tableName, localParams }, clientInfo);
     if (!table_rule) throw { stack: ["getValidatedRequestRule()"], message: "Invalid or disallowed table: " + tableName };

package/lib/PublishParser/getSchemaFromPublish.ts

@@ -1,4 +1,4 @@
-import { DBSchemaTable, MethodKey, TableInfo, TableSchemaForClient, getKeys, pickKeys } from "prostgles-types";
+import { DBSchemaTable, MethodKey, TableInfo, TableSchemaErrors, TableSchemaForClient, getKeys, pickKeys } from "prostgles-types";
 import { AuthResult, ExpressReq } from "../Auth/AuthTypes";
 import { getErrorAsObject, PRGLIOSocket } from "../DboBuilder/DboBuilder";
 import { PublishObject, PublishParser } from "./PublishParser"
@@ -13,8 +13,10 @@ type Args = ({
 }) & {
   userData: AuthResult | undefined;
 }
-export async function getSchemaFromPublish(this: PublishParser, { userData, ...clientReq }: Args): Promise<{ schema: TableSchemaForClient; tables: DBSchemaTable[] }> {
+
+export async function getSchemaFromPublish(this: PublishParser, { userData, ...clientReq }: Args): Promise<{ schema: TableSchemaForClient; tables: DBSchemaTable[]; tableSchemaErrors: TableSchemaErrors }> {
   const schema: TableSchemaForClient = {};
+  const tableSchemaErrors: TableSchemaErrors = {};
   let tables: DBSchemaTable[] = []
 
   try {
@@ -92,9 +94,8 @@ export async function getSchemaFromPublish(this: PublishParser, { userData, ...c
                     }
 
                   } catch (e) {
-                    tableSchema[method] = { 
-                      err: "Internal publish error. Check server logs"
-                    };
+                    tableSchemaErrors[tableName] ??= {};
+                    tableSchemaErrors[tableName]![method] = { error: "Internal publish error. Check server logs" };
 
                     throw {
                       ...getErrorAsObject(e),
@@ -137,5 +138,5 @@ export async function getSchemaFromPublish(this: PublishParser, { userData, ...c
   }
 
   tables = tables.sort((a, b) => a.name.localeCompare(b.name));
-  return { schema, tables };
+  return { schema, tables, tableSchemaErrors };
 }

package/lib/RestApi.ts

@@ -92,7 +92,7 @@ export class RestApi {
       const data = await runClientSqlRequest.bind(this.prostgles)({ type: "http", httpReq: req, query, args, options });
       res.json(data);
     } catch(rawError){ 
-      const error = getSerializedClientErrorFromPGError(rawError, { type: "sql" });
+      const error = getSerializedClientErrorFromPGError(rawError, { type: "sql", localParams: { httpReq: req } });
       res.status(400).json({ error });
     }
   }

package/lib/SyncReplication.ts

@@ -219,7 +219,7 @@ export async function syncData (this: PubSubManager, sync: SyncParams, clientDat
 
               updateData.push([syncSafeFilter, omitKeys(upd, id_fields)])
             }));
-            await tbl.updateBatch(updateData, { fixIssues: true }, table_rules);
+            await tbl.updateBatch(updateData, { fixIssues: true }, undefined, table_rules);
           } else {
             updates = [];
           }

package/lib/runClientRequest.ts

@@ -1,9 +1,13 @@
-import { AnyObject, TableHandler, UserLike, getKeys, pickKeys } from "prostgles-types";
+import { AnyObject, 
+  TableHandler, 
+  UserLike, getKeys, pickKeys } from "prostgles-types";
 import { ExpressReq } from "./Auth/AuthTypes";
 import { LocalParams, PRGLIOSocket } from "./DboBuilder/DboBuilder";
 import { parseFieldFilter } from "./DboBuilder/ViewHandler/parseFieldFilter";
 import { canRunSQL } from "./DboBuilder/runSQL";
 import { Prostgles } from "./Prostgles";
+import { TableHandler as TableHandlerServer } from "./DboBuilder/TableHandler/TableHandler";
+import { TableRule } from "./PublishParser/publishTypesAndUtils";
  
 type ReqInfo = {
   type: "socket";
@@ -19,6 +23,27 @@ type ReqInfoClient = {
 } | {
   httpReq: ExpressReq;
 }
+
+const TABLE_METHODS = {
+  find: 1, 
+  findOne: 1, 
+  count: 1, 
+  size: 1, 
+  update: 1,
+  updateBatch: 1, 
+  delete: 1, 
+  upsert: 1, 
+  insert: 1, 
+  subscribe: 1, 
+  subscribeOne: 1, 
+  getColumns: 1, 
+  getInfo: 1,
+  sync: 1,
+} as const satisfies Record<(keyof (TableHandler & Pick<TableHandlerServer, "sync">)), 1>;
+
+const TABLE_METHODS_KEYS = getKeys(TABLE_METHODS);
+const SOCKET_ONLY_COMMANDS = ["subscribe", "subscribeOne", "sync"] as const satisfies typeof TABLE_METHODS_KEYS;
+
 type Args = ReqInfo & {
   tableName: string; 
   command: string;
@@ -26,7 +51,6 @@ type Args = ReqInfo & {
   param2: any;
   param3: any;
 };
-const SOCKET_ONLY_COMMANDS = ["subscribe", "subscribeOne", "sync"];
 
 const getReqInfoClient = (reqInfo: ReqInfo): ReqInfoClient => {
   if(reqInfo.type === "socket"){
@@ -34,43 +58,57 @@ const getReqInfoClient = (reqInfo: ReqInfo): ReqInfoClient => {
   }
   return { httpReq: reqInfo.httpReq };
 }
+
+type TableMethodFunctionWithRulesAndLocalParams = ((arg1: any, arg2: any, arg3: any, tableRule: TableRule, localParams: LocalParams) => any);
+
 export const runClientRequest = async function(this: Prostgles, args: Args){
   /* Channel name will only include client-sent params so we ignore table_rules enforced params */
   if ((args.type === "socket" && !args.socket) || (args.type === "http" && !args.httpReq) || !this.authHandler || !this.publishParser || !this.dbo) {
     throw "socket/httpReq or authhandler missing";
   }
 
-  const { tableName, command, param1, param2, param3 } = args;
-
-  if(args.type !== "socket" && SOCKET_ONLY_COMMANDS.includes(command)){
+  const { tableName, command: nonValidatedCommand, param1, param2, param3 } = args;
+  if(!TABLE_METHODS_KEYS.some(v => v === nonValidatedCommand)){
+    throw `Invalid command: ${nonValidatedCommand}. Expecting one of: ${TABLE_METHODS_KEYS};`
+  }
+  const command = nonValidatedCommand as keyof TableHandler;
+  if(args.type !== "socket" && SOCKET_ONLY_COMMANDS.some(v => v === command)){
     throw "The following commands cannot be completed over a non-websocket connection: " + SOCKET_ONLY_COMMANDS;
   }
+
   const reqInfo = getReqInfoClient(args);
   const clientInfo = await this.authHandler.getClientInfo(args);
-  const valid_table_command_rules = await this.publishParser.getValidatedRequestRule({ tableName, command, localParams: reqInfo }, clientInfo);
-  if (valid_table_command_rules) {
-    const sessionUser: UserLike | undefined = !clientInfo?.user? undefined : {
-      ...parseFieldFilter(clientInfo.sessionFields ?? [] as any, false, Object.keys(clientInfo.user)),
-      ...pickKeys(clientInfo.user, ["id", "type"]) as UserLike,
-    }
-    const localParams: LocalParams = { ...reqInfo, isRemoteRequest: { user: sessionUser } }
-    if(param3 && (param3 as LocalParams).returnQuery){
-      const isAllowed = await canRunSQL(this, localParams);
-      if(isAllowed){
-        localParams.returnQuery = (param3 as LocalParams).returnQuery;
-      } else {
-        throw "Must be allowed to run sql to use returnQuery";
-      }
-    }
-    const tableHandler = this.dbo[tableName];
-    if(!tableHandler || !tableHandler.column_names) throw `Invalid tableName ${tableName} provided`;
-    const method = tableHandler[command as keyof TableHandler];
-    if(!method) throw `Invalid command ${command} provided`;
-    //@ts-ignore
-    return this.dbo[tableName][command](param1, param2, param3, valid_table_command_rules, localParams);
-  } else {
+  const validRules = await this.publishParser.getValidatedRequestRule({ tableName, command, localParams: reqInfo }, clientInfo);
+  if (!validRules) {
     throw `Invalid OR disallowed request: ${tableName}.${command} `;
   }
+
+  const sessionUser: UserLike | undefined = !clientInfo?.user? undefined : {
+    ...parseFieldFilter(clientInfo.sessionFields ?? [] as any, false, Object.keys(clientInfo.user)),
+    ...pickKeys(clientInfo.user, ["id", "type"]) as UserLike,
+  }
+  const localParams: LocalParams = { ...reqInfo, isRemoteRequest: { user: sessionUser } }
+  if(param3 && (param3 as LocalParams).returnQuery){
+    const isAllowed = await canRunSQL(this, localParams);
+    if(isAllowed){
+      localParams.returnQuery = (param3 as LocalParams).returnQuery;
+    } else {
+      throw "Must be allowed to run sql to use returnQuery";
+    }
+  }
+  const tableHandler = this.dbo[tableName];
+  if(!tableHandler || !tableHandler.column_names) throw `Invalid tableName ${tableName} provided`;
+
+  /**
+   * satisfies check is used to ensure rules arguments are correctly passed to each method
+   */
+  const tableCommand = tableHandler[command] satisfies undefined | TableMethodFunctionWithRulesAndLocalParams;
+  if(!tableCommand) throw `Invalid or disallowed command provided: ${command}`;
+  //TODO: why does this not work?
+  // const result = await (tableCommand as TableMethodFunctionWithRulesAndLocalParams)(param1, param2, param3, validRules, localParams);
+  // return result;
+  //@ts-ignore
+  return this.dbo[tableName][command](param1, param2, param3, validRules, localParams);
 }
 
 export const clientCanRunSqlRequest = async function(this: Prostgles, args: ReqInfo){

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "prostgles-server",
-  "version": "4.2.167",
+  "version": "4.2.169",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -54,7 +54,7 @@
     "pg": "^8.11.5",
     "pg-cursor": "^2.11.0",
     "pg-promise": "^11.9.1",
-    "prostgles-types": "^4.0.107"
+    "prostgles-types": "^4.0.109"
   },
   "devDependencies": {
     "@types/express": "^4.17.21",