supa-forge 0.1.1

package/examples/Only CLS/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "example-only-cls",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "generate": "vite-node src/index.ts --generate",
+    "apply": "vite-node src/index.ts --apply",
+    "temp:generate": "vite-node src/index.ts --temp --generate",
+    "temp:apply": "vite-node src/index.ts --temp --apply",
+    "migration:create": "vite-node src/index.ts migration:create",
+    "docgen": "vite-node src/index.ts --docgen",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "supaforge": "file:../.."
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typeorm": "^0.3.17",
+    "typescript": "^5.0.0",
+    "vite": "^5.0.0",
+    "vite-node": "^1.0.0",
+    "vitest": "0.34.6"
+  }
+}

package/examples/Only CLS/src/employee.test.ts

@@ -0,0 +1,109 @@
+import 'reflect-metadata';
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import 'dotenv/config';
+import { DataSource, QueryRunner } from 'supaforge/typeorm';
+import { runSupaforge, applyGeneratedMigrations, runAsRole } from 'supaforge';
+import { Employee } from './entities/Employee.entity';
+import * as path from 'path';
+import * as fs from 'fs';
+import { fileURLToPath } from 'url';
+import process from 'process';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+describe('Employee CLS Tests (RLS Off)', () => {
+  let dataSource: DataSource;
+  let queryRunner: QueryRunner;
+
+  const DB_CONFIG = {
+    host: process.env.DB_HOST || 'localhost',
+    port: Number(process.env.DB_PORT) || 5432,
+    user: process.env.DB_USER || 'postgres',
+    password: process.env.DB_PASSWORD || 'postgres',
+    database: process.env.DB_NAME || 'postgres',
+  };
+
+  const EMP_ID = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
+
+  beforeAll(async () => {
+    const migrationDir = path.join(process.cwd(), 'migrations');
+    if (fs.existsSync(migrationDir)) {
+      fs.rmSync(migrationDir, { recursive: true, force: true });
+    }
+
+    const options = {
+      dbConfig: DB_CONFIG,
+      entityPath: path.join(__dirname, 'entities'),
+      outputDir: migrationDir,
+      syncSchema: true,
+      migrationName: 'EmployeeInit',
+      rls: false,
+      cls: true
+    };
+
+    await runSupaforge(options);
+    await applyGeneratedMigrations(options);
+
+    dataSource = new DataSource({
+      type: 'postgres',
+      ...DB_CONFIG,
+      username: DB_CONFIG.user,
+      entities: [Employee],
+    });
+
+    await dataSource.initialize();
+    queryRunner = dataSource.createQueryRunner();
+    await queryRunner.connect();
+
+    await queryRunner.query('DELETE FROM employees');
+    await queryRunner.query("INSERT INTO employees (id, name, department, salary, private_phone) VALUES ($1, 'John Doe', 'Engineering', 5000, '+1-555-0199')", [EMP_ID]);
+  }, 45000);
+
+  afterAll(async () => {
+    if (queryRunner) await queryRunner.release();
+    if (dataSource) await dataSource.destroy();
+  });
+
+  it('Anon should see name and department but NOT salary', async () => {
+    const data = await runAsRole(queryRunner, 'anon', '00000000-0000-0000-0000-000000000000',
+      'SELECT id, name, department FROM employees'
+    );
+    expect(data).toHaveLength(1);
+    expect(data[0].name).toBe('John Doe');
+    expect(data[0].salary).toBeUndefined();
+
+    const operation = runAsRole(queryRunner, 'anon', '00000000-0000-0000-0000-000000000000',
+      'SELECT salary FROM employees'
+    );
+    await expect(operation).rejects.toThrow(/permission denied/);
+  });
+
+  it('Authenticated user should see name but NOT private_phone', async () => {
+    const data = await runAsRole(queryRunner, 'authenticated', '11111111-1111-1111-1111-111111111111',
+      'SELECT name FROM employees'
+    );
+    expect(data[0].name).toBe('John Doe');
+
+    const operation = runAsRole(queryRunner, 'authenticated', '11111111-1111-1111-1111-111111111111',
+      'SELECT private_phone FROM employees'
+    );
+    await expect(operation).rejects.toThrow(/permission denied/);
+  });
+
+  it('Admin should see EVERYTHING (salary and phone)', async () => {
+    const data = await runAsRole(queryRunner, 'admin', '22222222-2222-2222-2222-222222222222',
+      'SELECT name, salary, private_phone FROM employees'
+    );
+    expect(data).toHaveLength(1);
+    expect(data[0].salary).toBe('5000');
+    expect(data[0].private_phone).toBe('+1-555-0199');
+  });
+
+  it('Select * should fail for anon due to column zero-trust', async () => {
+    const operation = runAsRole(queryRunner, 'anon', '00000000-0000-0000-0000-000000000000',
+      'SELECT * FROM employees'
+    );
+    await expect(operation).rejects.toThrow(/permission denied/);
+  });
+});

package/examples/Only CLS/src/entities/Employee.entity.ts

@@ -0,0 +1,27 @@
+import 'reflect-metadata';
+import { Entity, PrimaryGeneratedColumn, Column } from 'supaforge/typeorm';
+import { security, cls } from 'supaforge';
+
+@Entity('employees')
+@security()
+export class Employee {
+  @PrimaryGeneratedColumn('uuid')
+  @cls({ anon: 'r', authenticated: 'r', admin: 'r' })
+  id!: string;
+
+  @Column({ type: 'text' })
+  @cls({ anon: 'r', authenticated: 'r', admin: 'r' })
+  name!: string;
+
+  @Column({ type: 'text' })
+  @cls({ anon: 'r', authenticated: 'r', admin: 'r' })
+  department!: string;
+
+  @Column({ type: 'numeric', nullable: true })
+  @cls({ admin: 'r' })
+  salary!: number;
+
+  @Column({ type: 'text', nullable: true })
+  @cls({ admin: 'r' })
+  private_phone!: string;
+}

package/examples/Only CLS/src/index.ts

@@ -0,0 +1,45 @@
+import 'reflect-metadata';
+import * as path from 'path';
+import 'dotenv/config';
+import { runSupaforge, applyGeneratedMigrations, extractCliOptions, RunnerOptions } from 'supaforge';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+async function main() {
+  const flags = process.argv;
+  const cliOptions = extractCliOptions(flags);
+
+  const options: RunnerOptions = {
+    ...cliOptions,
+    dbConfig: {
+      host: process.env.DB_HOST || 'localhost',
+      port: Number(process.env.DB_PORT) || 5432,
+      user: process.env.DB_USER || 'postgres',
+      password: process.env.DB_PASSWORD || 'postgres',
+      database: flags.includes('--temp') ? 'temp_cls' : (process.env.DB_NAME || 'postgres'),
+    },
+    entityPath: path.join(__dirname, 'entities'),
+    outputDir: path.join(process.cwd(), 'migrations'),
+    syncSchema: cliOptions.syncSchema || flags.includes('--temp'),
+    cls: true,
+    rls: false,
+  };
+
+  try {
+    if (flags.includes('--apply')) {
+      return await applyGeneratedMigrations(options);
+    }
+    if (flags.includes('--generate')) {
+      await runSupaforge(options);
+      console.log('CLS Migration generated.');
+      return;
+    }
+  } catch (error) {
+    console.error('\nError:', error);
+    process.exit(1);
+  }
+}
+
+main();

package/examples/Only CLS/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "noImplicitAny": true,
+    "outDir": "./dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*"]
+}

package/examples/Only CLS/vite.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from 'vitest/config.js';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+  },
+});