supa-forge 0.1.1

package/examples/RBAC + CLS + RLS/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "example-full-security",
+  "version": "1.0.0",
+  "private": true,
+  "scripts": {
+    "generate": "vite-node src/index.ts --generate",
+    "apply": "vite-node src/index.ts --apply",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "supaforge": "file:../.."
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typeorm": "^0.3.17",
+    "typescript": "^5.0.0",
+    "vite": "^5.0.0",
+    "vite-node": "^1.0.0",
+    "vitest": "0.34.6"
+  }
+}

package/examples/RBAC + CLS + RLS/src/entities/Project.entity.ts

@@ -0,0 +1,47 @@
+import 'reflect-metadata';
+import { Entity, PrimaryGeneratedColumn, Column, ManyToOne, JoinColumn } from 'supaforge/typeorm';
+import { security, rls, cls, runSql } from 'supaforge';
+import { UserView } from './User.entity';
+
+@Entity('projects')
+@security()
+export class Project {
+  @PrimaryGeneratedColumn('uuid')
+  @cls({ admin: 'r', manager: 'r', employee: 'r' })
+  id!: string;
+
+  @Column({ type: 'text' })
+  @cls({ admin: 'r', manager: 'r', employee: 'r' })
+  name!: string;
+
+  @Column({ type: 'text' })
+  @cls({ admin: 'r', manager: 'r', employee: 'r' })
+  description!: string;
+
+  @Column({ type: 'numeric', nullable: true })
+  @cls({ admin: 'r', manager: 'r' })
+  budget!: number;
+
+  @Column({ type: 'uuid' })
+  @cls({ admin: 'r', manager: 'r', employee: 'r' })
+  manager_id!: string;
+
+  @ManyToOne(() => UserView)
+  @JoinColumn({ name: 'manager_id' })
+  manager?: UserView;
+
+  @rls('crud')
+  static adminAccess() {
+    return { role: 'admin', expression: 'true' };
+  }
+
+  @rls('crud')
+  static managerAccess() {
+    return { role: 'manager', expression: 'auth.uid()::text = manager_id::text' };
+  }
+
+  @rls('r')
+  static employeeAccess() {
+    return { role: 'employee', expression: 'true' };
+  }
+}

package/examples/RBAC + CLS + RLS/src/entities/User.entity.ts

@@ -0,0 +1,31 @@
+import { ViewEntity, ViewColumn } from 'supaforge/typeorm';
+
+@ViewEntity({
+  name: 'auth_users',
+  schema: 'public',
+  expression: `
+    SELECT
+      id,
+      email,
+      raw_user_meta_data,
+      created_at,
+      last_sign_in_at
+    FROM auth.users
+  `
+})
+export class UserView {
+  @ViewColumn()
+  id!: string;
+
+  @ViewColumn()
+  email!: string;
+
+  @ViewColumn()
+  raw_user_meta_data!: any;
+
+  @ViewColumn()
+  created_at!: Date;
+
+  @ViewColumn()
+  last_sign_in_at!: Date;
+}

package/examples/RBAC + CLS + RLS/src/entities/UserRole.entity.ts

@@ -0,0 +1,110 @@
+import { Entity, PrimaryGeneratedColumn, Column, OneToOne, JoinColumn } from 'supaforge/typeorm';
+import { security, rls, cls, runSql } from 'supaforge';
+import { UserView } from './User.entity';
+
+@Entity({ name: 'user_roles' })
+@security()
+export class UserRole {
+  @PrimaryGeneratedColumn('identity', { type: 'bigint' })
+  @cls({ admin: 'r' })
+  id!: string;
+
+  @Column('uuid', { name: 'user_id', nullable: false })
+  @cls({ admin: 'cru', manager: 'r', employee: 'r' })
+  user_id!: string;
+
+  @OneToOne('UserView')
+  @JoinColumn({ name: 'user_id' })
+  user?: UserView;
+
+  @Column('text')
+  @cls({ admin: 'cru' })
+  role!: string;
+
+  @rls('r')
+  static ownRole() {
+    return {
+      role: ['authenticated', 'admin', 'manager', 'employee'],
+      expression: '((select auth.uid()) = user_id)'
+    };
+  }
+
+  @rls('cru')
+  static adminControl() {
+    return {
+      role: 'admin',
+      expression: 'true'
+    };
+  }
+
+  @runSql()
+  static setupSyncTrigger() {
+    return `
+      CREATE OR REPLACE FUNCTION public.handle_auth_user_sync()
+      RETURNS TRIGGER AS $$
+      BEGIN
+        -- Default all new users to 'authenticated' which maps to 'employee' or base access.
+        -- In FullSecurity, roles are usually assigned manually by admins.
+        INSERT INTO public.user_roles (user_id, role)
+        VALUES (new.id, 'authenticated')
+        ON CONFLICT (user_id) DO NOTHING;
+        RETURN new;
+      END;
+      $$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = '';
+
+      DROP TRIGGER IF EXISTS on_auth_user_sync_user_roles ON auth.users;
+      CREATE TRIGGER on_auth_user_sync_user_roles
+        AFTER INSERT OR UPDATE ON auth.users
+        FOR EACH ROW EXECUTE PROCEDURE public.handle_auth_user_sync();
+    `;
+  }
+
+  @runSql()
+  static setupAuthHook() {
+    return `
+      CREATE OR REPLACE FUNCTION public.custom_access_token_hook(event jsonb)
+      RETURNS jsonb
+      LANGUAGE plpgsql
+      STABLE
+      SECURITY DEFINER
+      AS $$
+        DECLARE
+          claims jsonb;
+          user_roles_arr jsonb;
+          primary_role text;
+        BEGIN
+          -- Fetch roles from user_roles table
+          SELECT jsonb_agg(role) INTO user_roles_arr FROM public.user_roles WHERE user_id = (event->>'user_id')::uuid;
+          SELECT role INTO primary_role FROM public.user_roles WHERE user_id = (event->>'user_id')::uuid LIMIT 1;
+          claims := event->'claims';
+
+          IF user_roles_arr IS NOT NULL THEN
+            claims := jsonb_set(claims, '{user_roles}', user_roles_arr);
+            claims := jsonb_set(claims, '{user_role}', to_jsonb(primary_role));
+          ELSE
+            claims := jsonb_set(claims, '{user_roles}', '[]'::jsonb);
+            claims := jsonb_set(claims, '{user_role}', 'null');
+          END IF;
+          event := jsonb_set(event, '{claims}', claims);
+          RETURN event;
+        END;
+      $$;
+
+      GRANT USAGE ON SCHEMA public TO supabase_auth_admin;
+      GRANT EXECUTE ON FUNCTION public.custom_access_token_hook TO supabase_auth_admin;
+      REVOKE EXECUTE ON FUNCTION public.custom_access_token_hook FROM authenticated, anon, public;
+
+      GRANT SELECT ON TABLE public.user_roles TO supabase_auth_admin;
+
+      DO $$
+      BEGIN
+        IF EXISTS (SELECT 1 FROM pg_tables WHERE schemaname = 'public' AND tablename = 'user_roles') THEN
+          ALTER TABLE public.user_roles ENABLE ROW LEVEL SECURITY;
+          DROP POLICY IF EXISTS "Allow auth admin to read roles" ON public.user_roles;
+          CREATE POLICY "Allow auth admin to read roles" ON public.user_roles
+            AS PERMISSIVE FOR SELECT TO supabase_auth_admin USING (true);
+        END IF;
+      END $$;
+    `;
+  }
+}

package/examples/RBAC + CLS + RLS/src/index.ts

@@ -0,0 +1,42 @@
+import 'reflect-metadata';
+import * as path from 'path';
+import 'dotenv/config';
+import { runSupaforge, applyGeneratedMigrations, extractCliOptions, RunnerOptions } from 'supaforge';
+import { fileURLToPath } from 'url';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+async function main() {
+  const flags = process.argv;
+  const cliOptions = extractCliOptions(flags);
+
+  const options: RunnerOptions = {
+    ...cliOptions,
+    dbConfig: {
+      host: process.env.DB_HOST || 'localhost',
+      port: Number(process.env.DB_PORT) || 5432,
+      user: process.env.DB_USER || 'postgres',
+      password: process.env.DB_PASSWORD || 'postgres',
+      database: flags.includes('--temp') ? 'temp_full' : (process.env.DB_NAME || 'postgres'),
+    },
+    entityPath: path.join(__dirname, 'entities'),
+    outputDir: path.join(process.cwd(), 'migrations'),
+    syncSchema: cliOptions.syncSchema || flags.includes('--temp'),
+    cls: true,
+    rls: true,
+  };
+
+  try {
+    if (flags.includes('--apply')) {
+      return await applyGeneratedMigrations(options);
+    }
+    await runSupaforge(options);
+    console.log('Full Security Migration generated.');
+  } catch (error) {
+    console.error('\nError:', error);
+    process.exit(1);
+  }
+}
+
+main();

package/examples/RBAC + CLS + RLS/src/project.test.ts

@@ -0,0 +1,117 @@
+import 'reflect-metadata';
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import 'dotenv/config';
+import { DataSource, QueryRunner } from 'supaforge/typeorm';
+import { runSupaforge, applyGeneratedMigrations, runAsRole } from 'supaforge';
+import { Project } from './entities/Project.entity';
+import { UserView } from './entities/User.entity';
+import { UserRole } from './entities/UserRole.entity';
+import * as path from 'path';
+import * as fs from 'fs';
+import { fileURLToPath } from 'url';
+import process from 'process';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+describe('Full Security (RLS+CLS+RBAC) Tests', () => {
+  let dataSource: DataSource;
+  let queryRunner: QueryRunner;
+
+  const DB_CONFIG = {
+    host: process.env.DB_HOST || 'localhost',
+    port: Number(process.env.DB_PORT) || 5432,
+    user: process.env.DB_USER || 'postgres',
+    password: process.env.DB_PASSWORD || 'postgres',
+    database: process.env.DB_NAME || 'postgres',
+  };
+
+  const USER_MANAGER_A = '10000000-0000-0000-0000-000000000001';
+  const USER_MANAGER_B = '20000000-0000-0000-0000-000000000002';
+  const USER_EMPLOYEE = '30000000-0000-0000-0000-000000000003';
+  const AT_A = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
+  const AT_B = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';
+
+  beforeAll(async () => {
+    const migrationDir = path.join(process.cwd(), 'migrations');
+    if (fs.existsSync(migrationDir)) {
+      fs.rmSync(migrationDir, { recursive: true, force: true });
+    }
+
+    const options = {
+      dbConfig: DB_CONFIG,
+      entityPath: path.join(__dirname, 'entities'),
+      outputDir: migrationDir,
+      syncSchema: true,
+      migrationName: 'FullSecurityInit',
+      rls: true,
+      cls: true
+    };
+
+    await runSupaforge(options);
+    await applyGeneratedMigrations(options);
+
+    dataSource = new DataSource({
+      type: 'postgres',
+      ...DB_CONFIG,
+      username: DB_CONFIG.user,
+      entities: [Project, UserView, UserRole],
+    });
+
+    await dataSource.initialize();
+    queryRunner = dataSource.createQueryRunner();
+    await queryRunner.connect();
+
+    await queryRunner.query('DROP TRIGGER IF EXISTS on_auth_user_sync_user_roles ON auth.users');
+    await queryRunner.query('DROP FUNCTION IF EXISTS public.handle_auth_user_sync() CASCADE');
+    await queryRunner.query('DELETE FROM projects');
+    await queryRunner.query('DELETE FROM auth.users CASCADE');
+    await queryRunner.query("INSERT INTO auth.users (id, email) VALUES ($1, 'managerA@example.com'), ($2, 'managerB@example.com'), ($3, 'employee@example.com')", [USER_MANAGER_A, USER_MANAGER_B, USER_EMPLOYEE]);
+
+    await queryRunner.query("INSERT INTO projects (id, name, description, budget, manager_id) VALUES ($1, 'Space Mission', 'Very expensive project', 1000000, $2)", [AT_A, USER_MANAGER_A]);
+    await queryRunner.query("INSERT INTO projects (id, name, description, budget, manager_id) VALUES ($1, 'Office Renovation', 'Paint the walls', 500, $2)", [AT_B, USER_MANAGER_B]);
+  }, 45000);
+
+  afterAll(async () => {
+    if (queryRunner) await queryRunner.release();
+    if (dataSource) await dataSource.destroy();
+  });
+
+  it('Admin should see all rows and budget', async () => {
+    const results = await runAsRole(queryRunner, 'admin', 'admin-id',
+      'SELECT name, budget FROM projects'
+    );
+    expect(results).toHaveLength(2);
+    expect(results.some(r => r.name === 'Space Mission' && r.budget === '1000000')).toBe(true);
+  });
+
+  it('Manager A should ONLY see Space Mission and its budget', async () => {
+    const results = await runAsRole(queryRunner, 'manager', USER_MANAGER_A,
+      'SELECT name, budget FROM projects'
+    );
+    expect(results).toHaveLength(1);
+    expect(results[0].name).toBe('Space Mission');
+    expect(results[0].budget).toBe('1000000');
+  });
+
+  it('Manager B should ONLY see Office Renovation and its budget', async () => {
+    const results = await runAsRole(queryRunner, 'manager', USER_MANAGER_B,
+      'SELECT name, budget FROM projects'
+    );
+    expect(results).toHaveLength(1);
+    expect(results[0].name).toBe('Office Renovation');
+    expect(results[0].budget).toBe('500');
+  });
+
+  it('Employee should see all projects but NOT budget (CLS)', async () => {
+    const results = await runAsRole(queryRunner, 'employee', USER_EMPLOYEE,
+      'SELECT name, description FROM projects'
+    );
+    expect(results).toHaveLength(2);
+
+    const operation = runAsRole(queryRunner, 'employee', USER_EMPLOYEE,
+      'SELECT budget FROM projects'
+    );
+    await expect(operation).rejects.toThrow(/permission denied/);
+  });
+});

package/examples/RBAC + CLS + RLS/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ESNext",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "strict": true,
+    "esModuleInterop": true,
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "noImplicitAny": true,
+    "outDir": "./dist",
+    "types": ["node"]
+  },
+  "include": ["src/**/*"]
+}

package/examples/RBAC + CLS + RLS/vite.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+  },
+});