feat(gates/postgres): withPostgres and withPostgresAdmin#75
Draft
tomaspozo wants to merge 3 commits into
Draft
Conversation
RLS-scoped (ctx.postgres) and RLS-bypassing (ctx.postgresAdmin) pg clients, exposed at the ./gates/postgres subpath. Node/Deno-only; the pg import is confined to this module so the package root stays edge-safe. Each operation owns its connection lifecycle (self-contained short transactions), so no after-handler cleanup hook is required. The user client's connection role is clamped to authenticated/anon and never service_role.
Integration suite self-skips unless SUPABASE_DB_URL is set. Covers RLS-scoped reads, multi-statement tx commit/rollback, admin RLS-bypass, anon role for null claims, a connection-leak baseline, and a compile-fail assertion that withPostgres requires an upstream jwtClaims.
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a
postgresgate pair at the@supabase/server/gates/postgressubpath — direct Postgres access from a handler while keeping Supabase's auth model.What's added
withPostgres→ctx.postgres: RLS-scopedpgclient. Each operation runs as the caller's JWT (claims + connection role pinned to a single transaction, PostgREST-style), soauth.uid()and RLS policies behave exactly as through PostgREST. Requires upstreamjwtClaims(composing it outsidewithSupabaseis a compile-time error).withPostgresAdmin→ctx.postgresAdmin: RLS-bypassing client. No prerequisites.query(text, params?)(its own auth-scoped transaction) andtx(fn)(multi-statement atomicity). No implicit request-wide transaction; every operation is a self-contained short transaction, so no after-handler cleanup hook is needed.Notes for review
pg(node-postgres) → the subpath is Node/Deno-only, not Workers/edge. Thepgimport is confined to this module; verified the package root never pullspginto its bundle.pgadded todependencies,@types/pgtodevDependencies.authenticated/anonand can never be flipped toservice_roleby a token claim — RLS bypass is exclusivelywithPostgresAdmin's job.Testing
index.test.ts) self-skips unlessSUPABASE_DB_URLis set; the@ts-expect-errorcompile-fail assertion runs in CI via typecheck regardless. Validated against a real Postgres 16 container: RLS scoping, cross-user isolation, tx commit/rollback, admin RLS-bypass, anon role for null claims, connection-leak baseline.pnpm typecheck,lint,test, and the JSR slow-type check are clean (gate exports carry explicitGate<…>annotations).Stacks on
FUNC-577/gates-core.🤖 Generated with Claude Code