mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 19:41:09 +02:00
a9529bcf1b
Defense-in-depth on top of the existing application-level WHERE clauses:
- Migrate() now ENABLE + FORCE row level security on sync_changes and
installs a policy that gates rows on current_setting('app.current_user_id').
FORCE makes the policy apply to the table owner too, so the application
role used by mana-sync cannot bypass it regardless of grants.
- New withUser(ctx, userID, fn) helper opens a transaction and calls
set_config('app.current_user_id', userID, true) before running fn.
Empty userIDs are rejected up-front so an unauthenticated request can
never reach the database with an empty RLS scope (which would match
every row).
- RecordChange / GetChangesSince / GetAllChangesSince all run inside
withUser. WITH CHECK on the policy double-validates the user_id column
on insert against the active session, so a future code path that
forgets the WHERE clause cannot leak data.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
246 lines
7.8 KiB
Go
246 lines
7.8 KiB
Go
package store
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/jackc/pgx/v5"
|
|
"github.com/jackc/pgx/v5/pgxpool"
|
|
)
|
|
|
|
// Store handles all PostgreSQL operations for the sync server.
|
|
type Store struct {
|
|
pool *pgxpool.Pool
|
|
}
|
|
|
|
// New creates a new Store with a connection pool.
|
|
func New(ctx context.Context, databaseURL string) (*Store, error) {
|
|
pool, err := pgxpool.New(ctx, databaseURL)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create pool: %w", err)
|
|
}
|
|
|
|
if err := pool.Ping(ctx); err != nil {
|
|
return nil, fmt.Errorf("failed to ping database: %w", err)
|
|
}
|
|
|
|
return &Store{pool: pool}, nil
|
|
}
|
|
|
|
// Close shuts down the connection pool.
|
|
func (s *Store) Close() {
|
|
s.pool.Close()
|
|
}
|
|
|
|
// Migrate creates the sync_changes table and enables row-level security.
|
|
//
|
|
// Defense-in-depth: every query also passes WHERE user_id = $1, but RLS makes
|
|
// it impossible for a future query (or a query injection) to read or write
|
|
// across user boundaries. The policy reads `app.current_user_id` from the
|
|
// session config — store callers wrap their work in withUser() which sets it.
|
|
func (s *Store) Migrate(ctx context.Context) error {
|
|
query := `
|
|
CREATE TABLE IF NOT EXISTS sync_changes (
|
|
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
|
|
app_id TEXT NOT NULL,
|
|
table_name TEXT NOT NULL,
|
|
record_id TEXT NOT NULL,
|
|
user_id TEXT NOT NULL,
|
|
op TEXT NOT NULL CHECK (op IN ('insert', 'update', 'delete')),
|
|
data JSONB,
|
|
field_timestamps JSONB DEFAULT '{}',
|
|
client_id TEXT NOT NULL,
|
|
created_at TIMESTAMPTZ NOT NULL DEFAULT now()
|
|
);
|
|
|
|
CREATE INDEX IF NOT EXISTS idx_sync_changes_user_app
|
|
ON sync_changes (user_id, app_id, created_at);
|
|
|
|
CREATE INDEX IF NOT EXISTS idx_sync_changes_table_record
|
|
ON sync_changes (table_name, record_id, created_at);
|
|
|
|
CREATE INDEX IF NOT EXISTS idx_sync_changes_since
|
|
ON sync_changes (user_id, app_id, table_name, created_at);
|
|
|
|
ALTER TABLE sync_changes ENABLE ROW LEVEL SECURITY;
|
|
-- FORCE makes RLS apply even to the table owner so that the application
|
|
-- role used by mana-sync cannot bypass policies, regardless of grants.
|
|
ALTER TABLE sync_changes FORCE ROW LEVEL SECURITY;
|
|
|
|
DROP POLICY IF EXISTS sync_changes_user_isolation ON sync_changes;
|
|
CREATE POLICY sync_changes_user_isolation ON sync_changes
|
|
USING (user_id = current_setting('app.current_user_id', true))
|
|
WITH CHECK (user_id = current_setting('app.current_user_id', true));
|
|
`
|
|
|
|
_, err := s.pool.Exec(ctx, query)
|
|
return err
|
|
}
|
|
|
|
// withUser runs fn inside a transaction scoped to the given user_id.
|
|
// All RLS-protected reads and writes performed via the supplied tx will be
|
|
// confined to rows owned by userID. The session-local app.current_user_id
|
|
// setting is reset automatically when the transaction ends.
|
|
//
|
|
// Empty userIDs are rejected up-front so an unauthenticated request can never
|
|
// reach the database with an empty RLS scope (which would match every row).
|
|
func (s *Store) withUser(ctx context.Context, userID string, fn func(pgx.Tx) error) error {
|
|
if userID == "" {
|
|
return fmt.Errorf("withUser: empty userID")
|
|
}
|
|
|
|
tx, err := s.pool.BeginTx(ctx, pgx.TxOptions{})
|
|
if err != nil {
|
|
return fmt.Errorf("begin tx: %w", err)
|
|
}
|
|
defer func() { _ = tx.Rollback(ctx) }()
|
|
|
|
// set_config(name, value, is_local=true) is the parameterized form of
|
|
// SET LOCAL — SET LOCAL itself does not accept bind parameters.
|
|
if _, err := tx.Exec(ctx, "SELECT set_config('app.current_user_id', $1, true)", userID); err != nil {
|
|
return fmt.Errorf("set rls user: %w", err)
|
|
}
|
|
|
|
if err := fn(tx); err != nil {
|
|
return err
|
|
}
|
|
return tx.Commit(ctx)
|
|
}
|
|
|
|
// RecordChange stores a client change in the database. The insert is performed
|
|
// inside an RLS-scoped transaction so the user_id column is double-checked
|
|
// against the policy on the way in — a mismatched user_id would fail WITH CHECK.
|
|
func (s *Store) RecordChange(ctx context.Context, appID, tableName, recordID, userID, op, clientID string, data map[string]any, fieldTimestamps map[string]string) error {
|
|
dataJSON, err := json.Marshal(data)
|
|
if err != nil {
|
|
return fmt.Errorf("marshal data: %w", err)
|
|
}
|
|
|
|
ftJSON, err := json.Marshal(fieldTimestamps)
|
|
if err != nil {
|
|
return fmt.Errorf("marshal field_timestamps: %w", err)
|
|
}
|
|
|
|
return s.withUser(ctx, userID, func(tx pgx.Tx) error {
|
|
query := `
|
|
INSERT INTO sync_changes (app_id, table_name, record_id, user_id, op, data, field_timestamps, client_id)
|
|
VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
|
|
`
|
|
_, err := tx.Exec(ctx, query, appID, tableName, recordID, userID, op, dataJSON, ftJSON, clientID)
|
|
return err
|
|
})
|
|
}
|
|
|
|
// GetChangesSince returns changes for a user+app+table since a given timestamp,
|
|
// excluding changes from the requesting client (to avoid echo).
|
|
// The limit parameter controls maximum rows returned (caller should pass limit+1 to detect hasMore).
|
|
func (s *Store) GetChangesSince(ctx context.Context, userID, appID, tableName, since, excludeClientID string, limit int) ([]ChangeRow, error) {
|
|
sinceTime, err := time.Parse(time.RFC3339Nano, since)
|
|
if err != nil {
|
|
sinceTime = time.Unix(0, 0)
|
|
}
|
|
|
|
var changes []ChangeRow
|
|
err = s.withUser(ctx, userID, func(tx pgx.Tx) error {
|
|
query := `
|
|
SELECT id, table_name, record_id, op, data, field_timestamps, client_id, created_at
|
|
FROM sync_changes
|
|
WHERE user_id = $1 AND app_id = $2 AND table_name = $3
|
|
AND created_at > $4 AND client_id != $5
|
|
ORDER BY created_at ASC
|
|
LIMIT $6
|
|
`
|
|
rows, err := tx.Query(ctx, query, userID, appID, tableName, sinceTime, excludeClientID, limit)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer rows.Close()
|
|
|
|
for rows.Next() {
|
|
var c ChangeRow
|
|
var dataJSON, ftJSON []byte
|
|
|
|
if err := rows.Scan(&c.ID, &c.TableName, &c.RecordID, &c.Op, &dataJSON, &ftJSON, &c.ClientID, &c.CreatedAt); err != nil {
|
|
return err
|
|
}
|
|
|
|
if dataJSON != nil {
|
|
if err := json.Unmarshal(dataJSON, &c.Data); err != nil {
|
|
return fmt.Errorf("unmarshal data for record %s: %w", c.RecordID, err)
|
|
}
|
|
}
|
|
if ftJSON != nil {
|
|
if err := json.Unmarshal(ftJSON, &c.FieldTimestamps); err != nil {
|
|
return fmt.Errorf("unmarshal field_timestamps for record %s: %w", c.RecordID, err)
|
|
}
|
|
}
|
|
|
|
changes = append(changes, c)
|
|
}
|
|
return rows.Err()
|
|
})
|
|
return changes, err
|
|
}
|
|
|
|
// GetAllChangesSince returns changes across all tables for a user+app.
|
|
func (s *Store) GetAllChangesSince(ctx context.Context, userID, appID, since, excludeClientID string) ([]ChangeRow, error) {
|
|
sinceTime, err := time.Parse(time.RFC3339Nano, since)
|
|
if err != nil {
|
|
sinceTime = time.Unix(0, 0)
|
|
}
|
|
|
|
var changes []ChangeRow
|
|
err = s.withUser(ctx, userID, func(tx pgx.Tx) error {
|
|
query := `
|
|
SELECT id, table_name, record_id, op, data, field_timestamps, client_id, created_at
|
|
FROM sync_changes
|
|
WHERE user_id = $1 AND app_id = $2
|
|
AND created_at > $3 AND client_id != $4
|
|
ORDER BY created_at ASC
|
|
LIMIT 5000
|
|
`
|
|
rows, err := tx.Query(ctx, query, userID, appID, sinceTime, excludeClientID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer rows.Close()
|
|
|
|
for rows.Next() {
|
|
var c ChangeRow
|
|
var dataJSON, ftJSON []byte
|
|
|
|
if err := rows.Scan(&c.ID, &c.TableName, &c.RecordID, &c.Op, &dataJSON, &ftJSON, &c.ClientID, &c.CreatedAt); err != nil {
|
|
return err
|
|
}
|
|
|
|
if dataJSON != nil {
|
|
if err := json.Unmarshal(dataJSON, &c.Data); err != nil {
|
|
return fmt.Errorf("unmarshal data for record %s: %w", c.RecordID, err)
|
|
}
|
|
}
|
|
if ftJSON != nil {
|
|
if err := json.Unmarshal(ftJSON, &c.FieldTimestamps); err != nil {
|
|
return fmt.Errorf("unmarshal field_timestamps for record %s: %w", c.RecordID, err)
|
|
}
|
|
}
|
|
|
|
changes = append(changes, c)
|
|
}
|
|
return rows.Err()
|
|
})
|
|
return changes, err
|
|
}
|
|
|
|
// ChangeRow is a row from the sync_changes table.
|
|
type ChangeRow struct {
|
|
ID string
|
|
TableName string
|
|
RecordID string
|
|
Op string
|
|
Data map[string]any
|
|
FieldTimestamps map[string]string
|
|
ClientID string
|
|
CreatedAt time.Time
|
|
}
|