till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 23:01:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/services/mana-sync/internal
History
Till JS a9529bcf1b fix(mana-sync): enable row-level security on sync_changes 
Defense-in-depth on top of the existing application-level WHERE clauses:

- Migrate() now ENABLE + FORCE row level security on sync_changes and
  installs a policy that gates rows on current_setting('app.current_user_id').
  FORCE makes the policy apply to the table owner too, so the application
  role used by mana-sync cannot bypass it regardless of grants.
- New withUser(ctx, userID, fn) helper opens a transaction and calls
  set_config('app.current_user_id', userID, true) before running fn.
  Empty userIDs are rejected up-front so an unauthenticated request can
  never reach the database with an empty RLS scope (which would match
  every row).
- RecordChange / GetChangesSince / GetAllChangesSince all run inside
  withUser. WITH CHECK on the policy double-validates the user_id column
  on insert against the active session, so a future code path that
  forgets the WHERE clause cannot leak data.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 13:07:26 +02:00
..
auth feat: rename ManaCore to Mana across entire codebase 2026-04-05 20:00:13 +02:00
config feat: rename ManaCore to Mana across entire codebase 2026-04-05 20:00:13 +02:00
store fix(mana-sync): enable row-level security on sync_changes 2026-04-07 13:07:26 +02:00
sync feat: rename ManaCore to Mana across entire codebase 2026-04-05 20:00:13 +02:00
ws feat: rename ManaCore to Mana across entire codebase 2026-04-05 20:00:13 +02:00