Merge pull request #227 from cipherstash/supabase-test-run-id

fix(test): isolate supabase tests with unique test run IDs

Author: tobyhede

local/postgres-entrypoint.sh

@@ -1,7 +1,7 @@
 import 'dotenv/config'
 import { protect } from '@cipherstash/protect'
 import { and, eq, inArray, sql } from 'drizzle-orm'
-import { integer, pgTable, timestamp } from 'drizzle-orm/pg-core'
+import { integer, pgTable, text, timestamp } from 'drizzle-orm/pg-core'
 import { drizzle } from 'drizzle-orm/postgres-js'
 import postgres from 'postgres'
 import { afterAll, beforeAll, describe, expect, it } from 'vitest'
@@ -53,6 +53,7 @@ const drizzleUsersTable = pgTable('protect-ci', {
     },
   ),
   createdAt: timestamp('created_at').defaultNow(),
+  testRunId: text('test_run_id'),
 })
 
 // Extract Protect.js schema from Drizzle table
@@ -61,6 +62,9 @@ const users = extractProtectSchema(drizzleUsersTable)
 // Hard code this as the CI database doesn't support order by on encrypted columns
 const SKIP_ORDER_BY_TEST = true
 
+// Unique identifier for this test run to isolate data from concurrent test runs
+const TEST_RUN_ID = `drizzle-test-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`
+
 // Test data interface for decrypted results
 interface DecryptedUser {
   id: number
@@ -148,9 +152,15 @@ beforeAll(async () => {
     throw new Error(`Encryption failed: ${encryptedUser.failure.message}`)
   }
 
+  // Add test_run_id to each record for test isolation
+  const dataWithTestRunId = encryptedUser.data.map((user) => ({
+    ...user,
+    testRunId: TEST_RUN_ID,
+  }))
+
   const insertedUsers = await db
     .insert(drizzleUsersTable)
-    .values(encryptedUser.data)
+    .values(dataWithTestRunId)
     .returning({
       id: drizzleUsersTable.id,
       email: drizzleUsersTable.email,
@@ -164,11 +174,10 @@ beforeAll(async () => {
 }, 60000)
 
 afterAll(async () => {
-  // Clean up test data using Drizzle
-  if (testData.length > 0) {
-    const ids = testData.map((d) => d.id)
-    await db.delete(drizzleUsersTable).where(inArray(drizzleUsersTable.id, ids))
-  }
+  // Clean up test data using test_run_id for reliable isolation
+  await db
+    .delete(drizzleUsersTable)
+    .where(eq(drizzleUsersTable.testRunId, TEST_RUN_ID))
 }, 30000)
 
 describe('Drizzle ORM Integration with Protect.js', () => {
@@ -185,7 +194,12 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
-      .where(await protectOps.eq(drizzleUsersTable.email, searchEmail))
+      .where(
+        and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
+          await protectOps.eq(drizzleUsersTable.email, searchEmail),
+        ),
+      )
 
     expect(results).toHaveLength(1)
 
@@ -212,7 +226,12 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
-      .where(await protectOps.ilike(drizzleUsersTable.email, searchText))
+      .where(
+        and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
+          await protectOps.ilike(drizzleUsersTable.email, searchText),
+        ),
+      )
 
     // Should find users with 'smith' in their email
     expect(results.length).toBeGreaterThan(0)
@@ -251,7 +270,12 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
-      .where(await protectOps.gte(drizzleUsersTable.age, minAge))
+      .where(
+        and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
+          await protectOps.gte(drizzleUsersTable.age, minAge),
+        ),
+      )
 
     // Should find users with age >= 28
     expect(results.length).toBeGreaterThan(0)
@@ -291,6 +315,7 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
+      .where(eq(drizzleUsersTable.testRunId, TEST_RUN_ID))
       .orderBy(protectOps.asc(drizzleUsersTable.age))
 
     const results = await a
@@ -336,6 +361,7 @@ describe('Drizzle ORM Integration with Protect.js', () => {
       .from(drizzleUsersTable)
       .where(
         await protectOps.and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
           protectOps.gte(drizzleUsersTable.age, minAge),
           protectOps.lte(drizzleUsersTable.age, maxAge),
           protectOps.ilike(drizzleUsersTable.email, searchText),
@@ -386,10 +412,13 @@ describe('Drizzle ORM Integration with Protect.js', () => {
       })
       .from(drizzleUsersTable)
       .where(
-        await protectOps.or(
-          protectOps.eq(drizzleUsersTable.email, targetEmails[0]),
-          protectOps.eq(drizzleUsersTable.email, targetEmails[1]),
-          eq(drizzleUsersTable.id, fallbackId),
+        await protectOps.and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
+          protectOps.or(
+            protectOps.eq(drizzleUsersTable.email, targetEmails[0]),
+            protectOps.eq(drizzleUsersTable.email, targetEmails[1]),
+            eq(drizzleUsersTable.id, fallbackId),
+          ),
         ),
       )
 
@@ -422,6 +451,7 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
+      .where(eq(drizzleUsersTable.testRunId, TEST_RUN_ID))
       .limit(1)
 
     if (!results[0]) {
@@ -457,7 +487,12 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
-      .where(await protectOps.inArray(drizzleUsersTable.email, searchEmails))
+      .where(
+        and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
+          await protectOps.inArray(drizzleUsersTable.email, searchEmails),
+        ),
+      )
 
     // Should find 2 users
     expect(results.length).toBe(2)
@@ -492,7 +527,12 @@ describe('Drizzle ORM Integration with Protect.js', () => {
         profile: drizzleUsersTable.profile,
       })
       .from(drizzleUsersTable)
-      .where(await protectOps.between(drizzleUsersTable.age, minAge, maxAge))
+      .where(
+        and(
+          eq(drizzleUsersTable.testRunId, TEST_RUN_ID),
+          await protectOps.between(drizzleUsersTable.age, minAge, maxAge),
+        ),
+      )
 
     // Should find users with age between 25 and 30
     expect(results.length).toBeGreaterThan(0)

packages/drizzle/__tests__/drizzle.test.ts

@@ -36,7 +36,7 @@ const columnConfigMap = new Map<
 
 /**
  * Creates an encrypted column type for Drizzle ORM with configurable searchable encryption options.
- * 
+ *
  * When data is encrypted, the actual stored value is an [EQL v2](/docs/reference/eql) encrypted composite type which includes any searchable encryption indexes defined for the column.
  * Importantly, the original data type is not known until it is decrypted. Therefore, this function allows specifying
  * the original data type via the `dataType` option in the configuration.
@@ -46,23 +46,23 @@ const columnConfigMap = new Map<
  * @param name - The column name in the database
  * @param config - Optional configuration for data type and searchable encryption indexes
  * @returns A Drizzle column type that can be used in pgTable definitions
- * 
+ *
  * ## Searchable Encryption Options
- * 
+ *
  * - `dataType`: Specifies the original data type of the column (e.g., 'string', 'number', 'json'). Default is 'string'.
  * - `freeTextSearch`: Enables free text search index. Can be a boolean for default options, or an object for custom configuration.
  * - `equality`: Enables equality index. Can be a boolean for default options, or an array of token filters.
  * - `orderAndRange`: Enables order and range index for sorting and range queries.
- * 
+ *
  * See {@link EncryptedColumnConfig}.
  *
  * @example
  * Defining a drizzle table schema for postgres table with encrypted columns.
- * 
+ *
  * ```typescript
  * import { pgTable, integer, timestamp } from 'drizzle-orm/pg-core'
  * import { encryptedType } from '@cipherstash/drizzle/pg'
- * 
+ *
  * const users = pgTable('users', {
  *   email: encryptedType('email', {
  *     freeTextSearch: true,

packages/drizzle/src/pg/index.ts

@@ -892,7 +892,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Equality operator - encrypts value for encrypted columns.
    * Requires either `equality` or `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users with a specific email address.
    * ```ts
@@ -905,7 +905,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Not equal operator - encrypts value for encrypted columns.
    * Requires either `equality` or `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users whose email address is not a specific value.
    * ```ts
@@ -918,7 +918,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Greater than operator for encrypted columns with ORE index.
    * Requires `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users older than a specific age.
    * ```ts
@@ -931,7 +931,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Greater than or equal operator for encrypted columns with ORE index.
    * Requires `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users older than or equal to a specific age.
    * ```ts
@@ -944,7 +944,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Less than operator for encrypted columns with ORE index.
    * Requires `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users younger than a specific age.
    * ```ts
@@ -957,7 +957,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Less than or equal operator for encrypted columns with ORE index.
    * Requires `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users younger than or equal to a specific age.
    * ```ts
@@ -966,11 +966,11 @@ export function createProtectOperators(protectClient: ProtectClient): {
    * ```
    */
   lte: (left: SQLWrapper, right: unknown) => Promise<SQL> | SQL
-  
+
   /**
    * Between operator for encrypted columns with ORE index.
    * Requires `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users within a specific age range.
    * ```ts
@@ -983,7 +983,7 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Not between operator for encrypted columns with ORE index.
    * Requires `orderAndRange` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * @example
    * Select users outside a specific age range.
    * ```ts
@@ -1000,28 +1000,28 @@ export function createProtectOperators(protectClient: ProtectClient): {
   /**
    * Like operator for encrypted columns with free text search.
    * Requires `freeTextSearch` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * > [!IMPORTANT]
    * > Case sensitivity on encrypted columns depends on the {@link EncryptedColumnConfig}.
    * > Ensure that the column is configured for case-insensitive search if needed.
-   * 
+   *
    * @example
    * Select users with email addresses matching a pattern.
    * ```ts
    * const condition = await protectOps.like(usersTable.email, '%@example.com')
    * const results = await db.select().from(usersTable).where(condition)
-   * ``` 
+   * ```
    */
   like: (left: SQLWrapper, right: unknown) => Promise<SQL> | SQL
 
   /**
    * ILike operator for encrypted columns with free text search.
    * Requires `freeTextSearch` to be set on {@link EncryptedColumnConfig}.
-   * 
+   *
    * > [!IMPORTANT]
    * > Case sensitivity on encrypted columns depends on the {@link EncryptedColumnConfig}.
    * > Ensure that the column is configured for case-insensitive search if needed.
-   * 
+   *
    * @example
    * Select users with email addresses matching a pattern (case-insensitive).
    * ```ts