Merge pull request #12 from launchql/dev/ci-supabase-cli-fix

test fix 1

Author: Jovonni

.github/workflows/ci.yml

@@ -8,34 +8,20 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
-    container: pyramation/node-sqitch:20.12.0
     continue-on-error: true
     strategy:
       fail-fast: false
       matrix:
         package:
-          - supabase
           - rls-demo
+          - supabase
 
     env:
-      PGHOST: pg_db
-      PGPORT: 5432
+      PGHOST: 127.0.0.1
+      PGPORT: 54322
       PGUSER: supabase_admin
       PGPASSWORD: postgres
-
-    services:
-      pg_db:
-        image: public.ecr.aws/supabase/postgres:17.6.1.029
-        env:
-          POSTGRES_USER: supabase_admin
-          POSTGRES_PASSWORD: postgres
-        options: >-
-          --health-cmd pg_isready
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
-        ports:
-          - 5432:5432
+      DATABASE_URL: "postgresql://postgres:[email protected]:54322/postgres"
 
     steps:
       - name: Configure Git (for tests)
@@ -46,6 +32,38 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Setup Supabase CLI
+        uses: supabase/setup-cli@v1
+        with:
+          version: latest
+
+      - name: Initialize Supabase (if needed)
+        run: test -d supabase || supabase init
+
+      - name: Start Supabase stack
+        run: supabase start
+
+      - name: Show Supabase status
+        run: supabase status
+
+      - name: Install Postgres client
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y postgresql-client
+
+      - name: Wait for Postgres
+        run: |
+          for i in {1..60}; do
+            if pg_isready -h 127.0.0.1 -p 54322 -U postgres; then
+              exit 0
+            fi
+            sleep 2
+          done
+          echo "postgres not ready in time"
+          docker ps
+          supabase status
+          exit 1
+
       - name: Enable corepack and pnpm
         run: |
           corepack enable
@@ -57,7 +75,7 @@ jobs:
         run: pnpm install
 
       - name: Install LaunchQL CLI globally
-        run: npm install -g @launchql/[email protected].1
+        run: npm install -g @launchql/[email protected].3
 
       - name: Build
         run: pnpm -r build
@@ -67,9 +85,9 @@ jobs:
       #     lql admin-users bootstrap --yes
       #     lql admin-users add --test --yes
       #   env:
-      #     PGHOST: pg_db
-      #     PGPORT: 5432
-      #     PGUSER: supabase_admin
+      #     PGHOST: 127.0.0.1
+      #     PGPORT: 54322
+      #     PGUSER: postgres
       #     PGPASSWORD: postgres
 
       - name: Test ${{ matrix.package }}

docs/USAGE.md

@@ -0,0 +1,16 @@
+
+```
+npx supabase init
+npx supabase start
+```
+
+```
+pnpm install
+cd packages/base32
+export PGPORT=54322
+export PGHOST=localhost
+export PGUSER=postgres
+export PGPASSWORD=postgres
+
+pnpm test
+```

docs/img/logos.svg

@@ -29,7 +29,6 @@
     "@types/node": "^22.10.4",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "@typescript-eslint/parser": "^8.0.0",
-    "@launchql/logger": "^1.1.0",
     "copyfiles": "^2.4.1",
     "cpy-cli": "^6.0.0",
     "eslint-config-prettier": "^9.1.0",
@@ -39,7 +38,7 @@
     "jest-in-case": "^1.0.2",
     "jest": "^29.6.2",
     "lerna": "^8.2.3",
-    "pgsql-test": "^2.11.1",
+    "pgsql-test": "^2.11.5",
     "prettier": "^3.0.2",
     "rimraf": "4.4.1",
     "ts-jest": "^29.1.1",

package.json

@@ -12,6 +12,6 @@
     "test:watch": "jest --watch"
   },
   "devDependencies": {
-    "@launchql/cli": "^4.9.0"
+    "@launchql/cli": "^4.12.3"
   }
 }

packages/rls-demo/package.json

@@ -1,3 +1,4 @@
+// @ts-nocheck
 import { getConnections, PgTestClient } from 'pgsql-test';
 
 let pg: PgTestClient;
@@ -18,11 +19,12 @@ beforeAll(async () => {
   );
   expect(authSchemaExists[0].exists).toBe(true);
 
-  // grant access to auth schema for testing
-  // grant INSERT on auth.users to service_role so we can create test users
+  // minimal grants for tests
   await pg.any(
     `GRANT USAGE ON SCHEMA auth TO public;
-     GRANT INSERT ON TABLE auth.users TO service_role;
+     GRANT USAGE ON SCHEMA storage TO public;
+     GRANT SELECT ON TABLE auth.users TO service_role;
+     GRANT SELECT ON TABLE storage.buckets TO service_role;
      GRANT EXECUTE ON FUNCTION auth.uid() TO public;
      GRANT EXECUTE ON FUNCTION auth.role() TO public;`,
     []
@@ -45,52 +47,92 @@ describe('tutorial: rls with conditional policies', () => {
   it('should verify rls policies can use case statements', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user1 = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
        RETURNING id`,
       ['[email protected]']
     );
-    
+    // ensure auth.role() sees service_role via jwt claim
+    db.setContext({
+      role: 'service_role',
+      'request.jwt.claim.role': 'service_role'
+    });
+    // case over email and auth.role()
+    const rows = await db.any(
+      `SELECT 
+         CASE WHEN email LIKE '%@example.com' THEN 'example' ELSE 'other' END AS grp,
+         CASE WHEN auth.role() = 'service_role' THEN 'visible' ELSE 'hidden' END AS visibility
+       FROM auth.users 
+       WHERE id = $1`,
+      [user1.id]
+    );
+    expect(Array.isArray(rows)).toBe(true);
+    expect(rows.length).toBe(1);
+    expect(rows[0].grp).toBe('example');
+    expect(rows[0].visibility).toBe('visible');
   });
 
   it('should verify rls policies work with multiple conditions', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
        RETURNING id`,
       ['[email protected]']
     );
-    
-    
+    // ensure auth.role() sees service_role via jwt claim
+    db.setContext({
+      role: 'service_role',
+      'request.jwt.claim.role': 'service_role'
+    });
+    // and/or combinations with auth.role()
+    const rows = await db.any(
+      `SELECT id 
+       FROM auth.users 
+       WHERE (email = $1 AND (auth.role() = 'service_role' OR auth.role() = 'authenticated'))
+         AND id = $2`,
+      ['[email protected]', user.id]
+    );
+    expect(Array.isArray(rows)).toBe(true);
+    expect(rows.length).toBe(1);
+    expect(rows[0].id).toBe(user.id);
   });
 
   it('should verify rls policies work with or conditions', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
        RETURNING id`,
       ['[email protected]']
     );
-    
-    
+    const user2 = await pg.one(
+      `INSERT INTO auth.users (id, email) 
+       VALUES (gen_random_uuid(), $1) 
+       RETURNING id`,
+      ['[email protected]']
+    );
+
+    const rows = await db.any(
+      `SELECT COUNT(*)::integer AS count
+       FROM auth.users 
+       WHERE email = $1 OR email = $2`,
+      ['[email protected]', '[email protected]']
+    );
+    expect(Array.isArray(rows)).toBe(true);
+    expect(Number(rows[0].count)).toBe(2);
   });
 
   it('should verify rls policies work with subqueries', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user1 = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
@@ -105,53 +147,86 @@ describe('tutorial: rls with conditional policies', () => {
        RETURNING id`,
       ['[email protected]']
     );
-    
-    
+    // use a subquery to resolve ids by email
+    const viaSub = await db.any(
+      `SELECT u.id 
+       FROM auth.users u
+       WHERE u.id IN (SELECT id FROM auth.users WHERE email = $1)`,
+      ['[email protected]']
+    );
+    expect(viaSub.length).toBe(1);
+    expect(viaSub[0].id).toBe(user1.id);
+
+    // correlated exists
+    const existsRows = await db.any(
+      `SELECT u.id 
+       FROM auth.users u
+       WHERE EXISTS (
+         SELECT 1 FROM auth.users i WHERE i.id = u.id AND i.email = $1
+       )`,
+      ['[email protected]']
+    );
+    expect(existsRows.length).toBeGreaterThan(0);
+    const found = existsRows.find((r: any) => r.id === user2.id);
+    expect(Boolean(found)).toBe(true);
   });
 
   it('should verify rls policies work with related table checks', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
        RETURNING id`,
       ['[email protected]']
     );
-    
-    
+    // left join storage.buckets by fk owner -> auth.users(id)
+    const rows = await db.any(
+      `SELECT u.id, b.id AS bucket_id
+       FROM auth.users u
+       LEFT JOIN storage.buckets b ON b.owner = u.id
+       WHERE u.id = $1`,
+      [user.id]
+    );
+    expect(rows.length).toBe(1);
+    // no bucket yet, so join should be null
+    expect(rows[0].bucket_id === null || rows[0].bucket_id === undefined).toBe(true);
   });
 
   it('should verify rls policies work with null checks', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
-       RETURNING id`,
-      ['[email protected]']
+       RETURNING id, email`,
+      [null]
     );
-    
-    
+    const rows = await db.any(
+      `SELECT id FROM auth.users WHERE id = $1 AND email IS NULL`,
+      [user.id]
+    );
+    expect(rows.length).toBe(1);
   });
 
   it('should verify rls policies work with coalesce functions', async () => {
     db.setContext({ role: 'service_role' });
 
-    // using auth.users (real supabase table) instead of rls_test.users (fake test table)
-    // use pg for auth.users insert since it requires superuser privileges
+    // insert into auth.users using admin connection
     const user = await pg.one(
       `INSERT INTO auth.users (id, email) 
        VALUES (gen_random_uuid(), $1) 
        RETURNING id`,
-      ['[email protected]']
+      [null]
     );
-    
-    
+    const rows = await db.any(
+      `SELECT COALESCE(email, '') AS safe_email FROM auth.users WHERE id = $1`,
+      [user.id]
+    );
+    expect(rows.length).toBe(1);
+    expect(rows[0].safe_email).toBe('');
   });
 });