|
| 1 | +import { getConnections, PgTestClient } from 'pgsql-test'; |
| 2 | + |
| 3 | +let pg: PgTestClient; |
| 4 | +let db: PgTestClient; |
| 5 | +let teardown: () => Promise<void>; |
| 6 | + |
| 7 | +let tableExists = false; |
| 8 | + |
| 9 | +beforeAll(async () => { |
| 10 | + ({ pg, db, teardown } = await getConnections()); |
| 11 | + |
| 12 | + // verify _realtime schema exists (optional schema) |
| 13 | + const realtimeSchemaExists = await pg.any( |
| 14 | + `SELECT EXISTS ( |
| 15 | + SELECT FROM information_schema.schemata |
| 16 | + WHERE schema_name = '_realtime' |
| 17 | + ) as exists` |
| 18 | + ); |
| 19 | + |
| 20 | + if (realtimeSchemaExists[0]?.exists === true) { |
| 21 | + // grant access to _realtime schema for testing |
| 22 | + await pg.any( |
| 23 | + `GRANT USAGE ON SCHEMA _realtime TO public; |
| 24 | + GRANT SELECT ON ALL TABLES IN SCHEMA _realtime TO service_role; |
| 25 | + GRANT SELECT ON ALL TABLES IN SCHEMA _realtime TO authenticated; |
| 26 | + GRANT SELECT ON ALL TABLES IN SCHEMA _realtime TO anon; |
| 27 | + ALTER DEFAULT PRIVILEGES IN SCHEMA _realtime GRANT SELECT ON TABLES TO service_role; |
| 28 | + ALTER DEFAULT PRIVILEGES IN SCHEMA _realtime GRANT SELECT ON TABLES TO authenticated; |
| 29 | + ALTER DEFAULT PRIVILEGES IN SCHEMA _realtime GRANT SELECT ON TABLES TO anon;`, |
| 30 | + [] |
| 31 | + ); |
| 32 | + |
| 33 | + // check if _realtime.schema_migrations table exists (using pg in beforeAll only) |
| 34 | + const exists = await pg.any( |
| 35 | + `SELECT EXISTS ( |
| 36 | + SELECT FROM information_schema.tables |
| 37 | + WHERE table_schema = '_realtime' AND table_name = 'schema_migrations' |
| 38 | + ) as exists` |
| 39 | + ); |
| 40 | + tableExists = exists[0]?.exists === true; |
| 41 | + } |
| 42 | +}); |
| 43 | + |
| 44 | +afterAll(async () => { |
| 45 | + await teardown(); |
| 46 | +}); |
| 47 | + |
| 48 | +beforeEach(async () => { |
| 49 | + await db.beforeEach(); |
| 50 | +}); |
| 51 | + |
| 52 | +afterEach(async () => { |
| 53 | + await db.afterEach(); |
| 54 | +}); |
| 55 | + |
| 56 | +describe('tutorial: _realtime schema_migrations table access', () => { |
| 57 | + |
| 58 | + it('should verify schema_migrations table exists', async () => { |
| 59 | + db.setContext({ role: 'service_role' }); |
| 60 | + |
| 61 | + // verify table exists in information schema |
| 62 | + const exists = await db.any( |
| 63 | + `SELECT EXISTS ( |
| 64 | + SELECT FROM information_schema.tables |
| 65 | + WHERE table_schema = '_realtime' AND table_name = 'schema_migrations' |
| 66 | + ) as exists` |
| 67 | + ); |
| 68 | + |
| 69 | + expect(Array.isArray(exists)).toBe(true); |
| 70 | + if (exists[0]?.exists === false) { |
| 71 | + expect(exists[0].exists).toBe(false); |
| 72 | + return; |
| 73 | + } |
| 74 | + expect(exists[0].exists).toBe(true); |
| 75 | + }); |
| 76 | + |
| 77 | + it('should verify service_role can read migration records', async () => { |
| 78 | + if (!tableExists) { |
| 79 | + return; |
| 80 | + } |
| 81 | + |
| 82 | + db.setContext({ role: 'service_role' }); |
| 83 | + |
| 84 | + // service_role should be able to query schema_migrations |
| 85 | + const migrations = await db.any( |
| 86 | + `SELECT * FROM _realtime.schema_migrations` |
| 87 | + ); |
| 88 | + |
| 89 | + expect(Array.isArray(migrations)).toBe(true); |
| 90 | + }); |
| 91 | + |
| 92 | + it('should verify table has version column', async () => { |
| 93 | + if (!tableExists) { |
| 94 | + return; |
| 95 | + } |
| 96 | + |
| 97 | + db.setContext({ role: 'service_role' }); |
| 98 | + |
| 99 | + // check for version column in schema_migrations table |
| 100 | + const columns = await db.any( |
| 101 | + `SELECT column_name, data_type |
| 102 | + FROM information_schema.columns |
| 103 | + WHERE table_schema = '_realtime' AND table_name = 'schema_migrations' |
| 104 | + AND column_name = 'version'` |
| 105 | + ); |
| 106 | + |
| 107 | + expect(Array.isArray(columns)).toBe(true); |
| 108 | + if (columns.length > 0) { |
| 109 | + expect(columns[0].column_name).toBe('version'); |
| 110 | + } |
| 111 | + }); |
| 112 | + |
| 113 | + it('should prevent authenticated users from accessing schema_migrations without proper permissions', async () => { |
| 114 | + if (!tableExists) { |
| 115 | + return; |
| 116 | + } |
| 117 | + |
| 118 | + // create a test user as admin using db with service_role context |
| 119 | + // using auth.users (real supabase table) instead of rls_test.users (fake test table) |
| 120 | + db.setContext({ role: 'service_role' }); |
| 121 | + const user = await db.one( |
| 122 | + `INSERT INTO auth.users (id, email) |
| 123 | + VALUES (gen_random_uuid(), $1) |
| 124 | + RETURNING id`, |
| 125 | + |
| 126 | + ); |
| 127 | + |
| 128 | + // set context to simulate authenticated user |
| 129 | + db.setContext({ |
| 130 | + role: 'authenticated', |
| 131 | + 'request.jwt.claim.sub': user.id |
| 132 | + }); |
| 133 | + |
| 134 | + // authenticated users should not be able to access schema_migrations (rls blocks) |
| 135 | + const result = await db.any( |
| 136 | + `SELECT * FROM _realtime.schema_migrations LIMIT 1` |
| 137 | + ); |
| 138 | + |
| 139 | + // rls should block access, result should be empty |
| 140 | + expect(result.length).toBe(0); |
| 141 | + }); |
| 142 | + |
| 143 | + it('should prevent anon from reading migrations', async () => { |
| 144 | + if (!tableExists) { |
| 145 | + return; |
| 146 | + } |
| 147 | + |
| 148 | + // clear context to anon role |
| 149 | + db.clearContext(); |
| 150 | + |
| 151 | + // anon should not be able to access schema_migrations (rls blocks) |
| 152 | + const result = await db.any( |
| 153 | + `SELECT * FROM _realtime.schema_migrations LIMIT 1` |
| 154 | + ); |
| 155 | + |
| 156 | + // rls should block access, result should be empty |
| 157 | + expect(result.length).toBe(0); |
| 158 | + }); |
| 159 | +}); |
| 160 | + |
0 commit comments