simplify

Author: pyramation

packages/rls-demo/__tests__/hello-world.test.ts

@@ -0,0 +1,83 @@
+import { getConnections, PgTestClient } from 'supabase-test';
+import { insertUser } from '../test-utils';
+
+let db: PgTestClient;
+let pg: PgTestClient;
+let teardown: () => Promise<void>;
+
+let user1: any;
+let user2: any;
+
+beforeAll(async () => {
+  ({ pg, db, teardown } = await getConnections());
+  user1 = await insertUser(pg, '[email protected]');
+  user2 = await insertUser(pg, '[email protected]');
+});
+
+afterAll(async () => {
+  await teardown();
+});
+
+beforeEach(async () => {
+  await db.beforeEach();
+});
+
+afterEach(async () => {
+  await db.afterEach();
+});
+
+describe('tutorial: basic rls crud operations', () => {
+  it('should allow user to create their own user record', async () => {
+    // set context to simulate authenticated user
+    db.setContext({
+      role: 'authenticated',
+      'request.jwt.claim.sub': user1.id
+    });
+
+    // user can create their own pet
+    const pet = await db.one(
+      `INSERT INTO rls_test.pets (name, breed, user_id) 
+       VALUES ($1, $2, $3) 
+       RETURNING id, name, breed, user_id`,
+      ['Fido', 'Labrador', user1.id]
+    );
+
+    expect(pet.name).toBe('Fido');
+    expect(pet.breed).toBe('Labrador');
+    expect(pet.user_id).toBe(user1.id);
+  });
+
+  it('should prevent user1 from updating user2\'s record', async () => {
+    // user2 creates a pet
+    db.setContext({
+      role: 'authenticated',
+      'request.jwt.claim.sub': user2.id
+    });
+
+    const pet = await db.one(
+      `INSERT INTO rls_test.pets (name, breed, user_id) 
+       VALUES ($1, $2, $3) 
+       RETURNING id, name, breed, user_id`,
+      ['Buddy', 'Golden Retriever', user2.id]
+    );
+
+    expect(pet.user_id).toBe(user2.id);
+
+    // user1 tries to update user2's pet - should throw
+    db.setContext({
+      role: 'authenticated',
+      'request.jwt.claim.sub': user1.id
+    });
+
+    await expect(
+      db.one(
+        `UPDATE rls_test.pets 
+         SET name = $1 
+         WHERE id = $2 
+         RETURNING id, name, breed, user_id`,
+        ['Hacked Name', pet.id]
+      )
+    ).rejects.toThrow();
+  });
+});
+

packages/rls-demo/deploy/rls-demo.sql

@@ -1,88 +1,59 @@
 -- Deploy: rls-demo to pg
 -- made with <3 @ launchql.com
 
-
 -- Create rls_test schema
 CREATE SCHEMA IF NOT EXISTS rls_test;
 
 -- Create users table
-CREATE TABLE IF NOT EXISTS rls_test.user_profiles (
+CREATE TABLE IF NOT EXISTS rls_test.pets (
     id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    email TEXT UNIQUE NOT NULL,
+    
+    -- owner_id is the user_id of the user who owns the pet
+    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+    
+    -- name is the name of the pet
     name TEXT NOT NULL,
-    created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
-    updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
-);
+    -- breed is the breed of the pet
+    breed TEXT NOT NULL,
 
--- Create products table with owner_id foreign key
-CREATE TABLE IF NOT EXISTS rls_test.products (
-    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-    name TEXT NOT NULL,
-    description TEXT,
-    price DECIMAL(10,2) NOT NULL,
-    owner_id UUID NOT NULL REFERENCES rls_test.user_profiles(id) ON DELETE CASCADE,
     created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
     updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
 );
 
 -- Enable RLS on both tables
-ALTER TABLE rls_test.user_profiles ENABLE ROW LEVEL SECURITY;
-ALTER TABLE rls_test.products ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rls_test.pets ENABLE ROW LEVEL SECURITY;
 
 -- Create RLS policies for users table
 -- Users can view their own data
-CREATE POLICY "Users can view own data" ON rls_test.user_profiles
-    FOR SELECT USING (auth.uid() = id);
+CREATE POLICY "Users can view own data" ON rls_test.pets
+    FOR SELECT USING (auth.uid() = user_id);
 
 -- Users can update their own data
-CREATE POLICY "Users can update own data" ON rls_test.user_profiles
-    FOR UPDATE USING (auth.uid() = id);
+CREATE POLICY "Users can update own data" ON rls_test.pets
+    FOR UPDATE USING (auth.uid() = user_id);
 
 -- Users can insert their own data
-CREATE POLICY "Users can insert own data" ON rls_test.user_profiles
-    FOR INSERT WITH CHECK (true);
+CREATE POLICY "Users can insert own data" ON rls_test.pets
+    FOR INSERT WITH CHECK (auth.uid() = user_id);
 
 -- Users can delete their own data
-CREATE POLICY "Users can delete own data" ON rls_test.user_profiles
-    FOR DELETE USING (auth.uid() = id);
-
--- Create RLS policies for products table
--- Users can view products they own
-CREATE POLICY "Users can view own products" ON rls_test.products
-    FOR SELECT USING (auth.uid() = owner_id);
-
--- Users can insert products they own
-CREATE POLICY "Users can insert own products" ON rls_test.products
-    FOR INSERT WITH CHECK (auth.uid() = owner_id);
-
--- Users can update products they own
-CREATE POLICY "Users can update own products" ON rls_test.products
-    FOR UPDATE USING (auth.uid() = owner_id);
-
--- Users can delete products they own
-CREATE POLICY "Users can delete own products" ON rls_test.products
-    FOR DELETE USING (auth.uid() = owner_id);
+CREATE POLICY "Users can delete own data" ON rls_test.pets
+    FOR DELETE USING (auth.uid() = user_id);
 
 -- Grant permissions to anon users
 GRANT USAGE ON SCHEMA rls_test TO anon;
-GRANT ALL ON rls_test.user_profiles TO anon;
-
--- dev (TODO: issue theres a chance we might want all anon to be not granted, but were protecting records)
-GRANT ALL ON rls_test.products TO anon;
+GRANT ALL ON rls_test.pets TO anon;
 
 -- Grant permissions to authenticated users
 GRANT USAGE ON SCHEMA rls_test TO authenticated;
-GRANT ALL ON rls_test.user_profiles TO authenticated;
-GRANT ALL ON rls_test.products TO authenticated;
+GRANT ALL ON rls_test.pets TO authenticated;
 
 -- Grant permissions to service role (for admin operations)
 GRANT USAGE ON SCHEMA rls_test TO service_role;
-GRANT ALL ON rls_test.user_profiles TO service_role;
-GRANT ALL ON rls_test.products TO service_role;
+GRANT ALL ON rls_test.pets TO service_role;
 
 -- Create indexes for better performance
-CREATE INDEX IF NOT EXISTS idx_products_owner_id ON rls_test.products(owner_id);
-CREATE INDEX IF NOT EXISTS idx_users_email ON rls_test.user_profiles(email);
+CREATE INDEX IF NOT EXISTS idx_users_user_id ON rls_test.pets(user_id);
 
 -- Create updated_at trigger function
 CREATE OR REPLACE FUNCTION rls_test.update_updated_at_column()
@@ -95,11 +66,6 @@ $$ LANGUAGE plpgsql;
 
 -- Create triggers for updated_at
 CREATE TRIGGER update_users_updated_at
-    BEFORE UPDATE ON rls_test.user_profiles
-    FOR EACH ROW
-    EXECUTE FUNCTION rls_test.update_updated_at_column();
-
-CREATE TRIGGER update_products_updated_at
-    BEFORE UPDATE ON rls_test.products
+    BEFORE UPDATE ON rls_test.pets
     FOR EACH ROW
-    EXECUTE FUNCTION rls_test.update_updated_at_column();
+    EXECUTE FUNCTION rls_test.update_updated_at_column();

packages/rls-demo/test-utils/index.ts

@@ -0,0 +1,36 @@
+import { PgTestClient } from "supabase-test";
+
+/**
+ * Helper function to insert a new user into auth.users
+ * @param client - The PgTestClient to use (pg or db)
+ * @param email - The user's email address
+ * @param options - Optional additional fields and return options
+ * @returns The inserted user object
+ */
+export async function insertUser(
+    client: PgTestClient,
+    email: string,
+    options?: {
+      id?: string;
+      returnFields?: string[];
+    }
+  ): Promise<{ id: string; email: string; [key: string]: any }> {
+    const returnFields = options?.returnFields || ['id', 'email'];
+    const fields = returnFields.join(', ');
+    
+    if (options?.id) {
+      return await client.one(
+        `INSERT INTO auth.users (id, email) 
+         VALUES ($1, $2) 
+         RETURNING ${fields}`,
+        [options.id, email]
+      );
+    } else {
+      return await client.one(
+        `INSERT INTO auth.users (id, email) 
+         VALUES (gen_random_uuid(), $1) 
+         RETURNING ${fields}`,
+        [email]
+      );
+    }
+  }