feat(rls): move ackify_app role creation from init script to migrate tool

BREAKING CHANGE: ACKIFY_APP_PASSWORD environment variable is now required for RLS support. The migrate tool creates the ackify_app role before running migrations, ensuring compatibility with existing deployments.

Changes:
- Add ensureAppRole() in cmd/migrate to create/update ackify_app role
- Remove docker/init-scripts/01-create-app-user.sh (no longer needed)
- Update compose.yml: add ACKIFY_APP_PASSWORD, backend connects as ackify_app
- Update migration 0016: remove conditional role creation
- Add RLS documentation (docs/en/configuration/rls.md, docs/fr/configuration/rls.md)
- Update configuration docs with RLS section and security checklist

Migration path for existing deployments:
1. Set ACKIFY_APP_PASSWORD in .env
2. Run docker compose up (migrate will create the role automatically)

Author: btouchard

.dockerignore

@@ -53,6 +53,7 @@ install/
 client_secret*.json
 
 # Node.js (if any frontend assets)
+**/node_modules/
 node_modules/
 npm-debug.log
 yarn-error.log

.env.example

@@ -5,10 +5,8 @@ ACKIFY_LOG_LEVEL=info
 ACKIFY_LOG_FORMAT=classic
 
 # Database Configuration
-POSTGRES_USER=ackifyr
 POSTGRES_PASSWORD=your_secure_password
-POSTGRES_DB=ackify
-ACKIFY_DB_DSN=postgres://ackifyr:your_secure_password@localhost:5432/ackify?sslmode=disable
+ACKIFY_APP_PASSWORD=ackify_app_password
 
 # ============================================================================
 # Authentication Configuration

CHANGELOG.md

@@ -5,6 +5,48 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.8] - 2025-12-15
+
+### 🔐 Multi-Tenant Security & Row Level Security
+
+Version majeure de sécurité introduisant l'isolation des données par tenant avec PostgreSQL Row Level Security (RLS).
+
+### Added
+
+- **Row Level Security (RLS)**
+  - Isolation des données au niveau PostgreSQL avec politiques RLS
+  - Protection de 11 tables : documents, signatures, expected_signers, webhooks, reminder_logs, email_queue, checksum_verifications, webhook_deliveries, oauth_sessions, magic_link_tokens, magic_link_auth_attempts
+  - Fonction `current_tenant_id()` pour récupérer le tenant de la session
+  - `FORCE ROW LEVEL SECURITY` pour appliquer les politiques même aux propriétaires des tables
+  - Comportement sécurisé par défaut : aucune donnée accessible si tenant non défini
+
+- **Support Multi-Tenant**
+  - Nouvelle table `instance_metadata` stockant l'UUID unique du tenant
+  - Colonne `tenant_id` (UUID) ajoutée à toutes les tables métier et d'authentification
+  - Index optimisés sur `tenant_id` pour des performances optimales
+  - Triggers d'immutabilité empêchant la modification du `tenant_id` après création
+  - Backfill automatique des données existantes avec le tenant de l'instance
+
+- **Gestion du Rôle Applicatif**
+  - Création automatique du rôle `ackify_app` par l'outil de migration
+  - Séparation des privilèges (rôle applicatif vs rôle superuser)
+  - Variable d'environnement `ACKIFY_APP_PASSWORD` pour définir le mot de passe du rôle
+  - Privilèges par défaut configurés pour les futures tables
+
+### Technical Details
+
+**Nouvelles migrations :**
+- `0015_add_tenant_support.{up,down}.sql` - Support multi-tenant
+- `0016_add_rls_policies.{up,down}.sql` - Politiques RLS
+
+**Fichiers modifiés :**
+- `backend/cmd/migrate/main.go` - Création du rôle `ackify_app`
+
+**Sécurité :**
+- Les politiques RLS utilisent `USING` et `WITH CHECK` pour filtrer lectures et écritures
+- Les tokens magic link acceptent `tenant_id IS NULL` pour les requêtes de login
+- Les sessions OAuth sont isolées par tenant après authentification
+
 ## [1.2.6] - 2025-12-08
 
 ### 🏗️ Architecture & CI/CD
@@ -569,6 +611,7 @@ For users upgrading from v1.1.x to v1.2.0:
 - NULL UserName handling in database operations
 - Proper string conversion for UserName field
 
+[1.2.8]: https://github.com/btouchard/ackify-ce/compare/v1.2.6...v1.2.8
 [1.2.6]: https://github.com/btouchard/ackify-ce/compare/v1.2.5...v1.2.6
 [1.2.5]: https://github.com/btouchard/ackify-ce/compare/v1.2.4...v1.2.5
 [1.2.4]: https://github.com/btouchard/ackify-ce/compare/v1.2.3...v1.2.4

backend/cmd/migrate/main.go

@@ -1,13 +1,13 @@
 package main
 
 import (
+	"database/sql"
 	"errors"
 	"flag"
 	"fmt"
 	"log"
 	"os"
-
-	"database/sql"
+	"strings"
 
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/postgres"
@@ -52,6 +52,11 @@ func main() {
 
 	switch command {
 	case "up":
+		// Ensure ackify_app role exists before running migrations (for RLS support)
+		if err := ensureAppRole(db); err != nil {
+			log.Fatal("Failed to ensure ackify_app role:", err)
+		}
+
 		err = m.Up()
 		if err != nil && !errors.Is(err, migrate.ErrNoChange) {
 			log.Fatal("Migration up failed:", err)
@@ -128,10 +133,86 @@ func printUsage() {
 	fmt.Println("  -db-dsn string         Database DSN (or DB_DSN env var)")
 	fmt.Println("  -migrations-path string Path to migrations (default: file://migrations)")
 	fmt.Println()
+	fmt.Println("Environment:")
+	fmt.Println("  ACKIFY_APP_PASSWORD    Password for the ackify_app role (required for RLS)")
+	fmt.Println()
 	fmt.Println("Examples:")
 	fmt.Println("  migrate up")
 	fmt.Println("  migrate down 2")
 	fmt.Println("  migrate goto 5")
 	fmt.Println("  migrate force 1        # For existing DB with only signatures table")
 	fmt.Println("  migrate version")
 }
+
+// ensureAppRole creates or updates the ackify_app role used for RLS.
+// The password is read from ACKIFY_APP_PASSWORD environment variable.
+// If not set, the function logs a warning and continues (for backward compatibility).
+// If set, the role is created (or password updated) before migrations run.
+func ensureAppRole(db *sql.DB) error {
+	password := strings.TrimSpace(os.Getenv("ACKIFY_APP_PASSWORD"))
+	if password == "" {
+		log.Println("WARNING: ACKIFY_APP_PASSWORD not set. ackify_app role will not be created.")
+		log.Println("         RLS migrations will fail if the role doesn't exist.")
+		log.Println("         Set ACKIFY_APP_PASSWORD to enable RLS support.")
+		return nil
+	}
+
+	// Check if role exists
+	var exists bool
+	err := db.QueryRow("SELECT EXISTS(SELECT 1 FROM pg_roles WHERE rolname = 'ackify_app')").Scan(&exists)
+	if err != nil {
+		return fmt.Errorf("failed to check if ackify_app role exists: %w", err)
+	}
+
+	if exists {
+		// Update password to ensure it matches environment
+		_, err = db.Exec(fmt.Sprintf("ALTER ROLE ackify_app WITH PASSWORD '%s'", escapePassword(password)))
+		if err != nil {
+			return fmt.Errorf("failed to update ackify_app password: %w", err)
+		}
+		log.Println("ackify_app role exists, password updated")
+	} else {
+		// Create the role with all necessary attributes
+		createSQL := fmt.Sprintf(`
+			CREATE ROLE ackify_app WITH
+				LOGIN
+				PASSWORD '%s'
+				NOCREATEDB
+				NOCREATEROLE
+				NOINHERIT
+				NOREPLICATION
+				CONNECTION LIMIT -1
+		`, escapePassword(password))
+
+		_, err = db.Exec(createSQL)
+		if err != nil {
+			return fmt.Errorf("failed to create ackify_app role: %w", err)
+		}
+		log.Println("ackify_app role created successfully")
+	}
+
+	// Grant CONNECT on database (idempotent)
+	var dbName string
+	err = db.QueryRow("SELECT current_database()").Scan(&dbName)
+	if err != nil {
+		return fmt.Errorf("failed to get current database name: %w", err)
+	}
+
+	_, err = db.Exec(fmt.Sprintf("GRANT CONNECT ON DATABASE %s TO ackify_app", dbName))
+	if err != nil {
+		return fmt.Errorf("failed to grant CONNECT to ackify_app: %w", err)
+	}
+
+	// Grant USAGE on public schema (idempotent)
+	_, err = db.Exec("GRANT USAGE ON SCHEMA public TO ackify_app")
+	if err != nil {
+		return fmt.Errorf("failed to grant USAGE on public schema: %w", err)
+	}
+
+	return nil
+}
+
+// escapePassword escapes single quotes in password for SQL
+func escapePassword(password string) string {
+	return strings.ReplaceAll(password, "'", "''")
+}

backend/internal/infrastructure/auth/session_worker.go

@@ -3,10 +3,12 @@ package auth
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"sync"
 	"time"
 
+	"github.com/btouchard/ackify-ce/backend/internal/infrastructure/tenant"
 	"github.com/btouchard/ackify-ce/backend/pkg/logger"
 )
 
@@ -16,6 +18,10 @@ type SessionWorker struct {
 	cleanupInterval time.Duration
 	cleanupAge      time.Duration
 
+	// RLS support
+	db      *sql.DB
+	tenants tenant.Provider
+
 	ctx      context.Context
 	cancel   context.CancelFunc
 	wg       sync.WaitGroup
@@ -39,7 +45,7 @@ func DefaultSessionWorkerConfig() SessionWorkerConfig {
 }
 
 // NewSessionWorker creates a new OAuth session cleanup worker
-func NewSessionWorker(sessionRepo SessionRepository, config SessionWorkerConfig) *SessionWorker {
+func NewSessionWorker(sessionRepo SessionRepository, config SessionWorkerConfig, db *sql.DB, tenants tenant.Provider) *SessionWorker {
 	// Apply defaults
 	if config.CleanupInterval <= 0 {
 		config.CleanupInterval = 24 * time.Hour
@@ -54,6 +60,8 @@ func NewSessionWorker(sessionRepo SessionRepository, config SessionWorkerConfig)
 		sessionRepo:     sessionRepo,
 		cleanupInterval: config.CleanupInterval,
 		cleanupAge:      config.CleanupAge,
+		db:              db,
+		tenants:         tenants,
 		ctx:             ctx,
 		cancel:          cancel,
 		stopChan:        make(chan struct{}),
@@ -148,7 +156,28 @@ func (w *SessionWorker) performCleanup() {
 	logger.Logger.Debug("Starting OAuth session cleanup",
 		"older_than", w.cleanupAge)
 
-	deleted, err := w.sessionRepo.DeleteExpired(ctx, w.cleanupAge)
+	var deleted int64
+	var err error
+
+	// Use RLS context if db and tenants are available
+	if w.db != nil && w.tenants != nil {
+		tenantID, tenantErr := w.tenants.CurrentTenant(ctx)
+		if tenantErr != nil {
+			logger.Logger.Error("Failed to get tenant for session cleanup",
+				"error", tenantErr.Error())
+			return
+		}
+
+		err = tenant.WithTenantContext(ctx, w.db, tenantID, func(txCtx context.Context) error {
+			var cleanupErr error
+			deleted, cleanupErr = w.sessionRepo.DeleteExpired(txCtx, w.cleanupAge)
+			return cleanupErr
+		})
+	} else {
+		// No RLS - direct repository access (for tests)
+		deleted, err = w.sessionRepo.DeleteExpired(ctx, w.cleanupAge)
+	}
+
 	if err != nil {
 		logger.Logger.Error("Failed to cleanup expired OAuth sessions",
 			"error", err.Error())

backend/internal/infrastructure/auth/session_worker_test.go

@@ -10,8 +10,18 @@ import (
 	"time"
 
 	"github.com/btouchard/ackify-ce/backend/internal/domain/models"
+	"github.com/google/uuid"
 )
 
+// mockTenantProvider for testing
+type mockTenantProvider struct {
+	tenantID uuid.UUID
+}
+
+func (m *mockTenantProvider) CurrentTenant(ctx context.Context) (uuid.UUID, error) {
+	return m.tenantID, nil
+}
+
 // mockSessionRepo implements SessionRepository for testing
 type mockSessionRepoForWorker struct {
 	mu              sync.Mutex
@@ -56,7 +66,7 @@ func TestSessionWorker_StartStop(t *testing.T) {
 		CleanupAge:      1 * time.Hour,
 	}
 
-	worker := NewSessionWorker(repo, config)
+	worker := NewSessionWorker(repo, config, nil, &mockTenantProvider{tenantID: uuid.New()})
 
 	// Test starting
 	err := worker.Start()
@@ -113,7 +123,7 @@ func TestSessionWorker_CleanupSuccess(t *testing.T) {
 		CleanupAge:      24 * time.Hour,
 	}
 
-	worker := NewSessionWorker(repo, config)
+	worker := NewSessionWorker(repo, config, nil, &mockTenantProvider{tenantID: uuid.New()})
 
 	err := worker.Start()
 	if err != nil {
@@ -147,7 +157,7 @@ func TestSessionWorker_CleanupError(t *testing.T) {
 		CleanupAge:      24 * time.Hour,
 	}
 
-	worker := NewSessionWorker(repo, config)
+	worker := NewSessionWorker(repo, config, nil, &mockTenantProvider{tenantID: uuid.New()})
 
 	err := worker.Start()
 	if err != nil {
@@ -181,7 +191,7 @@ func TestSessionWorker_ImmediateCleanupOnStart(t *testing.T) {
 		CleanupAge:      24 * time.Hour,
 	}
 
-	worker := NewSessionWorker(repo, config)
+	worker := NewSessionWorker(repo, config, nil, &mockTenantProvider{tenantID: uuid.New()})
 
 	err := worker.Start()
 	if err != nil {
@@ -228,7 +238,7 @@ func TestSessionWorker_GracefulShutdown(t *testing.T) {
 		CleanupAge:      1 * time.Hour,
 	}
 
-	worker := NewSessionWorker(repo, config)
+	worker := NewSessionWorker(repo, config, nil, &mockTenantProvider{tenantID: uuid.New()})
 
 	err := worker.Start()
 	if err != nil {
@@ -295,7 +305,7 @@ func TestSessionWorker_ContextCancellation(t *testing.T) {
 		CleanupAge:      1 * time.Hour,
 	}
 
-	worker := NewSessionWorker(repo, config)
+	worker := NewSessionWorker(repo, config, nil, &mockTenantProvider{tenantID: uuid.New()})
 
 	err := worker.Start()
 	if err != nil {