HARMONY-2318: Add read only access to the harmony database. (#888)

Author: flamingbear

db/migrations/20260331171217_create_read_only_user.js

@@ -0,0 +1,36 @@
+exports.up = async function(knex) {
+
+  const password = process.env.DATABASE_READONLY_PASSWORD;
+  if (!password) {
+    throw new Error('Unable to create harmony_read_only user: DATABASE_READONLY_PASSWORD variable is not set');
+  }
+
+  const { rows } = await knex.raw(
+    `SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'harmony_read_only'`
+  );
+
+  if (rows.length === 0) {
+    const escapedPassword = password.replace(/'/g, "''");
+    await knex.raw(`CREATE ROLE harmony_read_only WITH LOGIN PASSWORD '${escapedPassword}'`);
+  }
+
+  await knex.raw(`GRANT USAGE ON SCHEMA public TO harmony_read_only`);
+  await knex.raw(`GRANT SELECT ON ALL TABLES IN SCHEMA public TO harmony_read_only`);
+  await knex.raw(`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO harmony_read_only`);
+};
+
+exports.down = async function(knex) {
+
+  const { rows } = await knex.raw(
+    `SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'harmony_read_only'`
+  );
+
+  if (rows.length === 0) {
+    return;
+  }
+
+  await knex.raw(`ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM harmony_read_only`);
+  await knex.raw(`REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM harmony_read_only`);
+  await knex.raw(`REVOKE USAGE ON SCHEMA public FROM harmony_read_only`);
+  await knex.raw(`DROP ROLE IF EXISTS harmony_read_only`);
+};

packages/util/env-defaults

@@ -84,6 +84,9 @@ DATABASE_TYPE=postgres
 # ignored, using a sqlite3 file instead
 DATABASE_URL=postgresql://postgres:password@localhost:5432/postgres
 
+# Password for read only database access
+DATABASE_READONLY_PASSWORD=changeme
+
 # Whether to use encryption when communicating with the database.
 DB_USE_SSL=false