feat(postgraphql): inject custom settings into the database (graphile#399)

* (feat) Allow the injection of custom postgres settings

* Making sure the value that gets set is a string

* Linting errors fixed

Author: Malte Legenhausen

src/postgraphql/__tests__/withPostGraphQLContext-test.js

@@ -107,7 +107,7 @@ test('will throw an error if the JWT token does not have an appropriate audience
   expect(pgClient.query.mock.calls).toEqual([['begin'], ['commit']])
 })
 
-test('will succeed with all the correct thigns', async () => {
+test('will succeed with all the correct things', async () => {
   const pgClient = { query: jest.fn(), release: jest.fn() }
   const pgPool = { connect: jest.fn(() => pgClient) }
   await withPostGraphQLContext({
@@ -140,6 +140,28 @@ test('will add extra claims as available', async () => {
   }], ['commit']])
 })
 
+test('will add extra settings as available', async () => {
+  const pgClient = { query: jest.fn(), release: jest.fn() }
+  const pgPool = { connect: jest.fn(() => pgClient) }
+  await withPostGraphQLContext({
+    pgPool,
+    jwtToken: jwt.sign({ aud: 'postgraphql' }, 'secret', { noTimestamp: true }),
+    jwtSecret: 'secret',
+    pgSettings: {
+      'foo.bar': 'test1',
+      'some.other.var': 'hello world',
+    },
+  }, () => {})
+  expect(pgClient.query.mock.calls).toEqual([['begin'], [{
+    text: 'select set_config($1, $2, true), set_config($3, $4, true), set_config($5, $6, true)',
+    values: [
+      'foo.bar', 'test1',
+      'some.other.var', 'hello world',
+      'jwt.claims.aud', 'postgraphql',
+    ],
+  }], ['commit']])
+})
+
 test('will set the default role if available', async () => {
   const pgClient = { query: jest.fn(), release: jest.fn() }
   const pgPool = { connect: jest.fn(() => pgClient) }

src/postgraphql/http/__tests__/createPostGraphQLHttpRequestHandler-test.js

@@ -540,5 +540,42 @@ for (const [name, createServerFromHandler] of Array.from(serverCreators)) {
         console.error = origConsoleError
       }
     })
+
+    test('will correctly hand over pgSettings to the withPostGraphQLContext call', async () => {
+      pgPool.connect.mockClear()
+      pgClient.query.mockClear()
+      pgClient.release.mockClear()
+      const server = createServer({
+        pgSettings: {
+          'foo.string': 'test1',
+          'foo.number': 42,
+          'foo.boolean': true,
+        },
+      })
+      await (
+        request(server)
+        .post('/graphql')
+        .send({ query: '{hello}' })
+        .expect(200)
+        .expect('Content-Type', /json/)
+        .expect({ data: { hello: 'world' } })
+      )
+      expect(pgPool.connect.mock.calls).toEqual([[]])
+      expect(pgClient.query.mock.calls).toEqual([
+        ['begin'],
+        [
+          {
+            text: 'select set_config($1, $2, true), set_config($3, $4, true), set_config($5, $6, true)',
+            values: [
+              'foo.string', 'test1',
+              'foo.number', '42',
+              'foo.boolean', 'true',
+            ],
+          },
+        ],
+        ['commit'],
+      ])
+      expect(pgClient.release.mock.calls).toEqual([[]])
+    })
   })
 }

src/postgraphql/http/createPostGraphQLHttpRequestHandler.d.ts

@@ -73,4 +73,9 @@ export default function createPostGraphQLHttpRequestHandler (config: {
   // The size can be given as a human-readable string, such as '200kB' or '5MB'
   // (case insensitive).
   bodySizeLimit?: string,
+
+  // Allows the definition of custom postgres settings which get injected in
+  // each transaction via set_config. They can then be used via current_setting
+  // in postgres functions.
+  pgSettings?: { [key: string]: mixed },
 }): HttpRequestHandler

src/postgraphql/http/createPostGraphQLHttpRequestHandler.js

@@ -65,7 +65,7 @@ const origGraphiqlHtml = new Promise((resolve, reject) => {
  * @param {GraphQLSchema} graphqlSchema
  */
 export default function createPostGraphQLHttpRequestHandler (options) {
-  const { getGqlSchema, pgPool } = options
+  const { getGqlSchema, pgPool, pgSettings } = options
 
   // Gets the route names for our GraphQL endpoint, and our GraphiQL endpoint.
   const graphqlRoute = options.graphqlRoute || '/graphql'
@@ -395,6 +395,7 @@ export default function createPostGraphQLHttpRequestHandler (options) {
         jwtToken,
         jwtSecret: options.jwtSecret,
         pgDefaultRole: options.pgDefaultRole,
+        pgSettings,
       }, context => {
         pgRole = context.pgRole
         return executeGraphql(

src/postgraphql/postgraphql.ts

@@ -25,6 +25,7 @@ type PostGraphQLOptions = {
   exportJsonSchemaPath?: string,
   exportGqlSchemaPath?: string,
   bodySizeLimit?: string,
+  pgSettings?: { [key: string]: mixed },
 }
 
 /**

src/postgraphql/withPostGraphQLContext.ts

@@ -36,11 +36,13 @@ export default async function withPostGraphQLContext(
     jwtToken,
     jwtSecret,
     pgDefaultRole,
+    pgSettings,
   }: {
     pgPool: Pool,
     jwtToken?: string,
     jwtSecret?: string,
     pgDefaultRole?: string,
+    pgSettings?: { [key: string]: mixed },
   },
   callback: (context: mixed) => Promise<ExecutionResult>,
 ): Promise<ExecutionResult> {
@@ -60,6 +62,7 @@ export default async function withPostGraphQLContext(
       jwtToken,
       jwtSecret,
       pgDefaultRole,
+      pgSettings,
     })
 
     return await callback({
@@ -89,11 +92,13 @@ async function setupPgClientTransaction ({
   jwtToken,
   jwtSecret,
   pgDefaultRole,
+  pgSettings,
 }: {
   pgClient: Client,
   jwtToken?: string,
   jwtSecret?: string,
   pgDefaultRole?: string,
+  pgSettings?: { [key: string]: mixed },
 }): Promise<string | undefined> {
   // Setup our default role. Once we decode our token, the role may change.
   let role = pgDefaultRole
@@ -135,6 +140,14 @@ async function setupPgClientTransaction ({
   // Sql query.
   const localSettings = new Map<string, mixed>()
 
+  // Set the custom provided settings before jwt claims and role are set
+  // this prevents an accidentional overwriting
+  if (typeof pgSettings === 'object') {
+    for (const key of Object.keys(pgSettings)) {
+      localSettings.set(key, String(pgSettings[key]))
+    }
+  }
+
   // If there is a rule, we want to set the root `role` setting locally
   // to be our role. The role may only be null if we have no default role.
   if (typeof role === 'string') {