Add organization and customer table and add api_key auth (#294)

* Add customer and org table

* apikey auth success

* regenerate migration with api key unique

* use dot instead of key_ prefix to be backwards compat

Author: openint-bot

packages-v1/api-v1/__tests__/auth.spec.ts

@@ -2,6 +2,7 @@ import type {CustomerId, Viewer} from '@openint/cdk'
 import {schema} from '@openint/db'
 import {describeEachDatabase} from '@openint/db/__tests__/test-utils'
 import {initDbPGLite} from '@openint/db/db.pglite'
+import {makeUlid} from '@openint/util'
 import {createTRPCCaller} from '../trpc/handlers'
 import {getTestTRPCClient} from './test-utils'
 
@@ -26,33 +27,47 @@ describe('authentication', () => {
     await db.$end()
   })
 
-  test.each(Object.entries(viewers))(
-    'authenticating as %s',
-    async (_desc, viewer) => {
-      const client = getTestTRPCClient({db}, viewer)
-      const res = await client.viewer.query()
-      expect(res).toEqual(viewer ?? {role: 'anon'})
-
-      const caller = createTRPCCaller({db}, viewer)
-      const res2 = await caller.viewer()
-      expect(res2).toEqual(viewer ?? {role: 'anon'})
-    },
-  )
+  test.each(Object.entries(viewers))('via jwt as %s', async (_desc, viewer) => {
+    const client = getTestTRPCClient({db}, viewer)
+    const res = await client.viewer.query()
+    expect(res).toEqual(viewer ?? {role: 'anon'})
+
+    const caller = createTRPCCaller({db}, viewer)
+    const res2 = await caller.viewer()
+    expect(res2).toEqual(viewer ?? {role: 'anon'})
+  })
 })
 
 describeEachDatabase({drivers: 'rls', migrate: true}, (db) => {
-  function getClient(viewer: Viewer) {
-    return getTestTRPCClient({db}, viewer)
+  function getClient(viewerOrKey: Viewer | {api_key: string}) {
+    return getTestTRPCClient({db}, viewerOrKey)
   }
   function getCaller(viewer: Viewer) {
     return createTRPCCaller({db}, viewer)
   }
 
+  const apiKey = `key_${makeUlid()}`
+
   beforeAll(async () => {
     await db.$truncateAll()
     await db
       .insert(schema.connector_config)
       .values({org_id: 'org_123', id: 'ccfg_123'})
+    await db.insert(schema.organization).values({
+      id: 'org_123',
+      api_key: apiKey,
+    })
+  })
+
+  test('apikey auth success', async () => {
+    const client = getTestTRPCClient({db}, {api_key: apiKey})
+    const res = await client.viewer.query()
+    expect(res).toEqual({role: 'org', orgId: 'org_123'})
+  })
+
+  test('apikey auth failure', async () => {
+    const client = getTestTRPCClient({db}, {api_key: 'key_badddd'})
+    await expect(client.viewer.query()).rejects.toThrow('Invalid API key')
   })
 
   test('anon user has no access to connector_config', async () => {

packages-v1/api-v1/__tests__/test-utils.ts

@@ -3,10 +3,8 @@ import type {Viewer} from '@openint/cdk'
 import {makeJwtClient} from '@openint/cdk'
 import {envRequired} from '@openint/env'
 import {createApp} from '../app'
-import {
-  CreateFetchHandlerOptions,
-  createFetchHandlerTRPC,
-} from '../trpc/handlers'
+import type {CreateFetchHandlerOptions} from '../trpc/handlers'
+import {createFetchHandlerTRPC} from '../trpc/handlers'
 import {type AppRouter} from '../trpc/routers'
 
 export function headersForViewer(viewer: Viewer) {
@@ -19,7 +17,7 @@ export function headersForViewer(viewer: Viewer) {
 /** Prefer to operate at the highest level of stack possible while still bienbeing performant */
 export function getTestTRPCClient(
   {router, ...opts}: Omit<CreateFetchHandlerOptions, 'endpoint'>,
-  viewer: Viewer,
+  viewerOrKey: Viewer | {api_key: string},
 ) {
   const handler = router
     ? createFetchHandlerTRPC({...opts, router, endpoint: '/api/v1/trpc'})
@@ -30,7 +28,10 @@ export function getTestTRPCClient(
       httpLink({
         url: 'http://localhost/api/v1/trpc',
         fetch: (input, init) => handler(new Request(input, init)),
-        headers: headersForViewer(viewer),
+        headers:
+          'api_key' in viewerOrKey
+            ? {authorization: `Bearer ${viewerOrKey.api_key}`}
+            : headersForViewer(viewerOrKey),
       }),
     ],
   })

packages-v1/api-v1/trpc/context.ts

@@ -1,23 +1,42 @@
-import type {Viewer} from '@openint/cdk'
+import {TRPCError} from '@trpc/server'
+import type {Id, Viewer} from '@openint/cdk'
 import {makeJwtClient} from '@openint/cdk'
-import {AnyDatabase} from '@openint/db/db'
+import {eq, schema} from '@openint/db'
+import type {AnyDatabase} from '@openint/db/db'
 import {envRequired} from '@openint/env'
 import type {RouterContext, ViewerContext} from './_base'
 
 const jwt = makeJwtClient({
   secretOrPublicKey: envRequired.JWT_SECRET,
 })
 
-export function viewerFromRequest(req: Request): Viewer {
+export async function viewerFromRequest(
+  ctx: {db: AnyDatabase},
+  req: Request,
+): Promise<Viewer> {
   const token = req.headers.get('authorization')?.match(/^Bearer (.+)/)?.[1]
+  // JWT always include a dot. Without a dot we assume it's an API key
+  if (token && !token.includes('.')) {
+    const org = await ctx.db.query.organization.findFirst({
+      columns: {id: true},
+      where: eq(schema.organization.api_key, token),
+    })
+    if (!org) {
+      throw new TRPCError({code: 'UNAUTHORIZED', message: 'Invalid API key'})
+    }
+    return {role: 'org', orgId: org.id as Id['org']}
+  }
   return jwt.verifyViewer(token)
 }
 
-export function routerContextFromRequest({
+export async function routerContextFromRequest({
   req,
   ...ctx
 }: {req: Request} & Omit<CreateRouterContextOptions, 'viewer'>) {
-  return routerContextFromViewer({...ctx, viewer: viewerFromRequest(req)})
+  return routerContextFromViewer({
+    ...ctx,
+    viewer: await viewerFromRequest(ctx, req),
+  })
 }
 
 interface CreateRouterContextOptions {

packages/db/db.ts

@@ -1,6 +1,7 @@
+import path from 'node:path'
 import type {Assume, DrizzleConfig, SQLWrapper} from 'drizzle-orm'
 import type {MigrationConfig} from 'drizzle-orm/migrator'
-import {Viewer} from '@openint/cdk'
+import type {Viewer} from '@openint/cdk'
 import type {initDbNeon} from './db.neon'
 import type {initDbPg, initDbPgDirect} from './db.pg'
 import type {initDbPGLite, initDbPGLiteDirect} from './db.pglite'
@@ -41,7 +42,8 @@ export function getDrizzleConfig(
 export function getMigrationConfig(): MigrationConfig {
   const config: Config = drizzleKitConfig
   return {
-    migrationsFolder: drizzleKitConfig.out,
+    // WARNING This only works if config is in the same folder as current file
+    migrationsFolder: path.join(__dirname, drizzleKitConfig.out),
     migrationsSchema: config.migrations?.schema,
     migrationsTable: config.migrations?.table,
   }

packages/db/drizzle.config.ts

@@ -1,11 +1,10 @@
-import path from 'node:path'
 import type {Config} from 'drizzle-kit'
 import {env} from '@openint/env'
 
 export default {
-  out: path.join(__dirname, './migrations'),
+  out: './migrations',
   dialect: 'postgresql',
-  schema: path.join(__dirname, './schema/schema.ts'),
+  schema: './schema/schema.ts',
   dbCredentials: {url: env.DATABASE_URL_UNPOOLED ?? env.DATABASE_URL},
   introspect: {casing: 'preserve'},
   migrations: {},

packages/db/migrations/0006_add_org_customer_tables.sql

@@ -0,0 +1,28 @@
+CREATE TABLE "customer" (
+	"org_id" varchar NOT NULL,
+	"id" varchar DEFAULT 'concat(''cus_'', generate_ulid())' NOT NULL,
+	"metadata" jsonb,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "customer_org_id_id_pk" PRIMARY KEY("org_id","id")
+);
+--> statement-breakpoint
+ALTER TABLE "customer" ENABLE ROW LEVEL SECURITY;--> statement-breakpoint
+CREATE TABLE "organization" (
+	"id" varchar PRIMARY KEY DEFAULT 'concat(''org_'', generate_ulid())' NOT NULL,
+	"api_key" varchar,
+	"name" varchar,
+	"slug" varchar,
+	"metadata" jsonb,
+	"created_at" timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at" timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "organization_api_key_unique" UNIQUE("api_key")
+);
+--> statement-breakpoint
+ALTER TABLE "organization" ENABLE ROW LEVEL SECURITY;--> statement-breakpoint
+ALTER TABLE "customer" ADD CONSTRAINT "customer_org_id_organization_id_fk" FOREIGN KEY ("org_id") REFERENCES "public"."organization"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+CREATE POLICY "org_access" ON "customer" AS PERMISSIVE FOR ALL TO "org" USING (org_id = jwt_org_id()) WITH CHECK (org_id = jwt_org_id());--> statement-breakpoint
+CREATE POLICY "org_member_access" ON "customer" AS PERMISSIVE FOR ALL TO "authenticated" USING (org_id = jwt_org_id()) WITH CHECK (org_id = jwt_org_id());--> statement-breakpoint
+CREATE POLICY "customer_read" ON "customer" AS PERMISSIVE FOR ALL TO "customer" USING (org_id = jwt_org_id() AND id = jwt_customer_id());--> statement-breakpoint
+CREATE POLICY "org_read" ON "organization" AS PERMISSIVE FOR SELECT TO "org" USING (id = jwt_org_id());--> statement-breakpoint
+CREATE POLICY "org_member_read" ON "organization" AS PERMISSIVE FOR SELECT TO "authenticated" USING (id = jwt_org_id());