fix: move to storage schema

supabase · Mar 18, 2021 · dc80121 · dc80121
1 parent 186bd74
commit dc80121
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 24 deletions.
diff --git a/src/test/db/02-storage-schema.sql b/src/test/db/02-storage-schema.sql
@@ -1,5 +1,12 @@
-DROP TABLE IF EXISTS "public"."buckets";
-CREATE TABLE "public"."buckets" (
+CREATE SCHEMA IF NOT EXISTS storage AUTHORIZATION supabase_admin;
+
+grant usage on schema storage to postgres, anon, authenticated, service_role;
+alter default privileges in schema storage grant all on tables to postgres, anon, authenticated, service_role;
+alter default privileges in schema storage grant all on functions to postgres, anon, authenticated, service_role;
+alter default privileges in schema storage grant all on sequences to postgres, anon, authenticated, service_role;
+
+DROP TABLE IF EXISTS "storage"."buckets";
+CREATE TABLE "storage"."buckets" (
     "id" text not NULL,
     "name" text NOT NULL,
     "owner" uuid,
@@ -8,10 +15,10 @@ CREATE TABLE "public"."buckets" (
     CONSTRAINT "buckets_owner_fkey" FOREIGN KEY ("owner") REFERENCES "auth"."users"("id"),
     PRIMARY KEY ("id")
 );
-CREATE UNIQUE INDEX "bname" ON "public"."buckets" USING BTREE ("name");
+CREATE UNIQUE INDEX "bname" ON "storage"."buckets" USING BTREE ("name");
 
-DROP TABLE IF EXISTS "public"."objects";
-CREATE TABLE "public"."objects" (
+DROP TABLE IF EXISTS "storage"."objects";
+CREATE TABLE "storage"."objects" (
     "id" uuid NOT NULL DEFAULT extensions.uuid_generate_v4(),
     "bucket_id" text,
     "name" text,
@@ -20,17 +27,17 @@ CREATE TABLE "public"."objects" (
     "updated_at" timestamptz DEFAULT now(),
     "last_accessed_at" timestamptz DEFAULT now(),
     "metadata" jsonb,
-    CONSTRAINT "objects_bucketId_fkey" FOREIGN KEY ("bucket_id") REFERENCES "public"."buckets"("id"),
+    CONSTRAINT "objects_bucketId_fkey" FOREIGN KEY ("bucket_id") REFERENCES "storage"."buckets"("id"),
     CONSTRAINT "objects_owner_fkey" FOREIGN KEY ("owner") REFERENCES "auth"."users"("id"),
     PRIMARY KEY ("id")
 );
-CREATE UNIQUE INDEX "bucketid_objname" ON "public"."objects" USING BTREE ("bucket_id","name");
-CREATE INDEX name_prefix_search ON objects(name text_pattern_ops);
+CREATE UNIQUE INDEX "bucketid_objname" ON "storage"."objects" USING BTREE ("bucket_id","name");
+CREATE INDEX name_prefix_search ON storage.objects(name text_pattern_ops);
 
-ALTER TABLE objects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE storage.objects ENABLE ROW LEVEL SECURITY;
 -- @todo enable RLS only for buckets table
 
-CREATE OR REPLACE FUNCTION public.foldername(name text)
+CREATE OR REPLACE FUNCTION storage.foldername(name text)
  RETURNS text[]
  LANGUAGE plpgsql
 AS $function$
@@ -42,7 +49,7 @@ BEGIN
 END
 $function$;
 
-CREATE OR REPLACE FUNCTION public.filename(name text)
+CREATE OR REPLACE FUNCTION storage.filename(name text)
  RETURNS text
  LANGUAGE plpgsql
 AS $function$
@@ -54,7 +61,7 @@ BEGIN
 END
 $function$;
 
-CREATE OR REPLACE FUNCTION public.extension(name text)
+CREATE OR REPLACE FUNCTION storage.extension(name text)
  RETURNS text
  LANGUAGE plpgsql
 AS $function$
@@ -71,7 +78,7 @@ $function$;
 
 -- @todo can this query be optimised further?
 -- @todo is this vulnerable to sqli
-CREATE OR REPLACE FUNCTION public.search(prefix text, bucketname text, limits int DEFAULT 100, levels int DEFAULT 1, offsets int DEFAULT 0)
+CREATE OR REPLACE FUNCTION storage.search(prefix text, bucketname text, limits int DEFAULT 100, levels int DEFAULT 1, offsets int DEFAULT 0)
  RETURNS TABLE (
     name text,
     id uuid,

diff --git a/src/test/db/03-dummy-data.sql b/src/test/db/03-dummy-data.sql
@@ -5,15 +5,15 @@ INSERT INTO "auth"."users" ("instance_id", "id", "aud", "role", "email", "encryp
 ('00000000-0000-0000-0000-000000000000', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', 'authenticated', 'authenticated', '[email protected]', '', NULL, '2021-02-17 04:40:42.901743+00', '3EG99GjT_e3NC4eGEBXOjw', '2021-02-17 04:40:42.901743+00', '', NULL, '', '', NULL, NULL, '{"provider": "email"}', 'null', 'f', '2021-02-17 04:40:42.890632+00', '2021-02-17 04:40:42.890637+00');
 
 -- insert buckets
-INSERT INTO "public"."buckets" ("id", "name", "owner", "created_at", "updated_at") VALUES
+INSERT INTO "storage"."buckets" ("id", "name", "owner", "created_at", "updated_at") VALUES
 ('bucket2', 'bucket2', '4d56e902-f0a0-4662-8448-a4d9e643c142', '2021-02-17 04:43:32.770206+00', '2021-02-17 04:43:32.770206+00'),
 ('bucket3', 'bucket3', '4d56e902-f0a0-4662-8448-a4d9e643c142', '2021-02-17 04:43:32.770206+00', '2021-02-17 04:43:32.770206+00'),
 ('bucket4', 'bucket4', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-25 09:23:01.58385+00', '2021-02-25 09:23:01.58385+00'),
 ('bucket5', 'bucket5', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-02-27 03:04:25.6386+00', '2021-02-27 03:04:25.6386+00');
 
 
 -- insert objects
-INSERT INTO "public"."objects" ("id", "bucket_id", "name", "owner", "created_at", "updated_at", "last_accessed_at", "metadata") VALUES
+INSERT INTO "storage"."objects" ("id", "bucket_id", "name", "owner", "created_at", "updated_at", "last_accessed_at", "metadata") VALUES
 ('03e458f9-892f-4db2-8cb9-d3401a689e25', 'bucket2', 'public/sadcat-upload23.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-04 08:26:08.553748+00', '2021-03-04 08:26:08.553748+00', '2021-03-04 08:26:08.553748+00', '{"mimetype": "image/svg+xml"}'),
 ('070825af-a11d-44fe-9f1d-abdc76f686f2', 'bucket2', 'public/sadcat-upload.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-02 16:31:11.115996+00', '2021-03-02 16:31:11.115996+00', '2021-03-02 16:31:11.115996+00', '{"mimetype": "image/png"}'),
 ('0cac5609-11e1-4f21-b486-d0eeb60909f6', 'bucket2', 'curlimage.jpg', 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2', '2021-02-23 11:05:16.625075+00', '2021-02-23 11:05:16.625075+00', '2021-02-23 11:05:16.625075+00', NULL),
@@ -36,11 +36,11 @@ INSERT INTO "public"."objects" ("id", "bucket_id", "name", "owner", "created_at"
 ('D3EB488E-94F4-46CD-86D3-242C13B95BAC', 'bucket3', 'sadcat-upload2.png', '317eadce-631a-4429-a0bb-f19a7a517b4a', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '2021-03-01 08:53:29.567975+00', '{"mimetype": "image/svg+xml"}');
 
 -- add policies
-CREATE POLICY crud_public_folder ON objects for all USING (bucket_id='bucket2' and (foldername(name))[1] = 'public');
-CREATE POLICY crud_public_file ON objects for all USING (bucket_id='bucket2' and name = 'folder/subfolder/public-all-permissions.png');
-CREATE POLICY crud_uid_folder ON objects for all USING (bucket_id='bucket2' and (foldername(name))[1] = 'only_uid' and auth.uid() = 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2');
-CREATE POLICY crud_uid_file ON objects for all USING (bucket_id='bucket2' and name = 'folder/only_uid.jpg' and auth.uid() = 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2');
-CREATE POLICY authenticated_folder ON objects for all USING (bucket_id='bucket2' and (foldername(name))[1] = 'authenticated' and auth.role() = 'authenticated');
-CREATE POLICY crud_owner_only ON objects for all USING (bucket_id='bucket2' and (foldername(name))[1] = 'only_owner' and owner = auth.uid());
-CREATE POLICY delete_owner_only ON objects for all USING (bucket_id='bucket2' and (foldername(name))[1] = 'only_owner' and owner = auth.uid());
-CREATE POLICY open_all_update ON objects for all WITH CHECK (bucket_id='bucket4');
+CREATE POLICY crud_public_folder ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'public');
+CREATE POLICY crud_public_file ON storage.objects for all USING (bucket_id='bucket2' and name = 'folder/subfolder/public-all-permissions.png');
+CREATE POLICY crud_uid_folder ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'only_uid' and auth.uid() = 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2');
+CREATE POLICY crud_uid_file ON storage.objects for all USING (bucket_id='bucket2' and name = 'folder/only_uid.jpg' and auth.uid() = 'd8c7bce9-cfeb-497b-bd61-e66ce2cbdaa2');
+CREATE POLICY authenticated_folder ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'authenticated' and auth.role() = 'authenticated');
+CREATE POLICY crud_owner_only ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'only_owner' and owner = auth.uid());
+CREATE POLICY delete_owner_only ON storage.objects for all USING (bucket_id='bucket2' and (storage.foldername(name))[1] = 'only_owner' and owner = auth.uid());
+CREATE POLICY open_all_update ON storage.objects for all WITH CHECK (bucket_id='bucket4');
diff --git a/src/test/db/docker-compose.yml b/src/test/db/docker-compose.yml
@@ -8,7 +8,8 @@ services:
       - '3000:3000'
     environment:
       PGRST_DB_URI: postgres://postgres:postgres@db:5432/postgres
-      PGRST_DB_SCHEMA: public
+      PGRST_DB_SCHEMA: public,storage
+      PGRST_DB_EXTRA_SEARCH_PATH: public,storage,extensions
       PGRST_DB_ANON_ROLE: postgres
       PGRST_JWT_SECRET: ${PGRST_JWT_SECRET:?err}
     depends_on:

diff --git a/src/utils/index.ts b/src/utils/index.ts
@@ -14,6 +14,7 @@ export function getPostgrestClient(jwt: string): PostgrestClient {
       apiKey: anonKey,
       Authorization: `Bearer ${jwt}`,
     },
+    schema: 'storage',
   })
   return postgrest
 }