feat: inject jwt.claims.api_id provenance claim and add REST /fn routes#1364
Open
pyramation wants to merge 1 commit into
Open
feat: inject jwt.claims.api_id provenance claim and add REST /fn routes#1364pyramation wants to merge 1 commit into
pyramation wants to merge 1 commit into
Conversation
- Set jwt.claims.api_id transaction-locally via pgSettings for every request on an API surface, derived from the server-side hostname -> services_public.domains -> api_id resolution (never client input) - Add compute module loader (function/invocation module metadata) - Add POST /fn/:alias and GET /fn/invocations/:id REST routes resolving function_api_bindings by (api_id, alias); 404 on missing binding, rest-disabled config, or disallowed method; RLS enforced end to end - ajv/JSON-Schema payload validation intentionally deferred (TODO hook) Refs constructive-io/constructive-planning#1149
Contributor
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Track B1 of constructive-planning#1149: trusted server-side API provenance + REST function invocation.
Provenance claim (
jwt.claims.api_id) — set transaction-locally via pgSettings for every request on an API surface, derived exclusively from the server's hostname →services_public.domains→api_idresolution; clients can never influence it (headers/body/token payload are ignored):express-context/pg-settings.ts:settings['jwt.claims.api_id'] = api.apiIdalongside the existingjwt.claims.*keys.graphql/server/middleware/graphile.ts: same claim added to the shared PostGraphile context (spread into both authenticated and anonymous settings).This pairs with the parallel DB-side change to the
function_invocationsINSERT RLS policy (b.api_id = jwt_private.current_api_id()); the api arm depends on this claim being present.Compute module loader — new
computeLoaderin express-context resolves function/invocation module metadata (metaschema_modules_public.function_module/function_invocation_module) per database, registered increateDefaultRegistry(). The GraphQL server now passesloaders: createDefaultRegistry()tocreateContextMiddlewaresoctx.useModule(...)works at runtime.REST routes (
graphql/server/middleware/fn.ts, mounted before graphile):POST /fn/:alias— looks upfunction_api_bindingsby(api_id, alias); 404 when no binding,config.restabsent (REST disabled), or method not inconfig.rest.methods; otherwise inserts thefunction_invocationsrow throughctx.withPgClient(request pgSettings incl. the claim, RLS enforced — no superuser/bypass path) and returns202 { "invocationId": ... }.GET /fn/invocations/:id— RLS-guarded read of invocation status/result; 404 for unknown/inaccessible rows.Tests
packages/express-context/__tests__/pg-settings.test.ts: claim present for anon + authenticated API requests, omitted off API surfaces, token payload cannot override it.graphql/server-test/__tests__/fn-routes.integration.test.ts(+__fixtures__/seed/compute/*): happy path 202, the insert passing a seeded api-arm RLS policy mirroring the production one, and 404s for missing binding / rest-disabled / disallowed method / unknown or non-uuid invocation id. The fixture policy notes the dependency on the parallel constructive-db policy work.Note:
pnpm lint(eslint 9 vs.eslintrc.json) and 81 server-test failures are pre-existing on the base commit — verified by stashing this branch and re-running; this branch adds 7 new tests, all passing, with no new failures.Refs constructive-io/constructive-planning#1149
Link to Devin session: https://app.devin.ai/sessions/2fa82d89240d444681d41758548445a6
Requested by: @pyramation