diff --git a/packages/jwt-claims/deploy/schemas/jwt_private/procedures/current_api_id.sql b/packages/jwt-claims/deploy/schemas/jwt_private/procedures/current_api_id.sql new file mode 100644 index 00000000..a60f9412 --- /dev/null +++ b/packages/jwt-claims/deploy/schemas/jwt_private/procedures/current_api_id.sql @@ -0,0 +1,34 @@ +-- Deploy schemas/jwt_private/procedures/current_api_id to pg +-- Retrieves the current API ID from JWT claims (private/internal use) + +-- requires: schemas/jwt_private/schema + +BEGIN; + +-- Returns the current API UUID from the JWT claims +-- Used for API invocation provenance checks in RLS policies +-- Returns NULL if the claim is not set or invalid +CREATE FUNCTION jwt_private.current_api_id() + RETURNS uuid +AS $$ +DECLARE + v_identifier_id uuid; +BEGIN + IF current_setting('jwt.claims.api_id', TRUE) + IS NOT NULL THEN + BEGIN + v_identifier_id = current_setting('jwt.claims.api_id', TRUE)::uuid; + EXCEPTION + WHEN OTHERS THEN + RAISE NOTICE 'Invalid UUID value'; + RETURN NULL; + END; + RETURN v_identifier_id; + ELSE + RETURN NULL; + END IF; +END; +$$ +LANGUAGE 'plpgsql' STABLE; + +COMMIT; diff --git a/packages/jwt-claims/pgpm.plan b/packages/jwt-claims/pgpm.plan index 8bc13757..baa8523a 100644 --- a/packages/jwt-claims/pgpm.plan +++ b/packages/jwt-claims/pgpm.plan @@ -19,3 +19,4 @@ schemas/jwt_private/schema 2020-12-17T06:47:34Z Dan Lynch # schemas/jwt_private/procedures/current_database_id [schemas/jwt_private/schema] 2020-12-17T23:22:28Z Dan Lynch # add schemas/jwt_private/procedures/current_database_id schemas/jwt_private/procedures/current_token_id [schemas/jwt_private/schema] 2017-08-11T08:11:51Z skitch # add schemas/jwt_private/procedures/current_token_id schemas/jwt_private/procedures/current_session_id [schemas/jwt_private/schema] 2026-01-28T05:44:00Z Dan Lynch # add schemas/jwt_private/procedures/current_session_id +schemas/jwt_private/procedures/current_api_id [schemas/jwt_private/schema] 2026-07-12T13:40:27Z Dan Lynch # add schemas/jwt_private/procedures/current_api_id diff --git a/packages/jwt-claims/revert/schemas/jwt_private/procedures/current_api_id.sql b/packages/jwt-claims/revert/schemas/jwt_private/procedures/current_api_id.sql new file mode 100644 index 00000000..1aa3218a --- /dev/null +++ b/packages/jwt-claims/revert/schemas/jwt_private/procedures/current_api_id.sql @@ -0,0 +1,7 @@ +-- Revert schemas/jwt_private/procedures/current_api_id from pg + +BEGIN; + +DROP FUNCTION jwt_private.current_api_id; + +COMMIT; diff --git a/packages/jwt-claims/sql/pgpm-jwt-claims--0.15.5.sql b/packages/jwt-claims/sql/pgpm-jwt-claims--0.15.5.sql index f2d73e60..d61ace79 100644 --- a/packages/jwt-claims/sql/pgpm-jwt-claims--0.15.5.sql +++ b/packages/jwt-claims/sql/pgpm-jwt-claims--0.15.5.sql @@ -177,4 +177,24 @@ $EOFCODE$ LANGUAGE sql STABLE; CREATE FUNCTION jwt_private.current_session_id() RETURNS uuid AS $EOFCODE$ SELECT nullif(current_setting('jwt.claims.session_id', true), '')::uuid; -$EOFCODE$ LANGUAGE sql STABLE; \ No newline at end of file +$EOFCODE$ LANGUAGE sql STABLE; + +CREATE FUNCTION jwt_private.current_api_id() RETURNS uuid AS $EOFCODE$ +DECLARE + v_identifier_id uuid; +BEGIN + IF current_setting('jwt.claims.api_id', TRUE) + IS NOT NULL THEN + BEGIN + v_identifier_id = current_setting('jwt.claims.api_id', TRUE)::uuid; + EXCEPTION + WHEN OTHERS THEN + RAISE NOTICE 'Invalid UUID value'; + RETURN NULL; + END; + RETURN v_identifier_id; + ELSE + RETURN NULL; + END IF; +END; +$EOFCODE$ LANGUAGE plpgsql STABLE; \ No newline at end of file diff --git a/packages/jwt-claims/verify/schemas/jwt_private/procedures/current_api_id.sql b/packages/jwt-claims/verify/schemas/jwt_private/procedures/current_api_id.sql new file mode 100644 index 00000000..6cd2484e --- /dev/null +++ b/packages/jwt-claims/verify/schemas/jwt_private/procedures/current_api_id.sql @@ -0,0 +1,7 @@ +-- Verify schemas/jwt_private/procedures/current_api_id on pg + +BEGIN; + +SELECT verify_function ('jwt_private.current_api_id'); + +ROLLBACK;