Open tristan957 opened 1 week ago
Are the thread local variables supposed to be per-backend? Doesn't seem like they need to be thread local to me.
I think we're tracking that here: https://github.com/neondatabase/cloud/issues/16041.
Mind renaming
auth.get()
to something likeauth.get_session()
Absolutely, it's now auth.session()
Can we rename the schema from
auth to
session_jwt`?
We shouldn't, because developers using this will type it a lot, e.g.:
create table todos (
id bigint generated by default as identity primary key,
user_id text not null,
task text check (char_length(task) > 0),
is_complete boolean default false,
inserted_at timestamp with time zone default timezone('utc'::text, now()) not null
);
alter table todos enable row level security;
create policy "Individuals can create todos." on todos for
insert with check (auth.user_id() = user_id);
create policy "Individuals can view their own todos. " on todos for
select using (auth.user_id() = user_id);
create policy "Individuals can update their own todos." on todos for
update using (auth.user_id() = user_id);
create policy "Individuals can delete their own todos." on todos for
delete using (auth.user_id() = user_id);
I've addressed most everything else in a PR: https://github.com/neondatabase/pg_session_jwt/pull/7.
We shouldn't, because developers using this will type it a lot
Then I would rename the extension to something that mentions auth 🤷
We shouldn't, because developers using this will type it a lot
Then I would rename the extension to something that mentions auth 🤷
We were initially going with that, but auth
is pretty confusing because it can mean authentication or authorization (or both some times).
Ultimately, this isn't very important because this extension will be automatically installed for users and we don't really expect anyone to use it outside of Neon.
Panics do indeed become ereport, but with an arbitrary error code. Changing it to manual ereport in #8
Why can't the extension be relocatable (control file)?
Was the default setting from pgrx. I don't really know what it means. Will look into it
cargo pgrx schema
Using DefaultFeature("pg16") and `pg_config` from /Users/conrad/.pgrx/16.4/pgrx-install/bin/pg_config
Error:
0: /Users/conrad/Documents/neon/ext/neon_jwt/pg_session_jwt.control: The `relocatable` property MUST be `false`. Please update your .control file.
seems to be a limitation of pgrx 0.11. fixed in 0.12
Why can't the extension be relocatable (control file)?
Was the default setting from pgrx. I don't really know what it means. Will look into it
If it is relocatable, would it break BaaS?
ALTER EXTENSION pg_session_jwt SET SCHEMA test_schema;
-- Try to use the functions
Ah, possibly. local_proxy needs to know how to access it.
Might be worth testing in your local environment, just to make sure my hypothesis is right.
Tested with commit cb073ad6d9 and I think it's not relocatable:
pg_session_jwt=# CREATE SCHEMA test_schema;
CREATE SCHEMA
pg_session_jwt=# ALTER EXTENSION pg_session_jwt SET SCHEMA test_schema;
ERROR: extension "pg_session_jwt" does not support SET SCHEMA
then tried with public
schema
pg_session_jwt=# ALTER EXTENSION pg_session_jwt SET SCHEMA public;
ALTER EXTENSION
pg_session_jwt=# select public.user_id();
ERROR: function public.user_id() does not exist
LINE 1: select public.user_id();
^
HINT: No function matches the given name and argument types. You might need to add explicit type casts.
pg_session_jwt=# select auth.user_id();
ERROR: invalid subject claim in the JWT
auth::init()
, which can only be called once. In postgres, you would use an ereport.pgrx_embed!()
. Is it important?auth
tosession_jwt
or something?auth
is pretty generic and not related to the extension name.auth.get()
to something likeauth.get_session()
? Anything but a nakedget
would be good. Looking atauth.user_id()
which is a getter, maybe something likeauth.session()
makes sense.I'll leave the Rust stuff to the experts :). It's possible pgrx is taking the panics and transforming them into Postgres errors, but if it does do that, what error messages does it produce for unwraps, and what SQL error code is produced with it?