Utilizing client extension for Postgres with Prisma to activate RLS: A step-by-step guide

Question

Utilizing client extension for Postgres with Prisma to activate RLS: A step-by-step guide

Recently, I attempted to implement client extension as advised on Github. My approach involved defining row level security policies in my migration.sql file:

-- Enabling Row Level Security
ALTER TABLE "User" ENABLE ROW LEVEL SECURITY;
ALTER TABLE "Company" ENABLE ROW LEVEL SECURITY;

-- Applying Row Level Security for table owners
ALTER TABLE "User" FORCE ROW LEVEL SECURITY;
ALTER TABLE "Company" FORCE ROW LEVEL SECURITY;

-- Defining row security policies
CREATE POLICY tenant_isolation_policy ON "Company" USING ("id" = current_setting('app.current_company_id', TRUE)::uuid);
CREATE POL

In addition, I have specified only two models in my schema.prisma file:

generator client {
  provider        = "prisma-client-js"
  previewFeatures = ["clientExtensions"]
}

datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model Company {
  id    String @id @default(dbgenerated("gen_random_uuid()")) @db.Uuid
  name  String
  users User[]
}

model User {
  id        String  @id @default(dbgenerated("gen_random_uuid()")) @db.Uuid
  companyId String  @default(dbgenerated("(current_setting('app.current_company_id'::text))::uuid")) @db.Uuid
  email     String  @unique
  company   Company @relation(fields: [companyId], references: [id], onDelete: Cascade)
}

Furthermore, my script.js file contains various functions aimed at validating the functionality of RLS. Despite creating test data for both company and user tables, I am facing difficulties in restricting access to companies or users as required.

//Setting a company_id as current_company_id for RLS Validation
const setUserId = await prisma.$executeRaw`SET app.current_company_id = 'id_of_a_company';`;
// Creating a specific company with a user
await prisma.company.create({
        data: {
          name: "Company 1",
          users: {
            create: {
              email: "<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="e693958394d7a685898b9687889fd7c885898b">[email protected]</a>",
            },
          },
        },
      });
// Attempting to query users from Company 1 as a user who should have access
    const company1Users = await prisma.user.findMany({
        where: {
        company: {
            name: "Company 1",
        },
        },
    });
    // Trying to fetch users from Company 2 as a user without access privileges
    const company2Users = await prisma.user.findMany({
        where: {
        company: {
            name: "Company 2",
        },
        },
    });

Any insights on what could be going wrong here?

typescript postgresql prisma

Answer 1

Answer №1

Here are two potential reasons for the issue:

First: Ensure you are using the extended PrismaClient

It appears that in your examples, you have not shown that you are extending the original PrismaClient with the necessary data from current_settings and then utilizing that client for queries.

For instance, this is how you can configure the extended client to utilize the current_settings:

const db = new PrismaClient()
const rlsDb = db.$extends(currentCompanyRlsExtension(session.company.id))

function currentCompanyRlsExtension(companyId) {
  return Prisma.defineExtension((prisma) =>
    prisma.$extends({
      query: {
        $allModels: {
          async $allOperations({ args, query }) {
            const [, result] = await prisma.$transaction([
              prisma.$executeRaw`SELECT set_config('app.current_company_id', ${companyId}, TRUE)`,
              query(args),
            ])
            return result
          },
        },
      },
    }),
  )
}

When making database queries, ensure to use the extended client:

const companyUsers = await rlsDb.user.findMany()

Second: Confirm that you are using a database user that cannot bypass RLS

Verify that your DATABASE_URL does not employ a database user that will consistently bypass RLS. According to the PostgreSQL v16 documentation:

Superusers and roles with the BYPASSRLS attribute always skip the row security system when accessing a table. Table owners typically bypass row security as well, unless they choose to abide by row security with ALTER TABLE ... FORCE ROW LEVEL SECURITY.

Answer 2

Here are two potential reasons for the issue:

First: Ensure you are using the extended PrismaClient

It appears that in your examples, you have not shown that you are extending the original PrismaClient with the necessary data from current_settings and then utilizing that client for queries.

For instance, this is how you can configure the extended client to utilize the current_settings:

const db = new PrismaClient()
const rlsDb = db.$extends(currentCompanyRlsExtension(session.company.id))

function currentCompanyRlsExtension(companyId) {
  return Prisma.defineExtension((prisma) =>
    prisma.$extends({
      query: {
        $allModels: {
          async $allOperations({ args, query }) {
            const [, result] = await prisma.$transaction([
              prisma.$executeRaw`SELECT set_config('app.current_company_id', ${companyId}, TRUE)`,
              query(args),
            ])
            return result
          },
        },
      },
    }),
  )
}

When making database queries, ensure to use the extended client:

const companyUsers = await rlsDb.user.findMany()

Second: Confirm that you are using a database user that cannot bypass RLS

Verify that your DATABASE_URL does not employ a database user that will consistently bypass RLS. According to the PostgreSQL v16 documentation:

Superusers and roles with the BYPASSRLS attribute always skip the row security system when accessing a table. Table owners typically bypass row security as well, unless they choose to abide by row security with ALTER TABLE ... FORCE ROW LEVEL SECURITY.

Utilizing client extension for Postgres with Prisma to activate RLS: A step-by-step guide

Answer №1

First: Ensure you are using the extended PrismaClient

Second: Confirm that you are using a database user that cannot bypass RLS

Similar questions

Is there a way to programmatically trigger a CodeAction from a VSCode extension?

The Angular component seems to be failing to refresh the user interface despite changes in value

TypeScript's standard React.Children interface for compound components

How to fix the TS4090 error regarding conflicting definitions for a node in Visual Studio 2017

Guide on mocking a function inside another function imported from a module with TypeScript and Jest

The functionality of Angular/Typescript class.name appears to fail during a production build

Leveraging the OpenLayers Map functionality within an Angular service

Looking for Assistance with PyGreSQL's upsert() Function

Fetching an item from Local Storage in Angular 8

Struggling to convert my VueJS component from JavaScript to TypeScript, feeling a bit lost

Encountering difficulty when integrating external JavaScript libraries into Angular 5

I am looking to conceal the y-axis labels and tooltip within the react chart

React Native is throwing a TypeError because it is encountering an undefined object

What is the reason behind being unable to register two components with the same name using React Hook Form?

JS/Docker - The attribute 'user' is not recognized in the context of 'Session & Partial<SessionData>'

Utilizing classes as types in TypeScript

Issues with the rating plugin functionality in Ionic 3

Managing status in Angular applications

What are some solutions to the error message "Error: Cannot find any matching routes" that appears when trying to switch between tabs following a successful login?

Can you provide guidance on how to divide a series of dates and times into an array based