Migrate to TLE-based installation (#2)

.vscode/settings.json

@@ -0,0 +1,15 @@
+{
+    "Prettier-SQL.SQLFlavourOverride": "postgresql",
+    "sqltools.connections": [
+        {
+            "previewLimit": 50,
+            "server": "localhost",
+            "port": 54322,
+            "driver": "PostgreSQL",
+            "name": "Supabase Local",
+            "database": "postgres",
+            "username": "postgres",
+            "password": "postgres"
+        }
+    ]
+}

README.md

@@ -1,6 +1,6 @@
 # Supabase Multi-Tenant Role-based Access Control
 
-This is a template (set of db migrations) which attempts to provide a group and role system for supabase projects. It is based off the supabase community [custom claims work done here](https://github.com/supabase-community/supabase-custom-claims).
+This is a [PostgreSQL TLE](https://github.com/aws/pg_tle) (extension) which attempts to provide a group and role system for supabase projects. You can add it to your database by using the [database.dev](https://database.dev/) tool. It is based off the supabase community [custom claims work done here](https://github.com/supabase-community/supabase-custom-claims).
 
 ## Disclaimer
 
@@ -63,7 +63,7 @@ As a security note, `raw_app_meta_data` is stored within the JWTs when a session
 #### Pre-check
 
 - Requires PostgreSQL 15.x (due to use of "security_invoker" on the user_role view)
-- This creates the following tables / views. Make sure they do not collide with existing tables:
+- This creates the following tables / views. Make sure they do not collide with existing tables. (alternatively, specify an alternate schema during creation of the extension):
   - groups
   - group_users
   - user_roles (view)
@@ -78,15 +78,21 @@ As a security note, `raw_app_meta_data` is stored within the JWTs when a session
   - set_group_owner
   - add_group_user_by_email
 
-#### Installation via the SQL console
+#### Installation via dbdev
 
-1. Copy the contents of one or more of the [migration files](supabase/migrations/) in this repository
-1. Paste the contents into the SQL console on your supabase dashboard and run it
-1. Optionally, run a diff from your supabase cli to create a migration file capturing these changes
+1. Make sure you have [dbdev package manager](https://supabase.github.io/dbdev/install-in-db-client/#use) installed
+2. Run `select dbdev.install(<extension_name>);` in your SQL console to install the rbac plugin
+3. Create the extension by running one of the following:
 
-#### Installation via local migration file
+```sql
+create extension "pointsource-supabase_rbac";
+```
+
+or, if you want to specify a schema or version:
 
-If you use the supabase cli and have a local dev environment, you can copy the migration files from this repo into your `supabase/migrations/*` folder and rename them to reflect a more recent timestamp. Note that in order for supabase to apply the migrations, they must conform to the `<timestamp>_name.sql` format.
+```sql
+create extension "pointsource-supabase_rbac" schema "my_schema_name" version "0.0.1";
+```
 
 ### Security / RLS
 

supabase/migrations/20231130021555_reset_database.sql

@@ -0,0 +1,45 @@
+drop trigger if exists "on_change_update_user_metadata" on "public"."group_users";
+
+drop trigger if exists "on_insert_set_group_owner" on "public"."groups";
+
+drop trigger if exists "on_delete_user" on "public"."user_roles";
+
+alter table "public"."group_users" drop constraint "group_users_group_id_fkey";
+
+alter table "public"."group_users" drop constraint "group_users_user_id_fkey";
+
+drop function if exists "public"."add_group_user_by_email"(user_email text, gid uuid, group_role text);
+
+drop function if exists "public"."delete_group_users"();
+
+drop function if exists "public"."has_group_role"(group_id uuid, group_role text);
+
+drop function if exists "public"."is_group_member"(group_id uuid);
+
+drop function if exists "public"."jwt_has_group_role"(group_id uuid, group_role text);
+
+drop function if exists "public"."jwt_is_expired"();
+
+drop function if exists "public"."jwt_is_group_member"(group_id uuid);
+
+drop function if exists "public"."set_group_owner"();
+
+drop function if exists "public"."update_user_roles"();
+
+drop view if exists "public"."user_roles";
+
+alter table "public"."group_users" drop constraint "group_users_pkey";
+
+alter table "public"."groups" drop constraint "group_pkey";
+
+drop index if exists "public"."group_pkey";
+
+drop index if exists "public"."group_users_group_id_idx";
+
+drop index if exists "public"."group_users_pkey";
+
+drop table "public"."group_users";
+
+drop table "public"."groups";
+
+

supabase/migrations/20231130022127_install_dbdev.sql

@@ -0,0 +1,46 @@
+create extension if not exists http
+with
+    schema extensions;
+
+create extension if not exists pg_tle;
+
+select
+    pgtle.uninstall_extension_if_exists ('supabase-dbdev');
+
+drop extension if exists "supabase-dbdev";
+
+select
+    pgtle.install_extension (
+        'supabase-dbdev',
+        resp.contents ->> 'version',
+        'PostgreSQL package manager',
+        resp.contents ->> 'sql'
+    )
+from
+    http (
+        (
+            'GET',
+            'https://api.database.dev/rest/v1/' || 'package_versions?select=sql,version' || '&package_name=eq.supabase-dbdev' || '&order=version.desc' || '&limit=1',
+            array[
+                (
+                    'apiKey',
+                    'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InhtdXB0cHBsZnZpaWZyYndtbXR2Iiwicm9sZSI6ImFub24iLCJpYXQiOjE2ODAxMDczNzIsImV4cCI6MTk5NTY4MzM3Mn0.z2CN0mvO2No8wSi46Gw59DFGCTJrzM0AQKsu_5k134s'
+                )::http_header
+            ],
+            null,
+            null
+        )
+    ) x,
+    lateral (
+        select
+            ((row_to_json(x) -> 'content') #>> '{}')::json -> 0
+    ) resp (contents);
+
+create extension "supabase-dbdev";
+
+select
+    dbdev.install ('supabase-dbdev');
+
+drop extension if exists "supabase-dbdev";
+
+create extension "supabase-dbdev";

supabase/migrations/20231130022337_install_rbac.sql

@@ -0,0 +1,6 @@
+select
+    dbdev.install ('pointsource-supabase_rbac');
+
+create extension if not exists "pointsource-supabase_rbac"
+with
+    schema "public" version '0.0.1';