@shoito/prismarls
# Prismarls
Prismarls is a CLI tool designed to facilitate the integration of PostgreSQL Row-Level Security (RLS) with Prisma Migrations. After creating a migration using `prisma migrate dev --create-only`, running `prismarls` will automatically generate SQL to append RLS configurations to the latest migration file.
Here's an example of the SQL generated by Prisma Migrate:
```sql
-- CreateTable
CREATE TABLE "Company" (
    "id" TEXT NOT NULL,
    "name" TEXT NOT NULL,
    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
    "updatedAt" TIMESTAMP(3) NOT NULL,

    CONSTRAINT "Company_pkey" PRIMARY KEY ("id")
);
```
Prismarls will add the following RLS settings:
```sql
-- RLS Settings
ALTER TABLE "Company" ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation_policy ON "Company" USING("id" = current_setting('app.company_id'));
CREATE POLICY bypass_rls_policy ON "Company" USING (current_setting('app.bypass_rls', TRUE)::text = 'on');
```
## Usage
Create a migration with Prisma Migrate and then append RLS configurations using Prismarls:
```bash
# Create a migration with Prisma Migrate --create-only
npx prisma migrate dev --create-only --name migration
# Use Prismarls to add RLS settings and create policies for the specified tables
npx @shoito/prismarls --schema=./prisma/schema.prisma --migrations=./prisma/migrations --currentSettingIsolation=app.company_id --currentSettingBypass=app.bypass_rls
```
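A coverage check for the workflow above, as an added example (not part of Prismarls): it scans a migration's SQL and reports, for each table the migration creates, whether RLS is enabled, whether it is forced, and which policies are attached. The sample migration and its `AuditLog` table are constructed, and the `FORCE ROW LEVEL SECURITY` statement is assumed to use the standard PostgreSQL `ALTER TABLE` form.

```javascript
// Constructed sample: a migration after prismarls has run. "AuditLog" is a
// hypothetical table that was never annotated with @RLS, so it got no policy.
const SAMPLE_MIGRATION = `
-- CreateTable
CREATE TABLE "Company" (
    "id" TEXT NOT NULL,
    "name" TEXT NOT NULL,
    CONSTRAINT "Company_pkey" PRIMARY KEY ("id")
);
-- CreateTable
CREATE TABLE "AuditLog" (
    "id" TEXT NOT NULL,
    CONSTRAINT "AuditLog_pkey" PRIMARY KEY ("id")
);
-- RLS Settings
ALTER TABLE "Company" ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation_policy ON "Company" USING("id" = current_setting('app.company_id'));
CREATE POLICY bypass_rls_policy ON "Company" USING (current_setting('app.bypass_rls', TRUE)::text = 'on');
`;

// Return the first capture group (the quoted table name) of every match.
function tablesMatching(sql, regex) {
  return [...sql.matchAll(regex)].map((m) => m[1]);
}

// For each table the migration creates, report whether RLS is enabled, whether
// it is forced (so it also applies to the table owner), and its policy names.
function auditMigration(sql) {
  const created = tablesMatching(sql, /CREATE TABLE\s+"([^"]+)"/gi);
  const enabled = new Set(tablesMatching(sql, /ALTER TABLE\s+"([^"]+)"\s+ENABLE ROW LEVEL SECURITY/gi));
  const forced = new Set(tablesMatching(sql, /ALTER TABLE\s+"([^"]+)"\s+FORCE ROW LEVEL SECURITY/gi));
  const policies = [...sql.matchAll(/CREATE POLICY\s+(\w+)\s+ON\s+"([^"]+)"/gi)];
  return created.map((table) => ({
    table,
    rlsEnabled: enabled.has(table),
    rlsForced: forced.has(table),
    policies: policies.filter((m) => m[2] === table).map((m) => m[1]),
  }));
}

// Tables created without ENABLE ROW LEVEL SECURITY: any role holding table
// privileges reads every tenant's rows. Review each one before deploying.
function unprotectedTables(sql) {
  return auditMigration(sql).filter((t) => !t.rlsEnabled).map((t) => t.table);
}

console.log(auditMigration(SAMPLE_MIGRATION), unprotectedTables(SAMPLE_MIGRATION));
```

A table with RLS enabled but no policies is default-deny for non-owner roles, so only tables missing `ENABLE ROW LEVEL SECURITY` are flagged.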
## schema.prisma
Add a `/// @RLS` comment in your `schema.prisma` to specify tables and columns for which RLS should be configured.
```prisma
model Company {
  id        String   @id @default(cuid()) /// @RLS
  name      String
  createdAt DateTime @default(now())
  updatedAt DateTime
}
```
If table or column names are specified using `map`, include these in the `@RLS` annotation:
```prisma
model User {
  id        String   @id @default(cuid())
  email     String
  company   Company? @relation(fields: [companyId], references: [id])
  companyId String?  @map("company_id") /// @RLS(table: "users", column: "company_id")

  @@map("users")
}
```
## Command Options
- `--schema`: Path to your Prisma `schema.prisma` file. Default is `./prisma/schema.prisma`.
- `--migrations`: Directory path containing migration files generated by Prisma Migrate. Default is `./prisma/migrations`.
- `--currentSettingIsolation`: Name of the PostgreSQL setting that the tenant isolation policy reads with `current_setting()`. Default is `app.tenant_id`.
- `--currentUser`: Specify if using `current_user` with RLS. Default is `false`.
- `--currentSettingBypass`: Name of the PostgreSQL setting that the bypass policy reads with `current_setting()`. Default is `app.bypass_rls`.
- `--forceEnable`: Enable `FORCE ROW LEVEL SECURITY` for all tables. Default is `false`.
## Prisma Limitations
- Schemas introspected with `prisma db pull` do not include RLS configurations.
- Deploying schemas with `prisma db push` does not apply RLS settings.
## License
MIT