-
Notifications
You must be signed in to change notification settings - Fork 50
/
Copy pathsupabase_custom_claims--1.0.sql
101 lines (95 loc) · 3.4 KB
/
supabase_custom_claims--1.0.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
--complain if script is sourced in psql, rather than via CREATE EXTENSION
\echo Use "CREATE EXTENSION supabase_custom_claims" to load this file. \quit
CREATE OR REPLACE FUNCTION is_claims_admin() RETURNS "bool"
LANGUAGE "plpgsql"
AS $$
BEGIN
IF session_user = 'authenticator' THEN
--------------------------------------------
-- To disallow any authenticated app users
-- from editing claims, delete the following
-- block of code and replace it with:
-- RETURN FALSE;
--------------------------------------------
IF extract(epoch from now()) > coalesce((current_setting('request.jwt.claims', true)::jsonb)->>'exp', '0')::numeric THEN
return false; -- jwt expired
END IF;
IF coalesce((current_setting('request.jwt.claims', true)::jsonb)->'app_metadata'->'claims_admin', 'false')::bool THEN
return true; -- user has claims_admin set to true
ELSE
return false; -- user does NOT have claims_admin set to true
END IF;
--------------------------------------------
-- End of block
--------------------------------------------
ELSE -- not a user session, probably being called from a trigger or something
return true;
END IF;
END;
$$;
CREATE OR REPLACE FUNCTION get_my_claims() RETURNS "jsonb"
LANGUAGE "sql" STABLE
AS $$
select
coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata', '{}'::jsonb)::jsonb
$$;
CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT) RETURNS "jsonb"
LANGUAGE "sql" STABLE
AS $$
select
coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata' -> claim, null)
$$;
CREATE OR REPLACE FUNCTION get_claims(uid uuid) RETURNS "jsonb"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
AS $$
DECLARE retval jsonb;
BEGIN
IF NOT is_claims_admin() THEN
RETURN '{"error":"access denied"}'::jsonb;
ELSE
select raw_app_meta_data from auth.users into retval where id = uid::uuid;
return retval;
END IF;
END;
$$;
CREATE OR REPLACE FUNCTION get_claim(uid uuid, claim text) RETURNS "jsonb"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
AS $$
DECLARE retval jsonb;
BEGIN
IF NOT is_claims_admin() THEN
RETURN '{"error":"access denied"}'::jsonb;
ELSE
select coalesce(raw_app_meta_data->claim, null) from auth.users into retval where id = uid::uuid;
return retval;
END IF;
END;
$$;
CREATE OR REPLACE FUNCTION set_claim(uid uuid, claim text, value jsonb) RETURNS "text"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
AS $$
BEGIN
IF NOT is_claims_admin() THEN
RETURN 'error: access denied';
ELSE
update auth.users set raw_app_meta_data =
raw_app_meta_data ||
json_build_object(claim, value)::jsonb where id = uid;
return 'OK';
END IF;
END;
$$;
CREATE OR REPLACE FUNCTION delete_claim(uid uuid, claim text) RETURNS "text"
LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
AS $$
BEGIN
IF NOT is_claims_admin() THEN
RETURN 'error: access denied';
ELSE
update auth.users set raw_app_meta_data =
raw_app_meta_data - claim where id = uid;
return 'OK';
END IF;
END;
$$;
NOTIFY pgrst, 'reload schema';