Jeton Mustini
@Mu2tini
This question has probably been asked many times before, but I can't find how to search inside a room in Gitter.
Question is how do I insert data with relations similar to how you query tables with relations using Resource Embedding?
Like a nested JSON object inserted to the right tables based on foreign keys...
Jeton Mustini
@Mu2tini
Does one have to do this by calling a procedure?
hivemall
@hivemall
I hope Steve will pop in soon and shed some light :)
matrixbot
@matrixbot
Jeton Mustini (Gitter): If you're referring to PostgREST/postgrest#818 then no. You can create a view which joins the tables together and then an INSTEAD OF rule when updating.
Steve Chavez
@steve-chavez
@hivemall There's no config option for disabling the anon role. But you could workaround the error message with a proxy. On nginx it could be like:
if ($http_authorization = "") {
    return 403;
}
David Vartok
@dvartok_twitter
Hi! I haven't figured out how to properly bulk POST CSV that contains a JSON field, would anyone have some resources for that?
David Vartok
@dvartok_twitter
Never mind - I think I'll bulk insert JSON instead of CSV in this case.
I would still be curious if it was possible to insert JSON fields through CSV bulk inserts in PostgREST, and how to correctly escape them.
Thanks btw to all the contributors!
hivemall
@hivemall
@steve-chavez thank you; also: without a directive in postgrest.conf the exp is meaningless: an attacker just omits it!
Thus postgrest.conf should have an option to enforce an exp field,
assuming the client got the (symmetric) key and it is leaked.
Ruslan Talpa
@ruslantalpa
If the attacker has your secret/key, the conf rule you are talking about is meaningless since he can generate whatever JWT he likes (with or without exp).
hivemall
@hivemall
I agree: the JWT is meant to be generated server-side only.
Kai
@tingkai-zhang

Hi, I was wondering how Row Level Security is used in PostgREST to restrict a user so they can only operate on their own rows?

The way I can think of to use RLS to grant a user access only to his/her specific rows is by adding a column called username:

CREATE POLICY accounts_policy
ON public.accounts
USING (username = CURRENT_USER);

In this way, the currently logged-in user can operate on rows that have the same username as the current user.
I don't think that's feasible, since:

  1. It requires every table has a column called username which will be used to match with current login user.
  2. We need to create a user in PG for each client user. (What if there are 500k users for an app, are we going to create so many users? My approach is not automated which makes it even worse!)

My proposal is definitely not good. But I am wondering how RLS is used in PostgREST?
Steve Chavez
@steve-chavez
@tingkai-zhang It's not necessary to create a pg role for each web user. See http://postgrest.org/en/v7.0.0/auth.html#web-users-sharing-role. Also, for some examples of RLS: https://github.com/steve-chavez/socnet/tree/master/security
hivemall
@hivemall
@steve-chavez I will do nginx filtering of the 400 Bad Request for "anon role does not exist" because I can't disable it.
The reply is too verbose, and I can't turn it off; even when enforcing the auth header, a bad header falls back to the anon role and again the too-verbose message appears.
Would be cool to have a .conf anon on/off.
hivemall
@hivemall
Workaround: use proxy_intercept_errors on; in nginx to eat errors and replace them with custom bodies, plus error_page 400 404 500 502 503 504 /generic_error.html; # redirect
Michael Jendryke
@MichaelJendryke

Dear all, I am trying to achieve RLS using JWT with an email claim. I took the todos table from the tutorial and added a column email. I also created an auth schema with a user table. Each user has an email and a role (authenticator). BTW: there are only two relevant roles web_anon (for everything that is public) and authenticator for everything that needs authentication. With the right policy in place and a JWT with email claim I can make a GET request that returns only those rows that match the email.

Question: How do I POST - add a task to the todos table - and insert the email present in the JWT email claim? I could add the email to the data {"task": "hugo's task", "email": "hugo@gmail.com"}, but that does not seem right, because someone could take a valid JWT and insert tasks for someone else...

Michael Jendryke
@MichaelJendryke
Do I just need to modify the insert policy example in https://github.com/steve-chavez/socnet/blob/master/security/comments.sql
Steve Chavez
@steve-chavez
@MichaelJendryke Yes, an RLS insert policy would make sure a user can only insert todos for himself. Like in insert_policy as you pointed out.
Steve Chavez
@steve-chavez
@hivemall Nice workaround. You could open an issue with the feature request to serve as a reminder.
svdeveloper1
@svdeveloper1
Hi
I was reading the documentation and saw there is an Extension section. Where can I find more information on how to write an extension or possibly how to contribute to postgrest?
hfv1606
@hfv1606
Thanks for your clear postgrest tutorial. I finished Tutorial 0 and encountered one minor problem: in the tutorial postgres is mapped on port 5433 instead of 5432. This leads to an error message in Step 5. Run PostgREST. "could not connect to server: Connection refused\n\tIs the server running on host \"localhost\" (127.0.0.1) and accepting\n\tTCP/IP connections on port 5432?" Please change the port mapping in the docker command. Then the Tutorial is perfect.
CUI
@497983606
Hi everyone,
I'm from China; this is my first time learning about PostgREST. I think it's great and a very good fit for taiwutech.com.
Steve Chavez
@steve-chavez
@svdeveloper1 For developing postgrest, check the development page on the docs. There's also some easy issues you could pick up if you'd like to contribute.
@hfv1606 I see what you mean, that looks related to this issue: PostgREST/postgrest-docs#304.
@497983606 Thanks!
NickEmpetvee
@NickEmpetvee
Does PostgREST maintain a persistent connection with PostgreSQL from launch to shutdown, or does it open a new connection each time?
Steve Chavez
@steve-chavez
@NickEmpetvee The number of connections is defined by db-pool, those live as long as specified in db-pool-timeout.
NickEmpetvee
@NickEmpetvee
@steve-chavez Thank you.
NickEmpetvee
@NickEmpetvee
Is anyone here using the JWT that's issued by PostgREST to also serve as proof of application-side authentication? For example, if the front end is Angular / React, store the JWT issued by PostgREST in localStorage / sessionStorage until expiration? If so, how is that working out?
My front end needs session management and I'm wondering if the PostgREST JWT can serve that purpose.
NickEmpetvee
@NickEmpetvee
Right now, the application code honors any user who passes the PostgREST login and treats them as logged-in to the application too.
Cameron Bourke
@cameronbourke

Hey everyone, I've been banging my head against the wall a little trying to serve images for an <img>. Following the how-to in the docs, I'm currently experiencing a different behaviour. Let's say we are making a request to /rpc/file?id=42. In my case, the body of the response is the literal string in bytea hex format. I think this may be related to the select:

select files.blob from files where files.id = file.id into blob;

From my understanding, select files.blob will actually output the binary data as a hex string. Any help would be greatly appreciated!
NickEmpetvee
@NickEmpetvee
One more question - if the user logs out, how can an unexpired JWT issued by PostgREST be invalidated?
Steve Chavez
@steve-chavez
@NickEmpetvee Custom Validation with pre-request can help for that. Also, you might want to look at https://github.com/monacoremo/postgrest-sessions-example for another approach to sessions.
NickEmpetvee
@NickEmpetvee
@steve-chavez Excellent thank you!
NickEmpetvee
@NickEmpetvee
@steve-chavez do you prefer JWT or sessions?
Elisa Chen
@echennh_gitlab
Hello! I just unzipped the Linux PostgREST distribution on my server and ran ./postgrest, and I was wondering whether this output is normal or whether I have an error because of the missing filename?
All the documentation says is that if the PostgREST installation is successful, it will print out its version and configuration, which it does look like it's doing.
Steve Chavez
@steve-chavez
@NickEmpetvee I've only used JWT until now. But sessions are looking really good, we're working on monacoremo/postgrest-sessions-example#19 to add a guide to the postgrest docs.
@echennh_gitlab Yes, the output is good. You need to pass a config file. Check http://postgrest.org/en/v7.0.0/configuration.html#configuration.
Elisa Chen
@echennh_gitlab
Thank you @steve-chavez ! I've created a config file and it says the connection is successful when I type "./postgrest postgres.conf", even though ./postgrest still says "missing FILENAME". It's a relief to know I don't have to keep troubleshooting
NickEmpetvee
@NickEmpetvee
@steve-chavez That's great to hear! Thank you.
hivemall
@hivemall
@steve-chavez full solution snippet: PostgREST/postgrest#1539