bd12160ebb
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized set_config() in interactive Prisma transactions (no SQL injection) - Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables - Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy - Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions - Wrap all API route and page loader queries in withTenant() - Wrap validateSession() in withBypassRLS() (joins RLS-protected users) - Keep existing tenantId where-clause filters as optimization layer - Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
32 lines
723 B
Bash
32 lines
723 B
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
echo "Waiting for database..."
|
|
MAX_RETRIES=30
|
|
RETRY=0
|
|
|
|
while [ $RETRY -lt $MAX_RETRIES ]; do
|
|
if npx prisma db push --skip-generate 2>&1; then
|
|
echo "Database schema synced successfully."
|
|
break
|
|
fi
|
|
RETRY=$((RETRY + 1))
|
|
echo "Database not ready (attempt $RETRY/$MAX_RETRIES), retrying in 3s..."
|
|
sleep 3
|
|
done
|
|
|
|
if [ $RETRY -ge $MAX_RETRIES ]; then
|
|
echo "ERROR: Could not connect to database after $MAX_RETRIES attempts."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Applying RLS policies..."
|
|
if psql "$DATABASE_URL" -f ./scripts/setup-rls.sql; then
|
|
echo "RLS policies applied successfully."
|
|
else
|
|
echo "WARNING: Failed to apply RLS policies. Continuing anyway..."
|
|
fi
|
|
|
|
echo "Starting server..."
|
|
exec node server.js
|