Private
Public Access
1
0
Files
Kanban/docker-entrypoint.sh
T
Catherine Renelle bd12160ebb Phase 2: Enforce Row-Level Security at the PostgreSQL level
- Rewrite rls.ts with withTenant()/withBypassRLS() using parameterized
  set_config() in interactive Prisma transactions (no SQL injection)
- Add FORCE ROW LEVEL SECURITY on all 15 tenant-scoped tables
- Add __bypass__ sentinel and WITH CHECK clauses to every RLS policy
- Explicitly DISABLE RLS on tenants, tenant_hostnames, sessions
- Wrap all API route and page loader queries in withTenant()
- Wrap validateSession() in withBypassRLS() (joins RLS-protected users)
- Keep existing tenantId where-clause filters as optimization layer
- Add postgresql-client to Dockerfile and auto-apply RLS via entrypoint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 22:54:26 -05:00

32 lines
723 B
Bash

#!/bin/sh
set -e
echo "Waiting for database..."
MAX_RETRIES=30
RETRY=0
while [ $RETRY -lt $MAX_RETRIES ]; do
if npx prisma db push --skip-generate 2>&1; then
echo "Database schema synced successfully."
break
fi
RETRY=$((RETRY + 1))
echo "Database not ready (attempt $RETRY/$MAX_RETRIES), retrying in 3s..."
sleep 3
done
if [ $RETRY -ge $MAX_RETRIES ]; then
echo "ERROR: Could not connect to database after $MAX_RETRIES attempts."
exit 1
fi
echo "Applying RLS policies..."
if psql "$DATABASE_URL" -f ./scripts/setup-rls.sql; then
echo "RLS policies applied successfully."
else
echo "WARNING: Failed to apply RLS policies. Continuing anyway..."
fi
echo "Starting server..."
exec node server.js