CodeCow/stack
1
0
Fork 0
mirror of https://github.com/stack-auth/stack.git synced 2026-06-13 21:01:21 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
91e7266a21
stack/docker/dev-postgres-with-extensions/Dockerfile
Konsti Wohlwend 7a35751f8e
Sign up rules (#1138) 
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **High Risk**
> Touches core sign-up/auth flows and user restriction semantics
(including new DB constraints) and introduces dynamic rule
evaluation/logging; misconfiguration or CEL/parser bugs could block
sign-ups or incorrectly restrict users.
> 
> **Overview**
> Introduces **CEL-based sign-up rules** (config-driven) that are
evaluated during password/OTP/OAuth sign-ups and anonymous upgrades;
matching rules can reject sign-ups or mark users as admin-restricted,
and triggers are logged for analytics.
> 
> Extends `ProjectUser` with `restrictedByAdmin` plus public/private
restriction details, updates restriction computation/filtering, and
exposes these fields via user CRUD (including validation + DB constraint
enforcing consistency when unrestricted).
> 
> Adds a new dashboard **Sign-up Rules** page with a visual condition
builder (CEL <-> visual tree), drag-reorder by priority, per-rule 48h
sparkline analytics via a new hidden internal endpoint, and adds
user-page UI to view/edit manual restrictions. Also refactors ClickHouse
client initialization to require env vars (removing
`isClickhouseConfigured` checks) and adjusts CI container startup wait
time.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
2141e689e8c1b72303b805e9234f996010d0880. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Sign-up Rules: visual rule builder, in-project CRUD with drag-reorder,
per-rule analytics, backend evaluation, and admin UI.
* Admin user restrictions: dashboard controls, banners/status,
public/private admin details surfaced in user views.

* **APIs & Schema**
* Config and user schemas extended; new SignUpRejected error and sign-up
rule types added.

* **Tests**
* Extensive unit and E2E coverage for rules, parser, evaluator,
analytics, and restricted-user flows.

* **Docs**
  * Editorial guidance added to AGENTS.md.

* **Chores**
* DB statement timeout, updated clean script, minor dependency
additions.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-02-03 11:08:24 -08:00

58 lines
2.8 KiB
Docker
Raw Blame History

FROM postgres:15
RUN apt-get update && apt-get install -y \
git \
build-essential \
libpq-dev \
postgresql-server-dev-15
# Install HypoPG
RUN git clone https://github.com/HypoPG/hypopg.git /hypopg
RUN cd /hypopg && make install
# Install index_advisor
RUN git clone https://github.com/supabase/index_advisor.git /index_advisor
RUN cd /index_advisor && make install
# Write initialization SQL
RUN echo "CREATE EXTENSION pg_stat_statements;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "CREATE EXTENSION hypopg;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "CREATE EXTENSION index_advisor;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "CREATE ROLE anon;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "CREATE ROLE authenticated;" >> /docker-entrypoint-initdb.d/init.sql
# Create a read-only user for read replica emulation in development
RUN echo "CREATE USER readonly WITH PASSWORD 'PASSWORD-PLACEHOLDER--readonlyuqfEC1hmmv';" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "GRANT CONNECT ON DATABASE stackframe TO readonly;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "GRANT USAGE ON SCHEMA public TO readonly;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;" >> /docker-entrypoint-initdb.d/init.sql
RUN echo "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;" >> /docker-entrypoint-initdb.d/init.sql
# Create a replication user for streaming replication to the replica
RUN echo "CREATE USER replicator WITH REPLICATION PASSWORD 'PASSWORD-PLACEHOLDER--replicatorpass';" >> /docker-entrypoint-initdb.d/init.sql
# Create a script to add replication permissions to pg_hba.conf after init
# This script runs after the database is initialized but before it starts accepting connections
RUN echo '#!/bin/bash' > /docker-entrypoint-initdb.d/00-setup-replication.sh && \
echo 'echo "host replication replicator all scram-sha-256" >> "$PGDATA/pg_hba.conf"' >> /docker-entrypoint-initdb.d/00-setup-replication.sh && \
chmod +x /docker-entrypoint-initdb.d/00-setup-replication.sh
# Add args to Postgres entrypoint
ENTRYPOINT ["sh", "-c", "\
# Add delay if POSTGRES_DELAY_MS is set \
if [ $POSTGRES_DELAY_MS -gt 0 ]; then \
apt-get update && apt-get install -y iproute2 && tc qdisc add dev eth0 root netem delay ${POSTGRES_DELAY_MS}ms; \
fi; \
\
# Start Postgres with replication enabled and extensions \
exec docker-entrypoint.sh postgres \
-c shared_preload_libraries='pg_stat_statements' \
-c pg_stat_statements.track=all \
-c wal_level=logical \
-c max_wal_senders=5 \
-c max_replication_slots=5 \
-c wal_keep_size=64MB \
-c hot_standby=on \
-c statement_timeout=30s `# In production this is higher, but better safe than sorry during dev` \
"]
Reference in New Issue View Git Blame Copy Permalink