refactor: make all validation/expiry config dynamic from storage_module table, fix RC versions to stable

Author: pyramation

graphile/graphile-presigned-url-plugin/package.json

@@ -46,13 +46,13 @@
     "lru-cache": "^11.2.7"
   },
   "peerDependencies": {
-    "grafast": "1.0.0-rc.9",
-    "graphile-build": "5.0.0-rc.6",
-    "graphile-build-pg": "5.0.0-rc.8",
-    "graphile-config": "1.0.0-rc.6",
-    "graphile-utils": "5.0.0-rc.8",
+    "grafast": "1.0.0",
+    "graphile-build": "5.0.0",
+    "graphile-build-pg": "5.0.0",
+    "graphile-config": "1.0.0",
+    "graphile-utils": "5.0.0",
     "graphql": "16.13.0",
-    "postgraphile": "5.0.0-rc.10"
+    "postgraphile": "5.0.0"
   },
   "devDependencies": {
     "@types/node": "^22.19.11",

graphile/graphile-presigned-url-plugin/src/download-url-field.ts

@@ -18,6 +18,7 @@ import { Logger } from '@pgpmjs/logger';
 
 import type { PresignedUrlPluginOptions } from './types';
 import { generatePresignedGetUrl } from './s3-signer';
+import { getStorageModuleConfig } from './storage-module-cache';
 
 const log = new Logger('graphile-presigned-url:download-url');
 
@@ -34,7 +35,6 @@ export function createDownloadUrlPlugin(
   options: PresignedUrlPluginOptions,
 ): GraphileConfig.Plugin {
   const { s3 } = options;
-  const downloadUrlExpirySeconds = 3600; // 1 hour for GET URLs
 
   return {
     name: 'PresignedUrlDownloadPlugin',
@@ -75,7 +75,7 @@ export function createDownloadUrlPlugin(
                     'URL to download this file. For public files, returns the public URL. ' +
                     'For private files, returns a time-limited presigned URL.',
                   type: GraphQLString,
-                  resolve(parent: any) {
+                  async resolve(parent: any, _args: any, context: any) {
                     const key = parent.key || parent.get?.('key');
                     const isPublic = parent.is_public ?? parent.get?.('is_public');
                     const filename = parent.filename || parent.get?.('filename');
@@ -93,6 +93,29 @@ export function createDownloadUrlPlugin(
                       return `${s3.publicUrlPrefix}/${key}`;
                     }
 
+                    // Resolve download URL expiry from storage module config (per-database)
+                    let downloadUrlExpirySeconds = 3600; // fallback default
+                    try {
+                      const withPgClient = context.pgSettings
+                        ? context.withPgClient
+                        : null;
+                      if (withPgClient) {
+                        const config = await withPgClient(null, async (pgClient: any) => {
+                          const dbResult = await pgClient.query(
+                            `SELECT jwt_private.current_database_id() AS id`,
+                          );
+                          const databaseId = dbResult.rows[0]?.id;
+                          if (!databaseId) return null;
+                          return getStorageModuleConfig(pgClient, databaseId);
+                        });
+                        if (config) {
+                          downloadUrlExpirySeconds = config.downloadUrlExpirySeconds;
+                        }
+                      }
+                    } catch {
+                      // Fall back to default if config lookup fails
+                    }
+
                     // Private file: generate presigned GET URL
                     return generatePresignedGetUrl(
                       s3,

graphile/graphile-presigned-url-plugin/src/plugin.ts

@@ -28,11 +28,10 @@ import { generatePresignedPutUrl, headObject } from './s3-signer';
 
 const log = new Logger('graphile-presigned-url:plugin');
 
-// --- Validation constants ---
+// --- Protocol-level constants (not configurable) ---
 
 const MAX_CONTENT_HASH_LENGTH = 128;
 const MAX_CONTENT_TYPE_LENGTH = 255;
-const MAX_FILENAME_LENGTH = 1024;
 const MAX_BUCKET_KEY_LENGTH = 255;
 const SHA256_HEX_REGEX = /^[a-f0-9]{64}$/;
 
@@ -71,11 +70,7 @@ async function resolveDatabaseId(pgClient: any): Promise<string | null> {
 export function createPresignedUrlPlugin(
   options: PresignedUrlPluginOptions,
 ): GraphileConfig.Plugin {
-  const {
-    s3,
-    urlExpirySeconds = 900,
-    maxFileSize = 200 * 1024 * 1024,
-  } = options;
+  const { s3 } = options;
 
   return extendSchema(() => ({
     typeDefs: gql`
@@ -168,19 +163,11 @@ export function createPresignedUrlPlugin(
             if (!contentType || typeof contentType !== 'string' || contentType.length > MAX_CONTENT_TYPE_LENGTH) {
               throw new Error('INVALID_CONTENT_TYPE');
             }
-            if (typeof size !== 'number' || size <= 0 || size > maxFileSize) {
-              throw new Error(`INVALID_FILE_SIZE: must be between 1 and ${maxFileSize} bytes`);
-            }
-            if (filename !== undefined && filename !== null) {
-              if (typeof filename !== 'string' || filename.length > MAX_FILENAME_LENGTH) {
-                throw new Error('INVALID_FILENAME');
-              }
-            }
 
             return withPgClient(pgSettings, async (pgClient: any) => {
               await pgClient.query('BEGIN');
               try {
-                // --- Resolve storage module config ---
+                // --- Resolve storage module config (all limits come from here) ---
                 const databaseId = await resolveDatabaseId(pgClient);
                 if (!databaseId) {
                   throw new Error('DATABASE_NOT_FOUND');
@@ -191,6 +178,16 @@ export function createPresignedUrlPlugin(
                   throw new Error('STORAGE_MODULE_NOT_PROVISIONED');
                 }
 
+                // --- Validate size against storage module default (bucket override checked below) ---
+                if (typeof size !== 'number' || size <= 0 || size > storageConfig.defaultMaxFileSize) {
+                  throw new Error(`INVALID_FILE_SIZE: must be between 1 and ${storageConfig.defaultMaxFileSize} bytes`);
+                }
+                if (filename !== undefined && filename !== null) {
+                  if (typeof filename !== 'string' || filename.length > storageConfig.maxFilenameLength) {
+                    throw new Error('INVALID_FILENAME');
+                  }
+                }
+
                 // --- Look up the bucket (RLS enforced) ---
                 const bucketResult = await pgClient.query(
                   `SELECT id, type, is_public, owner_id, allowed_mime_types, max_file_size
@@ -288,10 +285,10 @@ export function createPresignedUrlPlugin(
                   s3Key,
                   contentType,
                   size,
-                  urlExpirySeconds,
+                  storageConfig.uploadUrlExpirySeconds,
                 );
 
-                const expiresAt = new Date(Date.now() + urlExpirySeconds * 1000).toISOString();
+                const expiresAt = new Date(Date.now() + storageConfig.uploadUrlExpirySeconds * 1000).toISOString();
 
                 // --- Track the upload request ---
                 await pgClient.query(

graphile/graphile-presigned-url-plugin/src/preset.ts

@@ -29,8 +29,6 @@ import { createDownloadUrlPlugin } from './download-url-field';
  *         bucket: 'my-bucket',
  *         publicUrlPrefix: 'https://cdn.example.com',
  *       },
- *       urlExpirySeconds: 900,
- *       maxFileSize: 200 * 1024 * 1024,
  *     }),
  *   ],
  * };

graphile/graphile-presigned-url-plugin/src/storage-module-cache.ts

@@ -4,6 +4,13 @@ import type { StorageModuleConfig } from './types';
 
 const log = new Logger('graphile-presigned-url:cache');
 
+// --- Defaults ---
+const DEFAULT_UPLOAD_URL_EXPIRY_SECONDS = 900; // 15 minutes
+const DEFAULT_DOWNLOAD_URL_EXPIRY_SECONDS = 3600; // 1 hour
+const DEFAULT_MAX_FILE_SIZE = 200 * 1024 * 1024; // 200MB
+const DEFAULT_MAX_FILENAME_LENGTH = 1024;
+const DEFAULT_CACHE_TTL_SECONDS = process.env.NODE_ENV === 'development' ? 300 : 3600;
+
 const FIVE_MINUTES_MS = 1000 * 60 * 5;
 const ONE_HOUR_MS = 1000 * 60 * 60;
 
@@ -36,7 +43,12 @@ const STORAGE_MODULE_QUERY = `
     fs.schema_name AS files_schema,
     ft.name AS files_table,
     urs.schema_name AS upload_requests_schema,
-    urt.name AS upload_requests_table
+    urt.name AS upload_requests_table,
+    sm.upload_url_expiry_seconds,
+    sm.download_url_expiry_seconds,
+    sm.default_max_file_size,
+    sm.max_filename_length,
+    sm.cache_ttl_seconds
   FROM metaschema_modules_public.storage_module sm
   JOIN metaschema_public.table bt ON bt.id = sm.buckets_table_id
   JOIN metaschema_public.schema bs ON bs.id = bt.schema_id
@@ -56,6 +68,11 @@ interface StorageModuleRow {
   files_table: string;
   upload_requests_schema: string;
   upload_requests_table: string;
+  upload_url_expiry_seconds: number | null;
+  download_url_expiry_seconds: number | null;
+  default_max_file_size: number | null;
+  max_filename_length: number | null;
+  cache_ttl_seconds: number | null;
 }
 
 /**
@@ -84,6 +101,8 @@ export async function getStorageModuleConfig(
   }
 
   const row = result.rows[0] as StorageModuleRow;
+  const cacheTtlSeconds = row.cache_ttl_seconds ?? DEFAULT_CACHE_TTL_SECONDS;
+
   const config: StorageModuleConfig = {
     id: row.id,
     bucketsQualifiedName: `"${row.buckets_schema}"."${row.buckets_table}"`,
@@ -93,6 +112,11 @@ export async function getStorageModuleConfig(
     bucketsTableName: row.buckets_table,
     filesTableName: row.files_table,
     uploadRequestsTableName: row.upload_requests_table,
+    uploadUrlExpirySeconds: row.upload_url_expiry_seconds ?? DEFAULT_UPLOAD_URL_EXPIRY_SECONDS,
+    downloadUrlExpirySeconds: row.download_url_expiry_seconds ?? DEFAULT_DOWNLOAD_URL_EXPIRY_SECONDS,
+    defaultMaxFileSize: row.default_max_file_size ?? DEFAULT_MAX_FILE_SIZE,
+    maxFilenameLength: row.max_filename_length ?? DEFAULT_MAX_FILENAME_LENGTH,
+    cacheTtlSeconds,
   };
 
   storageModuleCache.set(cacheKey, config);

graphile/graphile-presigned-url-plugin/src/types.ts

@@ -33,6 +33,19 @@ export interface StorageModuleConfig {
   filesTableName: string;
   /** Upload requests table name */
   uploadRequestsTableName: string;
+
+  // --- Per-database configurable settings ---
+
+  /** Presigned PUT URL expiry in seconds (default: 900 = 15 min) */
+  uploadUrlExpirySeconds: number;
+  /** Presigned GET URL expiry in seconds (default: 3600 = 1 hour) */
+  downloadUrlExpirySeconds: number;
+  /** Default max file size in bytes (default: 200MB). Bucket-level max_file_size overrides this. */
+  defaultMaxFileSize: number;
+  /** Max filename length in characters (default: 1024) */
+  maxFilenameLength: number;
+  /** Cache TTL in seconds for this config entry (default: 300 dev / 3600 prod) */
+  cacheTtlSeconds: number;
 }
 
 /**
@@ -111,11 +124,4 @@ export interface S3Config {
 export interface PresignedUrlPluginOptions {
   /** S3 configuration */
   s3: S3Config;
-  /** Presigned URL expiry in seconds (default: 900 = 15 minutes) */
-  urlExpirySeconds?: number;
-  /** Maximum file size in bytes (default: 200MB) */
-  maxFileSize?: number;
-  /** Performance threshold for content hashing in bytes.
-   *  Above this size, use UUID key instead of content hash. (default: 200MB) */
-  hashThresholdBytes?: number;
 }