feat: multi-scope bucket resolution (Option C: bucketKey + ownerId)

- presigned-url-plugin: Add optional ownerId to RequestUploadUrlInput
  - getStorageModuleConfig now filters to app-level (membership_type IS NULL)
  - New getStorageModuleConfigForOwner resolves entity-scoped modules by probing entity tables
  - New resolveStorageModuleByFileId for confirmUpload (probes all file tables by UUID)
  - getBucketConfig supports entity-scoped lookups with (owner_id, key) composite
  - File INSERT adapts to presence/absence of owner_id column per scope

- bucket-provisioner-plugin: Add optional ownerId to ProvisionBucketInput
  - Replace LIMIT 1 query with scope-aware resolveStorageModule function
  - provisionBucket mutation resolves storage module via ownerId
  - Auto-provisioning hook uses app-level resolution (no ownerId context)

- Backward compatible: omitting ownerId defaults to app-level storage
- No DB changes required (builds on PR #876 membership_type + entity_table_id columns)

Author: pyramation

graphile/graphile-bucket-provisioner-plugin/src/plugin.ts

@@ -47,11 +47,16 @@ import type {
 
 const log = new Logger('graphile-bucket-provisioner:plugin');
 
-// --- Storage module query (same as presigned-url-plugin) ---
+// --- Storage module queries ---
 
-const STORAGE_MODULE_QUERY = `
+/**
+ * Resolve the app-level storage module (membership_type IS NULL).
+ */
+const APP_STORAGE_MODULE_QUERY = `
   SELECT
     sm.id,
+    sm.membership_type,
+    sm.entity_table_id,
     bs.schema_name AS buckets_schema,
     bt.name AS buckets_table,
     sm.endpoint,
@@ -62,17 +67,79 @@ const STORAGE_MODULE_QUERY = `
   JOIN metaschema_public.table bt ON bt.id = sm.buckets_table_id
   JOIN metaschema_public.schema bs ON bs.id = bt.schema_id
   WHERE sm.database_id = $1
+    AND sm.membership_type IS NULL
   LIMIT 1
 `;
 
+/**
+ * Resolve ALL storage modules for a database (for ownerId-based resolution).
+ */
+const ALL_STORAGE_MODULES_QUERY = `
+  SELECT
+    sm.id,
+    sm.membership_type,
+    sm.entity_table_id,
+    bs.schema_name AS buckets_schema,
+    bt.name AS buckets_table,
+    sm.endpoint,
+    sm.public_url_prefix,
+    sm.provider,
+    sm.allowed_origins,
+    es.schema_name AS entity_schema,
+    et.name AS entity_table
+  FROM metaschema_modules_public.storage_module sm
+  JOIN metaschema_public.table bt ON bt.id = sm.buckets_table_id
+  JOIN metaschema_public.schema bs ON bs.id = bt.schema_id
+  LEFT JOIN metaschema_public.table et ON et.id = sm.entity_table_id
+  LEFT JOIN metaschema_public.schema es ON es.id = et.schema_id
+  WHERE sm.database_id = $1
+`;
+
 interface StorageModuleRow {
   id: string;
+  membership_type: number | null;
+  entity_table_id: string | null;
   buckets_schema: string;
   buckets_table: string;
   endpoint: string | null;
   public_url_prefix: string | null;
   provider: string | null;
   allowed_origins: string[] | null;
+  entity_schema?: string | null;
+  entity_table?: string | null;
+}
+
+/**
+ * Resolve the storage module for a given scope.
+ * If ownerId is provided, probes entity tables to find the matching module.
+ * Otherwise, returns the app-level module.
+ */
+async function resolveStorageModule(
+  pgClient: any,
+  databaseId: string,
+  ownerId?: string,
+): Promise<StorageModuleRow | null> {
+  if (!ownerId) {
+    const result = await pgClient.query(APP_STORAGE_MODULE_QUERY, [databaseId]);
+    return (result.rows[0] as StorageModuleRow) ?? null;
+  }
+
+  // Load all modules and probe entity tables
+  const result = await pgClient.query(ALL_STORAGE_MODULES_QUERY, [databaseId]);
+  const modules = result.rows as StorageModuleRow[];
+  const entityModules = modules.filter((m) => m.entity_schema && m.entity_table);
+
+  for (const mod of entityModules) {
+    const probe = await pgClient.query(
+      `SELECT 1 FROM "${mod.entity_schema}"."${mod.entity_table}" WHERE id = $1 LIMIT 1`,
+      [ownerId],
+    );
+    if (probe.rows.length > 0) {
+      return mod;
+    }
+  }
+
+  return null;
 }
 
 interface BucketRow {
@@ -187,8 +254,7 @@ async function provisionBucketForRow(
   const accessType = bucketType as 'public' | 'private' | 'temp';
 
   // Read storage module config to check for endpoint/provider/CORS overrides
-  const smResult = await pgClient.query(STORAGE_MODULE_QUERY, [databaseId]);
-  const storageModule: StorageModuleRow | null = smResult.rows[0] ?? null;
+  const storageModule = await resolveStorageModule(pgClient, databaseId);
 
   // Resolve CORS origins using the 3-tier hierarchy
   const effectiveOrigins = resolveAllowedOrigins(
@@ -234,8 +300,7 @@ async function updateBucketCors(
   const s3BucketName = resolveBucketName(bucketKey, databaseId, options);
   const accessType = bucketType as 'public' | 'private' | 'temp';
 
-  const smResult = await pgClient.query(STORAGE_MODULE_QUERY, [databaseId]);
-  const storageModule: StorageModuleRow | null = smResult.rows[0] ?? null;
+  const storageModule = await resolveStorageModule(pgClient, databaseId);
 
   const effectiveOrigins = resolveAllowedOrigins(
     bucketAllowedOrigins,
@@ -287,6 +352,11 @@ export function createBucketProvisionerPlugin(
       input ProvisionBucketInput {
         """The logical bucket key (e.g., "public", "private")"""
         bucketKey: String!
+        """
+        Owner entity ID for entity-scoped bucket provisioning.
+        Omit for app-level (database-wide) storage.
+        """
+        ownerId: UUID
       }
 
       type ProvisionBucketPayload {
@@ -329,7 +399,7 @@ export function createBucketProvisionerPlugin(
           });
 
           return lambda($combined, async ({ input, withPgClient, pgSettings }: any) => {
-            const { bucketKey } = input;
+            const { bucketKey, ownerId } = input;
 
             if (!bucketKey || typeof bucketKey !== 'string') {
               throw new Error('INVALID_BUCKET_KEY');
@@ -342,20 +412,29 @@ export function createBucketProvisionerPlugin(
                 throw new Error('DATABASE_NOT_FOUND');
               }
 
-              // Read storage module config
-              const smResult = await pgClient.query(STORAGE_MODULE_QUERY, [databaseId]);
-              if (smResult.rows.length === 0) {
-                throw new Error('STORAGE_MODULE_NOT_PROVISIONED');
+              // Resolve storage module (app-level or entity-scoped via ownerId)
+              const storageModule = await resolveStorageModule(pgClient, databaseId, ownerId);
+              if (!storageModule) {
+                throw new Error(
+                  ownerId
+                    ? 'STORAGE_MODULE_NOT_FOUND_FOR_OWNER: no storage module found for the given ownerId'
+                    : 'STORAGE_MODULE_NOT_PROVISIONED',
+                );
               }
-              const storageModule = smResult.rows[0] as StorageModuleRow;
 
               // Look up the bucket row (RLS enforced via pgSettings)
+              const hasOwner = ownerId && storageModule.membership_type !== null;
               const bucketResult = await pgClient.query(
-                `SELECT id, key, type, is_public, allowed_origins
-                 FROM "${storageModule.buckets_schema}"."${storageModule.buckets_table}"
-                 WHERE key = $1
-                 LIMIT 1`,
-                [bucketKey],
+                hasOwner
+                  ? `SELECT id, key, type, is_public, allowed_origins
+                     FROM "${storageModule.buckets_schema}"."${storageModule.buckets_table}"
+                     WHERE key = $1 AND owner_id = $2
+                     LIMIT 1`
+                  : `SELECT id, key, type, is_public, allowed_origins
+                     FROM "${storageModule.buckets_schema}"."${storageModule.buckets_table}"
+                     WHERE key = $1
+                     LIMIT 1`,
+                hasOwner ? [bucketKey, ownerId] : [bucketKey],
               );
 
               if (bucketResult.rows.length === 0) {
@@ -522,13 +601,12 @@ export function createBucketProvisionerPlugin(
                       return;
                     }
 
-                    // Read the updated bucket row to get full state
-                    const smResult = await pgClient.query(STORAGE_MODULE_QUERY, [databaseId]);
-                    if (smResult.rows.length === 0) {
+                    // Read the storage module config (app-level; auto-hook doesn't have ownerId context)
+                    const storageModule = await resolveStorageModule(pgClient, databaseId);
+                    if (!storageModule) {
                       log.warn('CORS update skipped: storage module not provisioned');
                       return;
                     }
-                    const storageModule = smResult.rows[0] as StorageModuleRow;
 
                     // We need the bucket key — it may come from input or patch
                     // For updates, PostGraphile uses nodeId or the row's PK, so

graphile/graphile-bucket-provisioner-plugin/src/types.ts

@@ -89,6 +89,11 @@ export interface BucketProvisionerPluginOptions {
 export interface ProvisionBucketInput {
   /** The logical bucket key (e.g., "public", "private") */
   bucketKey: string;
+  /**
+   * Owner entity ID for entity-scoped bucket provisioning.
+   * Omit for app-level (database-wide) storage.
+   */
+  ownerId?: string;
 }
 
 /**

graphile/graphile-presigned-url-plugin/src/index.ts

@@ -30,7 +30,7 @@
 export { PresignedUrlPlugin, createPresignedUrlPlugin } from './plugin';
 export { createDownloadUrlPlugin } from './download-url-field';
 export { PresignedUrlPreset } from './preset';
-export { getStorageModuleConfig, getBucketConfig, clearStorageModuleCache, clearBucketCache, isS3BucketProvisioned, markS3BucketProvisioned } from './storage-module-cache';
+export { getStorageModuleConfig, getStorageModuleConfigForOwner, getBucketConfig, resolveStorageModuleByFileId, clearStorageModuleCache, clearBucketCache, isS3BucketProvisioned, markS3BucketProvisioned } from './storage-module-cache';
 export { generatePresignedPutUrl, generatePresignedGetUrl, headObject } from './s3-signer';
 export type {
   BucketConfig,

graphile/graphile-presigned-url-plugin/src/plugin.ts

@@ -23,7 +23,7 @@ import { extendSchema, gql } from 'graphile-utils';
 import { Logger } from '@pgpmjs/logger';
 
 import type { PresignedUrlPluginOptions, S3Config, StorageModuleConfig, BucketConfig } from './types';
-import { getStorageModuleConfig, getBucketConfig, isS3BucketProvisioned, markS3BucketProvisioned } from './storage-module-cache';
+import { getStorageModuleConfig, getStorageModuleConfigForOwner, getBucketConfig, resolveStorageModuleByFileId, isS3BucketProvisioned, markS3BucketProvisioned } from './storage-module-cache';
 import { generatePresignedPutUrl, headObject } from './s3-signer';
 
 const log = new Logger('graphile-presigned-url:plugin');
@@ -147,6 +147,13 @@ export function createPresignedUrlPlugin(
       input RequestUploadUrlInput {
         """Bucket key (e.g., "public", "private")"""
         bucketKey: String!
+        """
+        Owner entity ID for entity-scoped uploads.
+        Omit for app-level (database-wide) storage.
+        When provided, resolves the storage module for the entity type
+        that owns this entity instance (e.g., a data room ID, team ID).
+        """
+        ownerId: UUID
         """SHA-256 content hash computed by the client (hex-encoded, 64 chars)"""
         contentHash: String!
         """MIME type of the file (e.g., "image/png")"""
@@ -219,7 +226,7 @@ export function createPresignedUrlPlugin(
 
           return lambda($combined, async ({ input, withPgClient, pgSettings }: any) => {
             // --- Input validation ---
-            const { bucketKey, contentHash, contentType, size, filename } = input;
+            const { bucketKey, ownerId, contentHash, contentType, size, filename } = input;
 
             if (!bucketKey || typeof bucketKey !== 'string' || bucketKey.length > MAX_BUCKET_KEY_LENGTH) {
               throw new Error('INVALID_BUCKET_KEY');
@@ -242,9 +249,16 @@ export function createPresignedUrlPlugin(
                   throw new Error('DATABASE_NOT_FOUND');
                 }
 
-                const storageConfig = await getStorageModuleConfig(txClient, databaseId);
+                // --- Resolve storage module (app-level or entity-scoped) ---
+                const storageConfig = ownerId
+                  ? await getStorageModuleConfigForOwner(txClient, databaseId, ownerId)
+                  : await getStorageModuleConfig(txClient, databaseId);
                 if (!storageConfig) {
-                  throw new Error('STORAGE_MODULE_NOT_PROVISIONED');
+                  throw new Error(
+                    ownerId
+                      ? 'STORAGE_MODULE_NOT_FOUND_FOR_OWNER: no storage module found for the given ownerId'
+                      : 'STORAGE_MODULE_NOT_PROVISIONED',
+                  );
                 }
 
                 // --- Validate size against storage module default (bucket override checked below) ---
@@ -258,7 +272,7 @@ export function createPresignedUrlPlugin(
                 }
 
                 // --- Look up the bucket (cached; first miss queries via RLS) ---
-                const bucket = await getBucketConfig(txClient, storageConfig, databaseId, bucketKey);
+                const bucket = await getBucketConfig(txClient, storageConfig, databaseId, bucketKey, ownerId);
                 if (!bucket) {
                   throw new Error('BUCKET_NOT_FOUND');
                 }
@@ -319,21 +333,38 @@ export function createPresignedUrlPlugin(
                 }
 
                 // --- Create file record (status=pending) ---
+                // For app-level storage (no owner_id column), omit owner_id from the INSERT.
+                const hasOwnerColumn = storageConfig.membershipType !== null;
                 const fileResult = await txClient.query({
-                  text: `INSERT INTO ${storageConfig.filesQualifiedName}
-                   (bucket_id, key, content_type, content_hash, size, filename, owner_id, is_public, status)
-                   VALUES ($1, $2, $3, $4, $5, $6, $7, $8, 'pending')
-                   RETURNING id`,
-                  values: [
-                    bucket.id,
-                    s3Key,
-                    contentType,
-                    contentHash,
-                    size,
-                    filename || null,
-                    bucket.owner_id,
-                    bucket.is_public,
-                  ],
+                  text: hasOwnerColumn
+                    ? `INSERT INTO ${storageConfig.filesQualifiedName}
+                       (bucket_id, key, content_type, content_hash, size, filename, owner_id, is_public, status)
+                       VALUES ($1, $2, $3, $4, $5, $6, $7, $8, 'pending')
+                       RETURNING id`
+                    : `INSERT INTO ${storageConfig.filesQualifiedName}
+                       (bucket_id, key, content_type, content_hash, size, filename, is_public, status)
+                       VALUES ($1, $2, $3, $4, $5, $6, $7, 'pending')
+                       RETURNING id`,
+                  values: hasOwnerColumn
+                    ? [
+                        bucket.id,
+                        s3Key,
+                        contentType,
+                        contentHash,
+                        size,
+                        filename || null,
+                        bucket.owner_id,
+                        bucket.is_public,
+                      ]
+                    : [
+                        bucket.id,
+                        s3Key,
+                        contentType,
+                        contentHash,
+                        size,
+                        filename || null,
+                        bucket.is_public,
+                      ],
                 });
 
                 const fileId = fileResult.rows[0].id;
@@ -392,31 +423,18 @@ export function createPresignedUrlPlugin(
 
             return withPgClient(pgSettings, async (pgClient: any) => {
               return pgClient.withTransaction(async (txClient: any) => {
-                // --- Resolve storage module config ---
+                // --- Resolve storage module by file ID (probes all file tables) ---
                 const databaseId = await resolveDatabaseId(txClient);
                 if (!databaseId) {
                   throw new Error('DATABASE_NOT_FOUND');
                 }
 
-                const storageConfig = await getStorageModuleConfig(txClient, databaseId);
-                if (!storageConfig) {
-                  throw new Error('STORAGE_MODULE_NOT_PROVISIONED');
-                }
-
-                // --- Look up the file (RLS enforced) ---
-                const fileResult = await txClient.query({
-                  text: `SELECT id, key, content_type, status, bucket_id
-                   FROM ${storageConfig.filesQualifiedName}
-                   WHERE id = $1
-                   LIMIT 1`,
-                  values: [fileId],
-                });
-
-                if (fileResult.rows.length === 0) {
+                const resolved = await resolveStorageModuleByFileId(txClient, databaseId, fileId);
+                if (!resolved) {
                   throw new Error('FILE_NOT_FOUND');
                 }
 
-                const file = fileResult.rows[0];
+                const { storageConfig, file } = resolved;
 
                 if (file.status !== 'pending') {
                   // File is already confirmed or processed — idempotent success
@@ -429,7 +447,7 @@ export function createPresignedUrlPlugin(
 
                 // --- Verify file exists in S3 (per-database bucket) ---
                 const s3ForDb = resolveS3ForDatabase(options, storageConfig, databaseId);
-                const s3Head = await headObject(s3ForDb, file.key, file.content_type);
+                const s3Head = await headObject(s3ForDb, file.key, file.content_type as string);
 
                 if (!s3Head) {
                   throw new Error('FILE_NOT_IN_S3: the file has not been uploaded yet');