constructive-io
diff --git a/‎graphile/graphile-cache/src/graphile-cache.ts‎
Lines changed: 24 additions & 20 deletions b/‎graphile/graphile-cache/src/graphile-cache.ts‎
Lines changed: 24 additions & 20 deletions
diff --git a/‎graphile/graphile-misc-plugins/src/PublicKeySignature.ts‎
Lines changed: 37 additions & 10 deletions b/‎graphile/graphile-misc-plugins/src/PublicKeySignature.ts‎
Lines changed: 37 additions & 10 deletions
diff --git a/‎graphile/graphile-plugin-connection-filter-postgis/__tests__/operators.test.ts‎
Lines changed: 3 additions & 3 deletions b/‎graphile/graphile-plugin-connection-filter-postgis/__tests__/operators.test.ts‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎graphile/graphile-plugin-connection-filter-postgis/src/plugin.ts‎
Lines changed: 2 additions & 4 deletions b/‎graphile/graphile-plugin-connection-filter-postgis/src/plugin.ts‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎graphile/graphile-postgis/src/plugins/codec.ts‎
Lines changed: 12 additions & 1 deletion b/‎graphile/graphile-postgis/src/plugins/codec.ts‎
Lines changed: 12 additions & 1 deletion
@@ -248,34 +248,38 @@ export const closeAllCaches = async (verbose = false): Promise<void> => {
   if (closePromise.promise) return closePromise.promise;
 
   closePromise.promise = (async () => {
-    if (verbose) log.info('Closing all server caches...');
+    try {
+      if (verbose) log.info('Closing all server caches...');
 
-    // Collect all entries and dispose them properly
-    const entries = [...graphileCache.entries()];
+      // Collect all entries and dispose them properly
+      const entries = [...graphileCache.entries()];
 
-    // Mark all as manual evictions
-    for (const [key] of entries) {
-      manualEvictionKeys.add(key);
-    }
+      // Mark all as manual evictions
+      for (const [key] of entries) {
+        manualEvictionKeys.add(key);
+      }
 
-    const disposePromises = entries.map(([key, entry]) =>
-      disposeEntry(entry, key)
-    );
+      const disposePromises = entries.map(([key, entry]) =>
+        disposeEntry(entry, key)
+      );
 
-    // Wait for all disposals to complete
-    await Promise.allSettled(disposePromises);
+      // Wait for all disposals to complete
+      await Promise.allSettled(disposePromises);
 
-    // Clear the cache after disposal (dispose callback will no-op due to disposedKeys)
-    graphileCache.clear();
+      // Clear the cache after disposal (dispose callback will no-op due to disposedKeys)
+      graphileCache.clear();
 
-    // Clear disposed keys tracking after full cleanup
-    disposedKeys.clear();
-    manualEvictionKeys.clear();
+      // Clear disposed keys tracking after full cleanup
+      disposedKeys.clear();
+      manualEvictionKeys.clear();
 
-    // Close pg pools
-    await pgCache.close();
+      // Close pg pools
+      await pgCache.close();
 
-    if (verbose) log.success('All caches disposed.');
+      if (verbose) log.success('All caches disposed.');
+    } finally {
+      closePromise.promise = null;
+    }
   })();
 
   return closePromise.promise;
 
@@ -23,6 +23,10 @@ function validateIdentifier(name: string, label: string): void {
   }
 }
 
+const MAX_PUBLIC_KEY_LENGTH = 256;
+const MAX_MESSAGE_LENGTH = 4096;
+const MAX_SIGNATURE_LENGTH = 1024;
+
 export const PublicKeySignature = (pubkey_challenge: PublicKeyChallengeConfig): GraphileConfig.Plugin => {
   const {
     schema,
@@ -90,23 +94,29 @@ export const PublicKeySignature = (pubkey_challenge: PublicKeyChallengeConfig):
           const $combined = object({ input: $input, withPgClient: $withPgClient });
 
           return lambda($combined, async ({ input, withPgClient }: any) => {
+            if (!input.publicKey || typeof input.publicKey !== 'string' || input.publicKey.length > MAX_PUBLIC_KEY_LENGTH) {
+              throw new Error('INVALID_PUBLIC_KEY');
+            }
+
             return withPgClient(null, async (pgClient: any) => {
               await pgClient.query('BEGIN');
               try {
                 await pgQueryWithContext({
                   client: pgClient,
                   context: { role: 'anonymous' },
-                  query: `SELECT * FROM "${schema}".${sign_up_with_key}($1)`,
-                  variables: [input.publicKey]
+                  query: `SELECT * FROM "${schema}"."${sign_up_with_key}"($1)`,
+                  variables: [input.publicKey],
+                  skipTransaction: true
                 });
 
                 const {
                   rows: [{ [sign_in_request_challenge]: message }]
                 } = await pgQueryWithContext({
                   client: pgClient,
                   context: { role: 'anonymous' },
-                  query: `SELECT * FROM "${schema}".${sign_in_request_challenge}($1)`,
-                  variables: [input.publicKey]
+                  query: `SELECT * FROM "${schema}"."${sign_in_request_challenge}"($1)`,
+                  variables: [input.publicKey],
+                  skipTransaction: true
                 });
 
                 await pgClient.query('COMMIT');
@@ -125,14 +135,19 @@ export const PublicKeySignature = (pubkey_challenge: PublicKeyChallengeConfig):
           const $combined = object({ input: $input, withPgClient: $withPgClient });
 
           return lambda($combined, async ({ input, withPgClient }: any) => {
+            if (!input.publicKey || typeof input.publicKey !== 'string' || input.publicKey.length > MAX_PUBLIC_KEY_LENGTH) {
+              throw new Error('INVALID_PUBLIC_KEY');
+            }
+
             return withPgClient(null, async (pgClient: any) => {
               const {
                 rows: [{ [sign_in_request_challenge]: message }]
               } = await pgQueryWithContext({
                 client: pgClient,
                 context: { role: 'anonymous' },
-                query: `SELECT * FROM "${schema}".${sign_in_request_challenge}($1)`,
-                variables: [input.publicKey]
+                query: `SELECT * FROM "${schema}"."${sign_in_request_challenge}"($1)`,
+                variables: [input.publicKey],
+                skipTransaction: true
               });
 
               if (!message) throw new Error('NO_ACCOUNT_EXISTS');
@@ -155,6 +170,16 @@ export const PublicKeySignature = (pubkey_challenge: PublicKeyChallengeConfig):
           return lambda($combined, async ({ input, withPgClient }: any) => {
             const { publicKey, message, signature: _signature } = input;
 
+            if (!publicKey || typeof publicKey !== 'string' || publicKey.length > MAX_PUBLIC_KEY_LENGTH) {
+              throw new Error('INVALID_PUBLIC_KEY');
+            }
+            if (!message || typeof message !== 'string' || message.length > MAX_MESSAGE_LENGTH) {
+              throw new Error('INVALID_MESSAGE');
+            }
+            if (!_signature || typeof _signature !== 'string' || _signature.length > MAX_SIGNATURE_LENGTH) {
+              throw new Error('INVALID_SIGNATURE');
+            }
+
             // TODO: Re-implement crypto verification (e.g. using interchainJS).
             // const network = Networks[crypto_network];
             // const result = verifyMessage(message, publicKey, signature, network);
@@ -166,8 +191,9 @@ export const PublicKeySignature = (pubkey_challenge: PublicKeyChallengeConfig):
                 await pgQueryWithContext({
                   client: pgClient,
                   context: { role: 'anonymous' },
-                  query: `SELECT * FROM "${schema}".${sign_in_record_failure}($1)`,
-                  variables: [publicKey]
+                  query: `SELECT * FROM "${schema}"."${sign_in_record_failure}"($1)`,
+                  variables: [publicKey],
+                  skipTransaction: true
                 });
                 throw new Error('BAD_SIGNIN');
               }
@@ -180,8 +206,9 @@ export const PublicKeySignature = (pubkey_challenge: PublicKeyChallengeConfig):
                 } = await pgQueryWithContext({
                   client: pgClient,
                   context: { role: 'anonymous' },
-                  query: `SELECT * FROM "${schema}".${sign_in_with_challenge}($1, $2)`,
-                  variables: [publicKey, message]
+                  query: `SELECT * FROM "${schema}"."${sign_in_with_challenge}"($1, $2)`,
+                  variables: [publicKey, message],
+                  skipTransaction: true
                 });
 
                 if (!token?.access_token) throw new Error('BAD_SIGNIN');
 
@@ -279,7 +279,7 @@ describe('PgConnectionArgFilterPostgisOperatorsPlugin', () => {
 
   describe('SQL generation', () => {
     describe('function-based operators', () => {
-      it('generates correct SQL for public schema', () => {
+      it('generates schema-qualified SQL for public schema', () => {
         const { registered } = runPlugin({ schemaName: 'public' });
         const containsOp = registered.find(r => r.operatorName === 'contains');
         expect(containsOp).toBeDefined();
@@ -291,7 +291,7 @@ describe('PgConnectionArgFilterPostgisOperatorsPlugin', () => {
           operatorName: 'contains'
         });
         const compiled = sql.compile(result);
-        expect(compiled.text).toBe('"st_contains"("col", "val")');
+        expect(compiled.text).toBe('"public"."st_contains"("col", "val")');
       });
 
       it('generates schema-qualified SQL for non-public schema', () => {
@@ -321,7 +321,7 @@ describe('PgConnectionArgFilterPostgisOperatorsPlugin', () => {
           operatorName: 'intersects3D'
         });
         const compiled = sql.compile(result);
-        expect(compiled.text).toBe('"st_3dintersects"("a", "b")');
+        expect(compiled.text).toBe('"public"."st_3dintersects"("a", "b")');
       });
     });
 
 
@@ -244,9 +244,7 @@ export const PgConnectionArgFilterPostgisOperatorsPlugin: GraphileConfig.Plugin
         // Process function-based operators
         for (const [fn, baseTypes, operatorName, description] of functionSpecs) {
           for (const baseType of baseTypes) {
-            const sqlGisFunction = schemaName === 'public'
-              ? sql.identifier(fn.toLowerCase())
-              : sql.identifier(schemaName, fn.toLowerCase());
+            const sqlGisFunction = sql.identifier(schemaName, fn.toLowerCase());
 
             allSpecs.push({
               typeNames: gqlTypeNamesByBase[baseType],
@@ -270,7 +268,7 @@ export const PgConnectionArgFilterPostgisOperatorsPlugin: GraphileConfig.Plugin
         }
 
         // Sort by operator name for deterministic schema output
-        allSpecs.sort((a, b) => (a.operatorName > b.operatorName ? 1 : -1));
+        allSpecs.sort((a, b) => a.operatorName.localeCompare(b.operatorName));
 
         // Register each operator with the connection filter plugin
         for (const spec of allSpecs) {
 
@@ -106,6 +106,9 @@ function buildGisCodec(
      * The result is cast to ::text so PostgreSQL sends it as a string,
      * which fromPg then JSON.parses.
      */
+    // NOTE: `fragment` is evaluated 4 times in the SQL. This is acceptable because
+    // PostGraphile v5 always passes simple column references here.
+    // If this changes, consider wrapping in a LATERAL subexpression.
     castFromPg(fragment: SQL): SQL {
       return sql.fragment`(case when (${fragment}) is null then null else json_build_object(
         '__gisType', ${sql.identifier(schemaName, 'geometrytype')}(${fragment}),
@@ -122,7 +125,15 @@ function buildGisCodec(
      * We normalize __gisType from PostGIS uppercase to our mixed-case format.
      */
     fromPg(value: string): GisFieldValue {
-      const parsed = JSON.parse(value);
+      let parsed: any;
+      try {
+        parsed = JSON.parse(value);
+      } catch (e) {
+        throw new Error(
+          `Failed to parse PostGIS geometry value: ${e instanceof Error ? e.message : String(e)}. ` +
+          `Raw value (first 200 chars): ${String(value).slice(0, 200)}`
+        );
+      }
       if (parsed && typeof parsed === 'object' && parsed.__gisType) {
         parsed.__gisType = normalizeGisType(parsed.__gisType);
       }