remove regex from authorizer api and replace magic values with constants

Author: PThorpe92

Cargo.toml

@@ -15,7 +15,6 @@ libsql = { version = "0.9.30", features = ["encryption"]  }
 napi = { version = "2", default-features = false, features = ["napi6", "tokio_rt", "async"] }
 napi-derive = "2"
 once_cell = "1.18.0"
-regex = "1"
 serde_json = "1.0.140"
 tokio = { version = "1.47.1", features = [ "rt-multi-thread" ] }
 tracing = "0.1"

integration-tests/tests/extensions.test.js

@@ -152,22 +152,6 @@ test.serial("Rule-based: glob pattern on table name", async (t) => {
   });
 });
 
-test.serial("Rule-based: regex pattern on table name", async (t) => {
-  const db = t.context.db;
-
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^users$/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const stmt = db.prepare("SELECT * FROM users");
-  const users = stmt.all();
-  t.is(users.length, 2);
-});
-
 test.serial("Rule-based: IGNORE returns NULL for READ columns", async (t) => {
   const db = t.context.db;
 
@@ -192,7 +176,7 @@ test.serial("Rule-based: entity pattern for functions", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.FUNCTION, entity: /^(lower|upper|length)$/, policy: Authorization.ALLOW },
+      { action: Action.FUNCTION, entity: "upper", policy: Authorization.ALLOW },
       { action: Action.READ, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
@@ -430,193 +414,13 @@ test.serial("Glob: exact string without wildcards is exact match", async (t) =>
   t.is(rows.length, 2);
 });
 
-// ---- Regex pattern tests ----
-
-test.serial("Regex: case-insensitive flag", async (t) => {
-  const db = t.context.db;
-
-  db.exec("CREATE TABLE IF NOT EXISTS Users_CI (id INTEGER PRIMARY KEY, val TEXT)");
-  db.exec("INSERT INTO Users_CI (id, val) VALUES (1, 'test')");
-
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^users_ci$/i, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const rows = db.prepare("SELECT * FROM Users_CI").all();
-  t.is(rows.length, 1);
-});
-
-test.serial("Regex: partial match (no anchors)", async (t) => {
-  const db = t.context.db;
-
-  // /user/ without anchors should match "users" (partial match)
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /user/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const rows = db.prepare("SELECT * FROM users").all();
-  t.is(rows.length, 2);
-});
-
-test.serial("Regex: anchored pattern rejects partial matches", async (t) => {
-  const db = t.context.db;
-
-  // /^user$/ should NOT match "users" (has trailing s)
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^user$/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  await t.throwsAsync(async () => {
-    return await db.prepare("SELECT * FROM users");
-  }, { instanceOf: t.context.errorType, code: "SQLITE_AUTH" });
-});
-
-test.serial("Regex: alternation pattern", async (t) => {
-  const db = t.context.db;
-
-  db.exec("CREATE TABLE IF NOT EXISTS products (id INTEGER PRIMARY KEY, pname TEXT)");
-  db.exec("INSERT INTO products (id, pname) VALUES (1, 'Widget')");
-
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^(users|products)$/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const u = db.prepare("SELECT * FROM users").all();
-  t.is(u.length, 2);
-  const p = db.prepare("SELECT * FROM products").all();
-  t.is(p.length, 1);
-});
-
-test.serial("Regex: character class pattern", async (t) => {
-  const db = t.context.db;
-
-  db.exec("CREATE TABLE IF NOT EXISTS t1_data (id INTEGER PRIMARY KEY)");
-  db.exec("CREATE TABLE IF NOT EXISTS t2_data (id INTEGER PRIMARY KEY)");
-  db.exec("INSERT INTO t1_data (id) VALUES (1)");
-  db.exec("INSERT INTO t2_data (id) VALUES (1)");
-
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^t[0-9]_data$/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const r1 = db.prepare("SELECT * FROM t1_data").all();
-  t.is(r1.length, 1);
-  const r2 = db.prepare("SELECT * FROM t2_data").all();
-  t.is(r2.length, 1);
-
-  // users shouldn't match
-  await t.throwsAsync(async () => {
-    return await db.prepare("SELECT * FROM users");
-  }, { instanceOf: t.context.errorType, code: "SQLITE_AUTH" });
-});
-
-test.serial("Regex: on column name with IGNORE", async (t) => {
-  const db = t.context.db;
-
-  // IGNORE any column ending in "il" → email gets NULL
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: "users", column: /il$/, policy: Authorization.IGNORE },
-      { action: Action.READ, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const row = db.prepare("SELECT id, name, email FROM users WHERE id = 1").get();
-  t.is(row.id, 1);
-  t.is(row.name, "Alice");
-  t.is(row.email, null); // "email" ends in "il"
-});
-
-test.serial("Regex: on entity name for allowed functions", async (t) => {
+test.serial("Glob: table + column combo", async (t) => {
   const db = t.context.db;
 
-  // Allow only functions starting with lowercase letters
+  // For any table matching user*, IGNORE columns matching e*
   db.authorizer({
     rules: [
-      { action: Action.FUNCTION, entity: /^[a-z]/, policy: Authorization.ALLOW },
-      { action: Action.READ, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const row = db.prepare("SELECT length(name) as len FROM users WHERE id = 1").get();
-  t.is(row.len, 5); // "Alice" = 5 chars
-});
-
-test.serial("Regex: non-matching regex denies correctly", async (t) => {
-  const db = t.context.db;
-
-  // Only allow tables starting with "archive_"
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^archive_/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  // users doesn't start with archive_
-  await t.throwsAsync(async () => {
-    return await db.prepare("SELECT * FROM users");
-  }, { instanceOf: t.context.errorType, code: "SQLITE_AUTH" });
-});
-
-test.serial("Regex: complex pattern with quantifiers", async (t) => {
-  const db = t.context.db;
-
-  db.exec("CREATE TABLE IF NOT EXISTS logs_2024_01 (id INTEGER PRIMARY KEY, msg TEXT)");
-  db.exec("INSERT INTO logs_2024_01 (id, msg) VALUES (1, 'jan')");
-
-  // Match logs_YYYY_MM pattern
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^logs_\d{4}_\d{2}$/, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const rows = db.prepare("SELECT * FROM logs_2024_01").all();
-  t.is(rows.length, 1);
-
-  // users doesn't match the date pattern
-  await t.throwsAsync(async () => {
-    return await db.prepare("SELECT * FROM users");
-  }, { instanceOf: t.context.errorType, code: "SQLITE_AUTH" });
-});
-
-// ---- Combined glob/regex with multiple fields ----
-
-test.serial("Glob table + regex column combo", async (t) => {
-  const db = t.context.db;
-
-  // For any table matching user*, IGNORE columns matching a secret-ish pattern
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: "user*", column: /^(email|password|ssn)$/, policy: Authorization.IGNORE },
+      { action: Action.READ, table: "user*", column: "e*", policy: Authorization.IGNORE },
       { action: Action.READ, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
@@ -626,26 +430,7 @@ test.serial("Glob table + regex column combo", async (t) => {
   const row = db.prepare("SELECT id, name, email FROM users WHERE id = 2").get();
   t.is(row.id, 2);
   t.is(row.name, "Bob");
-  t.is(row.email, null); // email matched the regex, users matched user*
-});
-
-test.serial("Regex table + glob column combo", async (t) => {
-  const db = t.context.db;
-
-  // For tables matching /^users$/, IGNORE columns matching e*
-  db.authorizer({
-    rules: [
-      { action: Action.READ, table: /^users$/, column: "e*", policy: Authorization.IGNORE },
-      { action: Action.READ, policy: Authorization.ALLOW },
-      { action: Action.SELECT, policy: Authorization.ALLOW },
-    ],
-    defaultPolicy: Authorization.DENY,
-  });
-
-  const row = db.prepare("SELECT id, name, email FROM users WHERE id = 1").get();
-  t.is(row.id, 1);
-  t.is(row.name, "Alice");
-  t.is(row.email, null);
+  t.is(row.email, null); // email matches e*, users matches user*
 });
 
 test.serial("Glob: wildcard-only pattern * matches everything", async (t) => {
@@ -700,11 +485,7 @@ test.beforeEach(async (t) => {
       DROP TABLE IF EXISTS audit_users;
       DROP TABLE IF EXISTS app_prod_logs;
       DROP TABLE IF EXISTS x_data_y;
-      DROP TABLE IF EXISTS Users_CI;
       DROP TABLE IF EXISTS products;
-      DROP TABLE IF EXISTS t1_data;
-      DROP TABLE IF EXISTS t2_data;
-      DROP TABLE IF EXISTS logs_2024_01;
       CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)
   `);
   db.exec(

src/auth.rs

@@ -20,16 +20,13 @@ pub enum PatternMatcher {
     Exact(String),
     /// Glob pattern (supports `*` and `?` wildcards).
     Glob(String),
-    /// Compiled regular expression.
-    Regex(regex::Regex),
 }
 
 impl PatternMatcher {
     pub fn matches(&self, value: &str) -> bool {
         match self {
             PatternMatcher::Exact(s) => s == value,
             PatternMatcher::Glob(pattern) => glob_match::glob_match(pattern, value),
-            PatternMatcher::Regex(re) => re.is_match(value),
         }
     }
 }
@@ -404,7 +401,25 @@ impl AuthorizerBuilder {
 
         // Table-bearing action codes (actions where the old authorizer checked tables)
         let table_actions: Vec<i32> = vec![
-            1, 2, 3, 4, 5, 7, 9, 10, 11, 12, 13, 14, 16, 18, 20, 23, 26, 29, 30,
+            SQLITE_CREATE_INDEX,
+            SQLITE_CREATE_TABLE,
+            SQLITE_CREATE_TEMP_INDEX,
+            SQLITE_CREATE_TEMP_TABLE,
+            SQLITE_CREATE_TEMP_TRIGGER,
+            SQLITE_CREATE_TRIGGER,
+            SQLITE_DELETE,
+            SQLITE_DROP_INDEX,
+            SQLITE_DROP_TABLE,
+            SQLITE_DROP_TEMP_INDEX,
+            SQLITE_DROP_TEMP_TABLE,
+            SQLITE_DROP_TEMP_TRIGGER,
+            SQLITE_DROP_TRIGGER,
+            SQLITE_INSERT,
+            SQLITE_READ,
+            SQLITE_UPDATE,
+            SQLITE_ALTER_TABLE,
+            SQLITE_CREATE_VTABLE,
+            SQLITE_DROP_VTABLE,
         ];
 
         // Deny rules first
@@ -431,7 +446,7 @@ impl AuthorizerBuilder {
 
         // Legacy behavior: always allow SELECT (no table context)
         rules.push(AuthRule {
-            actions: vec![21], // SELECT
+            actions: vec![SQLITE_SELECT],
             table: None,
             column: None,
             entity: None,

src/lib.rs

@@ -727,56 +727,20 @@ fn parse_single_rule(rule_obj: &napi::JsObject) -> Result<crate::auth::AuthRule>
     })
 }
 
-/// Parse a pattern value: string (exact or glob) or RegExp.
+/// Parse a pattern value: plain string or glob (auto-detected by `*` or `?`).
 fn parse_pattern(val: JsUnknown, field_name: &str) -> Result<crate::auth::PatternMatcher> {
     match val.get_type()? {
         ValueType::String => {
             let s: napi::JsString = val.coerce_to_string()?;
             let owned = s.into_utf8()?.into_owned()?;
-            // Auto-detect glob: if the string contains * or ?, treat as glob
             if owned.contains('*') || owned.contains('?') {
                 Ok(crate::auth::PatternMatcher::Glob(owned))
             } else {
                 Ok(crate::auth::PatternMatcher::Exact(owned))
             }
         }
-        ValueType::Object => {
-            // Check if it's a RegExp by checking for .source property
-            let obj: napi::JsObject = val.coerce_to_object()?;
-            if obj.has_named_property("source")? {
-                let source_js: napi::JsString = obj.get_named_property("source")?;
-                let source = source_js.into_utf8()?.into_owned()?;
-
-                // Check for flags (we support 'i' for case-insensitive)
-                let flags_str = if obj.has_named_property("flags")? {
-                    let flags_js: napi::JsString = obj.get_named_property("flags")?;
-                    flags_js.into_utf8()?.into_owned()?
-                } else {
-                    String::new()
-                };
-
-                let pattern = if flags_str.contains('i') {
-                    format!("(?i){}", source)
-                } else {
-                    source
-                };
-
-                let re = regex::Regex::new(&pattern).map_err(|e| {
-                    napi::Error::from_reason(format!(
-                        "Invalid regex pattern for {}: {}",
-                        field_name, e
-                    ))
-                })?;
-                Ok(crate::auth::PatternMatcher::Regex(re))
-            } else {
-                Err(napi::Error::from_reason(format!(
-                    "{} must be a string or RegExp",
-                    field_name
-                )))
-            }
-        }
         _ => Err(napi::Error::from_reason(format!(
-            "{} must be a string or RegExp",
+            "{} must be a string",
             field_name
         ))),
     }