make glob field explicit in authorizer api and update docs

Author: PThorpe92

docs/api.md

@@ -68,31 +68,112 @@ This function is currently not supported.
 
 This function is currently not supported.
 
-### authorizer(rules) ⇒ this
+### authorizer(config) ⇒ this
 
-Configure authorization rules. The `rules` object is a map from table name to
-`Authorization` object, which defines if access to table is allowed or denied.
-If a table has no authorization rule, access to it is _denied_ by default.
+Configure authorization rules for the database. Accepts three formats:
 
-Example:
+- **Legacy format** — a map from table name to `Authorization.ALLOW` or `Authorization.DENY`
+- **Rule-based format** — an `AuthorizerConfig` object with ordered rules and pattern matching
+- **`null`** — removes the authorizer entirely
+
+#### Legacy format
+
+A simple object mapping table names to `Authorization.ALLOW` (0) or `Authorization.DENY` (1).
+Tables without an entry are denied by default.
 
 ```javascript
+const { Authorization } = require('libsql');
+
 db.authorizer({
-  "users": Authorization.ALLOW
+  "users": Authorization.ALLOW,
+  "secrets": Authorization.DENY,
 });
 
-// Access is allowed.
+// Access to "users" is allowed.
 const stmt = db.prepare("SELECT * FROM users");
 
+// Access to "secrets" throws SQLITE_AUTH.
+const stmt = db.prepare("SELECT * FROM secrets"); // Error!
+```
+
+#### Rule-based format
+
+An object with a `rules` array and an optional `defaultPolicy`. Rules are evaluated in order — **first match wins**. If no rule matches, `defaultPolicy` applies (defaults to `DENY`).
+
+```javascript
+const { Authorization, Action } = require('libsql');
+
 db.authorizer({
-  "users": Authorization.DENY
+  rules: [
+    // Hide sensitive columns (returns NULL instead of the real value)
+    { action: Action.READ, table: "users", column: "password_hash", policy: Authorization.IGNORE },
+    { action: Action.READ, table: "users", column: "ssn", policy: Authorization.IGNORE },
+
+    // Allow all reads
+    { action: Action.READ, policy: Authorization.ALLOW },
+
+    // Allow inserts on tables matching a glob pattern
+    { action: Action.INSERT, table: { glob: "logs_*" }, policy: Authorization.ALLOW },
+
+    // Deny DDL operations
+    { action: [Action.CREATE_TABLE, Action.DROP_TABLE, Action.ALTER_TABLE], policy: Authorization.DENY },
+
+    // Allow transactions and selects
+    { action: Action.TRANSACTION, policy: Authorization.ALLOW },
+    { action: Action.SELECT, policy: Authorization.ALLOW },
+  ],
+  defaultPolicy: Authorization.DENY,
 });
+```
 
-// Access is denied.
-const stmt = db.prepare("SELECT * FROM users");
+#### AuthRule fields
+
+| Field    | Type                                      | Description                                                          |
+| -------- | ----------------------------------------- | -------------------------------------------------------------------- |
+| action   | <code>number \| number[]</code>           | Action code(s) to match (from `Action`). Omit to match all actions.  |
+| table    | <code>string \| { glob: string }</code>   | Table name pattern. Omit to match any table.                         |
+| column   | <code>string \| { glob: string }</code>   | Column name pattern (relevant for READ/UPDATE). Omit to match any.   |
+| entity   | <code>string \| { glob: string }</code>   | Entity name (index, trigger, view, pragma, function). Omit to match any. |
+| policy   | <code>number</code>                       | `Authorization.ALLOW`, `Authorization.DENY`, or `Authorization.IGNORE`. |
+
+#### Pattern matching
+
+Pattern fields (`table`, `column`, `entity`) accept either:
+
+- A **plain string** for exact matching: `"users"`
+- An **object with a `glob` key** for glob matching: `{ glob: "logs_*" }`
+
+Glob patterns support `*` (match any number of characters) and `?` (match exactly one character).
+
+```javascript
+// Exact match
+{ action: Action.READ, table: "users", policy: Authorization.ALLOW }
+
+// Glob: all tables starting with "logs_"
+{ action: Action.READ, table: { glob: "logs_*" }, policy: Authorization.ALLOW }
+
+// Glob: single-character wildcard
+{ action: Action.READ, table: { glob: "t?_data" }, policy: Authorization.ALLOW }
+
+// Glob: match all tables
+{ action: Action.READ, table: { glob: "*" }, policy: Authorization.ALLOW }
 ```
 
-**Note: This is an experimental API and, therefore, subject to change.**
+#### Authorization values
+
+| Value                      | Effect                                                                 |
+| -------------------------- | ---------------------------------------------------------------------- |
+| `Authorization.ALLOW` (0)  | Permit the operation.                                                  |
+| `Authorization.DENY` (1)   | Reject the entire SQL statement with a `SQLITE_AUTH` error.            |
+| `Authorization.IGNORE` (2) | For READ: return NULL instead of the column value. Otherwise: deny.    |
+
+#### Removing the authorizer
+
+Pass `null` to remove the authorizer and allow all operations:
+
+```javascript
+db.authorizer(null);
+```
 
 ### loadExtension(path, [entryPoint]) ⇒ this
 

integration-tests/tests/extensions.test.js

@@ -133,7 +133,7 @@ test.serial("Rule-based: glob pattern on table name", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "logs_*", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "logs_*" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -260,7 +260,7 @@ test.serial("Glob: ? matches exactly one character", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "log_?", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "log_?" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -287,7 +287,7 @@ test.serial("Glob: ? does not match zero or multiple characters", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "item_?", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "item_?" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -312,7 +312,7 @@ test.serial("Glob: * at start of pattern", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "*_users", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "*_users" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -330,7 +330,7 @@ test.serial("Glob: * in middle of pattern", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "app_*_logs", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "app_*_logs" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -353,7 +353,7 @@ test.serial("Glob: multiple wildcards in one pattern", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "*_data_*", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "*_data_*" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -369,7 +369,7 @@ test.serial("Glob: on column name", async (t) => {
   // IGNORE columns matching e* → email gets NULL, everything else readable
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "users", column: "e*", policy: Authorization.IGNORE },
+      { action: Action.READ, table: "users", column: { glob: "e*" }, policy: Authorization.IGNORE },
       { action: Action.READ, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
@@ -387,7 +387,7 @@ test.serial("Glob: on entity name (pragma)", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.PRAGMA, entity: "table_*", policy: Authorization.ALLOW },
+      { action: Action.PRAGMA, entity: { glob: "table_*" }, policy: Authorization.ALLOW },
       { action: Action.READ, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
@@ -420,7 +420,7 @@ test.serial("Glob: table + column combo", async (t) => {
   // For any table matching user*, IGNORE columns matching e*
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "user*", column: "e*", policy: Authorization.IGNORE },
+      { action: Action.READ, table: { glob: "user*" }, column: { glob: "e*" }, policy: Authorization.IGNORE },
       { action: Action.READ, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
@@ -438,7 +438,7 @@ test.serial("Glob: wildcard-only pattern * matches everything", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "*", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "*" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,
@@ -453,7 +453,7 @@ test.serial("Glob: pattern with no match denies correctly", async (t) => {
 
   db.authorizer({
     rules: [
-      { action: Action.READ, table: "nonexistent_*", policy: Authorization.ALLOW },
+      { action: Action.READ, table: { glob: "nonexistent_*" }, policy: Authorization.ALLOW },
       { action: Action.SELECT, policy: Authorization.ALLOW },
     ],
     defaultPolicy: Authorization.DENY,

src/lib.rs

@@ -426,6 +426,32 @@ impl Database {
     /// - Legacy format: `{ [tableName: string]: 0 | 1 }`
     /// - Full format: `{ rules: AuthRule[], defaultPolicy?: 0 | 1 | 2 }`
     /// - `null` to remove the authorizer
+    ///
+    /// Pattern fields (`table`, `column`, `entity`) accept a plain string for
+    /// exact matching, or `{ glob: "pattern" }` for glob matching with `*` and `?`.
+    ///
+    /// # Examples
+    ///
+    /// ```javascript
+    /// const { Authorization, Action } = require('libsql');
+    ///
+    /// // Legacy table-level allow/deny
+    /// db.authorizer({ "users": Authorization.ALLOW });
+    ///
+    /// // Rule-based with glob patterns
+    /// db.authorizer({
+    ///   rules: [
+    ///     { action: Action.READ, table: "users", column: "password", policy: Authorization.IGNORE },
+    ///     { action: Action.INSERT, table: { glob: "logs_*" }, policy: Authorization.ALLOW },
+    ///     { action: Action.READ, policy: Authorization.ALLOW },
+    ///     { action: Action.SELECT, policy: Authorization.ALLOW },
+    ///   ],
+    ///   defaultPolicy: Authorization.DENY,
+    /// });
+    ///
+    /// // Remove authorizer
+    /// db.authorizer(null);
+    /// ```
     #[napi]
     pub fn authorizer(&self, env: Env, config: JsUnknown) -> Result<()> {
         let conn = match &self.conn {
@@ -727,20 +753,29 @@ fn parse_single_rule(rule_obj: &napi::JsObject) -> Result<crate::auth::AuthRule>
     })
 }
 
-/// Parse a pattern value: plain string or glob (auto-detected by `*` or `?`).
+/// Parse a pattern value: plain string (exact match) or `{ glob: "pattern" }`.
 fn parse_pattern(val: JsUnknown, field_name: &str) -> Result<crate::auth::PatternMatcher> {
     match val.get_type()? {
         ValueType::String => {
             let s: napi::JsString = val.coerce_to_string()?;
             let owned = s.into_utf8()?.into_owned()?;
-            if owned.contains('*') || owned.contains('?') {
+            Ok(crate::auth::PatternMatcher::Exact(owned))
+        }
+        ValueType::Object => {
+            let obj: napi::JsObject = val.coerce_to_object()?;
+            if obj.has_named_property("glob")? {
+                let s: napi::JsString = obj.get_named_property("glob")?;
+                let owned = s.into_utf8()?.into_owned()?;
                 Ok(crate::auth::PatternMatcher::Glob(owned))
             } else {
-                Ok(crate::auth::PatternMatcher::Exact(owned))
+                Err(napi::Error::from_reason(format!(
+                    "{} must be a string or {{ glob: \"pattern\" }}",
+                    field_name
+                )))
             }
         }
         _ => Err(napi::Error::from_reason(format!(
-            "{} must be a string",
+            "{} must be a string or {{ glob: \"pattern\" }}",
             field_name
         ))),
     }