Authorizer api

.gitignore

@@ -111,7 +111,7 @@ dist
 .vscode-test
 
 # End of https://www.toptal.com/developers/gitignore/api/node
-
+integration-tests/*.db
 # Created by https://www.toptal.com/developers/gitignore/api/macos
 # Edit at https://www.toptal.com/developers/gitignore?templates=macos
 

Cargo.toml

@@ -10,10 +10,12 @@ edition = "2021"
 crate-type = ["cdylib"]
 
 [dependencies]
+glob-match = "0.2"
 libsql = { version = "0.9.30", features = ["encryption"]  }
 napi = { version = "2", default-features = false, features = ["napi6", "tokio_rt", "async"] }
 napi-derive = "2"
 once_cell = "1.18.0"
+regex = "1"
 serde_json = "1.0.140"
 tokio = { version = "1.47.1", features = [ "rt-multi-thread" ] }
 tracing = "0.1"

auth.js

@@ -5,6 +5,7 @@
  * @enum {number}
  * @property {number} ALLOW - Allow access to a resource.
  * @property {number} DENY - Deny access to a resource and throw an error.
+ * @property {number} IGNORE - For READ: return NULL instead of the column value. For other actions: equivalent to DENY.
  */
 const Authorization = {
   /**
@@ -18,5 +19,55 @@ const Authorization = {
    * @type {number}
    */
   DENY: 1,
+
+  /**
+   * For READ: return NULL instead of the actual column value.
+   * For other actions: equivalent to DENY.
+   * @type {number}
+   */
+  IGNORE: 2,
+};
+
+/**
+ * SQLite authorizer action codes.
+ *
+ * @readonly
+ * @enum {number}
+ */
+const Action = {
+  CREATE_INDEX: 1,
+  CREATE_TABLE: 2,
+  CREATE_TEMP_INDEX: 3,
+  CREATE_TEMP_TABLE: 4,
+  CREATE_TEMP_TRIGGER: 5,
+  CREATE_TEMP_VIEW: 6,
+  CREATE_TRIGGER: 7,
+  CREATE_VIEW: 8,
+  DELETE: 9,
+  DROP_INDEX: 10,
+  DROP_TABLE: 11,
+  DROP_TEMP_INDEX: 12,
+  DROP_TEMP_TABLE: 13,
+  DROP_TEMP_TRIGGER: 14,
+  DROP_TEMP_VIEW: 15,
+  DROP_TRIGGER: 16,
+  DROP_VIEW: 17,
+  INSERT: 18,
+  PRAGMA: 19,
+  READ: 20,
+  SELECT: 21,
+  TRANSACTION: 22,
+  UPDATE: 23,
+  ATTACH: 24,
+  DETACH: 25,
+  ALTER_TABLE: 26,
+  REINDEX: 27,
+  ANALYZE: 28,
+  CREATE_VTABLE: 29,
+  DROP_VTABLE: 30,
+  FUNCTION: 31,
+  SAVEPOINT: 32,
+  RECURSIVE: 33,
 };
-module.exports = Authorization;
+
+module.exports = { Authorization, Action };

compat.js

@@ -2,7 +2,7 @@
 
 const { Database: NativeDb, databasePrepareSync, databaseSyncSync, databaseExecSync, statementRunSync, statementGetSync, statementIterateSync, iteratorNextSync } = require("./index.js");
 const SqliteError = require("./sqlite-error.js");
-const Authorization = require("./auth");
+const { Authorization, Action } = require("./auth");
 
 function convertError(err) {
   // Handle errors from Rust with JSON-encoded message
@@ -167,14 +167,6 @@ class Database {
     throw new Error("not implemented");
   }
 
-  authorizer(rules) {
-    try {
-      this.db.authorizer(rules);
-    } catch (err) {
-      throw convertError(err);
-    }
-  }
-
   loadExtension(...args) {
     try {
       this.db.loadExtension(...args);
@@ -218,8 +210,12 @@ class Database {
     this.db.close();
   }
 
-  authorizer(hook) {
-    this.db.authorizer(hook);
+  authorizer(config) {
+    try {
+      this.db.authorizer(config);
+    } catch (err) {
+      throw convertError(err);
+    }
     return this;
   }
 
@@ -372,3 +368,4 @@ class Statement {
 module.exports = Database;
 module.exports.SqliteError = SqliteError;
 module.exports.Authorization = Authorization;
+module.exports.Action = Action;

index.d.ts

@@ -76,25 +76,12 @@ export declare class Database {
   /**
    * Sets the authorizer for the database.
    *
-   * # Arguments
-   *
-   * * `env` - The environment.
-   * * `rules_obj` - The rules object.
-   *
-   * The `rules_obj` is a JavaScript object with the following properties:
-   *
-   * * `Authorization.ALLOW` - Allow access to the table.
-   * * `Authorization.DENY` - Deny access to the table.
-   *
-   * Example:
-   *
-   * ```javascript
-   * db.authorizer({
-   *     "users": Authorization.ALLOW
-   * });
-   * ```
+   * Accepts either:
+   * - Legacy format: `{ [tableName: string]: 0 | 1 }`
+   * - Full format: `{ rules: AuthRule[], defaultPolicy?: 0 | 1 | 2 }`
+   * - `null` to remove the authorizer
    */
-  authorizer(rulesObj: object): void
+  authorizer(config: unknown): void
   /**
    * Loads an extension into the database.
    *