forked from defenseunicorns/leapfrogai
-
Notifications
You must be signed in to change notification settings - Fork 0
/
20240618163044_v0.9.0_api_keys.sql
175 lines (158 loc) · 5.3 KB
/
20240618163044_v0.9.0_api_keys.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
create extension if not exists pgcrypto;
-- Initialize api_keys table
create table api_keys (
name text,
id uuid primary key default uuid_generate_v4(),
user_id uuid references auth.users not null,
api_key_hash text not null unique,
created_at bigint default extract(epoch from now()) not null,
expires_at bigint default null,
checksum text not null
);
alter table api_keys enable row level security;
-- Hash the api key and store it in the table
create or replace function insert_api_key(
p_name text,
p_user_id uuid,
p_api_key text,
p_checksum text,
p_expires_at bigint default null
) returns table (
name text,
id uuid,
created_at bigint,
expires_at bigint,
checksum text
) language plpgsql as $$
declare
v_name text;
v_id uuid;
v_created_at bigint;
v_expires_at bigint;
v_checksum text;
v_hash text;
begin
-- Calculate the one-way hash of the api key
v_hash := extensions.crypt(p_api_key, extensions.gen_salt('bf'));
insert into api_keys (name, user_id, api_key_hash, expires_at, checksum)
values (p_name, p_user_id, v_hash, p_expires_at, p_checksum)
returning api_keys.name, api_keys.id, api_keys.created_at, api_keys.expires_at, api_keys.checksum
into v_name, v_id, v_created_at, v_expires_at, v_checksum;
return query select v_name, v_id, v_created_at, v_expires_at, v_checksum;
end;
$$;
create policy "Read only if API key matches and is current" ON api_keys for
select using (
api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_key_hash)
and (expires_at is null or expires_at > extract(epoch from now()))
);
create policy "Individuals can crud their own api_keys." on api_keys for
all using (auth.uid() = user_id);
-- API Key Policies
create policy "Individuals can CRUD their own assistant_objects via API key."
on assistant_objects for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = assistant_objects.user_id
)
);
create policy "Individuals can CRUD their own thread_objects via API key."
on thread_objects for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = thread_objects.user_id
)
);
create policy "Individuals can CRUD their own message_objects via API key."
on message_objects for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = message_objects.user_id
)
);
create policy "Individuals can CRUD their own file_objects via API key."
on file_objects for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = file_objects.user_id
)
);
create policy "Individuals can CRUD file_bucket via API key."
on storage.buckets for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
)
);
create policy "Individuals can CRUD their own run_objects via API key."
on run_objects for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = run_objects.user_id
)
);
create policy "Individuals can CRUD their own vector_store via API key."
on vector_store for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = vector_store.user_id
)
);
create policy "Individuals can CRUD their own vector_store_file via API key."
on vector_store_file for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = vector_store_file.user_id
)
);
create policy "Individuals can CRUD their own vector_content via API key."
on vector_content for all
to anon
using
(
exists (
select 1
from api_keys
where api_keys.api_key_hash = crypt(current_setting('request.headers')::json->>'x-custom-api-key', api_keys.api_key_hash)
and api_keys.user_id = vector_content.user_id
)
);