fix: RLS auth bypass for signup/login flows

- Add set_config('app.tenant_id') before user INSERT in signup tx - Add 004_auth_rls_fix.sql: permissive SELECT on users/api_keys for auth lookups, INSERT on users with tenant context check - db-setup now runs migrations on every up (idempotent)
2026-03-03 05:38:25 +00:00
parent 1d068c3f75
commit 76715d169e
11 changed files with 127 additions and 0 deletions
--- a/products/docker-compose.yml
+++ b/products/docker-compose.yml
@@ -59,6 +59,12 @@ services:
    restart: "no"
    depends_on:
      postgres: { condition: service_healthy }
+    volumes:
+      - ./02-iac-drift-detection/saas/migrations:/migrations/02-drift:ro
+      - ./03-alert-intelligence/migrations:/migrations/03-alert:ro
+      - ./04-lightweight-idp/migrations:/migrations/04-portal:ro
+      - ./05-aws-cost-anomaly/migrations:/migrations/05-cost:ro
+      - ./06-runbook-automation/saas/migrations:/migrations/06-run:ro
    environment:
      PGHOST: postgres
      PGUSER: ${POSTGRES_USER:-dd0c}
@@ -88,6 +94,22 @@ services:
        create_user dd0c_portal dd0c_portal "$$DB_PORTAL_PASSWORD"
        create_user dd0c_cost  dd0c_cost  "$$DB_COST_PASSWORD"
        create_user dd0c_run   dd0c_run   "$$DB_RUN_PASSWORD"
+        # Run any new migrations (idempotent — CREATE IF NOT EXISTS / DO blocks)
+        run_migrations() {
+          local db=$$1 dir=$$2
+          if [ -d "$$dir" ]; then
+            for sql in "$$dir"/*.sql; do
+              [ -f "$$sql" ] || continue
+              echo "  $$db ← $$(basename $$sql)"
+              psql -d "$$db" -f "$$sql" 2>/dev/null || true
+            done
+          fi
+        }
+        run_migrations dd0c_drift /migrations/02-drift
+        run_migrations dd0c_alert /migrations/03-alert
+        run_migrations dd0c_portal /migrations/04-portal
+        run_migrations dd0c_cost /migrations/05-cost
+        run_migrations dd0c_run /migrations/06-run
        echo "db-setup complete"

  # --- dd0c Products ---