A plugin for postgraphile adding safe update and delete mutations, where the client must prove knowledge of overwritten/deleted data
- Written by David Björkevik david@bjorkevik.se
- Paid for by Envista AB
- Thanks to benjie for useful pointers on how to implement this
I needed to build this for an internal project. It needs better packaging to be distributed, but I release it anyway in case it helps someone.
You have a `TIMESTAMP WITH TIME ZONE` column in your PostgreSQL tables that holds the timestamp of the last row update, preferably maintained automatically by a trigger.
The plugin alters the update and delete mutations generated by PostGraphile so that each input type also contains a mandatory field carrying the row's current timestamp.
If the database row has changed in the meantime (typically because another client updated it), the timestamp supplied by the client is stale. In that case an error is thrown and the mutation is blocked, so the client never overwrites or deletes data it has not seen.
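The stale-timestamp check described above, modelled in plain JavaScript as an added example (this is not the plugin's own code and does not use PostGraphile): an in-memory table stands in for the database, the column name `modified` and the sample row are assumptions, and the comparison is done as a compare-and-set so that the check and the write cannot be separated. In the real database the same guarantee comes from putting the comparison in the `UPDATE`/`DELETE` statement's `WHERE` clause rather than reading first and writing afterwards.

```javascript
// Added example: a minimal model of "prove you saw the current row before you change it".
// Column name, table contents and timestamps below are constructed for illustration.

const TIMESTAMP_COLUMN = "modified"; // assumed name of the last-update column

// Constructed sample data: one row last updated at t0.
function makeTable() {
  return new Map([
    [1, { id: 1, title: "draft", modified: "2024-01-01T10:00:00.000Z" }],
  ]);
}

class StaleRowError extends Error {
  constructor(id) {
    super(`row ${id} was modified since it was read; refusing to overwrite it`);
    this.name = "StaleRowError";
  }
}

// Compare-and-set update: applied only when the caller's timestamp equals the stored one.
// This mirrors UPDATE ... WHERE id = $1 AND modified = $2 in SQL, where the comparison
// and the write are a single statement (no window between check and write).
function safeUpdate(table, id, expectedTs, patch, now) {
  const row = table.get(id);
  if (!row) throw new Error(`row ${id} does not exist`);
  if (row[TIMESTAMP_COLUMN] !== expectedTs) throw new StaleRowError(id);
  // A database trigger would set the new timestamp; here the caller passes `now`.
  const updated = { ...row, ...patch, [TIMESTAMP_COLUMN]: now };
  table.set(id, updated);
  return updated;
}

// Compare-and-delete with the same rule: the caller must present the current timestamp.
function safeDelete(table, id, expectedTs) {
  const row = table.get(id);
  if (!row) throw new Error(`row ${id} does not exist`);
  if (row[TIMESTAMP_COLUMN] !== expectedTs) throw new StaleRowError(id);
  table.delete(id);
  return row;
}

// Scenario: clients A and B read the same row; B writes first, so A's write must be rejected
// and A's later delete (still using the stale timestamp) must be rejected as well.
function runScenario() {
  const table = makeTable();
  const tsReadByBoth = table.get(1)[TIMESTAMP_COLUMN];
  const afterB = safeUpdate(table, 1, tsReadByBoth, { title: "from B" }, "2024-01-01T10:05:00.000Z");

  let updateByAFailed = false;
  try {
    safeUpdate(table, 1, tsReadByBoth, { title: "from A" }, "2024-01-01T10:06:00.000Z");
  } catch (e) {
    updateByAFailed = e instanceof StaleRowError;
  }

  let deleteByAFailed = false;
  try {
    safeDelete(table, 1, tsReadByBoth);
  } catch (e) {
    deleteByAFailed = e instanceof StaleRowError;
  }

  // A re-reads the row and retries with the fresh timestamp; this time the delete succeeds.
  const deleted = safeDelete(table, 1, afterB[TIMESTAMP_COLUMN]);

  return {
    titleAfterB: afterB.title,
    updateByAFailed,
    deleteByAFailed,
    deletedTitle: deleted.title,
    rowsLeft: table.size,
  };
}

console.log(runScenario());
```

Timestamps are compared as exact strings here; with a real `timestamptz` column the client must echo the value exactly as the server returned it, which is why the plugin makes the field mandatory rather than optional.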
The function `makeSafeUpdateAndDeletePlugin` generates a plugin that checks the value of the column with the provided name.
```js
const express = require("express");
const { postgraphile } = require("postgraphile");
// Placeholder path: require the plugin module from wherever you placed it
const { makeSafeUpdateAndDeletePlugin } = require("./path/to/safe-update-and-delete-plugin");

// Build a plugin instance bound to the name of the last-update column
const SafeUpdateAndDeletePlugin = makeSafeUpdateAndDeletePlugin({ timestampColumn: "modified" });

const app = express();
app.use(
  postgraphile(process.env.DATABASE_URL, "app_public", {
    appendPlugins: [SafeUpdateAndDeletePlugin],
    graphiql: true,
  })
);
```
- Tables that lack a column with the given name will not have the safety logic added
- To disable the safety logic explicitly for a table, use the `@disableSafeUpdateAndDelete` tag