Rebuilding Screen Pilot backend

Author: bcb

compose.override.yaml

@@ -5,6 +5,10 @@ services:
       - ./postgres/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d:ro
       - ./postgres/migrations:/etc/superstack/migrations:rw
       - ./postgres/bin:/superstack-bin:ro
+      - ./postgres/rc:/rc:ro
+    environment:
+      PSQLRC: /rc/.psqlrc
+      INPUTRC: /rc/.inputrc
     # Set a faster healthcheck interval for the development server
     healthcheck:
       interval: 0.5s

compose.yaml

@@ -3,7 +3,7 @@
 
 services:
   postgres:
-    image: ghcr.io/explodinglabs/superstack-postgres
+    image: ghcr.io/explodinglabs/sp-postgres
     build:
       context: ./postgres
     volumes:
@@ -33,7 +33,7 @@ services:
       PGRST_APP_SETTINGS_JWT_EXP: 3600
       PGRST_APP_SETTINGS_JWT_SECRET: ${PGRST_JWT_SECRET:?}
       PGRST_DB_ANON_ROLE: anon
-      PGRST_DB_SCHEMAS: api
+      PGRST_DB_SCHEMAS: api,auth
       PGRST_DB_URI: postgres://authenticator:${PGRST_AUTHENTICATOR_PASS:?}@postgres:5432/app
       PGRST_DB_USE_LEGACY_GUCS: false
       PGRST_JWT_SECRET: ${PGRST_JWT_SECRET:?}
@@ -47,7 +47,7 @@ services:
       - postgrest
 
   caddy:
-    image: ghcr.io/explodinglabs/superstack-caddy:0.1.0
+    image: ghcr.io/explodinglabs/sp-caddy:0.1.0
     build:
       context: ./caddy
     depends_on:

postgres/Dockerfile

@@ -2,10 +2,19 @@ FROM postgres:17
 
 # gettext is needed for envsubst
 RUN apt-get update && apt-get install -y \
-  gettext
+  gettext \
+  build-essential \
+  postgresql-server-dev-17
 
 COPY docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
 COPY migrations /etc/superstack/migrations
 COPY bin /superstack-bin
 
 ENV PATH="/superstack-bin:$PATH"
+
+# pgjwt - used by auth schema
+COPY ./pgjwt /pgjwt
+WORKDIR /pgjwt
+RUN make && make install
+
+WORKDIR /var/lib/postgresql

postgres/migrations/01-extensions.sql

@@ -0,0 +1,7 @@
+/* pgcrypto adds public.crypt used in auth.encrypt_pass pgjwt also needs this
+so it must be loaded first. pgcrypto is built into Postgres, so no need to
+install it. */
+create extension pgcrypto;
+
+-- pgjwt adds public.sign used in auth.generate_access_token
+create extension pgjwt;

postgres/migrations/02-create_auth_schema.sql

@@ -0,0 +1,144 @@
+-- 02-create_auth_schema.sql
+begin;
+
+-- Create auth schema and tables
+create schema auth;
+
+create table auth.user (
+  username text primary key check (length(username) >= 3),
+  password text not null check (length(password) < 512),
+  role name not null check (length(role) < 512)
+);
+
+create table auth.refresh_token (
+  id bigint generated always as identity primary key,
+  created_at timestamp not null default now(),
+  token text,
+  username text
+);
+
+-- Enforce that roles exist in pg_roles
+create function auth.check_role_exists() returns trigger
+language plpgsql as $$
+begin
+  if not exists (select 1 from pg_roles where rolname = new.role) then
+    raise foreign_key_violation using message = 'unknown database role: ' || new.role;
+    return null;
+  end if;
+  return new;
+end
+$$;
+
+create constraint trigger ensure_user_role_exists
+after insert or update on auth.user
+for each row execute procedure auth.check_role_exists();
+
+-- Encrypt passwords on insert/update
+create function auth.encrypt_pass() returns trigger
+language plpgsql as $$
+begin
+  if tg_op = 'INSERT' or new.password <> old.password then
+    new.password := crypt(new.password, gen_salt('bf'));
+  end if;
+  return new;
+end
+$$;
+
+create trigger encrypt_pass
+before insert or update on auth.user
+for each row execute procedure auth.encrypt_pass();
+
+-- Generate JWT access tokens
+create function auth.generate_access_token(
+  role_ text, user_ text, secret text
+) returns text
+language plpgsql as $$
+declare
+  access_token text;
+begin
+  select public.sign(row_to_json(r), secret) into access_token from (
+    select role_ as role, user_ as username,
+      extract(epoch from now())::integer + 600 as exp
+  ) r;
+  return access_token;
+end;
+$$;
+
+-- Login endpoint
+create function auth.login(user_ text, pass text) returns void
+language plpgsql security definer as $$
+declare
+  access_token text;
+  headers text;
+  refresh_token text;
+  role_ name;
+begin
+  select role into role_
+  from auth.user
+  where username = user_
+    and password = public.crypt(pass, password);
+
+  if role_ is null then
+    raise sqlstate 'PT401' using message = 'Invalid user or password';
+  end if;
+
+  select auth.generate_access_token(role_, user_, current_setting('pgrst.jwt_secret')) into access_token;
+
+  refresh_token := public.gen_random_uuid();
+  insert into auth.refresh_token (token, username) values (refresh_token, user_);
+
+  headers := '[' ||
+    '{"Set-Cookie": "access_token=' || access_token || '; Path=/; HttpOnly;"},' ||
+    '{"Set-Cookie": "refresh_token=' || refresh_token || '; Path=/rpc/refresh_token; HttpOnly;"}' ||
+  ']';
+  perform set_config('response.headers', headers, true);
+end;
+$$;
+
+-- Logout endpoint
+create function auth.logout() returns void
+language plpgsql security definer as $$
+declare headers text;
+begin
+  headers := '[' ||
+    '{"Set-Cookie": "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;"},' ||
+    '{"Set-Cookie": "refresh_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT;"}' ||
+  ']';
+  perform set_config('response.headers', headers, true);
+end;
+$$;
+
+-- Refresh token endpoint
+create function auth.refresh_token() returns void
+language plpgsql security definer as $$
+declare
+  user_ text;
+  access_token text;
+  headers text;
+  refresh_token_ text;
+  role_ text;
+begin
+  refresh_token_ := current_setting('request.cookies', true)::json->>'refresh_token';
+
+  select username into user_
+  from auth.refresh_token
+  where token = refresh_token_
+    and created_at > now() - interval '30 days';
+
+  if user_ is null then
+    raise sqlstate 'PT401' using message = 'Invalid or expired refresh token';
+  end if;
+
+  select role into role_ from auth.user where username = user_;
+  if role_ is null then
+    raise sqlstate 'PT401' using message = 'Unknown user';
+  end if;
+
+  select auth.generate_access_token(role_, user_, current_setting('pgrst.jwt_secret')) into access_token;
+
+  headers := '[{"Set-Cookie": "access_token=' || access_token || '; Path=/; HttpOnly;"}]';
+  perform set_config('response.headers', headers, true);
+end;
+$$;
+
+commit;

postgres/migrations/03-create_api_schema.sql

@@ -0,0 +1,126 @@
+begin;
+
+-- Create the api schema
+-- No need, this is created in 00-init_postgrest.sql
+-- create schema api;
+
+comment on schema api is 'Screen Pilot API';
+
+-- Create the asset table
+create table api.asset (
+  id bigint generated always as identity primary key,
+  created_at timestamp not null default now(),
+  filename text unique not null,
+  mime text not null,
+  size int not null
+);
+
+-- Create the playlist table
+create table api.playlist (
+  id bigint generated always as identity primary key,
+  created_at timestamp not null default now(),
+  name text not null
+);
+
+-- Create the playlist_assets table
+create table api.playlist_asset (
+  id bigint generated always as identity primary key,
+  playlist_id bigint references api.playlist (id) not null,
+  asset_id bigint references api.asset (id) not null,
+  /* "The join table determines many-to-many relationships. It must contain
+  foreign keys to other two tables and they must be part of its composite key."
+  https://docs.postgrest.org/en/v12/references/api/resource_embedding.html#many-to-many-relationships
+  */
+  primary key (id, playlist_id, asset_id)
+);
+
+-- Send an MPV command
+/*
+create function api.mpv_command(routing_key text, command text []) returns void
+language plpgsql as $$
+begin
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'MPVCommand', 'command', command)::text);
+end;
+$$;
+
+comment on function api.mpv_command(text, text [])
+is 'Send an MPV command. Currently unused.';
+*/
+
+-- Select playlist files from db and play
+create function api.play_playlist_id(
+  routing_key text,
+  p_id int,
+  index int
+) returns void language plpgsql as $$
+declare
+  files text[];
+  playlist_name text;
+  json text;
+begin
+  select name into playlist_name
+  from api.playlist
+  where id = p_id;
+
+  select array_agg(filename) into files
+  from api.playlist_asset
+  left join asset on playlist_asset.id = asset.id
+  where playlist_asset.playlist_id = p_id;
+
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'LoadList', 'files', files)::text);
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'MPVCommand', 'command', array["playlist-play-index", index])::text);
+end;
+$$;
+
+comment on function api.play_playlist_id(text, int, int) is
+'Select playlist files from the database and play them.
+
+Parameters:
+  - routing_key: The routing key of the screen
+  - p_id: Playlist id
+  - index: Index to begin playback from.';
+
+-- Load files in a known playlist text file and play
+create function api.play_playlist_file(
+  routing_key text,
+  playlist_file text,
+  index int
+) returns void language plpgsql as $$
+begin
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'MPVCommand', 'command', array["loadlist", playlist_file])::text);
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'MPVCommand', 'command', array["playlist-play-index", index])::text);
+end;
+$$;
+
+comment on function api.play_playlist_file(text, text, int) is
+'Load files in a known playlist text file and play.
+
+Parameters:
+  - routing_key: The routing key of the screen
+  - playlist_file: Contents of the playlist file.
+  - index: Index to begin playback from.';
+
+-- Write playlist text file and play
+create function api.play_files(
+  routing_key text,
+  files text [],
+  index int
+) returns void language plpgsql as $$
+begin
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'LoadList', 'files', files)::text);
+  perform amqp.publish(1, 'amq.topic', routing_key, json_build_object('event', 'MPVCommand', 'command', array['playlist-play-index', index::text])::text);
+end;
+$$;
+
+comment on function api.play_files(text, text [], int) is
+'Write playlist text file and play.
+
+Tells the consumer write a list of files to a text file, then load that
+playlist text file.
+
+Parameters:
+  - routing_key: The routing key of the screen
+  - files: Contents of the playlist file.
+  - index: Index to begin playback from.';
+
+commit;

postgres/migrations/98-roles.sql

@@ -0,0 +1 @@
+create role basic_subscriber;

postgres/migrations/99-grants.sql

@@ -0,0 +1,27 @@
+begin;
+
+grant usage on schema auth to anon;
+grant execute on function auth.login(text, text) to anon;
+grant execute on function auth.logout() to anon;
+grant execute on function auth.refresh_token() to anon;
+
+-- basic_subscriber
+grant basic_subscriber to authenticator;
+grant usage on schema api to basic_subscriber;
+-- amqp extension has its own 'amqp' schema
+grant usage on schema amqp to basic_subscriber;
+-- Grant table privileges
+grant select, insert, update on
+api.playlist,
+api.asset,
+api.playlist_asset,
+amqp.broker to basic_subscriber;
+-- Grant execute on RPC functions
+grant execute on function
+-- api.mpv_command(text, text []),
+api.play_playlist_id(text, int, int),
+api.play_playlist_file(text, text, int),
+api.play_files(text, text [], int)
+to basic_subscriber;
+
+commit;

postgres/rc/.inputrc

@@ -0,0 +1 @@
+set editing-mode vi

postgres/rc/.psqlrc

@@ -0,0 +1,2 @@
+\pset pager off
+\setenv PAGER 'less -S'