feat: encrypt snapshot column

Cargo.toml

@@ -1,6 +1,5 @@
 [workspace]
 members = [
     "postgres",
-    "realtime",
     "storage",
 ]

README.md

@@ -5,7 +5,6 @@ real-time functionality, and storage.
 
 ## [Postgres](https://supabase.com/docs/guides/database/overview)
 
-## [Real-time](https://supabase.com/docs/guides/realtime)
 
 ## [Storage](https://supabase.com/docs/guides/storage)
 

postgres/migrations/V3__awareness.sql

@@ -1,87 +1,6 @@
 -- Create the user_awareness partition of the af_collab_update table
 CREATE TABLE af_collab_update_user_awareness PARTITION OF af_collab_update FOR
 VALUES IN (5);
--- Add the encrypt column to the af_collab_update table. If the encrypt column is
--- null, then the update is not encrypted.
-ALTER TABLE af_collab_update
-ADD COLUMN encrypt INTEGER DEFAULT 0;
--- Add encryption_sign column to the af_user table
-ALTER TABLE af_user
-ADD COLUMN encryption_sign TEXT;
-CREATE OR REPLACE FUNCTION prevent_reset_encryption_sign_func() RETURNS TRIGGER AS $$ BEGIN IF OLD.encryption_sign IS NOT NULL
-    AND NEW.encryption_sign IS DISTINCT
-FROM OLD.encryption_sign THEN RAISE EXCEPTION 'The encryption sign can not be reset once it has been set';
-END IF;
-RETURN NEW;
-END;
-$$ LANGUAGE plpgsql;
-CREATE TRIGGER trigger_prevent_reset_encryption_sign BEFORE
-UPDATE ON af_user FOR EACH ROW EXECUTE FUNCTION prevent_reset_encryption_sign_func();
--- Re-create the af_user_profile_view to show the 'encrypt' column in the view.
-DROP VIEW af_user_profile_view;
-CREATE VIEW af_user_profile_view AS
-SELECT u.*,
-    w.workspace_id AS latest_workspace_id
-FROM af_user u
-    INNER JOIN (
-        SELECT uid,
-            workspace_id,
-            rank() OVER (
-                PARTITION BY uid
-                ORDER BY updated_at DESC
-            ) AS rn
-        FROM af_workspace_member
-    ) w ON u.uid = w.uid
-    AND w.rn = 1;
 -- Currently, we aren't using the JWT token for requests, so there's no need to validate
 -- auth.jwt() ->> 'email' against the email.
-ALTER POLICY af_user_update_policy ON public.af_user USING (true) WITH CHECK (true);
--- Update the flush_collab_updates function that accept a new column called encrypt
-CREATE OR REPLACE FUNCTION public.flush_collab_updates_v3(
-        oid TEXT,
-        new_value BYTEA,
-        encrypt INTEGER,
-        md5 TEXT,
-        value_size INTEGER,
-        partition_key INTEGER,
-        uid BIGINT,
-        workspace_id UUID,
-        removed_keys BIGINT [],
-        did TEXT
-    ) RETURNS void AS $$
-DECLARE lock_key INTEGER;
-BEGIN -- Hashing the oid to an integer for the advisory lock
-lock_key := (hashtext(oid)::bigint)::integer;
--- Getting a session level lock
-PERFORM pg_advisory_lock(lock_key);
--- Deleting rows with keys in removed_keys
-DELETE FROM af_collab_update
-WHERE key = ANY (removed_keys);
--- Inserting a new update with the new key and value
-INSERT INTO af_collab_update(
-        oid,
-        value,
-        encrypt,
-        md5,
-        value_size,
-        partition_key,
-        uid,
-        workspace_id,
-        did
-    )
-VALUES (
-        oid,
-        new_value,
-        encrypt,
-        md5,
-        value_size,
-        partition_key,
-        uid,
-        workspace_id,
-        did
-    );
--- Releasing the lock
-PERFORM pg_advisory_unlock(lock_key);
-RETURN;
-END;
-$$ LANGUAGE plpgsql;
+ALTER POLICY af_user_update_policy ON public.af_user USING (true) WITH CHECK (true);

postgres/migrations/V3__awareness.down.sql → postgres/migrations/V4__encryption.down.sql

@@ -1,2 +1,3 @@
 DROP TRIGGER IF EXISTS trigger_prevent_reset_encryption_sign ON af_user;
 DROP FUNCTION IF EXISTS prevent_reset_encryption_sign_func;
+DROP FUNCTION IF EXISTS flush_collab_updates_v3;

postgres/migrations/V4__encryption.sql

@@ -0,0 +1,86 @@
+-- Add the encrypt column to the af_collab_update table. If the encrypt column is
+-- 0, then the update is not encrypted.
+ALTER TABLE af_collab_update
+ADD COLUMN encrypt INTEGER DEFAULT 0;
+-- Add the encrypt column to the af_collab_snapshot table. If the encrypt column is
+-- 0, then the update is not encrypted.
+ALTER TABLE af_collab_snapshot
+ADD COLUMN encrypt INTEGER DEFAULT 0;
+-- Add encryption_sign column to the af_user table
+ALTER TABLE af_user
+ADD COLUMN encryption_sign TEXT;
+CREATE OR REPLACE FUNCTION prevent_reset_encryption_sign_func() RETURNS TRIGGER AS $$ BEGIN IF OLD.encryption_sign IS NOT NULL
+    AND NEW.encryption_sign IS DISTINCT
+FROM OLD.encryption_sign THEN RAISE EXCEPTION 'The encryption sign can not be reset once it has been set';
+END IF;
+RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+CREATE TRIGGER trigger_prevent_reset_encryption_sign BEFORE
+UPDATE ON af_user FOR EACH ROW EXECUTE FUNCTION prevent_reset_encryption_sign_func();
+
+-- Re-create the af_user_profile_view to show the 'encrypt' column in the view.
+DROP VIEW af_user_profile_view;
+CREATE VIEW af_user_profile_view AS
+SELECT u.*,
+    w.workspace_id AS latest_workspace_id
+FROM af_user u
+    INNER JOIN (
+        SELECT uid,
+            workspace_id,
+            rank() OVER (
+                PARTITION BY uid
+                ORDER BY updated_at DESC
+            ) AS rn
+        FROM af_workspace_member
+    ) w ON u.uid = w.uid
+    AND w.rn = 1;
+-- Update the flush_collab_updates function that accept a new column called encrypt
+CREATE OR REPLACE FUNCTION public.flush_collab_updates_v3(
+        oid TEXT,
+        new_value BYTEA,
+        encrypt INTEGER,
+        md5 TEXT,
+        value_size INTEGER,
+        partition_key INTEGER,
+        uid BIGINT,
+        workspace_id UUID,
+        removed_keys BIGINT [],
+        did TEXT
+    ) RETURNS void AS $$
+DECLARE lock_key INTEGER;
+BEGIN -- Hashing the oid to an integer for the advisory lock
+lock_key := (hashtext(oid)::bigint)::integer;
+-- Getting a session level lock
+PERFORM pg_advisory_lock(lock_key);
+-- Deleting rows with keys in removed_keys
+DELETE FROM af_collab_update
+WHERE key = ANY (removed_keys);
+-- Inserting a new update with the new key and value
+INSERT INTO af_collab_update(
+        oid,
+        value,
+        encrypt,
+        md5,
+        value_size,
+        partition_key,
+        uid,
+        workspace_id,
+        did
+    )
+VALUES (
+        oid,
+        new_value,
+        encrypt,
+        md5,
+        value_size,
+        partition_key,
+        uid,
+        workspace_id,
+        did
+    );
+-- Releasing the lock
+PERFORM pg_advisory_unlock(lock_key);
+RETURN;
+END;
+$$ LANGUAGE plpgsql;

postgres/src/migration.rs

@@ -37,7 +37,7 @@ pub async fn run_down_migration(client: &Client) -> Result<(), Error> {
   let sql = include_str!("../migrations/V2__realtime.down.sql");
   client.batch_execute(sql).await?;
 
-  let sql = include_str!("../migrations/V3__awareness.down.sql");
+  let sql = include_str!("../migrations/V4__encryption.down.sql");
   client.batch_execute(sql).await?;
 
   client