Implements Row-Level Security (RLS) policies on accounts and sessions tables with FORCE enforcement.
Core Implementation:
- Added FORCE ROW LEVEL SECURITY to accounts and sessions tables
- Created conditional owner bypass policies (when current_user_id() IS NULL)
- Created user-scoped access policies using current_user_id() helper
- Documented PostgreSQL superuser limitation with production deployment guide
Security Features:
- Prevents cross-user data access at database level
- Defense-in-depth security layer complementing application logic
- Owner bypass allows migrations and BetterAuth operations when no RLS context
- Production requires non-superuser application role (documented in migration)
Test Coverage:
- 22 comprehensive integration tests (9 accounts + 9 sessions + 4 context)
- Complete CRUD coverage: CREATE, READ, UPDATE, DELETE (own + others)
- Superuser detection with fail-fast error message
- Verification that blocked DELETE operations preserve data
- 100% test coverage, all tests passing
Integration:
- Uses RLS context provider from #351 (runWithRlsClient, getRlsClient)
- Parameterized queries using set_config() for security
- Transaction-scoped session variables with SET LOCAL
Files Created:
- apps/api/prisma/migrations/20260207_add_auth_rls_policies/migration.sql
- apps/api/src/auth/auth-rls.integration.spec.ts
Fixes#350
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
