feat: add tenant specific feature flags (#231)

Author: fenos

migrations/multitenant/0004-add-feature-image-transformation-column.sql

@@ -0,0 +1 @@
+ALTER TABLE tenants ADD COLUMN feature_image_transformation boolean DEFAULT false NOT NULL;

src/database/tenant.ts

@@ -9,10 +9,17 @@ interface TenantConfig {
   anonKey: string
   databaseUrl: string
   fileSizeLimit: number
+  features: Features
   jwtSecret: string
   serviceKey: string
 }
 
+export interface Features {
+  imageTransformation: {
+    enabled: boolean
+  }
+}
+
 const { multitenantDatabaseUrl } = getConfig()
 
 const tenantConfigCache = new Map<string, TenantConfig>()
@@ -66,13 +73,26 @@ export async function getTenantConfig(tenantId: string): Promise<TenantConfig> {
       `Tenant config for ${tenantId} not found`
     )
   }
-  const { anon_key, database_url, file_size_limit, jwt_secret, service_key } = tenant
+  const {
+    anon_key,
+    database_url,
+    file_size_limit,
+    jwt_secret,
+    service_key,
+    feature_image_transformation,
+  } = tenant
+
   const config = {
     anonKey: decrypt(anon_key),
     databaseUrl: decrypt(database_url),
     fileSizeLimit: Number(file_size_limit),
     jwtSecret: decrypt(jwt_secret),
     serviceKey: decrypt(service_key),
+    features: {
+      imageTransformation: {
+        enabled: feature_image_transformation,
+      },
+    },
   }
   await cacheTenantConfigAndRunMigrations(tenantId, config)
   return config
@@ -114,6 +134,15 @@ export async function getFileSizeLimit(tenantId: string): Promise<number> {
   return fileSizeLimit
 }
 
+/**
+ * Get features flags config for a specific tenant
+ * @param tenantId
+ */
+export async function getFeatures(tenantId: string): Promise<Features> {
+  const { features } = await getTenantConfig(tenantId)
+  return features
+}
+
 const TENANTS_UPDATE_CHANNEL = 'tenants_update'
 
 /**

src/http/plugins/index.ts

@@ -5,3 +5,4 @@ export * from './log-request'
 export * from './postgrest'
 export * from './storage'
 export * from './tenant-id'
+export * from './tenant-feature'

src/http/plugins/tenant-feature.ts

@@ -0,0 +1,28 @@
+import fastifyPlugin from 'fastify-plugin'
+import { getConfig } from '../../config'
+import { Features, getFeatures } from '../../database/tenant'
+
+/**
+ * Requires a specific feature to be enabled for a given tenant.
+ *
+ * This only applies for multi-tenant applications.
+ * For single-tenant, use environment variables to toggle features
+ * @param feature
+ */
+export const requireTenantFeature = (feature: keyof Features) =>
+  fastifyPlugin(async (fastify) => {
+    const { isMultitenant } = getConfig()
+    fastify.addHook('onRequest', async (request, reply) => {
+      if (!isMultitenant) return
+
+      const features = await getFeatures(request.tenantId)
+
+      if (!features[feature].enabled) {
+        reply.status(403).send({
+          error: 'FeatureNotEnabled',
+          statusCode: '403',
+          message: 'feature not enabled for this tenant',
+        })
+      }
+    })
+  })

src/http/routes/object/getSignedURL.ts

@@ -3,8 +3,8 @@ import { FromSchema } from 'json-schema-to-ts'
 import { createDefaultSchema } from '../../generic-routes'
 import { AuthenticatedRequest } from '../../request'
 import { ImageRenderer } from '../../../storage/renderer'
-import { getConfig } from '../../../config'
 import { transformationOptionsSchema } from '../../schemas/transformations'
+import { isImageTransformationEnabled } from '../../../storage/limits'
 
 const getSignedURLParamsSchema = {
   type: 'object',
@@ -43,8 +43,6 @@ interface getSignedURLRequestInterface extends AuthenticatedRequest {
   Body: FromSchema<typeof getSignedURLBodySchema>
 }
 
-const { enableImageTransformation } = getConfig()
-
 export default async function routes(fastify: FastifyInstance) {
   const summary = 'Generate a presigned url to retrieve an object'
 
@@ -66,11 +64,12 @@ export default async function routes(fastify: FastifyInstance) {
       const { expiresIn } = request.body
 
       const urlPath = request.url.split('?').shift()
+      const imageTransformationEnabled = await isImageTransformationEnabled(request.tenantId)
 
       const signedURL = await request.storage
         .from(bucketName)
         .signObjectUrl(objectName, urlPath as string, expiresIn, {
-          transformations: enableImageTransformation
+          transformations: imageTransformationEnabled
             ? ImageRenderer.applyTransformation(request.body.transform || {}).join(',')
             : '',
         })

src/http/routes/render/index.ts

@@ -2,7 +2,7 @@ import { FastifyInstance } from 'fastify'
 import renderPublicImage from './renderPublicImage'
 import renderAuthenticatedImage from './renderAuthenticatedImage'
 import renderSignedImage from './renderSignedImage'
-import { jwt, postgrest, superUserPostgrest, storage } from '../../plugins'
+import { jwt, postgrest, superUserPostgrest, storage, requireTenantFeature } from '../../plugins'
 import { getConfig } from '../../../config'
 
 const { enableImageTransformation } = getConfig()
@@ -13,6 +13,7 @@ export default async function routes(fastify: FastifyInstance) {
   }
 
   fastify.register(async function authorizationContext(fastify) {
+    fastify.register(requireTenantFeature('imageTransformation'))
     fastify.register(jwt)
     fastify.register(postgrest)
     fastify.register(superUserPostgrest)
@@ -21,6 +22,7 @@ export default async function routes(fastify: FastifyInstance) {
   })
 
   fastify.register(async (fastify) => {
+    fastify.register(requireTenantFeature('imageTransformation'))
     fastify.register(superUserPostgrest)
     fastify.register(storage)
     fastify.register(renderSignedImage)

src/http/routes/tenant/index.ts

@@ -14,6 +14,17 @@ const patchSchema = {
       fileSizeLimit: { type: 'number' },
       jwtSecret: { type: 'string' },
       serviceKey: { type: 'string' },
+      features: {
+        type: 'object',
+        properties: {
+          imageTransformation: {
+            type: 'object',
+            properties: {
+              enabled: { type: 'boolean' },
+            },
+          },
+        },
+      },
     },
   },
 } as const
@@ -46,6 +57,7 @@ interface tenantDBInterface {
   jwt_secret: string
   service_key: string
   file_size_limit?: number
+  feature_image_transformation: boolean
 }
 
 export default async function routes(fastify: FastifyInstance) {
@@ -54,13 +66,26 @@ export default async function routes(fastify: FastifyInstance) {
   fastify.get('/', async () => {
     const tenants = await knex('tenants').select()
     return tenants.map(
-      ({ id, anon_key, database_url, file_size_limit, jwt_secret, service_key }) => ({
+      ({
+        id,
+        anon_key,
+        database_url,
+        file_size_limit,
+        jwt_secret,
+        service_key,
+        feature_image_transformation,
+      }) => ({
         id,
         anonKey: decrypt(anon_key),
         databaseUrl: decrypt(database_url),
         fileSizeLimit: Number(file_size_limit),
         jwtSecret: decrypt(jwt_secret),
         serviceKey: decrypt(service_key),
+        features: {
+          imageTransformation: {
+            enabled: feature_image_transformation,
+          },
+        },
       })
     )
   })
@@ -70,20 +95,34 @@ export default async function routes(fastify: FastifyInstance) {
     if (!tenant) {
       reply.code(404).send()
     } else {
-      const { anon_key, database_url, file_size_limit, jwt_secret, service_key } = tenant
+      const {
+        anon_key,
+        database_url,
+        file_size_limit,
+        jwt_secret,
+        service_key,
+        feature_image_transformation,
+      } = tenant
+
       return {
         anonKey: decrypt(anon_key),
         databaseUrl: decrypt(database_url),
         fileSizeLimit: Number(file_size_limit),
         jwtSecret: decrypt(jwt_secret),
         serviceKey: decrypt(service_key),
+        features: {
+          imageTransformation: {
+            enabled: feature_image_transformation,
+          },
+        },
       }
     }
   })
 
   fastify.post<tenantRequestInterface>('/:tenantId', { schema }, async (request, reply) => {
-    const { anonKey, databaseUrl, fileSizeLimit, jwtSecret, serviceKey } = request.body
     const { tenantId } = request.params
+    const { anonKey, databaseUrl, fileSizeLimit, jwtSecret, serviceKey, features } = request.body
+
     await runMigrations(tenantId, databaseUrl)
     await knex('tenants').insert({
       id: tenantId,
@@ -92,6 +131,7 @@ export default async function routes(fastify: FastifyInstance) {
       file_size_limit: fileSizeLimit,
       jwt_secret: encrypt(jwtSecret),
       service_key: encrypt(serviceKey),
+      feature_image_transformation: features?.imageTransformation?.enabled ?? false,
     })
     reply.code(201).send()
   })
@@ -100,7 +140,7 @@ export default async function routes(fastify: FastifyInstance) {
     '/:tenantId',
     { schema: patchSchema },
     async (request, reply) => {
-      const { anonKey, databaseUrl, fileSizeLimit, jwtSecret, serviceKey } = request.body
+      const { anonKey, databaseUrl, fileSizeLimit, jwtSecret, serviceKey, features } = request.body
       const { tenantId } = request.params
       if (databaseUrl) {
         await runMigrations(tenantId, databaseUrl)
@@ -112,14 +152,15 @@ export default async function routes(fastify: FastifyInstance) {
           file_size_limit: fileSizeLimit,
           jwt_secret: jwtSecret !== undefined ? encrypt(jwtSecret) : undefined,
           service_key: serviceKey !== undefined ? encrypt(serviceKey) : undefined,
+          feature_image_transformation: features?.imageTransformation?.enabled,
         })
         .where('id', tenantId)
       reply.code(204).send()
     }
   )
 
   fastify.put<tenantRequestInterface>('/:tenantId', { schema }, async (request, reply) => {
-    const { anonKey, databaseUrl, fileSizeLimit, jwtSecret, serviceKey } = request.body
+    const { anonKey, databaseUrl, fileSizeLimit, jwtSecret, serviceKey, features } = request.body
     const { tenantId } = request.params
     await runMigrations(tenantId, databaseUrl)
 
@@ -129,6 +170,7 @@ export default async function routes(fastify: FastifyInstance) {
       database_url: encrypt(databaseUrl),
       jwt_secret: encrypt(jwtSecret),
       service_key: encrypt(serviceKey),
+      feature_image_transformation: features?.imageTransformation?.enabled ?? false,
     }
 
     if (fileSizeLimit) {

src/storage/backend/s3.ts

@@ -22,7 +22,7 @@ import { StorageBackendError } from '../errors'
 
 /**
  * S3Backend
- * Interacts with a s3 system with this S3Backend adapter
+ * Interacts with an s3-compatible file system with this S3Adapter
  */
 export class S3Backend implements StorageBackendAdapter {
   client: S3Client

src/storage/limits.ts

@@ -1,8 +1,8 @@
 import { getConfig } from '../config'
-import { getFileSizeLimit as getFileSizeLimitForTenant } from '../database/tenant'
+import { getFileSizeLimit as getFileSizeLimitForTenant, getFeatures } from '../database/tenant'
 import { StorageBackendError } from './errors'
 
-const { isMultitenant } = getConfig()
+const { isMultitenant, enableImageTransformation } = getConfig()
 
 /**
  * Get the maximum file size for a specific project
@@ -16,6 +16,20 @@ export async function getFileSizeLimit(tenantId: string): Promise<number> {
   return fileSizeLimit
 }
 
+/**
+ * Determines if the image transformation feature is enabled.
+ * @param tenantId
+ */
+export async function isImageTransformationEnabled(tenantId: string) {
+  if (!isMultitenant) {
+    return enableImageTransformation
+  }
+
+  const { imageTransformation } = await getFeatures(tenantId)
+
+  return imageTransformation.enabled
+}
+
 /**
  * Validates if a given object key or bucket key is valid
  * @param key

src/storage/storage.ts

@@ -2,7 +2,7 @@ import { StorageBackendAdapter } from './backend'
 import { Database, FindBucketFilters } from './database'
 import { StorageBackendError } from './errors'
 import { ImageRenderer, AssetRenderer, HeadRenderer } from './renderer'
-import { mustBeValidBucketName, mustBeValidKey } from './limits'
+import { mustBeValidBucketName } from './limits'
 import { Uploader } from './uploader'
 import { getConfig } from '../config'
 import { ObjectStorage } from './object'
@@ -22,7 +22,7 @@ export class Storage {
    * @param bucketId
    */
   from(bucketId: string) {
-    mustBeValidKey(bucketId, 'The bucketId name contains invalid characters')
+    mustBeValidBucketName(bucketId, 'The bucketId name contains invalid characters')
 
     return new ObjectStorage(this.backend, this.db, bucketId)
   }

src/test/tenant.test.ts

@@ -12,6 +12,11 @@ const payload = {
   fileSizeLimit: 1,
   jwtSecret: 'c',
   serviceKey: 'd',
+  features: {
+    imageTransformation: {
+      enabled: true,
+    },
+  },
 }
 
 const payload2 = {
@@ -20,6 +25,11 @@ const payload2 = {
   fileSizeLimit: 2,
   jwtSecret: 'g',
   serviceKey: 'h',
+  features: {
+    imageTransformation: {
+      enabled: false,
+    },
+  },
 }
 
 beforeAll(async () => {

src/test/x-forwarded-host.test.ts

@@ -19,6 +19,11 @@ beforeAll(async () => {
     serviceKey: process.env.SERVICE_KEY || '',
     jwtSecret: process.env.PGRST_JWT_SECRET || '',
     fileSizeLimit: parseInt(process.env.FILE_SIZE_LIMIT || '1000'),
+    features: {
+      imageTransformation: {
+        enabled: true,
+      },
+    },
   }))
 
   jest