feat(wasm): per-request credentials from session variables (#604)

* feat(openapi_fdw): session variable auth override for per-request credentials

Adds `auth_token_setting` and `auth_token_prefix` server options to the
OpenAPI FDW, allowing a Postgres session configuration variable to supply
the authentication credential at query time rather than at server creation.

The credential is resolved via `current_setting(name, true)` each time a
request is made, so a security-definer wrapper function can inject a
per-user or per-transaction token via `set_config(..., true)` before
querying the foreign table. An empty or absent setting is a no-op,
preserving any static credential configured at server level.

Implementation:
- Add `query-setting` to the utils WIT interface (v1 + v2)
- Implement `query_setting()` in supabase-wrappers via SPI
- Wire host binding in wasm_fdw/host/utils.rs (v1 + v2)
- Add `auth_token_setting` / `auth_token_prefix` fields to ServerConfig
- Extract `apply_session_token()` as a pure testable helper
- Apply override in `make_request` before each HTTP call
- Add 15 unit tests covering all override edge cases

* test(openapi_fdw): integration test for session-token injection

Adds a pgrx integration test exercising the auth_token_setting path
end-to-end: with a session GUC unset the FDW injects no Authorization
header, and after set_config(...) the resolved token is sent prefixed.

This is the only runtime coverage of the query-setting host function ->
SPI -> guest round-trip; the existing unit tests only cover the pure
apply_session_token helper in isolation.

- wasm_fdw/tests.rs: new #[pg_test] openapi_session_token_injection
  (negative + positive cases) against the local mock on :8096
- dockerfiles/wasm/server.py: add /whoami route that reflects the
  received Authorization header so the test can assert on it

* fix(openapi_fdw): address review feedback

- apply_session_token: match the authorization header case-insensitively
  so a static Authorization header (e.g. from the headers option) is
  replaced rather than duplicated
- query_setting: report unexpected SPI errors instead of swallowing them,
  matching get_vault_secret (still returns None; absent settings are not
  errors thanks to current_setting(name, true))
- configure_auth: treat an empty/whitespace auth_token_setting as unset to
  avoid a pointless per-request lookup, and trim auth_token_prefix
- tests: rename the prefix-default test to reflect the empty struct default,
  add a case-insensitive replace regression test

* docs: document session-variable auth

- openapi.md: auth_token_setting / auth_token_prefix server options,
  updated authentication limitation, and a per-request credentials example
- wasm-advanced.md: new Host functions section documenting the utils
  interface, including query_setting for reading session GUCs
- openapi_fdw README: note per-request session-variable tokens

---------

Co-authored-by: Cody Bromley <codybrom@users.noreply.github.com>

Author: codybrom

docs/catalog/openapi.md

@@ -105,6 +105,8 @@ We need to provide Postgres with the credentials to access the API and any addit
 | `api_key_location` | No | Where to send the API key: `header` (default), `query`, or `cookie`. |
 | `bearer_token` | No | Bearer token for authentication (alternative to `api_key`). |
 | `bearer_token_id` | No | Vault secret key ID storing the bearer token. |
+| `auth_token_setting` | No | Name of a Postgres session variable (GUC) to read the auth token from at request time, e.g. `app.api_token`. When set and non-empty it overrides any static credential for that request. See [Per-request credentials](#per-request-credentials-session-variables). |
+| `auth_token_prefix` | No | Prefix for the `auth_token_setting` value in the Authorization header (default: `Bearer`). Set to an empty string to send the raw token. |
 | `user_agent` | No | Custom User-Agent header value. |
 | `accept` | No | Custom Accept header for content negotiation (e.g., `application/geo+json`). |
 | `headers` | No | Custom headers as JSON object (e.g., `'{"X-Custom": "value"}'`). |
@@ -402,7 +404,7 @@ options (endpoint '/users');
 
 - **Read-only**: This FDW only supports SELECT operations. INSERT, UPDATE, and DELETE are not supported at this time.
 - **No transactions**: Each SQL statement results in immediate HTTP requests; there is no transactional grouping.
-- **Authentication**: Currently supports API Key and Bearer Token authentication. OAuth flows are not supported.
+- **Authentication**: Supports API Key and Bearer Token authentication, either static (server option or Vault) or resolved per request from a session variable (see [Per-request credentials](#per-request-credentials-session-variables)). The FDW does not run OAuth flows itself, but a session variable lets you supply a token your application already obtained.
 - **OpenAPI version**: Only OpenAPI 3.0+ specifications are supported (not Swagger 2.0).
 
 ## Automatic Retries
@@ -519,6 +521,37 @@ create server query_auth_api
   );
 ```
 
+### Per-request credentials (session variables)
+
+A server's credential is normally fixed when the server is created. To vary it per request (for example, per-user OAuth tokens in a multi-tenant app) set `auth_token_setting` to the name of a Postgres session variable, then resolve that variable per query with a `SECURITY DEFINER` function:
+
+```sql
+create server per_user_api
+  foreign data wrapper wasm_wrapper
+  options (
+    fdw_package_url 'https://github.com/supabase/wrappers/releases/download/wasm_openapi_fdw_v0.2.0/openapi_fdw.wasm',
+    fdw_package_name 'supabase:openapi-fdw',
+    fdw_package_version '0.2.0',
+    fdw_package_checksum 'f0d4d6e50f7c519a66363bd8bdbe1ea8086ca810ca14b43fb0ed18b64acdf6aa',
+    base_url 'https://api.example.com',
+    auth_token_setting 'app.api_token'  -- read the token from this session variable each request
+  );
+
+-- Resolve the calling user's token (e.g. from an RLS-protected table keyed to
+-- auth.uid()) and pin it for the life of the transaction:
+create function set_api_token() returns void
+  language sql security definer set search_path = '' as $$
+  select set_config('app.api_token',
+    (select access_token from public.user_tokens where user_id = auth.uid()),
+    true);
+$$;
+
+select set_api_token();
+select * from some_foreign_table;
+```
+
+On each request the FDW reads `app.api_token` and sends it as `Authorization: Bearer <token>`. If the variable is unset or empty no token is injected, and any static credential on the server still applies. Use `auth_token_prefix` to change the `Bearer` prefix, or set it to an empty string to send the raw token.
+
 ### Response Path Extraction
 
 For APIs that wrap data in a container object:

docs/guides/wasm-advanced.md

@@ -177,6 +177,36 @@ fn iter_scan(ctx: &Context, row: &Row) -> Result<Option<u32>, FdwError> {
 }
 ```
 
+## Host functions
+
+The host (the Wrappers Wasm runtime) exposes a small set of functions to the guest Wasm FDW through the `utils` interface.
+
+| Function | Description |
+| --- | --- |
+| `utils::report_info` / `report_notice` / `report_warning` / `report_error` | Emit a PostgreSQL log message (visible in `psql`), handy for debugging. |
+| `utils::cell_to_string(cell)` | Format a `Cell` value as a string. |
+| `utils::get_vault_secret(id)` / `get_vault_secret_by_name(name)` | Read a decrypted secret from [Vault](https://supabase.com/docs/guides/database/vault). Use for static credentials. |
+| `utils::query_setting(name)` | Read a PostgreSQL session setting (GUC) at request time. Returns `None` if unset. |
+
+### Reading session settings
+
+`utils::query_setting(name)` wraps `current_setting(name, true)`, so it returns the current value of a session GUC, or `None` when it isn't set. This is useful when an FDW needs a value that varies per request, per user, or per transaction rather than a static server option.
+
+```rust
+// inside your FDW, read a value set earlier in the same transaction
+if let Some(token) = utils::query_setting("app.api_token") {
+    // use the token for this request
+}
+```
+
+The value is supplied from SQL with `set_config`, typically from a `SECURITY DEFINER` function that resolves it for the calling user and scopes it to the transaction:
+
+```sql
+select set_config('app.api_token', '<resolved-token>', true);  -- true = transaction-local
+```
+
+For example, the OpenAPI FDW's [`auth_token_setting`](../catalog/openapi.md#server-options) option reads a named session setting per request and uses it as the Authorization token.
+
 ## Developing locally
 
 We'll use the CLI to develop locally. This will be faster than the GitHub release workflow.

supabase-wrappers/src/utils.rs

@@ -388,6 +388,25 @@ pub fn get_vault_secret(secret_id_or_name: &str) -> Option<String> {
     }
 }
 
+/// Read a PostgreSQL session configuration parameter by name.
+///
+/// Calls `current_setting(name, true)` — returns `None` if the setting is absent
+/// rather than raising an error. Useful for injecting per-transaction credentials
+/// (e.g., via `set_config`) without requiring a fallback value. An unexpected SPI
+/// error is reported and surfaced as `None` rather than silently swallowed.
+pub fn query_setting(name: &str) -> Option<String> {
+    match Spi::get_one_with_args::<String>("SELECT current_setting($1, true)", &[name.into()]) {
+        Ok(value) => value,
+        Err(err) => {
+            report_error(
+                PgSqlErrorCode::ERRCODE_FDW_ERROR,
+                &format!("read session setting \"{name}\" failed: {err}"),
+            );
+            None
+        }
+    }
+}
+
 /// Get decrypted secret from Vault by secret name
 ///
 /// Get decrypted secret as string from Vault by secret name. Vault is an extension for storing

wasm-wrappers/fdw/openapi_fdw/README.md

@@ -17,14 +17,14 @@ Point it at an OpenAPI spec and query the API with SQL. The FDW parses the spec
 - **Rate-limit handling** — Retries automatically with exponential backoff on HTTP 429 responses
 - **Type coercion** — Maps JSON types to PostgreSQL types (`text`, `integer`, `boolean`, `timestamptz`, `jsonb`, etc.)
 - **camelCase matching** — Matches API field names like `stationIdentifier` to snake_case columns like `station_identifier`
-- **Auth support** — API key (header, query param, or cookie) and Bearer token authentication, with Supabase Vault integration
+- **Auth support** — API key (header, query param, or cookie) and Bearer token authentication, with Supabase Vault integration or per-request tokens from a session variable (`auth_token_setting`)
 - **Debug mode** — Set `debug 'true'` on the server to log HTTP request/response details as PostgreSQL INFO messages
 
 ## Limitations
 
 - Read-only (no INSERT/UPDATE/DELETE)
 - POST-for-read available via `method` table option, but only GET endpoints are auto-imported
-- Auth: API key and Bearer token only (no OAuth2 flows — use pre-obtained tokens)
+- Auth: API key and Bearer token, static or resolved per request from a session variable (no OAuth2 flows — supply pre-obtained tokens)
 - OpenAPI 3.x only (Swagger 2.0 is rejected)
 
 ## Documentation

wasm-wrappers/fdw/openapi_fdw/src/config.rs

@@ -30,6 +30,10 @@ pub(crate) struct ServerConfig {
     pub(crate) max_response_bytes: usize,
     pub(crate) debug: bool,
 
+    // Dynamic auth: Postgres session variable that overrides static auth at request time
+    pub(crate) auth_token_setting: Option<String>,
+    pub(crate) auth_token_prefix: String,
+
     // Server-level defaults (saved after init, restored in begin_scan)
     pub(crate) default_page_size: usize,
     pub(crate) default_page_size_param: String,
@@ -65,6 +69,7 @@ impl std::fmt::Debug for ServerConfig {
             .field("max_pages", &self.max_pages)
             .field("max_response_bytes", &self.max_response_bytes)
             .field("debug", &self.debug)
+            .field("auth_token_setting", &self.auth_token_setting)
             .finish()
     }
 }
@@ -84,6 +89,8 @@ impl Default for ServerConfig {
             max_pages: DEFAULT_MAX_PAGES,
             max_response_bytes: DEFAULT_MAX_RESPONSE_BYTES,
             debug: false,
+            auth_token_setting: None,
+            auth_token_prefix: String::new(),
             default_page_size: 0,
             default_page_size_param: String::new(),
             default_cursor_param: String::new(),
@@ -213,6 +220,16 @@ impl ServerConfig {
             );
         }
 
+        // Treat an empty/whitespace-only setting name as unset, so the request
+        // path doesn't fire a pointless current_setting('') lookup per request.
+        self.auth_token_setting = opts
+            .get("auth_token_setting")
+            .filter(|s| !s.trim().is_empty());
+        self.auth_token_prefix = opts
+            .require_or("auth_token_prefix", "Bearer")
+            .trim()
+            .to_owned();
+
         Ok(())
     }
 
@@ -280,6 +297,38 @@ impl ServerConfig {
 
         Ok(())
     }
+
+    /// Apply a dynamically resolved token to a request headers list.
+    ///
+    /// Replaces an existing `authorization` header if present, otherwise appends one.
+    /// No-ops if `token` is empty or whitespace-only.
+    ///
+    /// Separated from the WASM-dependent `make_request` call path for testability.
+    pub(crate) fn apply_session_token(
+        headers: &mut Vec<(String, String)>,
+        token: &str,
+        prefix: &str,
+    ) {
+        if token.trim().is_empty() {
+            return;
+        }
+        let value = if prefix.is_empty() {
+            token.to_owned()
+        } else {
+            format!("{prefix} {token}")
+        };
+        // HTTP header names are case-insensitive: match any existing
+        // authorization header regardless of casing so we replace rather than
+        // append a duplicate (e.g. a static "Authorization" from the headers option).
+        if let Some(h) = headers
+            .iter_mut()
+            .find(|h| h.0.eq_ignore_ascii_case("authorization"))
+        {
+            h.1 = value;
+        } else {
+            headers.push(("authorization".to_owned(), value));
+        }
+    }
 }
 
 #[cfg(test)]

wasm-wrappers/fdw/openapi_fdw/src/config_tests.rs

@@ -1,5 +1,153 @@
 use super::{DEFAULT_MAX_PAGES, DEFAULT_MAX_RESPONSE_BYTES, ServerConfig};
 
+// --- apply_session_token ---
+
+#[test]
+fn test_session_token_default_none() {
+    let config = ServerConfig::default();
+    assert!(config.auth_token_setting.is_none());
+}
+
+#[test]
+fn test_session_token_prefix_default_empty() {
+    let config = ServerConfig::default();
+    // Struct Default gives an empty prefix; configure_auth applies the real
+    // "Bearer" default when the server option is absent.
+    assert_eq!(config.auth_token_prefix, "");
+}
+
+#[test]
+fn test_apply_session_token_adds_bearer_header() {
+    let mut headers = vec![];
+    ServerConfig::apply_session_token(&mut headers, "tok_abc123", "Bearer");
+    assert_eq!(headers.len(), 1);
+    assert_eq!(headers[0].0, "authorization");
+    assert_eq!(headers[0].1, "Bearer tok_abc123");
+}
+
+#[test]
+fn test_apply_session_token_custom_prefix() {
+    let mut headers = vec![];
+    ServerConfig::apply_session_token(&mut headers, "tok_xyz", "Token");
+    assert_eq!(headers[0].1, "Token tok_xyz");
+}
+
+#[test]
+fn test_apply_session_token_empty_prefix_no_prefix() {
+    // Empty prefix → raw token value, no leading space
+    let mut headers = vec![];
+    ServerConfig::apply_session_token(&mut headers, "rawtoken", "");
+    assert_eq!(headers[0].1, "rawtoken");
+}
+
+#[test]
+fn test_apply_session_token_replaces_existing_authorization() {
+    let mut headers = vec![("authorization".to_owned(), "Bearer old-token".to_owned())];
+    ServerConfig::apply_session_token(&mut headers, "new-token", "Bearer");
+    // Should replace, not append
+    assert_eq!(headers.len(), 1);
+    assert_eq!(headers[0].1, "Bearer new-token");
+}
+
+#[test]
+fn test_apply_session_token_replaces_existing_authorization_case_insensitive() {
+    // Existing header uses capital "Authorization" (e.g. from the headers option).
+    // Header names are case-insensitive, so it should be replaced, not duplicated.
+    let mut headers = vec![("Authorization".to_owned(), "Bearer old-token".to_owned())];
+    ServerConfig::apply_session_token(&mut headers, "new-token", "Bearer");
+    assert_eq!(headers.len(), 1);
+    assert_eq!(headers[0].1, "Bearer new-token");
+}
+
+#[test]
+fn test_apply_session_token_replaces_leaves_other_headers_intact() {
+    let mut headers = vec![
+        ("content-type".to_owned(), "application/json".to_owned()),
+        ("authorization".to_owned(), "Bearer old".to_owned()),
+        ("x-request-id".to_owned(), "req-123".to_owned()),
+    ];
+    ServerConfig::apply_session_token(&mut headers, "new", "Bearer");
+    assert_eq!(headers.len(), 3);
+    assert_eq!(headers[0].0, "content-type");
+    assert_eq!(headers[1].1, "Bearer new");
+    assert_eq!(headers[2].0, "x-request-id");
+}
+
+#[test]
+fn test_apply_session_token_appends_when_no_existing_authorization() {
+    let mut headers = vec![
+        ("content-type".to_owned(), "application/json".to_owned()),
+        ("user-agent".to_owned(), "Wrappers/1.0".to_owned()),
+    ];
+    ServerConfig::apply_session_token(&mut headers, "tok", "Bearer");
+    assert_eq!(headers.len(), 3);
+    assert_eq!(headers[2].0, "authorization");
+    assert_eq!(headers[2].1, "Bearer tok");
+}
+
+#[test]
+fn test_apply_session_token_empty_token_noop() {
+    let mut headers = vec![("authorization".to_owned(), "Bearer original".to_owned())];
+    ServerConfig::apply_session_token(&mut headers, "", "Bearer");
+    // Empty token → no change
+    assert_eq!(headers[0].1, "Bearer original");
+}
+
+#[test]
+fn test_apply_session_token_whitespace_token_noop() {
+    let mut headers = vec![("authorization".to_owned(), "Bearer original".to_owned())];
+    ServerConfig::apply_session_token(&mut headers, "   ", "Bearer");
+    assert_eq!(headers[0].1, "Bearer original");
+}
+
+#[test]
+fn test_apply_session_token_empty_token_does_not_append() {
+    let mut headers = vec![];
+    ServerConfig::apply_session_token(&mut headers, "", "Bearer");
+    assert!(headers.is_empty());
+}
+
+#[test]
+fn test_apply_session_token_overrides_static_bearer() {
+    // Simulate: static bearer_token set at init, session token injected at request time
+    let mut headers = vec![
+        ("content-type".to_owned(), "application/json".to_owned()),
+        ("authorization".to_owned(), "Bearer static-token".to_owned()),
+    ];
+    ServerConfig::apply_session_token(&mut headers, "per-user-token", "Bearer");
+    let auth = headers.iter().find(|h| h.0 == "authorization").unwrap();
+    assert_eq!(auth.1, "Bearer per-user-token");
+    // Static token not leaked
+    assert!(!auth.1.contains("static-token"));
+}
+
+#[test]
+fn test_apply_session_token_second_call_replaces_first() {
+    let mut headers = vec![];
+    ServerConfig::apply_session_token(&mut headers, "first", "Bearer");
+    ServerConfig::apply_session_token(&mut headers, "second", "Bearer");
+    assert_eq!(headers.len(), 1);
+    assert_eq!(headers[0].1, "Bearer second");
+}
+
+#[test]
+fn test_debug_shows_auth_token_setting_name() {
+    let config = ServerConfig {
+        auth_token_setting: Some("app.user_token".to_string()),
+        ..Default::default()
+    };
+    let debug_output = format!("{config:?}");
+    // Setting name is not sensitive — it should appear in debug output
+    assert!(debug_output.contains("app.user_token"));
+}
+
+#[test]
+fn test_debug_no_auth_token_setting_shows_none() {
+    let config = ServerConfig::default();
+    let debug_output = format!("{config:?}");
+    assert!(debug_output.contains("auth_token_setting: None"));
+}
+
 // --- Default values ---
 
 #[test]