feat: propagate kind + access_level as JWT claims in pgSettings

pyramation · pyramation · commit 788fdfed6cca · 2026-04-17T22:34:03.000Z
Adds jwt.claims.access_level and jwt.claims.kind to PostgreSQL session
settings so PG functions can read them via current_setting(). This lets
the DB layer make decisions based on credential type (api_key vs session)
and access level (read_write vs read_only) without additional lookups.
diff --git a/graphql/server/src/middleware/graphile.ts b/graphql/server/src/middleware/graphile.ts
@@ -189,6 +189,15 @@ const buildPreset = (
             ...context,
           };
 
+          // Propagate credential metadata as JWT claims so PG functions
+          // can read them via current_setting('jwt.claims.access_level') etc.
+          if (req.token.access_level) {
+            pgSettings['jwt.claims.access_level'] = req.token.access_level;
+          }
+          if (req.token.kind) {
+            pgSettings['jwt.claims.kind'] = req.token.kind;
+          }
+
           // Enforce read-only transactions for read_only credentials (API keys, etc.)
           if (req.token.access_level === 'read_only') {
             pgSettings['default_transaction_read_only'] = 'on';
