Protect system database from DDL operations

max-lt · max-lt · commit 89d16be17091 · 2026-02-20T09:49:03.000+01:00
Restrict system token to SELECT/INSERT/UPDATE/DELETE only and block
table/column modifications on the platform database (id 0000...).
diff --git a/DEPLOY.md b/DEPLOY.md
@@ -85,10 +85,10 @@ Once the platform is running, use a **space alias** (goes through the API) for s
 
 ```bash
 bun run build
-ow <space> worker upload openworkers-api ./build
+ow infra worker upload openworkers-api ./build
 ```
 
-Where `<space>` is the target space (`dev`, `main`, `ps`, ...).
+Where `infra` is the target space alias (could be `dev`, `main`, `local`, ...).
 
 Create the environment **before** the first upload so the project inherits it automatically. If the worker was already uploaded without an environment, `worker link` will cascade it to the project and all function workers.
 
@@ -100,10 +100,10 @@ Secrets are prompted interactively (masked input) when value is omitted:
 
 ```bash
 # Variables (plain text)
-ow <space> env set openworkers-api-env APP_URL https://dash.example.com
+ow infra env set openworkers-api-env APP_URL https://dash.example.com
 
 # Secrets (prompted interactively, not stored in shell history)
-ow <space> env set openworkers-api-env JWT_ACCESS_SECRET --secret
+ow infra env set openworkers-api-env JWT_ACCESS_SECRET --secret
 ```
 
 Bindings (`DATABASE`, `ASSETS`) are set with `ow infra env bind` during the initial setup (see step 5 above). They connect the worker to its database and assets storage at runtime.
@@ -133,17 +133,17 @@ In Docker mode, `POSTGATE_URL` and `POSTGATE_TOKEN` must be set in `.env` to con
 Workers that are uploaded with multiple routes/functions are automatically promoted to **projects**. Projects group related workers.
 
 ```bash
-ow <space> projects list              # List all projects
-ow <space> projects delete my-app     # Delete project and all its workers
+ow infra projects list              # List all projects
+ow infra projects delete my-app     # Delete project and all its workers
 ```
 
 To delete a worker that belongs to a project, delete the project instead:
 
 ```bash
 # This fails:
-ow <space> worker delete my-app
+ow infra worker delete my-app
 # → "Cannot delete main worker - delete the project instead"
 
 # Do this instead:
-ow <space> projects delete my-app
+ow infra projects delete my-app
 ```
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "openworkers-api",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "license": "MIT",
   "type": "module",
   "repository": {
diff --git a/src/lib/services/db/database-tokens.ts b/src/lib/services/db/database-tokens.ts
@@ -7,6 +7,10 @@ import type { DatabaseOperation } from '../../types/schemas/database-token.schem
 const SYSTEM_TOKEN_NAME = '__system__';
 const ALL_OPERATIONS: DatabaseOperation[] = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'CREATE', 'ALTER', 'DROP'];
 
+function isProtectedDatabase(databaseId: string): boolean {
+  return databaseId === '00000000-0000-0000-0000-000000000000';
+}
+
 export interface DatabaseToken {
   id: string;
   databaseId: string;
@@ -116,14 +120,19 @@ async function createSystemToken(databaseId: string): Promise<string> {
   const tokenPrefix = fullToken.substring(0, 8);
   const tokenHash = await hashToken(fullToken);
 
+  const isProtected = isProtectedDatabase(databaseId);
+  const allowedOperations: DatabaseOperation[] = isProtected
+    ? ['SELECT', 'INSERT', 'UPDATE', 'DELETE']
+    : ALL_OPERATIONS;
+
   await kysely
     .insertInto('databaseTokens')
     .values({
       databaseId: uuid(databaseId),
       name: SYSTEM_TOKEN_NAME,
       tokenHash,
       tokenPrefix,
-      allowedOperations: textArray(ALL_OPERATIONS)
+      allowedOperations: textArray(allowedOperations)
     })
     .onConflict((oc) => oc.columns(['databaseId', 'name']).doNothing())
     .execute();
diff --git a/src/lib/services/tables.ts b/src/lib/services/tables.ts
@@ -3,6 +3,10 @@ import * as db from './db/databases';
 import type { ITableInfo, IColumnInfo, IColumnDefinition } from '../types';
 
 export class TablesService {
+  private isProtectedDatabase(databaseId: string): boolean {
+    return databaseId === '00000000-0000-0000-0000-000000000000';
+  }
+
   /**
    * List all tables in a database schema
    */
@@ -91,6 +95,10 @@ export class TablesService {
       throw new Error('Schema not configured');
     }
 
+    if (this.isProtectedDatabase(databaseId)) {
+      throw new Error('Cannot modify protected database');
+    }
+
     await sql(`SELECT create_tenant_table($1::uuid, $2, $3, $4::jsonb)`, [
       userId,
       dbConfig.schemaName,
@@ -117,6 +125,10 @@ export class TablesService {
       throw new Error('Schema not configured');
     }
 
+    if (this.isProtectedDatabase(databaseId)) {
+      throw new Error('Cannot modify protected database');
+    }
+
     await sql(`SELECT drop_tenant_table($1::uuid, $2, $3)`, [userId, dbConfig.schemaName, tableName]);
   }
 
@@ -138,6 +150,10 @@ export class TablesService {
       throw new Error('Schema not configured');
     }
 
+    if (this.isProtectedDatabase(databaseId)) {
+      throw new Error('Cannot modify protected database');
+    }
+
     await sql(`SELECT add_tenant_column($1::uuid, $2, $3, $4::jsonb)`, [
       userId,
       dbConfig.schemaName,
@@ -164,6 +180,10 @@ export class TablesService {
       throw new Error('Schema not configured');
     }
 
+    if (this.isProtectedDatabase(databaseId)) {
+      throw new Error('Cannot modify protected database');
+    }
+
     await sql(`SELECT drop_tenant_column($1::uuid, $2, $3, $4)`, [userId, dbConfig.schemaName, tableName, columnName]);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "openworkers-api",`
`3`		`- "version": "1.6.0",`
	`3`	`+ "version": "1.6.1",`
`4`	`4`	`"license": "MIT",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"repository": {`