fix: address PostgREST authenticator review findings

moizpgedge · moizpgedge · commit bd06babf33d0 · 2026-04-02T15:24:58.000+05:00
- Hoist parsed PostgREST config outside the service type switch so the
  per-node authenticator loop reuses the already-validated result instead
  of re-parsing and silently discarding errors, which could cause
  per-node authenticators to use a different anon role than the primary.
- Fix double `%w` in `PostgRESTAuthenticatorResource.Refresh` — replace
  with `errors.Join` so both `resource.ErrNotFound` and the original
  error are independently unwrappable via `errors.Is`/`errors.As`.
diff --git a/server/internal/orchestrator/swarm/orchestrator.go b/server/internal/orchestrator/swarm/orchestrator.go
@@ -462,6 +462,10 @@ func (o *Orchestrator) GenerateServiceInstanceResources(spec *database.ServiceIn
 	// Service-type-specific resources.
 	var serviceSpecificResources []resource.Resource
 
+	// Hoisted PostgREST config — parsed once and reused in both the primary
+	// resource block and the per-node authenticator loop below.
+	var parsedPostgRESTConfig *database.PostgRESTServiceConfig
+
 	switch spec.ServiceSpec.ServiceType {
 	case "mcp":
 		mcpConfig, errs := database.ParseMCPServiceConfig(spec.ServiceSpec.Config, false)
@@ -489,10 +493,12 @@ func (o *Orchestrator) GenerateServiceInstanceResources(spec *database.ServiceIn
 		serviceSpecificResources = []resource.Resource{dataDir, mcpConfigResource}
 
 	case "postgrest":
-		postgrestConfig, errs := database.ParsePostgRESTServiceConfig(spec.ServiceSpec.Config)
+		var errs []error
+		parsedPostgRESTConfig, errs = database.ParsePostgRESTServiceConfig(spec.ServiceSpec.Config)
 		if len(errs) > 0 {
 			return nil, fmt.Errorf("failed to parse PostgREST service config: %w", errors.Join(errs...))
 		}
+		postgrestConfig := parsedPostgRESTConfig
 
 		preflight := &PostgRESTPreflightResource{
 			ServiceID:    spec.ServiceSpec.ServiceID,
@@ -594,14 +600,13 @@ func (o *Orchestrator) GenerateServiceInstanceResources(spec *database.ServiceIn
 				},
 			)
 			if spec.ServiceSpec.ServiceType == "postgrest" {
-				postgrestConfig, _ := database.ParsePostgRESTServiceConfig(spec.ServiceSpec.Config)
 				orchestratorResources = append(orchestratorResources,
 					&PostgRESTAuthenticatorResource{
 						ServiceID:    spec.ServiceSpec.ServiceID,
 						DatabaseID:   spec.DatabaseID,
 						DatabaseName: spec.DatabaseName,
 						NodeName:     nodeInst.NodeName,
-						DBAnonRole:   postgrestConfig.DBAnonRole,
+						DBAnonRole:   parsedPostgRESTConfig.DBAnonRole,
 						UserRoleID:   perNodeRWID,
 					},
 				)
diff --git a/server/internal/orchestrator/swarm/postgrest_authenticator_resource.go b/server/internal/orchestrator/swarm/postgrest_authenticator_resource.go
@@ -2,6 +2,7 @@ package swarm
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"github.com/jackc/pgx/v5"
@@ -97,7 +98,7 @@ func (r *PostgRESTAuthenticatorResource) Refresh(ctx context.Context, rc *resour
 		r.authenticatorUsername(),
 	).Scan(&noInherit)
 	if err != nil {
-		return fmt.Errorf("%w: role %q not found: %w", resource.ErrNotFound, r.authenticatorUsername(), err)
+		return fmt.Errorf("%w", errors.Join(resource.ErrNotFound, fmt.Errorf("role %q not found: %w", r.authenticatorUsername(), err)))
 	}
 	if !noInherit {
 		return fmt.Errorf("%w: role %q does not have NOINHERIT", resource.ErrNotFound, r.authenticatorUsername())
