understood-app/database-migrations-performance.sql at main · dblaira/understood-app · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
-- Performance & Security Fixes Migration
-- Run these SQL commands in your Supabase SQL Editor
-- Generated: 2026-02-01

-- =============================================================================
-- FIX 1: RLS PERFORMANCE OPTIMIZATION (auth_rls_initplan)
-- Problem: auth.uid() is re-evaluated for each row, causing slow queries at scale
-- Solution: Wrap in (select auth.uid()) to evaluate once per query
-- =============================================================================

-- Drop existing entries policies
DROP POLICY IF EXISTS "Users can view their own entries" ON entries;
DROP POLICY IF EXISTS "Users can insert their own entries" ON entries;
DROP POLICY IF EXISTS "Users can update their own entries" ON entries;
DROP POLICY IF EXISTS "Users can delete their own entries" ON entries;

-- Recreate with optimized pattern
CREATE POLICY "Users can view their own entries"
  ON entries FOR SELECT
  USING ((select auth.uid()) = user_id);

CREATE POLICY "Users can insert their own entries"
  ON entries FOR INSERT
  WITH CHECK ((select auth.uid()) = user_id);

CREATE POLICY "Users can update their own entries"
  ON entries FOR UPDATE
  USING ((select auth.uid()) = user_id)
  WITH CHECK ((select auth.uid()) = user_id);

CREATE POLICY "Users can delete their own entries"
  ON entries FOR DELETE
  USING ((select auth.uid()) = user_id);

-- Drop existing weekly_themes policies
DROP POLICY IF EXISTS "Users can view own weekly themes" ON weekly_themes;
DROP POLICY IF EXISTS "Users can insert own weekly themes" ON weekly_themes;
DROP POLICY IF EXISTS "Users can update own weekly themes" ON weekly_themes;
DROP POLICY IF EXISTS "Users can delete own weekly themes" ON weekly_themes;

-- Recreate with optimized pattern
CREATE POLICY "Users can view own weekly themes"
  ON weekly_themes FOR SELECT
  USING ((select auth.uid()) = user_id);

CREATE POLICY "Users can insert own weekly themes"
  ON weekly_themes FOR INSERT
  WITH CHECK ((select auth.uid()) = user_id);

CREATE POLICY "Users can update own weekly themes"
  ON weekly_themes FOR UPDATE
  USING ((select auth.uid()) = user_id)
  WITH CHECK ((select auth.uid()) = user_id);

CREATE POLICY "Users can delete own weekly themes"
  ON weekly_themes FOR DELETE
  USING ((select auth.uid()) = user_id);

-- =============================================================================
-- FIX 2: FUNCTION SEARCH_PATH SECURITY
-- Problem: increment_entry_view_count has mutable search_path (security risk)
-- Solution: Set search_path explicitly in function definition
-- =============================================================================

CREATE OR REPLACE FUNCTION increment_entry_view_count(entry_id UUID, owner_id UUID)
RETURNS BOOLEAN
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public
AS $$
DECLARE
  rows_updated INTEGER;
BEGIN
  UPDATE entries
  SET view_count = COALESCE(view_count, 0) + 1
  WHERE id = entry_id AND user_id = owner_id;

  GET DIAGNOSTICS rows_updated = ROW_COUNT;
  RETURN rows_updated > 0;
END;
$$;

-- =============================================================================
-- VERIFICATION QUERIES (run to confirm fixes)
-- =============================================================================

-- Check entries policies (should show optimized pattern)
-- SELECT policyname, qual FROM pg_policies WHERE tablename = 'entries';

-- Check weekly_themes policies
-- SELECT policyname, qual FROM pg_policies WHERE tablename = 'weekly_themes';

-- Check function definition
-- SELECT prosrc FROM pg_proc WHERE proname = 'increment_entry_view_count';