
Generating of zod types not working when using rbac. #26

Open
tonven opened this issue Jul 6, 2024 · 1 comment
Comments


tonven commented Jul 6, 2024

Hi. I have a question not directly related to your project. I am using your library and trying to generate zod types using this project: https://github.com/psteinroe/supabase-to-zod
The problem comes when I try to generate zod types. I get the following error:
Error: Some schemas can't be generated due to direct or indirect missing dependencies: dbPreRequestArgsSchema getUserClaimsArgsSchema jwtIsExpiredArgsSchema

As I understand it, this is because some properties are not defined from rbac. psteinroe/supabase-to-zod#32
Do you have an idea how it can be fixed without manually updating the zod definitions?

point-source (Owner) commented

I am not really familiar with what a zod is, but that may be irrelevant here. It seems to me there are two issues going on:

1. The functions generated by supabase.ts suggest these functions have args while they do not:

```ts
db_pre_request: {
  Args: Record<PropertyKey, never>
  Returns: undefined
}
get_user_claims: {
  Args: Record<PropertyKey, never>
  Returns: Json
}
jwt_is_expired: {
  Args: Record<PropertyKey, never>
  Returns: boolean
}
```

Here are the function definitions:

```sql
create or replace function @extschema@.db_pre_request () returns void language plpgsql stable security definer
set search_path = @extschema@ as $function$
declare
    groups jsonb;
begin
    -- get current groups from auth.users
    select raw_app_meta_data->'groups' from auth.users into groups where id = auth.uid();
    -- store it in the request object
    perform set_config('request.groups'::text, groups::text, false /* applies to transaction if true, session if false */);
end;
$function$;

create or replace function @extschema@.get_user_claims () returns jsonb language sql stable
set search_path = @extschema@ as $function$
select coalesce(current_setting('request.groups', true)::jsonb, auth.jwt()->'app_metadata'->'groups')::jsonb
$function$;

create or replace function @extschema@.jwt_is_expired () returns boolean language plpgsql stable
set search_path = @extschema@ as $function$
begin
  return extract(epoch from now()) > coalesce(auth.jwt()->>'exp', '0')::numeric;
end;
$function$;
```

As you can see, supabase is correctly identifying the return types but not the required args (which should be none as far as I know). This may be either something I don't fully understand or a bug in the way these supabase.ts files are generated. Might be worth opening an issue on the supabase tracker.

2. More critically, these functions should never be called via the postgrest api (or any external system).

This is likely showing up this way because you installed the plugin into the public schema which is what supabase.ts is generated from, as far as I know. While a potential fix is to install this plugin in a different schema, I should either prevent installation in public or find a way to prevent these functions from being surfaced in the postgrest api and hopefully therefore the supabase.ts file.

I am looking into ways to further secure this and may eventually make it so that this library is only available for install in non-public schemas for both security and compatibility reasons. Thoughts?
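The "install it in a different schema" fix the maintainer describes, worked through as an added example (editor's code, not the project's own and not from either participant): the three functions quoted above are created in a private schema that PostgREST does not expose, the API roles get only the EXECUTE they need for the pre-request hook, and an audit query lists anything still exposed in public. Assumed names: the schema `rbac` is hypothetical; `anon`, `authenticated` and `authenticator` are the standard Supabase roles; `pgrst.db_pre_request` is PostgREST's in-database configuration setting for the `db-pre-request` hook.

```sql
-- Added example, not the project's code. Hypothetical schema name: rbac.
-- Roles anon / authenticated / authenticator are the standard Supabase ones.

-- 1. A schema that is NOT in PostgREST's exposed-schema list
--    (PostgREST config db-schemas; Supabase dashboard: API settings -> Exposed schemas).
create schema if not exists rbac;

-- 2. The same three functions as quoted in the thread, created under rbac instead of public.
create or replace function rbac.db_pre_request() returns void
language plpgsql stable security definer set search_path = rbac as $$
declare
  groups jsonb;
begin
  -- security definer: reads auth.users, which the API roles cannot read directly
  select raw_app_meta_data->'groups' from auth.users into groups where id = auth.uid();
  -- same scope as the original (false = session-level setting)
  perform set_config('request.groups', groups::text, false);
end;
$$;

create or replace function rbac.get_user_claims() returns jsonb
language sql stable set search_path = rbac as $$
  select coalesce(current_setting('request.groups', true)::jsonb,
                  auth.jwt()->'app_metadata'->'groups');
$$;

create or replace function rbac.jwt_is_expired() returns boolean
language plpgsql stable set search_path = rbac as $$
begin
  return extract(epoch from now()) > coalesce(auth.jwt()->>'exp', '0')::numeric;
end;
$$;

-- 3. The pre-request hook runs as the request's role (anon/authenticated) after the
--    authenticator switches roles, so those roles need EXECUTE; nobody else gets it.
--    New functions default to EXECUTE for PUBLIC, so revoke that first.
revoke all on schema rbac from public;
grant usage on schema rbac to anon, authenticated;
revoke execute on all functions in schema rbac from public;
grant execute on function rbac.db_pre_request(), rbac.get_user_claims(), rbac.jwt_is_expired()
  to anon, authenticated;

-- 4. Point PostgREST at the hook; in-database config is read from the authenticator role.
alter role authenticator set pgrst.db_pre_request = 'rbac.db_pre_request';
notify pgrst, 'reload config';

-- 5. Audit: every function in an exposed schema that an API role can execute is an RPC
--    endpoint and will show up in generated types. None of the rbac helpers should be listed.
select n.nspname as schema, p.proname as function, r.rolname as role
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
cross join (values ('anon'), ('authenticated')) as r(rolname)
where n.nspname = 'public'
  and has_function_privilege(r.rolname, p.oid, 'execute')
order by 1, 2, 3;
```

Because `rbac` is not an exposed schema, PostgREST never lists these functions as `/rpc/...` endpoints, and `supabase gen types` run against `public` no longer emits them, which also removes the `...ArgsSchema` entries supabase-to-zod was failing on. RLS policies keep calling them, just schema-qualified (`rbac.get_user_claims()`). If the project is installed as a Postgres extension (the `@extschema@` placeholder in the quoted definitions suggests it is), `create extension ... schema rbac` gives the same placement, provided the extension's control file allows choosing the schema. The audit query is worth keeping in CI: it will catch the next helper that lands in `public` with the default EXECUTE grant.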
