add a new "sqlpage.header" function and improve error handling in functions

Author: lovasoa

build.rs

@@ -55,7 +55,7 @@ fn hashed_filename(path: &Path) -> String {
     loop {
         let bytes_read = file
             .read(&mut buf)
-            .expect(&format!("error reading {}", path.display()));
+            .unwrap_or_else(|e| panic!("error reading '{}': {}", path.display(), e));
         if bytes_read == 0 {
             break;
         }

examples/official-site/functions.sql

@@ -0,0 +1,37 @@
+select 'dynamic' as component, properties FROM example WHERE component = 'shell' LIMIT 1;
+
+select 'text' as component, 'SQLPage built-in functions' as title;
+select '
+In addition to normal SQL functions supported by your database,
+SQLPage provides a few special functions to help you extract data from user requests.
+
+These functions are special, because they are not executed inside your database,
+but by SQLPage itself before sending the query to your database.
+Thus, they require all the parameters to be known at the time the query is sent to your database.
+Function parameters cannot reference columns from the rest of your query.
+' as contents_md;
+
+select 'list' as component, 'SQLPage functions' as title;
+select name as title,
+    icon,
+    '?function=' || name || '#function' as link,
+    $function = name as active
+from sqlpage_functions
+order by name;
+
+select 'text' as component,
+        'The sqlpage.' || $function || ' function' as title,
+        'function' as id
+    where $function IS NOT NULL;
+
+SELECT description_md as contents_md FROM sqlpage_functions WHERE name = $function;
+
+select 'title' as component, 3 as level, 'Parameters' as contents where $function IS NOT NULL AND EXISTS (SELECT 1 from sqlpage_function_parameters where "function" = $function);
+select 'card' as component, 3 AS columns where $function IS NOT NULL;
+select
+    name as title,
+    description_md as description,
+    type as footer,
+    'azure' as color
+from sqlpage_function_parameters where "function" = $function
+ORDER BY "index";

examples/official-site/sqlpage/migrations/05_cookie.sql

@@ -88,7 +88,7 @@ SELECT ''cookie'' as component,
         ''John Doe'' as value;
 ```
 
-and then display the value of the cookie:
+and then display the value of the cookie using the [`sqlpage.cookie`](functions.sql?function=cookie) function:
     
 ```sql
 SELECT ''text'' as component,

examples/official-site/sqlpage/migrations/07_authentication.sql

@@ -0,0 +1,68 @@
+-- Insert the http_header component into the component table
+INSERT INTO component (name, description, icon)
+VALUES (
+        'authentication',
+        'An advanced component that can be used to create pages with password-restricted access.
+        When used, this component has to be at the top of your page, because once the page has begun being sent to the browser, it is too late to restrict access to it.
+        The authentication component checks if the user has sent the correct password, and if not, redirects them to the URL specified in the link parameter.
+        If you don''t want to re-check the password on every page (which is an expensive operation),
+        you can check the password only once and store a session token in your database. 
+        You can use the cookie component to set the session token cookie in the client browser,
+        and then check whether the token matches what you stored in subsequent pages.',
+        'lock'
+    );
+-- Insert the parameters for the http_header component into the parameter table
+INSERT INTO parameter (
+        component,
+        name,
+        description,
+        type,
+        top_level,
+        optional
+    )
+VALUES (
+        'authentication',
+        'link',
+        'The URL to redirect the user to if they are not logged in.',
+        'TEXT',
+        TRUE,
+        TRUE
+    ),
+    (
+        'authentication',
+        'password',
+        'The password that was sent by the user. You can set this to :password if you have a login form leading to your page.',
+        'TEXT',
+        TRUE,
+        TRUE
+    ),
+    (
+        'authentication',
+        'password_hash',
+        'The hash of the password that you stored for the user that is currently trying to log in. These hashes can be generated ahead of time using a tool like https://argon2.online/.',
+        'TEXT',
+        TRUE,
+        TRUE
+    );
+
+-- Insert an example usage of the http_header component into the example table
+INSERT INTO example (component, description)
+VALUES (
+        'authentication',
+        '
+The most basic usage of the authentication component is to simply check if the user has sent the correct password, and if not, redirect them to a login page: 
+
+```sql
+SELECT ''authentication'' AS component,
+    ''/login'' AS link,
+    ''$argon2id$v=19$m=16,t=2,p=1$TERTd0lIcUpraWFTcmRQYw$+bjtag7Xjb6p1dsuYOkngw'' AS password_hash, -- generated using https://argon2.online/
+    :password AS password; -- this is the password that the user sent through our form
+```
+
+and in `login.sql` :
+
+```sql
+SELECT ''form'' AS component, ''Login'' AS title, ''my_protected_page.sql'' AS action;
+SELECT ''password'' AS type, ''password'' AS name, ''Password'' AS label;
+```
+');

examples/official-site/sqlpage/migrations/08_functions.sql

@@ -0,0 +1,74 @@
+CREATE TABLE IF NOT EXISTS sqlpage_functions (
+    "name" TEXT PRIMARY KEY,
+    "icon" TEXT,
+    "description_md" TEXT,
+    "return_type" TEXT
+);
+CREATE TABLE IF NOT EXISTS sqlpage_function_parameters (
+    "function" TEXT REFERENCES sqlpage_functions("name"),
+    "index" INTEGER,
+    "name" TEXT,
+    "description_md" TEXT,
+    "type" TEXT
+);
+INSERT INTO sqlpage_functions ("name", "icon", "description_md")
+VALUES (
+        'cookie',
+        'cookie',
+        'Reads a [cookie](https://en.wikipedia.org/wiki/HTTP_cookie) with the given name from the request.
+    Returns the value of the cookie as text, or NULL if the cookie is not present.
+
+### Example
+
+Read a cookie called `username` and greet the user by name:
+
+```sql
+SELECT ''text'' as component,
+        ''Hello, '' || sqlpage.cookie(''username'') || ''!'' as contents;
+```
+'
+    );
+INSERT INTO sqlpage_function_parameters (
+        "function",
+        "index",
+        "name",
+        "description_md",
+        "type"
+    )
+VALUES (
+        'cookie',
+        1,
+        'name',
+        'The name of the cookie to read.',
+        'TEXT'
+    );
+INSERT INTO sqlpage_functions ("name", "icon", "description_md")
+VALUES (
+        'header',
+        'heading',
+        'Reads a [header](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields) with the given name from the request.
+    Returns the value of the header as text, or NULL if the header is not present.
+
+### Example
+
+Log the [`User-Agent`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent) of the browser making the request in the database:
+
+```sql
+INSERT INTO user_agent_log (user_agent) VALUES (sqlpage.header(''user-agent''));
+```
+    '
+    );
+INSERT INTO sqlpage_function_parameters (
+        "function",
+        "index",
+        "name",
+        "description_md",
+        "type"
+    )
+VALUES (
+        'header',
+        1,
+        'name',
+        'The name of the HTTP header to read.',
+        'TEXT'
+    );

src/webserver/database/mod.rs

@@ -117,7 +117,7 @@ pub async fn stream_query_results_direct<'a>(
         for res in &sql_file.statements {
             match res {
                 Ok(stmt)=>{
-                    let query = bind_parameters(stmt, request);
+                    let query = bind_parameters(stmt, request)?;
                     let mut stream = query.fetch_many(&db.connection);
                     while let Some(elem) = stream.next().await {
                         yield elem.with_context(|| format!("Error while running SQL: {stmt}"))
@@ -141,7 +141,7 @@ fn clone_anyhow_err(err: &anyhow::Error) -> anyhow::Error {
 fn bind_parameters<'a>(
     stmt: &'a PreparedStatement,
     request: &'a RequestInfo,
-) -> Query<'a, sqlx::Any, AnyArguments<'a>> {
+) -> anyhow::Result<Query<'a, sqlx::Any, AnyArguments<'a>>> {
     let mut arguments = AnyArguments::default();
     for param in &stmt.parameters {
         let argument = match param {
@@ -152,6 +152,8 @@ fn bind_parameters<'a>(
                 .get(x)
                 .or_else(|| request.get_variables.get(x)),
             StmtParam::Cookie(x) => request.cookies.get(x),
+            StmtParam::Header(x) => request.headers.get(x),
+            StmtParam::Error(x) => anyhow::bail!("{}", x),
         };
         log::debug!("Binding value {:?} in statement {}", &argument, stmt);
         match argument {
@@ -162,7 +164,7 @@ fn bind_parameters<'a>(
             }
         }
     }
-    stmt.statement.query_with(arguments)
+    Ok(stmt.statement.query_with(arguments))
 }
 
 #[derive(Debug)]
@@ -300,6 +302,8 @@ enum StmtParam {
     Post(String),
     GetOrPost(String),
     Cookie(String),
+    Header(String),
+    Error(String),
 }
 
 #[actix_web::test]

src/webserver/database/sql.rs

@@ -148,32 +148,35 @@ impl ParameterExtractor {
         mut arguments: Vec<FunctionArg>,
     ) -> Expr {
         #[allow(clippy::single_match_else)]
-        match (func_name, arguments.as_mut_slice()) {
-            (
-                "cookie",
-                [FunctionArg::Unnamed(FunctionArgExpr::Expr(Expr::Value(
-                    Value::SingleQuotedString(cookie_name),
-                )))],
-            ) => {
-                let placeholder = self.make_placeholder();
-                self.parameters
-                    .push(StmtParam::Cookie(std::mem::take(cookie_name)));
-                placeholder
+        let placeholder = self.make_placeholder();
+        let param = match func_name {
+            "cookie" => extract_single_quoted_string("cookie", &mut arguments)
+                .map_or_else(StmtParam::Error, StmtParam::Cookie),
+            "header" => extract_single_quoted_string("header", &mut arguments)
+                .map_or_else(StmtParam::Error, StmtParam::Header),
+            unknown_name => {
+                StmtParam::Error(format!("Unknown function {unknown_name}({arguments:#?})"))
             }
-            _ => {
-                log::warn!(
-                    "Unsupported SQLPage function: {func_name} with arguments {arguments:#?}"
-                );
-                Expr::Function(Function {
-                    name: ObjectName(vec![Ident::new("unsupported_sqlpage_function")]),
-                    args: arguments,
-                    special: false,
-                    distinct: false,
-                    over: None,
-                    order_by: vec![],
-                })
-            }
-        }
+        };
+        self.parameters.push(param);
+        placeholder
+    }
+}
+
+fn extract_single_quoted_string(
+    func_name: &'static str,
+    arguments: &mut [FunctionArg],
+) -> Result<String, String> {
+    if let [FunctionArg::Unnamed(FunctionArgExpr::Expr(Expr::Value(Value::SingleQuotedString(
+        param_value,
+    ))))] = arguments
+    {
+        Ok(std::mem::take(param_value))
+    } else {
+        Err(format!(
+            "{func_name}({args}) is not a valid call. Expected a literal single quoted string.",
+            args = arguments.iter().map(ToString::to_string).collect::<Vec<_>>().join(", ")
+        ))
     }
 }