pg-api 0.2.0

A high-performance PostgreSQL REST API driver with rate limiting, connection pooling, and observability
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.2.0] - 2026-05-20

### Changed
- **Real query parameterization**: replaced `substitute_params` (vulnerable to SQL injection) with `PgParam`/`ToSql` using `bytes::BytesMut`
- **Roles renamed**: `AccountRole::Owner` → `Superuser`, `AccountRole::ReadOnly` → `Readonly` (compatible with production)
- **list_tables**: checks `response.success` before accessing `data`

### Added
- `ApiResponse::error_with_details` for errors with extra details
- `ErrorInfo.details: Option<Value>` serialized as `null`
- `bytes = "1"` dependency for the `ToSql` implementation

### Fixed
- `list_tables` did not correctly propagate errors from the inner query

## [0.1.1] - 2025-02-16

### Added
- **Complete documentation for new users**:
  - `README.md` with quick start, badges and examples
  - `docs/API.md` with complete endpoint documentation
  - `docs/QUICKSTART.md` with a step-by-step tutorial
  - `examples/` with examples in cURL, Python and Rust
- **Automated tests**:
  - Unit tests for `auth`, `models`, `config`, `database`
  - Integration tests in `tests/` (health, auth, queries, rate limiting)
  - Benchmarks with Criterion in `benches/`
- Improved test coverage (from ~5% to ~40%)

### Changed
- Updated `Cargo.toml` with complete project metadata
- Updated `AGENTS.md` with development guidelines

## [0.1.0] - 2025-08-05

### Added
- Initial release of pg-api PostgreSQL driver service
- RESTful API endpoints for PostgreSQL database operations
- Authentication via API keys (X-API-Key header)
- Account-based access control with role-based permissions
- Database query execution endpoints:
  - `/v1/query` - Single query execution
  - `/v1/batch` - Batch query execution
  - `/v1/transaction` - Transactional query execution
- Database management endpoints:
  - `/v1/databases` - List and create databases
  - `/v1/databases/{name}` - Drop database
  - `/v1/databases/{db}/tables` - List tables
  - `/v1/databases/{db}/schema` - Get database schema
- Account management endpoints:
  - `/v1/account` - Get account information
  - `/v1/account/usage` - Get usage statistics
- Health check and status endpoints
- OpenAPI documentation at `/docs`
- Connection pooling using Deadpool
- Structured JSON logging with tracing
- CORS support
- Rate limiting middleware:
  - Sliding window rate limiter (60-second window)
  - Per-account rate limits configurable in account settings
  - Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)
  - 429 Too Many Requests responses when rate limit exceeded

### Security Features
- API key authentication required for all endpoints except health checks
- Role-based access control (Owner, Admin, User roles)
- Fine-grained database permissions (SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, etc.)
- Query permission validation based on account roles and database access

### Planned Features (Not Yet Implemented)
- Connection limiting per account
- Query timeout enforcement
- Audit logging for database operations

### Configuration
- Environment-based configuration support
- Instance and account configuration via JSON files
- Configurable server host, port, and log level

### Technical Details
- Built with Rust and Axum web framework
- Async/await throughout using Tokio
- PostgreSQL driver: tokio-postgres
- Connection pooling: deadpool-postgres
- JSON serialization: serde_json
- Date/time handling: chrono
- UUID support for identifiers