fix: skip empty context

__tests__/rls.ts

@@ -53,6 +53,12 @@ describe('rls extension', () => {
       .resolves.toEqual([]);
   });
 
+  test('denied with empty context', async () => {
+    const model = client.$rls([]).obj;
+    await expect(model.findMany()) //
+      .rejects.toThrow(/denied/);
+  });
+
   test('allow with custom context', async () => {
     const model = client.$rls(context).obj;
     await expect(model.findMany()) //

prisma/migrations/0000_init/migration.sql

@@ -13,10 +13,13 @@ ALTER TABLE "Obj" ENABLE ROW LEVEL SECURITY;
 -- Force Row Level Security for table owners
 ALTER TABLE "Obj" FORCE ROW LEVEL SECURITY;
 
--- Create role for not exist
+-- Create role for not exist (mock supabase)
+-- CREATE ROLE authenticator WITH NOINHERIT LOGIN;
 -- CREATE ROLE authenticated;
 -- Grant `set role authenticated` perm to connected role(authenticator)
 -- GRANT authenticated to authenticator;
+-- GRANT ALL PRIVILEGES ON TABLE "Obj" TO authenticated;
+
 
 -- Create row security policies
-CREATE POLICY supabase_policy ON "Obj" TO "authenticated" USING ("uid" = (current_setting('request.jwt.claims', TRUE)::jsonb ->> 'sub')::uuid);
+CREATE POLICY supabase_policy ON "Obj" TO "authenticated" USING ("uid" = (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid);

src/prisma-extension-rls.ts

@@ -27,6 +27,10 @@ export function createContext(initial: ContextData) {
             };
 
             const merged = mergeContext(initial, context);
+            if (!merged.length) {
+              return query(rest);
+            }
+
             const sqlParts = merged.map(
               ([k, v]) => Prisma.sql`SET_CONFIG(${k}, ${stringify(v)}, TRUE)`
             );