- Fix 5 source files corrupted with markdown formatting by previous AI
- Remove secret logging from auth middleware, signup, and recovery handlers
- Add role validation (ALLOWED_ROLES allowlist) to all 10 data_api + storage handlers
- Fix JavaScript injection in Deno runtime via double-serialization
- Add UUID validation to TUS upload paths to prevent path traversal
- Gate token issuance on email confirmation (AUTH_AUTO_CONFIRM env var)
- Reject unconfirmed users on login with 403
- Prevent OAuth account takeover (409 on email conflict with different provider)
- Replace permissive CORS (allow_origin Any) with ALLOWED_ORIGINS env var
- Wire session-based admin auth into control plane, add POST /platform/v1/login
- Hide secrets from list_projects API via ProjectSummary struct
- Add missing deps (redis, uuid, chrono, tower-http fs feature)
- Fix http version mismatch between reqwest 0.11 and axum 0.7 in proxy
- Clean up all unused imports across workspace

Build: zero errors, zero warnings.
Tests: 10 passed, 0 failed.

Made-with: Cursor
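The UUID check the commit message names for TUS upload paths, sketched as an added example; this is not MadBase's own code. The function names, the base directory and the std-only UUID parser are assumptions made for illustration.

```rust
use std::path::{Path, PathBuf};

/// True only for the canonical 8-4-4-4-12 hyphenated hex form.
/// Hand-rolled with std so the example has no dependencies; a service
/// would more likely call a UUID parsing crate.
fn is_canonical_uuid(s: &str) -> bool {
    let b = s.as_bytes();
    if b.len() != 36 {
        return false;
    }
    b.iter().enumerate().all(|(i, c)| match i {
        8 | 13 | 18 | 23 => *c == b'-',
        _ => c.is_ascii_hexdigit(),
    })
}

/// Maps a client-supplied upload id to a file under `base` (hypothetical layout).
/// An id that passes the check cannot contain '/', '\\', '.', '%' or NUL,
/// so the join below cannot leave `base`. Without the check, `Path::join`
/// would follow "../" segments and, given an absolute id such as
/// "/etc/passwd", discard `base` entirely.
fn upload_path(base: &Path, upload_id: &str) -> Result<PathBuf, &'static str> {
    if !is_canonical_uuid(upload_id) {
        return Err("invalid upload id");
    }
    // Lowercase so "AB.." and "ab.." cannot address two different files.
    Ok(base.join(upload_id.to_ascii_lowercase()))
}

fn main() {
    let base = Path::new("/var/lib/madbase/tus"); // assumed directory
    // Constructed sample ids: one valid, four that must be rejected.
    for id in [
        "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b",
        "../../etc/passwd",
        "/etc/passwd",
        "3f2b8c1e-9a4d-4e6f-8b7a-1c2d3e4f5a6b/../x",
        "..%2f..%2fetc%2fpasswd",
    ] {
        println!("{:?} -> {:?}", id, upload_path(base, id));
    }
}
```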
MadBase
MadBase is an open-source, high-performance Backend-as-a-Service (BaaS) written in Rust. It serves as a lightweight alternative to Supabase, providing a comprehensive suite of tools for building modern web and mobile applications.
🚀 Features
MadBase consolidates the following services into a single, efficient binary:
- 🔐 Authentication (/auth/v1)
  - User Signup & Login (Email/Password).
  - JWT-based Session Management.
  - Row Level Security (RLS) integration with PostgreSQL.
- 💾 Data API (/rest/v1)
  - Auto-generated REST API for your Postgres tables.
  - CRUD operations (Select, Insert, Update, Delete).
  - Filtering, Pagination, and Ordering.
  - Stored Procedure (RPC) calls.
- ⚡ Realtime (/realtime/v1)
  - WebSocket-based event streaming.
  - Listen to database changes via Postgres LISTEN/NOTIFY.
- 📦 Storage (/storage/v1)
  - S3-compatible object storage (backed by MinIO).
  - File Upload, Download, and Management.
  - Integrated RLS permissions for buckets and objects.
- 🎛️ Control Plane (/platform/v1)
  - Project Management.
  - Automatic API Key Generation (anon and service_role).
🛠️ Architecture
MadBase is built as a modular monolith in Rust, utilizing the Axum web framework for high performance and low latency.
- Gateway: The central entry point that routes requests to appropriate internal modules.
- PostgreSQL: The primary database for data, auth, and system state.
- MinIO: S3-compatible object storage.
🏁 Getting Started
Prerequisites
- Rust (latest stable)
- Docker & Docker Compose (for DB and MinIO)
- PostgreSQL Client (optional, for debugging)
Installation
- Clone the repository:
    git clone https://github.com/yourusername/madbase.git
    cd madbase
- Start Infrastructure: Spin up PostgreSQL and MinIO using Docker Compose:
    docker-compose up -d
- Run Migrations: Initialize the database schema:
    sqlx migrate run
  (Note: You may need to install sqlx-cli: cargo install sqlx-cli)
- Start the Gateway: Run the main server:
    cargo run -p gateway
  The server will start at http://0.0.0.0:8000.
📖 Usage Guide
1. Create a Project
Use the Control Plane to initialize a project and get your API keys.
curl -X POST http://localhost:8000/platform/v1/projects \
-H "Content-Type: application/json" \
-d '{"name": "my-awesome-app"}'
Response:
{
"id": "...",
"anon_key": "eyJ...",
"service_role_key": "eyJ...",
...
}
Save the anon_key and service_role_key!
2. Authentication
Sign up a new user:
curl -X POST http://localhost:8000/auth/v1/signup \
-H "apikey: <ANON_KEY>" \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "securepassword"}'
3. Data Operations
Query a table (e.g., users):
curl -X GET "http://localhost:8000/rest/v1/users?select=*" \
-H "apikey: <ANON_KEY>" \
-H "Authorization: Bearer <USER_ACCESS_TOKEN>"
4. Realtime
Connect via WebSocket:
ws://localhost:8000/realtime/v1
5. Storage
Upload a file:
curl -X POST http://localhost:8000/storage/v1/object/my-bucket/image.png \
-H "apikey: <ANON_KEY>" \
-H "Authorization: Bearer <USER_ACCESS_TOKEN>" \
-F "file=@./local-image.png"
🗺️ Roadmap
See ROADMAP.md for detailed progress and future plans.
📄 License
MIT