# class Database The `Database` class represents a connection that can prepare and execute SQL statements. ## Methods ### new Database(path, [options]) ⇒ Database Creates a new database connection. | Param | Type | Description | | ------- | ------------------- | ------------------------- | | path | string | Path to the database file | | options | object | Options. | The `path` parameter points to the SQLite database file to open. If the file pointed to by `path` does not exists, it will be created. To open an in-memory database, please pass `:memory:` as the `path` parameter. You can use the `options` parameter to specify various options. Options supported by the parameter are: - `syncUrl`: open the database as embedded replica synchronizing from the provided URL. - `syncPeriod`: synchronize the database periodically every `syncPeriod` seconds. - `authToken`: authentication token for the provider URL (optional). - `timeout`: number of milliseconds to wait on locked database before returning `SQLITE_BUSY` error - `defaultQueryTimeout`: default maximum number of milliseconds a query is allowed to run before being interrupted with `SQLITE_INTERRUPT` error The function returns a `Database` object. ### prepare(sql) ⇒ Statement Prepares a SQL statement for execution. | Param | Type | Description | | ------ | ------------------- | ------------------------------------ | | sql | string | The SQL statement string to prepare. | The function returns a `Statement` object. ### run(sql[, ...bindParameters][, queryOptions]) ⇒ object Convenience wrapper that prepares `sql` and executes `Statement.run`. Returns the same info object as `Statement.run` (`changes` and `lastInsertRowid`). | Param | Type | Description | | -------------- | ------------------- | -------------------------------------------------------------------- | | sql | string | The SQL statement string. | | bindParameters | any | Optional positional or named bind parameters. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | **Note:** This is an extension in libSQL and not available in `better-sqlite3`. ### get(sql[, ...bindParameters][, queryOptions]) ⇒ row Convenience wrapper that prepares `sql` and executes `Statement.get`. Returns the first row, or `undefined` if no row matched. | Param | Type | Description | | -------------- | ------------------- | -------------------------------------------------------------------- | | sql | string | The SQL statement string. | | bindParameters | any | Optional positional or named bind parameters. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | **Note:** This is an extension in libSQL and not available in `better-sqlite3`. ### all(sql[, ...bindParameters][, queryOptions]) ⇒ array of rows Convenience wrapper that prepares `sql` and executes `Statement.all`. Returns all matching rows as an array. | Param | Type | Description | | -------------- | ------------------- | -------------------------------------------------------------------- | | sql | string | The SQL statement string. | | bindParameters | any | Optional positional or named bind parameters. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | **Note:** This is an extension in libSQL and not available in `better-sqlite3`. ### iterate(sql[, ...bindParameters][, queryOptions]) ⇒ iterator Convenience wrapper that prepares `sql` and executes `Statement.iterate`. Returns an async iterator over the resulting rows. | Param | Type | Description | | -------------- | ------------------- | -------------------------------------------------------------------- | | sql | string | The SQL statement string. | | bindParameters | any | Optional positional or named bind parameters. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | **Note:** This is an extension in libSQL and not available in `better-sqlite3`. ### transaction(function) ⇒ function Returns a function that runs the given function in a transaction. | Param | Type | Description | | -------- | --------------------- | ------------------------------------- | | function | function | The function to run in a transaction. | ### pragma(string, [options]) ⇒ results This function is currently not supported. ### backup(destination, [options]) ⇒ promise This function is currently not supported. ### serialize([options]) ⇒ Buffer This function is currently not supported. ### function(name, [options], function) ⇒ this This function is currently not supported. ### aggregate(name, options) ⇒ this This function is currently not supported. ### table(name, definition) ⇒ this This function is currently not supported. ### authorizer(config) ⇒ this Configure authorization rules for the database. Accepts three formats: - **Legacy format** — a map from table name to `Authorization.ALLOW` or `Authorization.DENY` - **Rule-based format** — an `AuthorizerConfig` object with ordered rules and pattern matching - **`null`** — removes the authorizer entirely #### Legacy format A simple object mapping table names to `Authorization.ALLOW` (0) or `Authorization.DENY` (1). Tables without an entry are denied by default. ```javascript const { Authorization } = require('libsql'); db.authorizer({ "users": Authorization.ALLOW, "secrets": Authorization.DENY, }); // Access to "users" is allowed. const stmt = db.prepare("SELECT * FROM users"); // Access to "secrets" throws SQLITE_AUTH. const stmt = db.prepare("SELECT * FROM secrets"); // Error! ``` #### Rule-based format An object with a `rules` array and an optional `defaultPolicy`. Rules are evaluated in order — **first match wins**. If no rule matches, `defaultPolicy` applies (defaults to `DENY`). ```javascript const { Authorization, Action } = require('libsql'); db.authorizer({ rules: [ // Hide sensitive columns (returns NULL instead of the real value) { action: Action.READ, table: "users", column: "password_hash", policy: Authorization.IGNORE }, { action: Action.READ, table: "users", column: "ssn", policy: Authorization.IGNORE }, // Allow all reads { action: Action.READ, policy: Authorization.ALLOW }, // Allow inserts on tables matching a glob pattern { action: Action.INSERT, table: { glob: "logs_*" }, policy: Authorization.ALLOW }, // Deny DDL operations { action: [Action.CREATE_TABLE, Action.DROP_TABLE, Action.ALTER_TABLE], policy: Authorization.DENY }, // Allow transactions and selects { action: Action.TRANSACTION, policy: Authorization.ALLOW }, { action: Action.SELECT, policy: Authorization.ALLOW }, ], defaultPolicy: Authorization.DENY, }); ``` #### AuthRule fields | Field | Type | Description | | -------- | ----------------------------------------- | -------------------------------------------------------------------- | | action | number \| number[] | Action code(s) to match (from `Action`). Omit to match all actions. | | table | string \| { glob: string } | Table name pattern. Omit to match any table. | | column | string \| { glob: string } | Column name pattern (relevant for READ/UPDATE). Omit to match any. | | entity | string \| { glob: string } | Entity name (index, trigger, view, pragma, function). Omit to match any. | | accessor | string \| { glob: string } | The innermost trigger or view that caused this access. See below. | | policy | number | `Authorization.ALLOW`, `Authorization.DENY`, or `Authorization.IGNORE`. | #### Accessor field The `accessor` field corresponds to the 4th argument of SQLite's C-level authorizer callback. When a READ occurs because a view is being expanded, SQLite sets this to the view name. For direct table access, it is `null`. This enables **view-scoped authorization**: you can allow reads from an underlying table only when accessed through a specific view, while blocking direct access. ```javascript db.authorizer({ rules: [ { action: Action.SELECT, policy: Authorization.ALLOW }, // Allow reads from the view itself { action: Action.READ, table: "my_view", policy: Authorization.ALLOW }, // Allow reads from the underlying table ONLY when accessed via my_view { action: Action.READ, table: "underlying_data", accessor: "my_view", policy: Authorization.ALLOW }, ], defaultPolicy: Authorization.DENY, }); // Works — accessed through the view db.prepare("SELECT * FROM my_view"); // Blocked — direct access has accessor=null, which doesn't match "my_view" db.prepare("SELECT * FROM underlying_data"); // Error: SQLITE_AUTH ``` #### Pattern matching Pattern fields (`table`, `column`, `entity`, `accessor`) accept either: - A **plain string** for exact matching: `"users"` - An **object with a `glob` key** for glob matching: `{ glob: "logs_*" }` Glob patterns support `*` (match any number of characters) and `?` (match exactly one character). ```javascript // Exact match { action: Action.READ, table: "users", policy: Authorization.ALLOW } // Glob: all tables starting with "logs_" { action: Action.READ, table: { glob: "logs_*" }, policy: Authorization.ALLOW } // Glob: single-character wildcard { action: Action.READ, table: { glob: "t?_data" }, policy: Authorization.ALLOW } // Glob: match all tables { action: Action.READ, table: { glob: "*" }, policy: Authorization.ALLOW } ``` #### Authorization values | Value | Effect | | -------------------------- | ---------------------------------------------------------------------- | | `Authorization.ALLOW` (0) | Permit the operation. | | `Authorization.DENY` (1) | Reject the entire SQL statement with a `SQLITE_AUTH` error. | | `Authorization.IGNORE` (2) | For READ: return NULL instead of the column value. Otherwise: deny. | #### Removing the authorizer Pass `null` to remove the authorizer and allow all operations: ```javascript db.authorizer(null); ``` ### loadExtension(path, [entryPoint]) ⇒ this Loads a SQLite3 extension ### exec(sql[, queryOptions]) ⇒ this Executes a SQL statement. | Param | Type | Description | | ------ | ------------------- | ------------------------------------ | | sql | string | The SQL statement string to execute. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | ### batch(statements, [options]) ⇒ array of ResultSet Executes a batch of SQL statements sequentially and returns one `ResultSet` per input statement. Each statement may be a SQL string or an object of the form `{ sql, args }`, where `args` is an array (positional) or an object (named) of bind parameters. `options` may be a transaction mode string for compatibility, or an object with `mode` and `raw` fields. Set `raw: true` to return reader rows in the same array form as `Statement.raw().all()`. | Param | Type | Description | | ---------- | ------------------- | ------------------------------------ | | statements | array | The statements to execute. | | options | string \| object | Optional transaction mode string or `{ mode, raw }` object. When `mode` is provided and the connection is not already in a transaction, the batch runs inside a transaction that is rolled back if any statement fails. When `raw` is true, reader rows are arrays. | Each `ResultSet` has the following shape: | Field | Type | Description | | --------------- | ----------------------------- | --------------------------------------------- | | columns | string[] | The column names of the result. | | columnTypes | string[] | The declared column types of the result. | | rows | Row[] | Rows returned by `Statement.all()`. | | rowsAffected | number | The number of rows changed by the statement. | Mutation result sets intentionally expose `rowsAffected` only. Unlike `Statement.run()`, `batch()` result sets do not include `lastInsertRowid`. **Note:** This is an extension in libSQL and not available in `better-sqlite3`. ### interrupt() ⇒ this Cancel ongoing operations and make them return at earliest opportunity. **Note:** This is an extension in libSQL and not available in `better-sqlite3`. ### close() ⇒ this Closes the database connection. # class Statement ## Methods ### run([...bindParameters][, queryOptions]) ⇒ object Executes the SQL statement and returns an info object. | Param | Type | Description | | -------------- | ----------------------------- | ------------------------------------------------ | | bindParameters | array of objects | The bind parameters for executing the statement. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | The returned info object contains two properties: `changes` that describes the number of modified rows and `info.lastInsertRowid` that represents the `rowid` of the last inserted row. ### get([...bindParameters][, queryOptions]) ⇒ row Executes the SQL statement and returns the first row. | Param | Type | Description | | -------------- | ----------------------------- | ------------------------------------------------ | | bindParameters | array of objects | The bind parameters for executing the statement. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | ### all([...bindParameters][, queryOptions]) ⇒ array of rows Executes the SQL statement and returns an array of the resulting rows. | Param | Type | Description | | -------------- | ----------------------------- | ------------------------------------------------ | | bindParameters | array of objects | The bind parameters for executing the statement. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | ### iterate([...bindParameters][, queryOptions]) ⇒ iterator Executes the SQL statement and returns an iterator to the resulting rows. | Param | Type | Description | | -------------- | ----------------------------- | ------------------------------------------------ | | bindParameters | array of objects | The bind parameters for executing the statement. | | queryOptions | object | Optional per-query overrides (for example, `{ queryTimeout: 100 }`). | ### pluck([toggleState]) ⇒ this This function is currently not supported. ### expand([toggleState]) ⇒ this This function is currently not supported. ### raw([rawMode]) ⇒ this Toggle raw mode. | Param | Type | Description | | ------- | -------------------- | --------------------------------------------------------------------------------- | | rawMode | boolean | Enable or disable raw mode. If you don't pass the parameter, raw mode is enabled. | This function enables or disables raw mode. Prepared statements return objects by default, but if raw mode is enabled, the functions return arrays instead. ### timed([toggle]) ⇒ this Toggle query duration timing. ### columns() ⇒ array of objects Returns the columns in the result set returned by this prepared statement. ### reader ⇒ boolean Returns `true` if the statement returns data (i.e., it is a `SELECT` statement or an `INSERT`/`UPDATE`/`DELETE` with a `RETURNING` clause), `false` otherwise. ### bind([...bindParameters]) ⇒ this This function is currently not supported.