2023-07-21 23:59:12 +00:00
|
|
|
|
-- Test login
|
|
|
|
|
|
set client_min_messages to warning;
|
|
|
|
|
|
create extension if not exists pgtap;
|
|
|
|
|
|
reset client_min_messages;
|
|
|
|
|
|
|
|
|
|
|
|
begin;
|
|
|
|
|
|
|
|
|
|
|
|
select plan(20);
|
|
|
|
|
|
|
|
|
|
|
|
set search_path to auth, camper, public;
|
|
|
|
|
|
|
|
|
|
|
|
select has_function('camper', 'login', array ['email', 'text', 'inet']);
|
|
|
|
|
|
select function_lang_is('camper', 'login', array ['email', 'text', 'inet'], 'plpgsql');
|
|
|
|
|
|
select function_returns('camper', 'login', array ['email', 'text', 'inet'], 'text');
|
|
|
|
|
|
select is_definer('camper', 'login', array ['email', 'text', 'inet']);
|
|
|
|
|
|
select volatility_is('camper', 'login', array ['email', 'text', 'inet'], 'volatile');
|
|
|
|
|
|
select function_privs_are('camper', 'login', array ['email', 'text', 'inet'], 'guest', array ['EXECUTE']);
|
|
|
|
|
|
select function_privs_are('camper', 'login', array ['email', 'text', 'inet'], 'employee', array []::text[]);
|
|
|
|
|
|
select function_privs_are('camper', 'login', array ['email', 'text', 'inet'], 'admin', array []::text[]);
|
|
|
|
|
|
select function_privs_are('camper', 'login', array ['email', 'text', 'inet'], 'authenticator', array []::text[]);
|
|
|
|
|
|
|
|
|
|
|
|
set client_min_messages to warning;
|
|
|
|
|
|
truncate auth."user" cascade;
|
|
|
|
|
|
truncate auth.login_attempt cascade;
|
|
|
|
|
|
reset client_min_messages;
|
|
|
|
|
|
|
Move the user role down to company_user relation
I was starting to add the public page for campsite types, creating more
granular row-level security policies for select, insert, update, and
delete, because now the guest users needed to SELECT them and they have
no related company to filter the rows with. Suddenly, i realized that
the role was wrong in the user relation: a user can be an admin to one
company, and employee to another, and guess to yet another company;
the role should be in the company_user relation instead.
That means that to know the role to set to, the user alone is not enough
and have to know the company as well. Had to change all the
cookie-related function to accept also the company’s host name, as this
is the information that the Go application has.
2023-08-08 00:22:16 +00:00
|
|
|
|
insert into auth."user" (email, name, password)
|
|
|
|
|
|
values ('info@tandem.blog', 'Tandem', 'test');
|
2023-07-21 23:59:12 +00:00
|
|
|
|
|
|
|
|
|
|
create temp table _login_test
|
|
|
|
|
|
(
|
|
|
|
|
|
result_num integer,
|
|
|
|
|
|
cookie text not null
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select lives_ok(
|
|
|
|
|
|
$$ insert into _login_test select 1, split_part(login('info@tandem.blog', 'test', '::1'::inet), '/', 1) $$,
|
|
|
|
|
|
'Should login with a correct user and password'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select isnt_empty(
|
|
|
|
|
|
$$ select cookie from _login_test join "user" using (cookie) where email = 'info@tandem.blog' $$,
|
|
|
|
|
|
'Should have returned the cookie that wrote to the user relation.'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select results_eq(
|
|
|
|
|
|
$$ select cookie_expires_at > current_timestamp from "user" where email = 'info@tandem.blog' $$,
|
|
|
|
|
|
$$ values (true) $$,
|
|
|
|
|
|
'Should have set an expiry date in the future.'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select isnt_empty(
|
|
|
|
|
|
$$ select cookie from _login_test where cookie in (select split_part(login('info@tandem.blog', 'test', '192.168.0.1'::inet), '/', 1)) $$,
|
|
|
|
|
|
'Should return the same cookie if not expired yet.'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
update "user"
|
|
|
|
|
|
set cookie_expires_at = current_timestamp - interval '1 hour'
|
|
|
|
|
|
where email = 'info@tandem.blog';
|
|
|
|
|
|
|
|
|
|
|
|
select lives_ok(
|
|
|
|
|
|
$$ insert into _login_test select 2, split_part(login('info@tandem.blog', 'test', '::1'::inet), '/', 1) $$,
|
|
|
|
|
|
'Should login with a correct user and password even with an expired cookie'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
select results_eq(
|
|
|
|
|
|
$$ select count(distinct cookie)::integer from _login_test $$,
|
|
|
|
|
|
$$ values (2) $$,
|
|
|
|
|
|
'Should have returned a new cookie'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select isnt_empty(
|
|
|
|
|
|
$$ select cookie from _login_test join "user" using (cookie) where email = 'info@tandem.blog' and result_num = 2 $$,
|
|
|
|
|
|
'Should have updated the user’s cookie.'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select results_eq(
|
|
|
|
|
|
$$ select cookie_expires_at > current_timestamp from "user" where email = 'info@tandem.blog' $$,
|
|
|
|
|
|
$$ values(true) $$,
|
|
|
|
|
|
'Should have set an expiry date in the future, again.'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select is(
|
|
|
|
|
|
login('info@tandem.blog'::email, 'mah password', '127.0.0.1'::inet),
|
|
|
|
|
|
''::text,
|
|
|
|
|
|
'Should not find any role with an invalid password'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select is(
|
|
|
|
|
|
login('nope@tandem.blog'::email, 'test'),
|
|
|
|
|
|
''::text,
|
|
|
|
|
|
'Should not find any role with an invalid email'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
select results_eq(
|
|
|
|
|
|
'select user_name, ip_address, success, attempted_at from login_attempt order by attempt_id',
|
|
|
|
|
|
$$ values ('info@tandem.blog', '::1'::inet, true, current_timestamp)
|
|
|
|
|
|
, ('info@tandem.blog', '192.168.0.1'::inet, true, current_timestamp)
|
|
|
|
|
|
, ('info@tandem.blog', '::1'::inet, true, current_timestamp)
|
|
|
|
|
|
, ('info@tandem.blog', '127.0.0.1'::inet, false, current_timestamp)
|
|
|
|
|
|
, ('nope@tandem.blog', null, false, current_timestamp)
|
|
|
|
|
|
$$,
|
|
|
|
|
|
'Should have recorded all login attempts.'
|
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
select *
|
|
|
|
|
|
from finish();
|
|
|
|
|
|
|
|
|
|
|
|
rollback;
|
