numerus/deploy/login.sql

-- Deploy numerus:login to pg
-- requires: roles
-- requires: schema_numerus
-- requires: email
-- requires: user
-- requires: find_user_role

begin;

set search_path to numerus, auth;

create or replace function login(email email, password text) returns name as
$$
declare
	role name;
begin
	select auth.find_user_role(email, password) into role;
	if role is null then
		raise invalid_password using message = 'invalid user or password';
	end if;
	return role;
end;
$$
language plpgsql
stable
security definer;

comment on function login(email, text) is
'Checks that the email and password pair is valid and returns the user’s databasse role.';

revoke execute on function login(email, text) from public;
grant execute on function login(email, text) to guest;

commit;
-												Setup authentication schema and user relation

User authentication is based on PostgREST’s[0]: There is a noninherit
role, authenticator, whose function is only to switch to a different
role according to the application’s session.  Accordingly, this role has
no permission for anything.

The roles that this authentication can switch to are guest, invoicer, or
admin.  Guest is for anonymous users, when they need to login or
register; invoicers are regular users; and admin are application’s
administrators, that can change other user’s status, when they have to
be removed or have they password changed, for example.

The user relation is actually inaccessible to all roles and can only be
used through a security definer function, login, so that passwords are
not accessible from the application.

I hesitated on what to use as the user’s primary key.  The email seemed
a good candiate, because it will be used for login.  But something rubs
me the wrong way.

It is not that they can change because, despite what people on the
Internet keeps parroting, they do not need to be “immutable”, PostgreSQL
can cascade updates to foreign keys, and people do **not** change email
addresses that ofter.

What i **do** know is that email addresses should be unique in order to
be used for login and password, hovewer i had to decide what “unique”
means here, because the domain part is case insensitive, but the local
part who knows?  I made the arbitrary decision of assuming that the
whole address is case sensitive.

I have the feeling that this will bite me harder in the ass than using
it as the primary key.

[0]: https://postgrest.org/en/stable/auth.html

											
										
										
											2023-01-13 00:43:20 +00:00
+								-- Deploy numerus:login to pg
 								-- requires: roles
 								-- requires: schema_numerus
 								-- requires: email
 								-- requires: user
 								-- requires: find_user_role
 								begin;
 								set search_path to numerus, auth;
 								create or replace function login(email email, password text) returns name as
 								$$
 								declare
 									role name;
 								begin
 									select auth.find_user_role(email, password) into role;
 									if role is null then
 										raise invalid_password using message = 'invalid user or password';
 									end if;
 									return role;
 								end;
 								$$
 								language plpgsql
-												Change find_user_role’s and login’s volatility to stable

According to PostgreSQL’s manual[0]:

  “STABLE indicates that the function cannot modify the database, and
   that within a single table scan it will consistently return the same
   result for the same argument values, but that its result could change
   across SQL statements.”

This definition matches both functions.  Moreover, find_user_role did
not need to be written in plpgsql, that i assume—but did not test—are
slower than sql functions.

[0]: https://www.postgresql.org/docs/14/sql-createfunction.html

											
										
										
											2023-01-16 09:02:31 +00:00
+								stable
-												Setup authentication schema and user relation

User authentication is based on PostgREST’s[0]: There is a noninherit
role, authenticator, whose function is only to switch to a different
role according to the application’s session.  Accordingly, this role has
no permission for anything.

The roles that this authentication can switch to are guest, invoicer, or
admin.  Guest is for anonymous users, when they need to login or
register; invoicers are regular users; and admin are application’s
administrators, that can change other user’s status, when they have to
be removed or have they password changed, for example.

The user relation is actually inaccessible to all roles and can only be
used through a security definer function, login, so that passwords are
not accessible from the application.

I hesitated on what to use as the user’s primary key.  The email seemed
a good candiate, because it will be used for login.  But something rubs
me the wrong way.

It is not that they can change because, despite what people on the
Internet keeps parroting, they do not need to be “immutable”, PostgreSQL
can cascade updates to foreign keys, and people do **not** change email
addresses that ofter.

What i **do** know is that email addresses should be unique in order to
be used for login and password, hovewer i had to decide what “unique”
means here, because the domain part is case insensitive, but the local
part who knows?  I made the arbitrary decision of assuming that the
whole address is case sensitive.

I have the feeling that this will bite me harder in the ass than using
it as the primary key.

[0]: https://postgrest.org/en/stable/auth.html

											
										
										
											2023-01-13 00:43:20 +00:00
+								security definer;
 								comment on function login(email, text) is
 								'Checks that the email and password pair is valid and returns the user’s databasse role.';
-												Remove the revocation of all function executions

I need to execute some functions in public for citext, such as
texticregexeq, or guest users would not be able to login.

											
										
										
											2023-01-17 12:05:58 +00:00
+								revoke execute on function login(email, text) from public;
-												Setup authentication schema and user relation

User authentication is based on PostgREST’s[0]: There is a noninherit
role, authenticator, whose function is only to switch to a different
role according to the application’s session.  Accordingly, this role has
no permission for anything.

The roles that this authentication can switch to are guest, invoicer, or
admin.  Guest is for anonymous users, when they need to login or
register; invoicers are regular users; and admin are application’s
administrators, that can change other user’s status, when they have to
be removed or have they password changed, for example.

The user relation is actually inaccessible to all roles and can only be
used through a security definer function, login, so that passwords are
not accessible from the application.

I hesitated on what to use as the user’s primary key.  The email seemed
a good candiate, because it will be used for login.  But something rubs
me the wrong way.

It is not that they can change because, despite what people on the
Internet keeps parroting, they do not need to be “immutable”, PostgreSQL
can cascade updates to foreign keys, and people do **not** change email
addresses that ofter.

What i **do** know is that email addresses should be unique in order to
be used for login and password, hovewer i had to decide what “unique”
means here, because the domain part is case insensitive, but the local
part who knows?  I made the arbitrary decision of assuming that the
whole address is case sensitive.

I have the feeling that this will bite me harder in the ass than using
it as the primary key.

[0]: https://postgrest.org/en/stable/auth.html

											
										
										
											2023-01-13 00:43:20 +00:00
+								grant execute on function login(email, text) to guest;
 								commit;