Implement login cookie, its verification, and logout
At first i thought that i would need to implement sessions, the ones
that keep small files on the disk, to know which user is talking to
the server, but then i realized that, for now at least, i only need a
very large number, plus the email address, to be used as a lookup, and
that can be stored in the user table, in a separate schema.
Had to change login to avoid raising exceptions when login failed
because i now keep a record of login attempts, and functions are always
run in a single transaction, thus the exception would prevent me from
inserting into login_attempt. Even if i use a separate procedure, i could
not keep the records.
I did not want to add a parameter to the logout function because i was
afraid that it could be called from separate users. I do not know
whether it is possible with the current approach, since the settings
variable is also set by the same applications; time will tell.
2023-01-17 19:48:50 +00:00
-- Deploy numerus:check_cookie to pg
-- requires: schema_auth
-- requires: user

begin;

set search_path to public, numerus, auth;

create or replace function check_cookie(input_cookie text) returns record as
$$
declare
    value record;
begin
    -- The cookie value is "<token>/<email>": the e-mail address is the
    -- lookup key and the token must match the one stored for that user,
    -- which must not be expired and must still have a password set.
    select email::text, role
    into value
    from "user"
    where email = split_part(input_cookie, '/', 2)
    and cookie_expires_at > current_timestamp
    and length(password) > 0
    and cookie = split_part(input_cookie, '/', 1)
    ;

    -- No matching row: the caller is treated as the guest role.
    if value is null then
        select '', 'guest'::name into value;
    end if;

    return value;
end;
$$
language plpgsql
-- security definer: the function runs with its owner's privileges, so the
-- authenticator role needs no direct access to the "user" table; pg_temp
-- goes last in search_path so temporary objects cannot shadow auth objects.
security definer
stable
set search_path = auth, numerus, pg_temp;

comment on function check_cookie(text) is
'Checks whether a given cookie is for a valid user, returning its email and role';

revoke execute on function check_cookie(text) from public;
grant execute on function check_cookie(text) to authenticator;

commit;
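To make the acceptance conditions of check_cookie concrete, here is an added Python model of the same lookup (not the project's code): a stand-in for PostgreSQL's split_part, a constructed in-memory "user" table with the columns the function reads, and the four conditions applied in the same order; the user rows, role names and tokens are invented for the example, and the constant-time comparison is an addition over the SQL equality test.

```python
from datetime import datetime, timedelta, timezone
import hmac

# Constructed stand-in for the auth."user" table, keyed by email. Columns
# mirror the ones the deploy script reads; all values are made up.
NOW = datetime(2023, 1, 18, 12, 0, tzinfo=timezone.utc)
USERS = {
    "alice@example.com": {
        "role": "admin",
        "password": "<hashed-password>",                # set: account usable
        "cookie": "7f3e9a1c5b2d",                       # constructed token
        "cookie_expires_at": NOW + timedelta(days=7),
    },
    "bob@example.com": {
        "role": "member",
        "password": "<hashed-password>",
        "cookie": "aaaaaaaaaaaa",
        "cookie_expires_at": NOW - timedelta(hours=1),  # already expired
    },
    "carol@example.com": {
        "role": "member",
        "password": "",                                 # no password: disabled
        "cookie": "cccccccccccc",
        "cookie_expires_at": NOW + timedelta(days=7),
    },
}


def split_part(s: str, delim: str, n: int) -> str:
    """Mirror PostgreSQL split_part(): 1-based field, '' when out of range."""
    parts = s.split(delim)
    return parts[n - 1] if 0 < n <= len(parts) else ""


def check_cookie(input_cookie: str, now: datetime = NOW) -> tuple:
    """Return (email, role) for a valid cookie, otherwise ('', 'guest')."""
    token = split_part(input_cookie, "/", 1)   # part before the first '/'
    email = split_part(input_cookie, "/", 2)   # part after it ('' if absent)
    row = USERS.get(email)
    if (
        row is not None
        and row["cookie_expires_at"] > now      # cookie_expires_at > now
        and len(row["password"]) > 0            # length(password) > 0
        # Constant-time compare (assumption added here; the SQL uses '=').
        and hmac.compare_digest(row["cookie"], token)
    ):
        return email, row["role"]
    return "", "guest"
```

A cookie with extra '/' segments still resolves, because only fields 1 and 2 are read, while one with no '/' at all yields an empty email and falls through to guest.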