tandem
/
numerus
2
0
Fork 0
Code Issues 39 Pull Requests Packages Projects 1 Releases 1 Wiki Activity

Use current_app_user to logout 

Do not want people being able to logout other users just by setting a
number in a setting.
This commit is contained in:
jordi fita mas 2023-01-23 01:18:05 +01:00
parent c6eb1ef24e
commit b5968b1179
2 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
deploy/logout.sql
View File

@ -1,6 +1,7 @@
-- Deploy numerus:logout to pg
-- requires: schema_auth
-- requires: user
-- requires: current_app_user
begin;
@ -11,7 +12,9 @@ $$
update "user"
set cookie = default
, cookie_expires_at = default
where user_id = current_setting('request.user.id', true)::integer
where cookie = current_app_user()
and cookie_expires_at > current_timestamp
and length(cookie) > 30
$$
language sql
security definer

6
test/logout.sql
View File

@ -32,7 +32,7 @@ prepare user_cookies as
select cookie, cookie_expires_at from "user" order by user_id
;
select set_config('request.user.id', '0', false);
select set_config('request.user.cookie', '', false);
select lives_ok( $$ select * from logout() $$, 'Can logout “nobody”' );
select results_eq(
@ -43,7 +43,7 @@ select results_eq(
'Nothing changed'
);
select set_config('request.user.id', '1', false);
select set_config('request.user.cookie', '8c23d4a8d777775f8fc507676a0d99d3dfa54b03b1b257c838', false);
select lives_ok( $$ select * from logout() $$, 'Can logout the first user' );
select results_eq(
@ -54,7 +54,7 @@ select results_eq(
'The first user logged out'
);
select set_config('request.user.id', '12', false);
select set_config('request.user.cookie', '0169e5f668eec1e6749fd25388b057997358efa8dfd697961a', false);
select lives_ok( $$ select * from logout() $$, 'Can logout the second user' );
select results_eq(