jordi fita mas
917db31227
I use the ten first digits of the cookie’s hash, that i believe it is not a problem, has the advantage of not expiring until the user logs out, and using a per user session token is explicitly allowed by OWASP[0]. [0]: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern
47 lines
1.5 KiB
PL/PgSQL
47 lines
1.5 KiB
PL/PgSQL
-- Verify numerus:user_profile on pg
|
|
|
|
begin;
|
|
|
|
select
|
|
user_id
|
|
, email
|
|
, name
|
|
, role
|
|
, lang_tag
|
|
, csrf_token
|
|
from numerus.user_profile
|
|
where false;
|
|
|
|
select has_function_privilege('numerus.update_user_profile()', 'execute');
|
|
|
|
select 1/count(*)
|
|
from pg_trigger
|
|
where not tgisinternal
|
|
and tgname = 'update_user_profile'
|
|
and tgrelid = 'numerus.user_profile'::regclass
|
|
and tgtype = b'01010001'::int;
|
|
-- │││││││
|
|
-- ││││││└─> row
|
|
-- │││││└──> before
|
|
-- ││││└───> insert
|
|
-- │││└────> delete
|
|
-- ││└─────> update
|
|
-- │└──────> truncate
|
|
-- └───────> instead
|
|
select 1/count(*)
|
|
from pg_trigger
|
|
where not tgisinternal
|
|
and tgname = 'encrypt_password'
|
|
and tgrelid = 'auth.user'::regclass
|
|
and tgtype = b'00010111'::int;
|
|
-- │││││││
|
|
-- ││││││└─> row
|
|
-- │││││└──> before
|
|
-- ││││└───> insert
|
|
-- │││└────> delete
|
|
-- ││└─────> update
|
|
-- │└──────> truncate
|
|
-- └───────> instead
|
|
|
|
rollback;
|