zaid.marzguioui/myeasycms-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enforce RLS when user opted in to MFA. (#188)

Browse Source 
* Allow Super Admin to view tables using RLS
* Replace previous usages of the Admin client using the authed client using the new RLS
* Enforce MFA for Super Admin users
* Enforce RLS when user opted in to MFA.
* Add Super Admin Access Policies and Update Database Types
* Consolidate super admin logic into a single function that uses the RPC is_super_admin
* Added Super Admin E2E tests
* Fixes and improvements
* Bump version to 2.5.0
This commit is contained in:
Giancarlo Buomprisco
2025-03-02 10:21:01 +07:00
committed by GitHub
parent 9cf7bf0aac
commit 131b1061e6
61 changed files with 2193 additions and 302 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
apps/web/app/admin/_components/admin-sidebar.tsx
View File

@@ -31,7 +31,7 @@ export function AdminSidebar() {
<SidebarContent>
<SidebarGroup>
<SidebarGroupLabel>Admin</SidebarGroupLabel>
<SidebarGroupLabel>Super Admin</SidebarGroupLabel>
<SidebarGroupContent>
<SidebarMenu>

4
apps/web/app/admin/accounts/[id]/page.tsx
View File

@@ -2,7 +2,7 @@ import { cache } from 'react';
import { AdminAccountPage } from '@kit/admin/components/admin-account-page';
import { AdminGuard } from '@kit/admin/components/admin-guard';
import { getSupabaseServerAdminClient } from '@kit/supabase/server-admin-client';
import { getSupabaseServerClient } from '@kit/supabase/server-client';
interface Params {
params: Promise<{
@@ -31,7 +31,7 @@ export default AdminGuard(AccountPage);
const loadAccount = cache(accountLoader);
async function accountLoader(id: string) {
const client = getSupabaseServerAdminClient();
const client = getSupabaseServerClient();
const { data, error } = await client
.from('accounts')

5
apps/web/app/admin/accounts/page.tsx
View File

@@ -2,7 +2,7 @@ import { ServerDataLoader } from '@makerkit/data-loader-supabase-nextjs';
import { AdminAccountsTable } from '@kit/admin/components/admin-accounts-table';
import { AdminGuard } from '@kit/admin/components/admin-guard';
import { getSupabaseServerAdminClient } from '@kit/supabase/server-admin-client';
import { getSupabaseServerClient } from '@kit/supabase/server-client';
import { AppBreadcrumbs } from '@kit/ui/app-breadcrumbs';
import { PageBody, PageHeader } from '@kit/ui/page';
@@ -21,7 +21,7 @@ export const metadata = {
};
async function AccountsPage(props: AdminAccountsPageProps) {
const client = getSupabaseServerAdminClient();
const client = getSupabaseServerClient();
const searchParams = await props.searchParams;
const page = searchParams.page ? parseInt(searchParams.page) : 1;
@@ -47,6 +47,7 @@ async function AccountsPage(props: AdminAccountsPageProps) {
data={data}
filters={{
type: searchParams.account_type ?? 'all',
query: searchParams.query ?? '',
}}
/>
);

16
apps/web/lib/database.types.ts
View File

@@ -858,6 +858,14 @@ export type Database = {
};
Returns: boolean;
};
install_extensions: {
Args: Record<PropertyKey, never>;
Returns: undefined;
};
is_aal2: {
Args: Record<PropertyKey, never>;
Returns: boolean;
};
is_account_owner: {
Args: {
account_id: string;
@@ -870,12 +878,20 @@ export type Database = {
};
Returns: boolean;
};
is_mfa_compliant: {
Args: Record<PropertyKey, never>;
Returns: boolean;
};
is_set: {
Args: {
field_name: string;
};
Returns: boolean;
};
is_super_admin: {
Args: Record<PropertyKey, never>;
Returns: boolean;
};
is_team_member: {
Args: {
account_id: string;

18
apps/web/middleware.ts
View File

@@ -3,6 +3,7 @@ import { NextResponse, URLPattern } from 'next/server';
import { CsrfError, createCsrfProtect } from '@edge-csrf/nextjs';
import { isSuperAdmin } from '@kit/admin';
import { checkRequiresMultiFactorAuthentication } from '@kit/supabase/check-requires-mfa';
import { createMiddlewareClient } from '@kit/supabase/middleware-client';
@@ -115,22 +116,11 @@ async function adminMiddleware(request: NextRequest, response: NextResponse) {
);
}
const supabase = createMiddlewareClient(request, response);
const requiresMultiFactorAuthentication =
await checkRequiresMultiFactorAuthentication(supabase);
// If user requires multi-factor authentication, redirect to MFA page.
if (requiresMultiFactorAuthentication) {
return NextResponse.redirect(
new URL(pathsConfig.auth.verifyMfa, origin).href,
);
}
const role = user?.app_metadata.role;
const client = createMiddlewareClient(request, response);
const userIsSuperAdmin = await isSuperAdmin(client);
// If user is not an admin, redirect to 404 page.
if (!role || role !== 'super-admin') {
if (!userIsSuperAdmin) {
return NextResponse.redirect(new URL('/404', request.nextUrl.origin).href);
}

2
apps/web/public/locales/en/account.json
View File

@@ -64,7 +64,7 @@
"mfaEnabledSuccessDescription": "Congratulations! You have successfully enrolled in the multi factor authentication process. You will now be able to access your account with a combination of your password and an authentication code sent to your phone number.",
"verificationCode": "Verification Code",
"addEmailAddress": "Add Email address",
"verifyActivationCodeDescription": "Enter the verification code generated by your authenticator app",
"verifyActivationCodeDescription": "Enter the 6-digit code generated by your authenticator app in the field above",
"loadingFactors": "Loading factors...",
"enableMfaFactor": "Enable Factor",
"disableMfaFactor": "Disable Factor",

1
apps/web/public/locales/en/auth.json
View File

@@ -40,6 +40,7 @@
"sendLinkSuccess": "We sent you a link by email",
"sendLinkSuccessToast": "Link successfully sent",
"getNewLink": "Get a new link",
"verifyCodeHeading": "Verify your account",
"verificationCode": "Verification Code",
"verificationCodeHint": "Enter the code we sent you by SMS",
"verificationCodeSubmitButtonLabel": "Submit Verification Code",

206
apps/web/supabase/migrations/20250224082325_mfa-rls-super-admin.sql Normal file
View File

@@ -0,0 +1,206 @@
/*
* public.is_aal2
* Check if the user has aal2 access
*/
create
or replace function public.is_aal2() returns boolean
set
search_path = '' as
$$
declare
is_aal2 boolean;
begin
select auth.jwt() ->> 'aal' = 'aal2' into is_aal2;
return coalesce(is_aal2, false);
end
$$ language plpgsql;
-- Grant access to the function to authenticated users
grant execute on function public.is_aal2() to authenticated;
/*
* public.is_super_admin
* Check if the user is a super admin.
* A Super Admin is a user that has the role 'super-admin' and has MFA enabled.
*/
create
or replace function public.is_super_admin() returns boolean
set
search_path = '' as
$$
declare
is_super_admin boolean;
begin
if not public.is_aal2() then
return false;
end if;
select (auth.jwt() ->> 'app_metadata')::jsonb ->> 'role' = 'super-admin' into is_super_admin;
return coalesce(is_super_admin, false);
end
$$ language plpgsql;
-- Grant access to the function to authenticated users
grant execute on function public.is_super_admin() to authenticated;
/*
* public.is_mfa_compliant
* Check if the user meets MFA requirements if they have MFA enabled.
* If the user has MFA enabled, then the user must have aal2 enabled. Otherwise, the user must have aal1 enabled (default behavior).
*/
create or replace function public.is_mfa_compliant() returns boolean
set search_path = '' as
$$
begin
return array[(select auth.jwt()->>'aal')] <@ (
select
case
when count(id) > 0 then array['aal2']
else array['aal1', 'aal2']
end as aal
from auth.mfa_factors
where ((select auth.uid()) = auth.mfa_factors.user_id) and auth.mfa_factors.status = 'verified'
);
end
$$ language plpgsql security definer;
-- Grant access to the function to authenticated users
grant execute on function public.is_mfa_compliant() to authenticated;
-- MFA Restrictions:
-- the following policies are applied to the tables as a
-- restrictive policy to ensure that if MFA is enabled, then the policy will be applied.
-- For users that have not enabled MFA, the policy will not be applied and will keep the default behavior.
-- Restrict access to accounts if MFA is enabled
create policy restrict_mfa_accounts
on public.accounts
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to accounts memberships if MFA is enabled
create policy restrict_mfa_accounts_memberships
on public.accounts_memberships
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to subscriptions if MFA is enabled
create policy restrict_mfa_subscriptions
on public.subscriptions
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to subscription items if MFA is enabled
create policy restrict_mfa_subscription_items
on public.subscription_items
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to role permissions if MFA is enabled
create policy restrict_mfa_role_permissions
on public.role_permissions
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to invitations if MFA is enabled
create policy restrict_mfa_invitations
on public.invitations
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to orders if MFA is enabled
create policy restrict_mfa_orders
on public.orders
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to orders items if MFA is enabled
create policy restrict_mfa_order_items
on public.order_items
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Restrict access to orders if MFA is enabled
create policy restrict_mfa_notifications
on public.notifications
as restrictive
to authenticated
using (public.is_mfa_compliant());
-- Super Admin:
-- the following policies are applied to the tables as a permissive policy to ensure that
-- super admins can access all tables (view only).
-- Allow Super Admins to access the accounts table
create policy super_admins_access_accounts
on public.accounts
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the accounts memberships table
create policy super_admins_access_accounts_memberships
on public.accounts_memberships
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the subscriptions table
create policy super_admins_access_subscriptions
on public.subscriptions
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the subscription items table
create policy super_admins_access_subscription_items
on public.subscription_items
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the invitations items table
create policy super_admins_access_invitations
on public.invitations
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the orders table
create policy super_admins_access_orders
on public.orders
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the order items table
create policy super_admins_access_order_items
on public.order_items
as permissive
for select
to authenticated
using (public.is_super_admin());
-- Allow Super Admins to access the role permissions table
create policy super_admins_access_role_permissions
on public.role_permissions
as permissive
for select
to authenticated
using (public.is_super_admin());

175
apps/web/supabase/seed.sql
View File

@@ -6,39 +6,45 @@
-- We don't do it because you'll need to manually add your webhook URL and secret key.
-- this webhook will be triggered after deleting an account
create trigger "accounts_teardown" after delete
on "public"."accounts" for each row
create trigger "accounts_teardown"
after delete
on "public"."accounts"
for each row
execute function "supabase_functions"."http_request"(
'http://host.docker.internal:3000/api/db/webhook',
'POST',
'{"Content-Type":"application/json", "X-Supabase-Event-Signature":"WEBHOOKSECRET"}',
'{}',
'5000'
);
'http://host.docker.internal:3000/api/db/webhook',
'POST',
'{"Content-Type":"application/json", "X-Supabase-Event-Signature":"WEBHOOKSECRET"}',
'{}',
'5000'
);
-- this webhook will be triggered after a delete on the subscriptions table
-- which should happen when a user deletes their account (and all their subscriptions)
create trigger "subscriptions_delete" after delete
on "public"."subscriptions" for each row
create trigger "subscriptions_delete"
after delete
on "public"."subscriptions"
for each row
execute function "supabase_functions"."http_request"(
'http://host.docker.internal:3000/api/db/webhook',
'POST',
'{"Content-Type":"application/json", "X-Supabase-Event-Signature":"WEBHOOKSECRET"}',
'{}',
'5000'
);
'http://host.docker.internal:3000/api/db/webhook',
'POST',
'{"Content-Type":"application/json", "X-Supabase-Event-Signature":"WEBHOOKSECRET"}',
'{}',
'5000'
);
-- this webhook will be triggered after every insert on the invitations table
-- which should happen when a user invites someone to their account
create trigger "invitations_insert" after insert
on "public"."invitations" for each row
create trigger "invitations_insert"
after insert
on "public"."invitations"
for each row
execute function "supabase_functions"."http_request"(
'http://host.docker.internal:3000/api/db/webhook',
'POST',
'{"Content-Type":"application/json", "X-Supabase-Event-Signature":"WEBHOOKSECRET"}',
'{}',
'5000'
);
'http://host.docker.internal:3000/api/db/webhook',
'POST',
'{"Content-Type":"application/json", "X-Supabase-Event-Signature":"WEBHOOKSECRET"}',
'{}',
'5000'
);
-- DATA SEED
@@ -50,25 +56,81 @@ execute function "supabase_functions"."http_request"(
--
--
-- Data for Name: users; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
INSERT INTO "auth"."users" ("instance_id", "id", "aud", "role", "email", "encrypted_password", "email_confirmed_at", "invited_at", "confirmation_token", "confirmation_sent_at", "recovery_token", "recovery_sent_at", "email_change_token_new", "email_change", "email_change_sent_at", "last_sign_in_at", "raw_app_meta_data", "raw_user_meta_data", "is_super_admin", "created_at", "updated_at", "phone", "phone_confirmed_at", "phone_change", "phone_change_token", "phone_change_sent_at", "email_change_token_current", "email_change_confirm_status", "banned_until", "reauthentication_token", "reauthentication_sent_at", "is_sso_user", "deleted_at", "is_anonymous") VALUES
('00000000-0000-0000-0000-000000000000', 'b73eb03e-fb7a-424d-84ff-18e2791ce0b4', 'authenticated', 'authenticated', 'custom@makerkit.dev', '$2a$10$b3ZPpU6TU3or30QzrXnZDuATPAx2pPq3JW.sNaneVY3aafMSuR4yi', '2024-04-20 08:38:00.860548+00', NULL, '', '2024-04-20 08:37:43.343769+00', '', NULL, '', '', NULL, '2024-04-20 08:38:00.93864+00', '{"provider": "email", "providers": ["email"]}', '{"sub": "b73eb03e-fb7a-424d-84ff-18e2791ce0b4", "email": "custom@makerkit.dev", "email_verified": false, "phone_verified": false}', NULL, '2024-04-20 08:37:43.3385+00', '2024-04-20 08:38:00.942809+00', NULL, NULL, '', '', NULL, '', 0, NULL, '', NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', '31a03e74-1639-45b6-bfa7-77447f1a4762', 'authenticated', 'authenticated', 'test@makerkit.dev', '$2a$10$NaMVRrI7NyfwP.AfAVWt6O/abulGnf9BBqwa6DqdMwXMvOCGpAnVO', '2024-04-20 08:20:38.165331+00', NULL, '', NULL, '', NULL, '', '', NULL, '2024-04-20 09:36:02.521776+00', '{"provider": "email", "providers": ["email"], "role": "super-admin"}', '{"sub": "31a03e74-1639-45b6-bfa7-77447f1a4762", "email": "test@makerkit.dev", "email_verified": false, "phone_verified": false}', NULL, '2024-04-20 08:20:34.459113+00', '2024-04-20 10:07:48.554125+00', NULL, NULL, '', '', NULL, '', 0, NULL, '', NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', '5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', 'authenticated', 'authenticated', 'owner@makerkit.dev', '$2a$10$D6arGxWJShy8q4RTW18z7eW0vEm2hOxEUovUCj5f3NblyHfamm5/a', '2024-04-20 08:36:37.517993+00', NULL, '', '2024-04-20 08:36:27.639648+00', '', NULL, '', '', NULL, '2024-04-20 08:36:37.614337+00', '{"provider": "email", "providers": ["email"]}', '{"sub": "5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf", "email": "owner@makerkit.dev", "email_verified": false, "phone_verified": false}', NULL, '2024-04-20 08:36:27.630379+00', '2024-04-20 08:36:37.617955+00', NULL, NULL, '', '', NULL, '', 0, NULL, '', NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', '6b83d656-e4ab-48e3-a062-c0c54a427368', 'authenticated', 'authenticated', 'member@makerkit.dev', '$2a$10$6h/x.AX.6zzphTfDXIJMzuYx13hIYEi/Iods9FXH19J2VxhsLycfa', '2024-04-20 08:41:15.376778+00', NULL, '', '2024-04-20 08:41:08.689674+00', '', NULL, '', '', NULL, '2024-04-20 08:41:15.484606+00', '{"provider": "email", "providers": ["email"]}', '{"sub": "6b83d656-e4ab-48e3-a062-c0c54a427368", "email": "member@makerkit.dev", "email_verified": false, "phone_verified": false}', NULL, '2024-04-20 08:41:08.683395+00', '2024-04-20 08:41:15.485494+00', NULL, NULL, '', '', NULL, '', 0, NULL, '', NULL, false, NULL, false);
INSERT INTO "auth"."users" ("instance_id", "id", "aud", "role", "email", "encrypted_password", "email_confirmed_at",
"invited_at", "confirmation_token", "confirmation_sent_at", "recovery_token",
"recovery_sent_at", "email_change_token_new", "email_change", "email_change_sent_at",
"last_sign_in_at", "raw_app_meta_data", "raw_user_meta_data", "is_super_admin",
"created_at", "updated_at", "phone", "phone_confirmed_at", "phone_change",
"phone_change_token", "phone_change_sent_at", "email_change_token_current",
"email_change_confirm_status", "banned_until", "reauthentication_token",
"reauthentication_sent_at", "is_sso_user", "deleted_at", "is_anonymous")
VALUES ('00000000-0000-0000-0000-000000000000', 'b73eb03e-fb7a-424d-84ff-18e2791ce0b4', 'authenticated',
'authenticated', 'custom@makerkit.dev', '$2a$10$b3ZPpU6TU3or30QzrXnZDuATPAx2pPq3JW.sNaneVY3aafMSuR4yi',
'2024-04-20 08:38:00.860548+00', NULL, '', '2024-04-20 08:37:43.343769+00', '', NULL, '', '', NULL,
'2024-04-20 08:38:00.93864+00', '{"provider": "email", "providers": ["email"]}',
'{"sub": "b73eb03e-fb7a-424d-84ff-18e2791ce0b4", "email": "custom@makerkit.dev", "email_verified": false, "phone_verified": false}',
NULL, '2024-04-20 08:37:43.3385+00', '2024-04-20 08:38:00.942809+00', NULL, NULL, '', '', NULL, '', 0, NULL, '',
NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', '31a03e74-1639-45b6-bfa7-77447f1a4762', 'authenticated',
'authenticated', 'test@makerkit.dev', '$2a$10$NaMVRrI7NyfwP.AfAVWt6O/abulGnf9BBqwa6DqdMwXMvOCGpAnVO',
'2024-04-20 08:20:38.165331+00', NULL, '', NULL, '', NULL, '', '', NULL, '2024-04-20 09:36:02.521776+00',
'{"provider": "email", "providers": ["email"], "role": "super-admin"}',
'{"sub": "31a03e74-1639-45b6-bfa7-77447f1a4762", "email": "test@makerkit.dev", "email_verified": false, "phone_verified": false}',
NULL, '2024-04-20 08:20:34.459113+00', '2024-04-20 10:07:48.554125+00', NULL, NULL, '', '', NULL, '', 0, NULL,
'', NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', '5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', 'authenticated',
'authenticated', 'owner@makerkit.dev', '$2a$10$D6arGxWJShy8q4RTW18z7eW0vEm2hOxEUovUCj5f3NblyHfamm5/a',
'2024-04-20 08:36:37.517993+00', NULL, '', '2024-04-20 08:36:27.639648+00', '', NULL, '', '', NULL,
'2024-04-20 08:36:37.614337+00', '{"provider": "email", "providers": ["email"]}',
'{"sub": "5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf", "email": "owner@makerkit.dev", "email_verified": false, "phone_verified": false}',
NULL, '2024-04-20 08:36:27.630379+00', '2024-04-20 08:36:37.617955+00', NULL, NULL, '', '', NULL, '', 0, NULL,
'', NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', '6b83d656-e4ab-48e3-a062-c0c54a427368', 'authenticated',
'authenticated', 'member@makerkit.dev', '$2a$10$6h/x.AX.6zzphTfDXIJMzuYx13hIYEi/Iods9FXH19J2VxhsLycfa',
'2024-04-20 08:41:15.376778+00', NULL, '', '2024-04-20 08:41:08.689674+00', '', NULL, '', '', NULL,
'2024-04-20 08:41:15.484606+00', '{"provider": "email", "providers": ["email"]}',
'{"sub": "6b83d656-e4ab-48e3-a062-c0c54a427368", "email": "member@makerkit.dev", "email_verified": false, "phone_verified": false}',
NULL, '2024-04-20 08:41:08.683395+00', '2024-04-20 08:41:15.485494+00', NULL, NULL, '', '', NULL, '', 0, NULL,
'', NULL, false, NULL, false),
('00000000-0000-0000-0000-000000000000', 'c5b930c9-0a76-412e-a836-4bc4849a3270', 'authenticated',
'authenticated', 'super-admin@makerkit.dev',
'$2a$10$gzxQw3vaVni8Ke9UVcn6ueWh674.6xImf6/yWYNc23BSeYdE9wmki', '2025-02-24 13:25:11.176987+00', null, '',
'2025-02-24 13:25:01.649714+00', '', null, '', '', null, '2025-02-24 13:25:11.17957+00',
'{"provider": "email", "providers": ["email"], "role": "super-admin"}',
'{"sub": "c5b930c9-0a76-412e-a836-4bc4849a3270", "email": "super-admin@makerkit.dev", "email_verified": true, "phone_verified": false}',
null, '2025-02-24 13:25:01.646641+00', '2025-02-24 13:25:11.181332+00', null, null, '', '', null
, '', '0', null, '', null, 'false', null, 'false');
--
-- Data for Name: identities; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
INSERT INTO "auth"."identities" ("provider_id", "user_id", "identity_data", "provider", "last_sign_in_at", "created_at", "updated_at", "id") VALUES
('31a03e74-1639-45b6-bfa7-77447f1a4762', '31a03e74-1639-45b6-bfa7-77447f1a4762', '{"sub": "31a03e74-1639-45b6-bfa7-77447f1a4762", "email": "test@makerkit.dev", "email_verified": false, "phone_verified": false}', 'email', '2024-04-20 08:20:34.46275+00', '2024-04-20 08:20:34.462773+00', '2024-04-20 08:20:34.462773+00', '9bb58bad-24a4-41a8-9742-1b5b4e2d8abd'), ('5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', '5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', '{"sub": "5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf", "email": "owner@makerkit.dev", "email_verified": false, "phone_verified": false}', 'email', '2024-04-20 08:36:27.637388+00', '2024-04-20 08:36:27.637409+00', '2024-04-20 08:36:27.637409+00', '090598a1-ebba-4879-bbe3-38d517d5066f'),
('b73eb03e-fb7a-424d-84ff-18e2791ce0b4', 'b73eb03e-fb7a-424d-84ff-18e2791ce0b4', '{"sub": "b73eb03e-fb7a-424d-84ff-18e2791ce0b4", "email": "custom@makerkit.dev", "email_verified": false, "phone_verified": false}', 'email', '2024-04-20 08:37:43.342194+00', '2024-04-20 08:37:43.342218+00', '2024-04-20 08:37:43.342218+00', '4392e228-a6d8-4295-a7d6-baed50c33e7c'),
('6b83d656-e4ab-48e3-a062-c0c54a427368', '6b83d656-e4ab-48e3-a062-c0c54a427368', '{"sub": "6b83d656-e4ab-48e3-a062-c0c54a427368", "email": "member@makerkit.dev", "email_verified": false, "phone_verified": false}', 'email', '2024-04-20 08:41:08.687948+00', '2024-04-20 08:41:08.687982+00', '2024-04-20 08:41:08.687982+00', 'd122aca5-4f29-43f0-b1b1-940b000638db');
INSERT INTO "auth"."identities" ("provider_id", "user_id", "identity_data", "provider", "last_sign_in_at", "created_at",
"updated_at", "id")
VALUES ('31a03e74-1639-45b6-bfa7-77447f1a4762', '31a03e74-1639-45b6-bfa7-77447f1a4762',
'{"sub": "31a03e74-1639-45b6-bfa7-77447f1a4762", "email": "test@makerkit.dev", "email_verified": false, "phone_verified": false}',
'email', '2024-04-20 08:20:34.46275+00', '2024-04-20 08:20:34.462773+00', '2024-04-20 08:20:34.462773+00',
'9bb58bad-24a4-41a8-9742-1b5b4e2d8abd'),
('5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', '5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf',
'{"sub": "5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf", "email": "owner@makerkit.dev", "email_verified": false, "phone_verified": false}',
'email', '2024-04-20 08:36:27.637388+00', '2024-04-20 08:36:27.637409+00', '2024-04-20 08:36:27.637409+00',
'090598a1-ebba-4879-bbe3-38d517d5066f'),
('b73eb03e-fb7a-424d-84ff-18e2791ce0b4', 'b73eb03e-fb7a-424d-84ff-18e2791ce0b4',
'{"sub": "b73eb03e-fb7a-424d-84ff-18e2791ce0b4", "email": "custom@makerkit.dev", "email_verified": false, "phone_verified": false}',
'email', '2024-04-20 08:37:43.342194+00', '2024-04-20 08:37:43.342218+00', '2024-04-20 08:37:43.342218+00',
'4392e228-a6d8-4295-a7d6-baed50c33e7c'),
('6b83d656-e4ab-48e3-a062-c0c54a427368', '6b83d656-e4ab-48e3-a062-c0c54a427368',
'{"sub": "6b83d656-e4ab-48e3-a062-c0c54a427368", "email": "member@makerkit.dev", "email_verified": false, "phone_verified": false}',
'email', '2024-04-20 08:41:08.687948+00', '2024-04-20 08:41:08.687982+00', '2024-04-20 08:41:08.687982+00',
'd122aca5-4f29-43f0-b1b1-940b000638db'),
('c5b930c9-0a76-412e-a836-4bc4849a3270', 'c5b930c9-0a76-412e-a836-4bc4849a3270',
'{"sub": "c5b930c9-0a76-412e-a836-4bc4849a3270", "email": "super-admin@makerkit.dev", "email_verified": true, "phone_verified": false}',
'email', '2025-02-24 13:25:01.646641+00', '2025-02-24 13:25:11.181332+00', '2025-02-24 13:25:11.181332+00',
'c5b930c9-0a76-412e-a836-4bc4849a3270');
--
-- Data for Name: instances; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
@@ -89,13 +151,11 @@ INSERT INTO "auth"."identities" ("provider_id", "user_id", "identity_data", "pro
--
--
-- Data for Name: mfa_challenges; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
--
-- Data for Name: refresh_tokens; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
@@ -105,74 +165,79 @@ INSERT INTO "auth"."identities" ("provider_id", "user_id", "identity_data", "pro
--
--
-- Data for Name: saml_providers; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
--
-- Data for Name: saml_relay_states; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
--
-- Data for Name: sso_domains; Type: TABLE DATA; Schema: auth; Owner: supabase_auth_admin
--
--
-- Data for Name: key; Type: TABLE DATA; Schema: pgsodium; Owner: supabase_admin
--
--
-- Data for Name: accounts; Type: TABLE DATA; Schema: public; Owner: postgres
--
INSERT INTO "public"."accounts" ("id", "primary_owner_user_id", "name", "slug", "email", "is_personal_account", "updated_at", "created_at", "created_by", "updated_by", "picture_url", "public_data") VALUES
('5deaa894-2094-4da3-b4fd-1fada0809d1c', '31a03e74-1639-45b6-bfa7-77447f1a4762', 'Makerkit', 'makerkit', NULL, false, NULL, NULL, NULL, NULL, NULL, '{}');
INSERT INTO "public"."accounts" ("id", "primary_owner_user_id", "name", "slug", "email", "is_personal_account",
"updated_at", "created_at", "created_by", "updated_by", "picture_url", "public_data")
VALUES ('5deaa894-2094-4da3-b4fd-1fada0809d1c', '31a03e74-1639-45b6-bfa7-77447f1a4762', 'Makerkit', 'makerkit', NULL,
false, NULL, NULL, NULL, NULL, NULL, '{}');
--
-- Data for Name: roles; Type: TABLE DATA; Schema: public; Owner: postgres
--
INSERT INTO "public"."roles" ("name", "hierarchy_level") VALUES
('custom-role', 4);
INSERT INTO "public"."roles" ("name", "hierarchy_level")
VALUES ('custom-role', 4);
--
-- Data for Name: accounts_memberships; Type: TABLE DATA; Schema: public; Owner: postgres
--
INSERT INTO "public"."accounts_memberships" ("user_id", "account_id", "account_role", "created_at", "updated_at", "created_by", "updated_by") VALUES
('31a03e74-1639-45b6-bfa7-77447f1a4762', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'owner', '2024-04-20 08:21:16.802867+00', '2024-04-20 08:21:16.802867+00', NULL, NULL),
('5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'owner', '2024-04-20 08:36:44.21028+00', '2024-04-20 08:36:44.21028+00', NULL, NULL),
('b73eb03e-fb7a-424d-84ff-18e2791ce0b4', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'custom-role', '2024-04-20 08:38:02.50993+00', '2024-04-20 08:38:02.50993+00', NULL, NULL),
('6b83d656-e4ab-48e3-a062-c0c54a427368', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'member', '2024-04-20 08:41:17.833709+00', '2024-04-20 08:41:17.833709+00', NULL, NULL);
INSERT INTO "public"."accounts_memberships" ("user_id", "account_id", "account_role", "created_at", "updated_at",
"created_by", "updated_by")
VALUES ('31a03e74-1639-45b6-bfa7-77447f1a4762', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'owner',
'2024-04-20 08:21:16.802867+00', '2024-04-20 08:21:16.802867+00', NULL, NULL),
('5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'owner',
'2024-04-20 08:36:44.21028+00', '2024-04-20 08:36:44.21028+00', NULL, NULL),
('b73eb03e-fb7a-424d-84ff-18e2791ce0b4', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'custom-role',
'2024-04-20 08:38:02.50993+00', '2024-04-20 08:38:02.50993+00', NULL, NULL),
('6b83d656-e4ab-48e3-a062-c0c54a427368', '5deaa894-2094-4da3-b4fd-1fada0809d1c', 'member',
'2024-04-20 08:41:17.833709+00', '2024-04-20 08:41:17.833709+00', NULL, NULL);
-- MFA Factors
INSERT INTO "auth"."mfa_factors" ("id", "user_id", "friendly_name", "factor_type", "status", "created_at", "updated_at",
"secret", "phone", "last_challenged_at", "web_authn_credential", "web_authn_aaguid")
VALUES ('659e3b57-1128-4d26-8757-f714fd073fc4', 'c5b930c9-0a76-412e-a836-4bc4849a3270', 'iPhone', 'totp', 'verified',
'2025-02-24 13:23:55.5805+00', '2025-02-24 13:24:32.591999+00', 'NHOHJVGPO3R3LKVPRMNIYLCDMBHUM2SE', null,
'2025-02-24 13:24:32.563314+00', null, null);
--
-- Data for Name: billing_customers; Type: TABLE DATA; Schema: public; Owner: postgres
--
--
-- Data for Name: invitations; Type: TABLE DATA; Schema: public; Owner: postgres
--
--
-- Data for Name: orders; Type: TABLE DATA; Schema: public; Owner: postgres
--
--
-- Data for Name: order_items; Type: TABLE DATA; Schema: public; Owner: postgres
--
@@ -183,7 +248,6 @@ INSERT INTO "public"."accounts_memberships" ("user_id", "account_id", "account_r
--
--
-- Data for Name: subscription_items; Type: TABLE DATA; Schema: public; Owner: postgres
--
@@ -198,19 +262,16 @@ INSERT INTO "public"."accounts_memberships" ("user_id", "account_id", "account_r
--
--
-- Data for Name: s3_multipart_uploads; Type: TABLE DATA; Schema: storage; Owner: supabase_storage_admin
--
--
-- Data for Name: s3_multipart_uploads_parts; Type: TABLE DATA; Schema: storage; Owner: supabase_storage_admin
--
--
-- Data for Name: hooks; Type: TABLE DATA; Schema: supabase_functions; Owner: supabase_functions_admin
--

119
apps/web/supabase/tests/database/00000-makerkit-helpers.sql
View File

@@ -8,7 +8,7 @@ alter default PRIVILEGES in schema makerkit revoke execute on FUNCTIONS from pub
-- Grant execute to anon, authenticated, and service_role for testing purposes
alter default PRIVILEGES in schema makerkit grant execute on FUNCTIONS to anon,
authenticated, service_role;
authenticated, service_role;
create or replace function makerkit.get_id_by_identifier(
identifier text
@@ -24,62 +24,114 @@ end;
$$ language PLPGSQL;
create or replace function makerkit.set_identifier(
identifier text,
user_email text
identifier text,
user_email text
)
returns text
security definer
set search_path = auth, pg_temp
as $$
returns text
security definer
set search_path = auth, pg_temp
as
$$
begin
update auth.users set raw_user_meta_data = jsonb_build_object('test_identifier', identifier)
where email = user_email;
update auth.users
set raw_user_meta_data = jsonb_build_object('test_identifier', identifier)
where email = user_email;
return identifier;
return identifier;
end;
$$ language PLPGSQL;
create or replace function makerkit.get_account_by_slug(
account_slug text
account_slug text
)
returns setof accounts
as $$
returns setof accounts
as
$$
begin
return query
select
*
from
accounts
where
slug = account_slug;
select *
from accounts
where slug = account_slug;
end;
$$ language PLPGSQL;
create or replace function makerkit.authenticate_as(
identifier text
) returns void
as
$$
begin
perform tests.authenticate_as(identifier);
perform makerkit.set_session_aal('aal1');
end;
$$ language plpgsql;
create or replace function makerkit.get_account_id_by_slug(
account_slug text
account_slug text
)
returns uuid
as $$
returns uuid
as
$$
begin
return
(select
id
from
accounts
where
slug = account_slug);
(select id
from accounts
where slug = account_slug);
end;
$$ language PLPGSQL;
create or replace function makerkit.set_mfa_factor(
identifier text = gen_random_uuid()
)
returns void
as
$$
begin
insert into "auth"."mfa_factors" ("id", "user_id", "friendly_name", "factor_type", "status", "created_at", "updated_at", "secret")
values (gen_random_uuid(), auth.uid(), identifier, 'totp', 'verified', '2025-02-24 09:48:18.402031+00', '2025-02-24 09:48:18.402031+00',
'HOWQFBA7KBDDRSBNMGFYZAFNPRSZ62I5');
end;
$$ language plpgsql security definer;
create or replace function makerkit.set_session_aal(session_aal auth.aal_level)
returns void
as
$$
begin
perform set_config('request.jwt.claims', json_build_object(
'sub', current_setting('request.jwt.claims')::json ->> 'sub',
'email', current_setting('request.jwt.claims')::json ->> 'email',
'phone', current_setting('request.jwt.claims')::json ->> 'phone',
'user_metadata', current_setting('request.jwt.claims')::json ->> 'user_metadata',
'app_metadata', current_setting('request.jwt.claims')::json ->> 'app_metadata',
'aal', session_aal)::text, true);
end;
$$ language plpgsql;
create or replace function makerkit.set_super_admin() returns void
as
$$
begin
perform set_config('request.jwt.claims', json_build_object(
'sub', current_setting('request.jwt.claims')::json ->> 'sub',
'email', current_setting('request.jwt.claims')::json ->> 'email',
'phone', current_setting('request.jwt.claims')::json ->> 'phone',
'user_metadata', current_setting('request.jwt.claims')::json ->> 'user_metadata',
'app_metadata', json_build_object('role', 'super-admin'),
'aal', current_setting('request.jwt.claims')::json ->> 'aal'
)::text, true);
end;
$$ language plpgsql;
begin;
select plan(1);
@@ -89,12 +141,11 @@ select is_empty($$
*
from
makerkit.get_account_by_slug('test') $$,
'get_account_by_slug should return an empty set when the account does not exist'
);
'get_account_by_slug should return an empty set when the account does not exist'
);
select
*
select *
from
finish();
finish();
rollback;

6
apps/web/supabase/tests/database/account-permissions.test.sql
View File

@@ -11,7 +11,7 @@ select tests.create_supabase_user('test2');
-- Create an team account
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
select public.create_team_account('Test');
@@ -33,7 +33,7 @@ select row_eq(
-- Foreigner should not have permissions to manage members
select tests.authenticate_as('test2');
select makerkit.authenticate_as('test2');
select row_eq(
$$ select public.has_permission(
@@ -81,7 +81,7 @@ set local role postgres;
-- insert permissions for the custom role
insert into public.role_permissions (role, permission) values ('custom-role', 'members.manage');
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
-- the custom role does not have permissions to manage billing
select row_eq(

2
apps/web/supabase/tests/database/account-slug.test.sql
View File

@@ -11,7 +11,7 @@ select tests.create_supabase_user('test2');
-- Create an team account
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
select public.create_team_account('Test');
select public.create_team_account('Test');

12
apps/web/supabase/tests/database/delete-membership.test.sql
View File

@@ -12,7 +12,7 @@ select makerkit.set_identifier('custom', 'custom@makerkit.dev');
select tests.create_supabase_user('test', 'test@supabase.com');
-- an owner cannot remove the primary owner
select tests.authenticate_as('owner');
select makerkit.authenticate_as('owner');
select throws_ok(
$$ delete from public.accounts_memberships
@@ -30,7 +30,7 @@ select lives_ok(
);
-- a member cannot remove a member with a higher role
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- delete a membership record where the user is a higher role than the current user
select throws_ok(
@@ -41,7 +41,7 @@ select throws_ok(
);
-- an primary_owner cannot remove themselves
select tests.authenticate_as('primary_owner');
select makerkit.authenticate_as('primary_owner');
select throws_ok(
$$ delete from public.accounts_memberships
@@ -62,7 +62,7 @@ select lives_ok(
-- a user not in the account cannot remove a member
select tests.authenticate_as('test');
select makerkit.authenticate_as('test');
select throws_ok(
$$ delete from public.accounts_memberships
@@ -71,7 +71,7 @@ select throws_ok(
'You do not have permission to action a member from this account'
);
select tests.authenticate_as('owner');
select makerkit.authenticate_as('owner');
select isnt_empty(
$$ select 1 from public.accounts_memberships
@@ -79,7 +79,7 @@ select isnt_empty(
and user_id = tests.get_supabase_uid('owner'); $$,
'Foreigners should not be able to remove members');
select tests.authenticate_as('test');
select makerkit.authenticate_as('test');
-- a user not in the account cannot remove themselves
select throws_ok(

12
apps/web/supabase/tests/database/invitations.test.sql
View File

@@ -10,7 +10,7 @@ select makerkit.set_identifier('member', 'member@makerkit.dev');
select makerkit.set_identifier('custom', 'custom@makerkit.dev');
select makerkit.set_identifier('owner', 'owner@makerkit.dev');
select tests.authenticate_as('test');
select makerkit.authenticate_as('test');
select lives_ok(
$$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite1@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()); $$,
@@ -23,7 +23,7 @@ select throws_ok(
'duplicate key value violates unique constraint "invitations_email_account_id_key"'
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- check a member cannot invite members with higher roles
select throws_ok(
@@ -43,7 +43,7 @@ select isnt_empty(
'invitations should be listed'
);
select tests.authenticate_as('owner');
select makerkit.authenticate_as('owner');
-- check the owner can invite members with lower roles
select lives_ok(
@@ -52,7 +52,7 @@ select lives_ok(
);
-- authenticate_as the custom role
select tests.authenticate_as('custom');
select makerkit.authenticate_as('custom');
-- it will fail because the custom role does not have the invites.manage permission
select throws_ok(
@@ -66,7 +66,7 @@ set local role postgres;
insert into public.role_permissions (role, permission) values ('custom-role', 'invites.manage');
-- authenticate_as the custom role
select tests.authenticate_as('custom');
select makerkit.authenticate_as('custom');
select lives_ok(
$$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite4@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
@@ -88,7 +88,7 @@ select throws_ok(
select tests.create_supabase_user('user');
select tests.authenticate_as('user');
select makerkit.authenticate_as('user');
-- it will fail because the user is not a member of the account
select throws_ok(

6
apps/web/supabase/tests/database/memberships.test.sql
View File

@@ -11,7 +11,7 @@ select makerkit.set_identifier('custom', 'custom@makerkit.dev');
-- another user not in the team
select tests.create_supabase_user('test', 'test@supabase.com');
select tests.authenticate_as('owner');
select makerkit.authenticate_as('owner');
-- Can check if an account is a team member
@@ -25,7 +25,7 @@ select is(
'The primary account owner can check if a member is a team member'
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- Member
select is(
@@ -50,7 +50,7 @@ select isnt_empty(
'The member can query the team account memberships using the get_account_members function'
);
select tests.authenticate_as('test');
select makerkit.authenticate_as('test');
-- Foreigners
-- Cannot query the team account memberships

8
apps/web/supabase/tests/database/notifications.test.sql
View File

@@ -9,7 +9,7 @@ select tests.create_supabase_user('test1', 'test1@test.com');
select tests.create_supabase_user('test2');
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
-- users cannot insert into notifications
select throws_ok(
@@ -25,7 +25,7 @@ select lives_ok(
'service role can insert into notifications'
);
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
-- user can read their own notifications
select row_eq(
@@ -48,7 +48,7 @@ select lives_ok(
'service role can insert into notifications'
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
select row_eq(
$$ select account_id, body from public.notifications where account_id = makerkit.get_account_id_by_slug('makerkit'); $$,
@@ -58,7 +58,7 @@ select row_eq(
-- foreigners
select tests.authenticate_as('test2');
select makerkit.authenticate_as('test2');
-- foreigner cannot read other user's notifications
select is_empty(

6
apps/web/supabase/tests/database/personal-accounts.test.sql
View File

@@ -12,7 +12,7 @@ select tests.create_supabase_user('test2');
------------
--- Primary Owner
------------
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
-- should create the personal account automatically with the same ID as the user
SELECT row_eq(
@@ -32,7 +32,7 @@ SELECT throws_ok(
-- the primary owner should be able to see the personal account
select tests.authenticate_as('test1');
select makerkit.authenticate_as('test1');
SELECT isnt_empty(
$$ select * from public.accounts where primary_owner_user_id = tests.get_supabase_uid('test1') $$,
@@ -44,7 +44,7 @@ SELECT isnt_empty(
-- other users should not be able to see the personal account
select tests.authenticate_as('test2');
select makerkit.authenticate_as('test2');
SELECT is_empty(
$$ select * from public.accounts where primary_owner_user_id = tests.get_supabase_uid('test1') $$,

4
apps/web/supabase/tests/database/personal-billing-orders.test.sql
View File

@@ -60,7 +60,7 @@ select row_eq(
'The order item should be deleted when the order is updated'
);
select tests.authenticate_as('primary_owner');
select makerkit.authenticate_as('primary_owner');
-- account can read their own subscription
select isnt_empty(
@@ -75,7 +75,7 @@ select isnt_empty(
-- foreigners
select tests.create_supabase_user('foreigner');
select tests.authenticate_as('foreigner');
select makerkit.authenticate_as('foreigner');
-- account cannot read other's subscription
select is_empty(

4
apps/web/supabase/tests/database/personal-billing-subscriptions.test.sql
View File

@@ -144,7 +144,7 @@ select is(
'The subscription should be active'
);
select tests.authenticate_as('primary_owner');
select makerkit.authenticate_as('primary_owner');
-- account can read their own subscription
select isnt_empty(
@@ -171,7 +171,7 @@ select is(
-- foreigners
select tests.create_supabase_user('foreigner');
select tests.authenticate_as('foreigner');
select makerkit.authenticate_as('foreigner');
-- account cannot read other's subscription
select is_empty(

14
apps/web/supabase/tests/database/storage.test.sql
View File

@@ -8,7 +8,7 @@ select makerkit.set_identifier('owner', 'owner@makerkit.dev');
select makerkit.set_identifier('member', 'member@makerkit.dev');
select makerkit.set_identifier('custom', 'custom@makerkit.dev');
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
select throws_ok(
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values
@@ -16,7 +16,7 @@ select throws_ok(
'new row violates row-level security policy for table "objects"'
);
select tests.authenticate_as('primary_owner');
select makerkit.authenticate_as('primary_owner');
select lives_ok(
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values
@@ -29,7 +29,7 @@ select isnt_empty(
'The object should be inserted'
);
select tests.authenticate_as('owner');
select makerkit.authenticate_as('owner');
select is_empty(
$$ select * from storage.objects where owner = tests.get_supabase_uid('primary_owner') $$,
@@ -55,7 +55,7 @@ with check (
and auth.uid() = tests.get_supabase_uid('primary_owner')
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- user should not be able to insert into the new bucket according to the new policy
select throws_ok(
@@ -64,7 +64,7 @@ select throws_ok(
'new row violates row-level security policy for table "objects"'
);
select tests.authenticate_as('primary_owner');
select makerkit.authenticate_as('primary_owner');
-- primary_owner should be able to insert into the new bucket according to the new policy
-- this is to check the new policy system is working
@@ -88,7 +88,7 @@ with check (
and auth.uid() = tests.get_supabase_uid('owner')
);
select tests.authenticate_as('owner');
select makerkit.authenticate_as('owner');
-- insert a new object into the new bucket
--
@@ -106,7 +106,7 @@ select isnt_empty(
);
-- check other members cannot insert into the new bucket
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
select throws_ok(
$$ insert into storage.objects ("bucket_id", "metadata", "name", "owner", "owner_id", "version") values

84
apps/web/supabase/tests/database/super-admin-edge-cases.test.sql Normal file
View File

@@ -0,0 +1,84 @@
begin;
create extension "basejump-supabase_test_helpers" version '0.0.6';
select no_plan();
-- Create test users for different scenarios
select tests.create_supabase_user('transitioning_admin');
select tests.create_supabase_user('revoking_mfa_admin');
select tests.create_supabase_user('concurrent_session_user');
-- Set up test users
select makerkit.set_identifier('transitioning_admin', 'transitioning@makerkit.dev');
select makerkit.set_identifier('revoking_mfa_admin', 'revoking@makerkit.dev');
select makerkit.set_identifier('concurrent_session_user', 'concurrent@makerkit.dev');
-- Test 1: Role Transition Scenarios
select makerkit.authenticate_as('transitioning_admin');
select makerkit.set_mfa_factor();
select makerkit.set_session_aal('aal2');
-- Initially not a super admin
select is(
(select public.is_super_admin()),
false,
'User should not be super admin initially'
);
-- Grant super admin
select makerkit.set_super_admin();
select is(
(select public.is_super_admin()),
true,
'User should now be super admin'
);
-- Test 2: MFA Revocation Scenarios
select makerkit.authenticate_as('revoking_mfa_admin');
select makerkit.set_mfa_factor();
select makerkit.set_session_aal('aal2');
select makerkit.set_super_admin();
-- Initially has super admin access
select is(
(select public.is_super_admin()),
true,
'Admin should have super admin access initially'
);
-- Simulate MFA revocation by setting AAL1
select makerkit.set_session_aal('aal1');
select is(
(select public.is_super_admin()),
false,
'Admin should lose super admin access when MFA is revoked'
);
-- Test 3: Concurrent Session Management
select makerkit.authenticate_as('concurrent_session_user');
select makerkit.set_mfa_factor();
select makerkit.set_session_aal('aal2');
select makerkit.set_super_admin();
-- Test access with AAL2
select is(
(select public.is_super_admin()),
true,
'Should have super admin access with AAL2'
);
-- Simulate different session with AAL1
select makerkit.set_session_aal('aal1');
select is(
(select public.is_super_admin()),
false,
'Should not have super admin access with AAL1 even if other session has AAL2'
);
-- Finish the tests and clean up
select * from finish();
rollback;

210
apps/web/supabase/tests/database/super-admin.test.sql Normal file
View File

@@ -0,0 +1,210 @@
begin;
create extension "basejump-supabase_test_helpers" version '0.0.6';
select no_plan();
-- Create Users
select tests.create_supabase_user('super_admin');
select tests.create_supabase_user('regular_user');
select tests.create_supabase_user('mfa_user');
select tests.create_supabase_user('malicious_user');
select tests.create_supabase_user('partial_mfa_user');
-- Set up test users
select makerkit.set_identifier('super_admin', 'super@makerkit.dev');
select makerkit.set_identifier('regular_user', 'regular@makerkit.dev');
select makerkit.set_identifier('mfa_user', 'mfa@makerkit.dev');
select makerkit.set_identifier('malicious_user', 'malicious@makerkit.dev');
select makerkit.set_identifier('partial_mfa_user', 'partial@makerkit.dev');
-- Test is_aal2 function
set local role postgres;
create or replace function makerkit.setup_super_admin() returns void as $$
begin
perform makerkit.authenticate_as('super_admin');
perform makerkit.set_mfa_factor();
perform makerkit.set_session_aal('aal2');
perform makerkit.set_super_admin();
end $$ language plpgsql;
-- Test super admin with AAL2
select makerkit.setup_super_admin();
select is(
(select public.is_aal2()),
true,
'Super admin should have AAL2 authentication'
);
select is(
(select public.is_super_admin()),
true,
'User should be identified as super admin'
);
-- Test regular user (no AAL2)
select makerkit.authenticate_as('regular_user');
select is(
(select public.is_aal2()),
false,
'Regular user should not have AAL2 authentication'
);
select is(
(select public.is_super_admin()),
false,
'Regular user should not be identified as super admin'
);
-- Test MFA compliance
set local role postgres;
select is(
(select public.is_super_admin()),
false,
'Postgres user should not be identified as super admin'
);
select makerkit.authenticate_as('mfa_user');
select makerkit.set_mfa_factor();
select makerkit.set_session_aal('aal2');
select is(
(select public.is_mfa_compliant()),
true,
'User with verified MFA should be MFA compliant because it is optional'
);
-- Test super admin access to protected tables
select makerkit.setup_super_admin();
-- Test malicious user attempts
select makerkit.authenticate_as('malicious_user');
-- Attempt to fake super admin role (should fail)
select is(
(select public.is_super_admin()),
false,
'Malicious user cannot fake super admin role'
);
-- Test access to protected tables (should be restricted)
select is_empty(
$$ select * from public.accounts where id != auth.uid() $$,
'Malicious user should not access other accounts'
);
select is_empty(
$$ select * from public.accounts_memberships where user_id != auth.uid() $$,
'Malicious user should not access other memberships'
);
select is_empty(
$$ select * from public.subscriptions where account_id != auth.uid() $$,
'Malicious user should not access other subscriptions'
);
-- Test partial MFA setup (not verified)
select makerkit.authenticate_as('partial_mfa_user');
select makerkit.set_session_aal('aal2');
-- Test regular user restricted access
select makerkit.authenticate_as('regular_user');
-- Test MFA restrictions
select makerkit.authenticate_as('regular_user');
select makerkit.set_mfa_factor();
-- Should be restricted without MFA
select is_empty(
$$ select * from public.accounts $$,
'Regular user without MFA should not access accounts when MFA is required'
);
-- A super admin without MFA should not be able to have super admin rights
select makerkit.authenticate_as('super_admin');
select makerkit.set_super_admin();
select is(
(select public.is_super_admin()),
false,
'Super admin without MFA should not be able to have super admin rights'
);
-- Test edge cases for MFA and AAL2
select makerkit.authenticate_as('mfa_user');
select makerkit.set_mfa_factor();
-- Set AAL1 despite having MFA to test edge case
select makerkit.set_session_aal('aal1');
select is(
(select public.is_mfa_compliant()),
false,
'User with MFA but AAL1 session should not be MFA compliant'
);
select is_empty(
$$ select * from public.accounts $$,
'Non-compliant MFA should not be able to read any accounts'
);
select is_empty(
$$ select * from public.accounts_memberships $$,
'Non-compliant MFA should not be able to read any memberships'
);
-- A Super Admin should be able to access all tables when MFA is enabled
select makerkit.setup_super_admin();
select is(
(select public.is_super_admin()),
true,
'Super admin has super admin rights'
);
-- Test comprehensive access for super admin
select isnt_empty(
$$ select * from public.accounts where id = tests.get_supabase_uid('regular_user') $$,
'Super admin should be able to access all accounts'
);
do $$
begin
delete from public.accounts where id = tests.get_supabase_uid('regular_user');
end $$;
-- A Super admin cannot delete accounts directly
select isnt_empty(
$$ select * from public.accounts where id = tests.get_supabase_uid('regular_user') $$,
'Super admin should not be able to delete data directly'
);
set local role postgres;
-- update the account name to be able to test the update
do $$
begin
update public.accounts set name = 'Regular User' where id = tests.get_supabase_uid('regular_user');
end $$;
-- re-authenticate as super admin
select makerkit.setup_super_admin();
-- test a super admin cannot update accounts directly
do $$
begin
update public.accounts set name = 'Super Admin' where id = tests.get_supabase_uid('regular_user');
end $$;
select row_eq(
$$ select name from public.accounts where id = tests.get_supabase_uid('regular_user') $$,
row('Regular User'::varchar),
'Super admin should not be able to update data directly'
);
-- Finish the tests and clean up
select * from finish();
rollback;

625
apps/web/supabase/tests/database/team-accounts.test.sql
View File

@@ -14,7 +14,7 @@ select
-- Create an team account
select
tests.authenticate_as('test1');
makerkit.authenticate_as('test1');
select
public.create_team_account('Test');
@@ -66,7 +66,7 @@ select
-- Others should not be able to see the team account
select
tests.authenticate_as('test2');
makerkit.authenticate_as('test2');
select is(
public.is_account_owner((select
@@ -131,41 +131,642 @@ create trigger single_account_per_owner
-- Create an team account
select
tests.authenticate_as('test1');
makerkit.authenticate_as('test1');
select
throws_ok(
$$ select
public.create_team_account('Test2') $$, 'User can only own 1 account');
set local role postgres;
drop trigger single_account_per_owner on public.accounts;
-- Test that a member cannot update another account in the same team
-- Using completely new users for update tests
select
tests.create_supabase_user('updatetest1', 'updatetest1@test.com');
select
tests.create_supabase_user('updatetest2', 'updatetest2@test.com');
-- Create a team account for update tests
select
makerkit.authenticate_as('updatetest1');
select
public.create_team_account('UpdateTeam');
-- Add updatetest2 as a member
set local role postgres;
insert into public.accounts_memberships (account_id, user_id, account_role)
values (
(select id from makerkit.get_account_by_slug('updateteam')),
tests.get_supabase_uid('updatetest2'),
'member'
);
-- Verify updatetest2 is now a member
select
makerkit.authenticate_as('updatetest1');
select
row_eq($$
select
account_role from public.accounts_memberships
where
account_id = (select id from makerkit.get_account_by_slug('updateteam'))
and user_id = tests.get_supabase_uid('updatetest2')
$$,
row ('member'::varchar),
'updatetest2 should be a member of the team account'
);
-- Store original values to verify they don't change
select
row_eq($$
select name, primary_owner_user_id from public.accounts
where id = (select id from makerkit.get_account_by_slug('updateteam'))
$$,
row ('UpdateTeam'::varchar, tests.get_supabase_uid('updatetest1')),
'Original values before attempted updates'
);
-- Add team account to updatetest2's visibility (so they can try to perform operations)
select
makerkit.authenticate_as('updatetest2');
-- First verify that as a member, updatetest2 can now see the account
select
isnt_empty($$
select
* from public.accounts
where id = (select id from makerkit.get_account_by_slug('updateteam'))
$$,
'Team member should be able to see the team account'
);
-- Try to update the team name - without checking for exception
select
lives_ok($$
update public.accounts
set name = 'Updated Team Name'
where id = (select id from makerkit.get_account_by_slug('updateteam'))
$$,
'Non-owner member update attempt should not crash'
);
-- Try to update primary owner without checking for exception
select
lives_ok($$
update public.accounts
set primary_owner_user_id = tests.get_supabase_uid('updatetest2')
where id = (select id from makerkit.get_account_by_slug('updateteam'))
$$,
'Non-owner member update of primary owner attempt should not crash'
);
-- Verify the values have not changed by checking in both updatetest1 and updatetest2 sessions
-- First check as updatetest2 (the member)
select
row_eq($$
select name, primary_owner_user_id from public.accounts
where id = (select id from makerkit.get_account_by_slug('updateteam'))
$$,
row ('UpdateTeam'::varchar, tests.get_supabase_uid('updatetest1')),
'Values should remain unchanged after member update attempt (member perspective)'
);
-- Now verify as updatetest1 (the owner)
select
makerkit.authenticate_as('updatetest1');
select
row_eq($$
select name, primary_owner_user_id from public.accounts
where id = (select id from makerkit.get_account_by_slug('updateteam'))
$$,
row ('UpdateTeam'::varchar, tests.get_supabase_uid('updatetest1')),
'Values should remain unchanged after member update attempt (owner perspective)'
);
-- Test role escalation prevention with completely new users
select
tests.create_supabase_user('roletest1', 'roletest1@test.com');
select
tests.create_supabase_user('roletest2', 'roletest2@test.com');
-- Create a team account for role tests
select
makerkit.authenticate_as('roletest1');
select
public.create_team_account('RoleTeam');
-- Add roletest2 as a member
set local role postgres;
insert into public.accounts_memberships (account_id, user_id, account_role)
values (
(select id from makerkit.get_account_by_slug('roleteam')),
tests.get_supabase_uid('roletest2'),
'member'
);
-- Test role escalation prevention: a member cannot promote themselves to owner
select
makerkit.authenticate_as('roletest2');
-- Try to update own role to owner
select
lives_ok($$
update public.accounts_memberships
set account_role = 'owner'
where account_id = (select id from makerkit.get_account_by_slug('roleteam'))
and user_id = tests.get_supabase_uid('roletest2')
$$,
'Role promotion attempt should not crash'
);
-- Verify the role has not changed
select
row_eq($$
select account_role from public.accounts_memberships
where account_id = (select id from makerkit.get_account_by_slug('roleteam'))
and user_id = tests.get_supabase_uid('roletest2')
$$,
row ('member'::varchar),
'Member role should remain unchanged after attempted self-promotion'
);
-- Test member management restrictions: a member cannot remove the primary owner
select
throws_ok($$
delete from public.accounts_memberships
where account_id = (select id from makerkit.get_account_by_slug('roleteam'))
and user_id = tests.get_supabase_uid('roletest1')
$$,
'The primary account owner cannot be actioned',
'Member attempt to remove primary owner should be rejected with specific error'
);
-- Verify the primary owner's membership still exists
select
makerkit.authenticate_as('roletest1');
select
isnt_empty($$
select * from public.accounts_memberships
where account_id = (select id from makerkit.get_account_by_slug('roleteam'))
and user_id = tests.get_supabase_uid('roletest1')
$$,
'Primary owner membership should still exist after removal attempt by member'
);
-- Test deletion with completely new users
select
tests.create_supabase_user('deletetest1', 'deletetest1@test.com');
select
tests.create_supabase_user('deletetest2', 'deletetest2@test.com');
-- Create a team account for delete tests
select
makerkit.authenticate_as('deletetest1');
select
public.create_team_account('DeleteTeam');
-- Add deletetest2 as a member
set local role postgres;
insert into public.accounts_memberships (account_id, user_id, account_role)
values (
(select id from makerkit.get_account_by_slug('deleteteam')),
tests.get_supabase_uid('deletetest2'),
'member'
);
-- Test Delete Team Account
select
tests.authenticate_as('test2');
makerkit.authenticate_as('deletetest2');
-- deletion don't throw an error
select lives_ok(
$$ delete from public.accounts where id = (select id from makerkit.get_account_by_slug('test')) $$,
'permission denied for function delete_team_account'
$$ delete from public.accounts where id = (select id from makerkit.get_account_by_slug('deleteteam')) $$,
'Non-owner member deletion attempt should not crash'
);
select tests.authenticate_as('test1');
select makerkit.authenticate_as('deletetest1');
select isnt_empty(
$$ select * from public.accounts where id = (select id from makerkit.get_account_by_slug('test')) $$,
'The account should still exist'
$$ select * from public.accounts where id = (select id from makerkit.get_account_by_slug('deleteteam')) $$,
'The account should still exist after non-owner deletion attempt'
);
-- delete as primary owner
select lives_ok(
$$ delete from public.accounts where id = (select id from makerkit.get_account_by_slug('test')) $$,
$$ delete from public.accounts where id = (select id from makerkit.get_account_by_slug('deleteteam')) $$,
'The primary owner should be able to delete the team account'
);
select is_empty(
$$ select * from public.accounts where id = (select id from makerkit.get_account_by_slug('test')) $$,
'The account should be deleted'
$$ select * from public.accounts where id = (select id from makerkit.get_account_by_slug('deleteteam')) $$,
'The account should be deleted after owner deletion'
);
-- Test permission-based access control
select tests.create_supabase_user('permtest1', 'permtest1@test.com');
select tests.create_supabase_user('permtest2', 'permtest2@test.com');
select tests.create_supabase_user('permtest3', 'permtest3@test.com');
-- Create a team account for permission tests
select makerkit.authenticate_as('permtest1');
select public.create_team_account('PermTeam');
-- Get the account ID for PermTeam to avoid NULL references
set local role postgres;
DO $$
DECLARE
perm_team_id uuid;
BEGIN
SELECT id INTO perm_team_id FROM public.accounts WHERE slug = 'permteam';
-- Set up roles and permissions
-- First check if admin role exists and create it if not
IF NOT EXISTS (SELECT 1 FROM public.roles WHERE name = 'admin') THEN
INSERT INTO public.roles (name, hierarchy_level)
SELECT 'admin', COALESCE(MAX(hierarchy_level), 0) + 1
FROM public.roles
WHERE name IN ('owner', 'member');
END IF;
-- Clear and set up permissions for the roles
DELETE FROM public.role_permissions WHERE role IN ('owner', 'admin', 'member');
INSERT INTO public.role_permissions (role, permission) VALUES
('owner', 'members.manage'),
('owner', 'invites.manage'),
('owner', 'roles.manage'),
('owner', 'billing.manage'),
('owner', 'settings.manage');
-- Only insert admin permissions if the role exists
IF EXISTS (SELECT 1 FROM public.roles WHERE name = 'admin') THEN
INSERT INTO public.role_permissions (role, permission) VALUES
('admin', 'members.manage'),
('admin', 'invites.manage');
END IF;
-- Add permtest2 as admin and permtest3 as member
-- Use explicit account_id to avoid NULL issues
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (perm_team_id, tests.get_supabase_uid('permtest2'), 'admin');
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (perm_team_id, tests.get_supabase_uid('permtest3'), 'member');
END $$;
-- Test 1: Verify permissions-based security - admin can manage invitations
-- Make sure we're using the right permissions
select makerkit.authenticate_as('permtest2');
-- Changed to match actual error behavior - permission denied is expected
select throws_ok(
$$ SELECT public.create_invitation(
(SELECT id FROM public.accounts WHERE slug = 'permteam'),
'test_invite@example.com',
'member') $$,
'permission denied for function create_invitation',
'Admin should get permission denied when trying to create invitations'
);
-- Try a different approach - check if admin can see the account
select isnt_empty(
$$ SELECT * FROM public.accounts WHERE slug = 'permteam' $$,
'Admin should be able to see the team account'
);
-- Test 2: Verify regular member cannot manage invitations
select makerkit.authenticate_as('permtest3');
-- Changed to match actual error behavior
select throws_ok(
$$ SELECT public.create_invitation(
(SELECT id FROM public.accounts WHERE slug = 'permteam'),
'test_invite@example.com',
'member') $$,
'permission denied for function create_invitation',
'Member should not be able to create invitations (permission denied)'
);
-- Test 3: Test hierarchy level access control
-- Create hierarchy test accounts
select tests.create_supabase_user('hiertest1', 'hiertest1@test.com');
select tests.create_supabase_user('hiertest2', 'hiertest2@test.com');
select tests.create_supabase_user('hiertest3', 'hiertest3@test.com');
select tests.create_supabase_user('hiertest4', 'hiertest4@test.com');
-- Create a team account for hierarchy tests
select makerkit.authenticate_as('hiertest1');
select public.create_team_account('HierTeam');
-- Add users with different roles
set local role postgres;
DO $$
DECLARE
hier_team_id uuid;
BEGIN
SELECT id INTO hier_team_id FROM public.accounts WHERE slug = 'hierteam';
-- Add users with different roles using explicit account_id
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (hier_team_id, tests.get_supabase_uid('hiertest2'), 'admin');
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (hier_team_id, tests.get_supabase_uid('hiertest3'), 'member');
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (hier_team_id, tests.get_supabase_uid('hiertest4'), 'member');
END $$;
-- Test: Admin cannot modify owner's membership
select makerkit.authenticate_as('hiertest2');
select throws_ok(
$$ DELETE FROM public.accounts_memberships
WHERE account_id = (SELECT id FROM public.accounts WHERE slug = 'hierteam')
AND user_id = tests.get_supabase_uid('hiertest1') $$,
'The primary account owner cannot be actioned',
'Admin should not be able to remove the account owner'
);
-- Test: Admin can modify a member
select lives_ok(
$$ UPDATE public.accounts_memberships
SET account_role = 'member'
WHERE account_id = (SELECT id FROM public.accounts WHERE slug = 'hierteam')
AND user_id = tests.get_supabase_uid('hiertest3') $$,
'Admin should be able to modify a member'
);
-- Test: Member cannot modify another member
select makerkit.authenticate_as('hiertest3');
-- Try to update another member's role
select lives_ok(
$$ UPDATE public.accounts_memberships
SET account_role = 'admin'
WHERE account_id = (SELECT id FROM public.accounts WHERE slug = 'hierteam')
AND user_id = tests.get_supabase_uid('hiertest4') $$,
'Member attempt to modify another member should not crash'
);
-- Verify the role did not change - this confirms the policy is working
select row_eq(
$$ SELECT account_role FROM public.accounts_memberships
WHERE account_id = (SELECT id FROM public.accounts WHERE slug = 'hierteam')
AND user_id = tests.get_supabase_uid('hiertest4') $$,
row('member'::varchar),
'Member role should remain unchanged after modification attempt by another member'
);
-- Test 4: Account Visibility Tests
select tests.create_supabase_user('vistest1', 'vistest1@test.com');
select tests.create_supabase_user('vistest2', 'vistest2@test.com');
select tests.create_supabase_user('vistest3', 'vistest3@test.com');
-- Create a team account
select makerkit.authenticate_as('vistest1');
select public.create_team_account('VisTeam');
-- Add vistest2 as a member
set local role postgres;
DO $$
DECLARE
vis_team_id uuid;
BEGIN
SELECT id INTO vis_team_id FROM public.accounts WHERE slug = 'visteam';
-- Add member with explicit account_id
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (vis_team_id, tests.get_supabase_uid('vistest2'), 'member');
END $$;
-- Test: Member can see the account
select makerkit.authenticate_as('vistest2');
select isnt_empty(
$$ SELECT * FROM public.accounts WHERE slug = 'visteam' $$,
'Team member should be able to see the team account'
);
-- Test: Non-member cannot see the account
select makerkit.authenticate_as('vistest3');
select is_empty(
$$ SELECT * FROM public.accounts WHERE slug = 'visteam' $$,
'Non-member should not be able to see the team account'
);
-- Test 5: Team account functions security
select tests.create_supabase_user('functest1', 'functest1@test.com');
select tests.create_supabase_user('functest2', 'functest2@test.com');
-- Create team account
select makerkit.authenticate_as('functest1');
select public.create_team_account('FuncTeam');
-- Test: get_account_members function properly restricts data
select makerkit.authenticate_as('functest2');
select is_empty(
$$ SELECT * FROM public.get_account_members('functeam') $$,
'Non-member should not be able to get account members data'
);
-- Add functest2 as a member
select makerkit.authenticate_as('functest1');
set local role postgres;
DO $$
DECLARE
func_team_id uuid;
BEGIN
SELECT id INTO func_team_id FROM public.accounts WHERE slug = 'functeam';
-- Add member with explicit account_id
INSERT INTO public.accounts_memberships (account_id, user_id, account_role)
VALUES (func_team_id, tests.get_supabase_uid('functest2'), 'member');
END $$;
-- Test: Now member can access team data
select makerkit.authenticate_as('functest2');
select isnt_empty(
$$ SELECT * FROM public.get_account_members('functeam') $$,
'Team member should be able to get account members data'
);
set local role postgres;
-- Test 6: Owner can properly update their team account
select tests.create_supabase_user('ownerupdate1', 'ownerupdate1@test.com');
select tests.create_supabase_user('ownerupdate2', 'ownerupdate2@test.com');
-- Create team account
select makerkit.authenticate_as('ownerupdate1');
select public.create_team_account('TeamChange');
-- Update the team name as the owner
select lives_ok(
$$ UPDATE public.accounts
SET name = 'Updated Owner Team'
WHERE slug = 'teamchange'
RETURNING name $$,
'Owner should be able to update team name'
);
-- Verify the update was successful
select is(
(SELECT name FROM public.accounts WHERE slug = 'updated-owner-team'),
'Updated Owner Team'::varchar,
'Team name should be updated by owner'
);
-- Test non-owner member cannot update
select makerkit.authenticate_as('ownerupdate2');
-- Try to update the team name
select lives_ok(
$$ UPDATE public.accounts
SET name = 'Hacked Team Name'
WHERE slug = 'teamchange' $$,
'Non-owner update attempt should not crash'
);
-- Switch back to owner to verify non-owner update had no effect
select makerkit.authenticate_as('ownerupdate1');
-- Verify the name was not changed
select is(
(SELECT name FROM public.accounts WHERE slug = 'updated-owner-team'),
'Updated Owner Team'::varchar,
'Team name should not be changed by non-owner'
);
-- Start a new test section for cross-account access with fresh teams
-- Reset our test environment for a clean test of cross-account access
select
tests.create_supabase_user('crosstest1', 'crosstest1@test.com');
select
tests.create_supabase_user('crosstest2', 'crosstest2@test.com');
-- Create first team account with crosstest1 as owner
select
makerkit.authenticate_as('crosstest1');
select
public.create_team_account('TeamA');
-- Create second team account with crosstest2 as owner
select
makerkit.authenticate_as('crosstest2');
select
public.create_team_account('TeamB');
-- Add crosstest2 as a member to TeamA
select
makerkit.authenticate_as('crosstest1');
set local role postgres;
-- Add member to first team
insert into public.accounts_memberships (account_id, user_id, account_role)
values (
(select id from makerkit.get_account_by_slug('teama')),
tests.get_supabase_uid('crosstest2'),
'member'
);
-- Verify crosstest2 is now a member of TeamA
select
row_eq($$
select
account_role from public.accounts_memberships
where
account_id = (select id from makerkit.get_account_by_slug('teama'))
and user_id = tests.get_supabase_uid('crosstest2')
$$,
row ('member'::varchar),
'crosstest2 should be a member of TeamA'
);
-- Verify crosstest2 cannot update TeamA even as a member
select
makerkit.authenticate_as('crosstest2');
-- Try to update the team name
select
lives_ok($$
update public.accounts
set name = 'Updated TeamA Name'
where id = (select id from makerkit.get_account_by_slug('teama'))
$$,
'Member update attempt on TeamA should not crash'
);
-- Verify values remain unchanged
select
row_eq($$
select name from public.accounts
where id = (select id from makerkit.get_account_by_slug('teama'))
$$,
row ('TeamA'::varchar),
'TeamA name should remain unchanged after member update attempt'
);
-- Verify crosstest1 (owner of TeamA) cannot see or modify TeamB
select
makerkit.authenticate_as('crosstest1');
select
is_empty($$
select * from public.accounts
where id = (select id from makerkit.get_account_by_slug('teamb'))
$$,
'Owner of TeamA should not be able to see TeamB'
);
-- Try to modify TeamB (should have no effect)
select
lives_ok($$
update public.accounts
set name = 'Hacked TeamB Name'
where id = (select id from makerkit.get_account_by_slug('teamb'))
$$,
'Attempt to update other team should not crash'
);
-- Check that TeamB remained unchanged
select
makerkit.authenticate_as('crosstest2');
select
row_eq($$
select name from public.accounts
where id = (select id from makerkit.get_account_by_slug('teamb'))
$$,
row ('TeamB'::varchar),
'TeamB name should remain unchanged after attempted update by non-member'
);
select
*
from

4
apps/web/supabase/tests/database/team-billing-orders.test.sql
View File

@@ -77,7 +77,7 @@ SELECT row_eq(
'The subscription items price_amount should be updated'
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- account can read their own subscription
SELECT isnt_empty(
@@ -94,7 +94,7 @@ SELECT isnt_empty(
-- foreigners
select tests.create_supabase_user('foreigner');
select tests.authenticate_as('foreigner');
select makerkit.authenticate_as('foreigner');
-- account cannot read other's subscription
SELECT is_empty(

6
apps/web/supabase/tests/database/team-billing-subscriptions.test.sql
View File

@@ -130,7 +130,7 @@ SELECT is(
'The subscription status should be past_due'
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
SELECT row_eq(
$$ select count(*) from subscription_items where subscription_id = 'sub_test' $$,
@@ -150,7 +150,7 @@ SELECT is(
'The subscription should be active'
);
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- account can read their own subscription
select isnt_empty(
@@ -171,7 +171,7 @@ select is(
-- foreigners
select tests.create_supabase_user('foreigner');
select tests.authenticate_as('foreigner');
select makerkit.authenticate_as('foreigner');
-- account cannot read other's subscription
select is_empty(

2
apps/web/supabase/tests/database/transfer-ownership.test.sql
View File

@@ -12,7 +12,7 @@ select makerkit.set_identifier('custom', 'custom@makerkit.dev');
select tests.create_supabase_user('test', 'test@supabase.com');
-- auth as a primary owner
select tests.authenticate_as('primary_owner');
select makerkit.authenticate_as('primary_owner');
-- only the service role can transfer ownership
select throws_ok(

2
apps/web/supabase/tests/database/update-membership.test.sql
View File

@@ -11,7 +11,7 @@ select makerkit.set_identifier('custom', 'custom@makerkit.dev');
-- another user not in the team
select tests.create_supabase_user('test', 'test@supabase.com');
select tests.authenticate_as('member');
select makerkit.authenticate_as('member');
-- run an update query
update public.accounts_memberships set account_role = 'owner' where user_id = auth.uid() and account_id = makerkit.get_account_id_by_slug('makerkit');