(t *testing.T)
| 24 | } |
| 25 | |
| 26 | func TestSourceModeHTTPJWTIdentityAndSystemRoots(t *testing.T) { |
| 27 | handler := newSourceModeJWTHTTPTestHandler(t) |
| 28 | memberToken := signSourceModeJWT(t, jwt.MapClaims{ |
| 29 | "sub": "user_member", |
| 30 | "roles": []string{"member"}, |
| 31 | "account_id": "acct_1", |
| 32 | }) |
| 33 | adminToken := signSourceModeJWT(t, jwt.MapClaims{ |
| 34 | "sub": "admin_user", |
| 35 | "roles": []string{"admin"}, |
| 36 | "account_id": "acct_admin", |
| 37 | }) |
| 38 | |
| 39 | usersResp := postGraphQLJWT(t, handler, memberToken, `query { |
| 40 | users(order_by: { id: asc }) { id name account_id } |
| 41 | }`, map[string]any{"account_id": "acct_2"}) |
| 42 | assertNoGraphQLErrors(t, usersResp) |
| 43 | |
| 44 | var usersOut struct { |
| 45 | Users []struct { |
| 46 | ID int `json:"id"` |
| 47 | Name string `json:"name"` |
| 48 | AccountID string `json:"account_id"` |
| 49 | } `json:"users"` |
| 50 | } |
| 51 | if err := json.Unmarshal(usersResp.Data, &usersOut); err != nil { |
| 52 | t.Fatalf("decode users response: %v\n%s", err, string(usersResp.Data)) |
| 53 | } |
| 54 | if len(usersOut.Users) != 2 || usersOut.Users[0].ID != 1 || usersOut.Users[1].ID != 3 { |
| 55 | t.Fatalf("expected account-scoped rows for acct_1, got %s", string(usersResp.Data)) |
| 56 | } |
| 57 | for _, user := range usersOut.Users { |
| 58 | if user.AccountID != "acct_1" { |
| 59 | t.Fatalf("client-supplied account_id should not override JWT claim, got %+v", usersOut.Users) |
| 60 | } |
| 61 | } |
| 62 | |
| 63 | catalogResp := postGraphQLJWT(t, handler, memberToken, `query { |
| 64 | gj_catalog(limit: 1) { id } |
| 65 | }`, nil) |
| 66 | assertNoGraphQLErrors(t, catalogResp) |
| 67 | var catalogOut struct { |
| 68 | Catalog []struct { |
| 69 | ID string `json:"id"` |
| 70 | } `json:"gj_catalog"` |
| 71 | } |
| 72 | if err := json.Unmarshal(catalogResp.Data, &catalogOut); err != nil { |
| 73 | t.Fatalf("decode catalog response: %v\n%s", err, string(catalogResp.Data)) |
| 74 | } |
| 75 | if len(catalogOut.Catalog) == 0 { |
| 76 | t.Fatalf("expected authenticated user to read gj_catalog, got %s", string(catalogResp.Data)) |
| 77 | } |
| 78 | |
| 79 | securityDenied := postGraphQLJWT(t, handler, memberToken, `query { |
| 80 | gj_security(id: "summary") { id } |
| 81 | }`, nil) |
| 82 | var deniedOut struct { |
| 83 | Security *struct { |