
Commit f62a0ec

committed
one basic RLS test in each seed
1 parent 48f998b commit f62a0ec


2 files changed

+70
-0
lines changed


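--- a/packages/hello-world/__tests__/seeding/seeding.csv.test.ts
+++ b/packages/hello-world/__tests__/seeding/seeding.csv.test.ts
@@ -29,6 +29,14 @@ afterAll(async () => {
 await teardown();
 });
 
+beforeEach(async () => {
+await db.beforeEach();
+});
+
+afterEach(async () => {
+await db.afterEach();
+});
+
 describe('csv seeding', () => {
 it('has loaded rows from csv files', async () => {
 const usersRes = await pg.query('SELECT COUNT(*) FROM auth.users');
@@ -50,5 +58,37 @@ describe('csv seeding', () => {
 );
 expect(+alicePets.rows[0].count).toBe(1);
 });
+
+it('should enforce RLS - users can only see their own pets', async () => {
+// set context to first user
+db.setContext({
+role: 'authenticated',
+'request.jwt.claim.sub': users[0].id
+});
+
+// user1 should only see their own pet (Fido)
+const user1Pets = await db.many(
+`SELECT id, name, breed, user_id FROM rls_test.pets ORDER BY name`
+);
+
+expect(user1Pets.length).toBe(1);
+expect(user1Pets[0].user_id).toBe(users[0].id);
+expect(user1Pets[0].name).toBe('Fido');
+
+// set context to second user
+db.setContext({
+role: 'authenticated',
+'request.jwt.claim.sub': users[1].id
+});
+
+// user2 should only see their own pet (Buddy)
+const user2Pets = await db.many(
+`SELECT id, name, breed, user_id FROM rls_test.pets ORDER BY name`
+);
+
+expect(user2Pets.length).toBe(1);
+expect(user2Pets[0].user_id).toBe(users[1].id);
+expect(user2Pets[0].name).toBe('Buddy');
+});
 });
 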
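Review bot: The new RLS test (new lines 62-92) asserts only SELECT visibility, so a policy on `rls_test.pets` that filters reads correctly but has no `WITH CHECK` clause, or no policy covering UPDATE and DELETE, would still pass. A companion case such as `it('should enforce RLS - users cannot modify other users\' pets', ...)` would close that gap: under the `users[0]` context, attempt to change or delete the row owned by `users[1]`, then switch context and assert that Buddy is unchanged. The same applies to the identical test added in seeding.sql.test.ts. The `it` block is complete within the hunk, but the enclosing `describe` begins outside it.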

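--- a/packages/hello-world/__tests__/seeding/seeding.sql.test.ts
+++ b/packages/hello-world/__tests__/seeding/seeding.sql.test.ts
@@ -55,6 +55,36 @@ describe('tutorial: testing with sql file seeding', () => {
 expect(anonPets.length).toBe(0);
 
 });
+it('should enforce RLS - users can only see their own pets', async () => {
+// set context to first user
+db.setContext({
+role: 'authenticated',
+'request.jwt.claim.sub': users[0].id
+});
+
+// user1 should only see their own pet (Fido)
+const user1Pets = await db.many(
+`SELECT id, name, breed, user_id FROM rls_test.pets ORDER BY name`
+);
+
+expect(user1Pets.length).toBe(1);
+expect(user1Pets[0].user_id).toBe(users[0].id);
+expect(user1Pets[0].name).toBe('Fido');
 
+// set context to second user
+db.setContext({
+role: 'authenticated',
+'request.jwt.claim.sub': users[1].id
+});
+
+// user2 should only see their own pet (Buddy)
+const user2Pets = await db.many(
+`SELECT id, name, breed, user_id FROM rls_test.pets ORDER BY name`
+);
+
+expect(user2Pets.length).toBe(1);
+expect(user2Pets[0].user_id).toBe(users[1].id);
+expect(user2Pets[0].name).toBe('Buddy');
+});
 });
 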
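Review bot: The test added at new lines 58-88 ends with the session context still set to `users[1]`, and this section shows no `beforeEach`/`afterEach` hooks like the `db.beforeEach()`/`db.afterEach()` pair this commit adds to seeding.csv.test.ts. If this file has no such hooks above the hunk, or if they do not clear what `db.setContext` stored, any test added after this one would run as user 2 and its RLS assertions could pass or fail for the wrong reason. Please confirm the hooks exist here, and add a short comment above the test, for example `// context is reset per test by db.beforeEach()/db.afterEach()`, so the isolation assumption is visible. As a style point, the `SELECT id, name, breed, user_id FROM rls_test.pets ORDER BY name` literal is repeated twice here and twice in the csv test; hoisting it into one constant per file keeps the two identity checks querying the same thing.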
