neondatabase · mrl5 · Oct 11, 2024 · Oct 8, 2024 · Oct 8, 2024 · Oct 9, 2024
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@
 /target
 *.iml
 **/*.rs.bk
+*.swp
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -15,8 +15,15 @@ Let's initialize pgrx.
 cargo pgrx init
 ```
 
-It's time to run `pg_session_jwt` locally with
+## How to run the extension locally
+
+It's time to run `pg_session_jwt` locally. Please note that `neon.auth.jwk`
+parameter MUST be set when new connection is created (for more details please
+refer to the README file).
 ```console
+MY_JWK=...
+export PGOPTIONS="-c neon.auth.jwk=$MY_JWK"
+
 cargo pgrx run pg16
 ```
 
@@ -35,3 +42,16 @@ If you introduce new function make sure to reload the extension with
 DROP EXTENSION pg_session_jwt;
 CREATE EXTENSION pg_session_jwt;
 ```
+
+## Before sending a PR
+
+You can lint your code with
+```console
+rustfmt src/*.rs tests/*.rs
+cargo clippy --fix --allow-staged
+```
+
+You can run test-suite
+```console
+cargo test
+```
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,9 @@
+[workspace]
+members = ["pgrx-tests"]
+
 [package]
 name = "pg_session_jwt"
-version = "0.0.1"
+version = "0.1.0"
 edition = "2021"
 
 [lib]
@@ -11,7 +14,7 @@ default = ["pg16"]
 pg14 = ["pgrx/pg14", "pgrx-tests/pg14" ]
 pg15 = ["pgrx/pg15", "pgrx-tests/pg15" ]
 pg16 = ["pgrx/pg16", "pgrx-tests/pg16" ]
-pg_test = ["dep:rand", "base64ct/alloc"]
+pg_test = []
 
 [dependencies]
 base64ct = { version = "1.6.0", features = ["std"] }
@@ -22,10 +25,11 @@ pgrx = "=0.11.3"
 serde = { version = "1.0.203", features = ["derive"], default-features = false }
 serde_json = { version = "1.0.117", default-features = false }
 
-rand = { version = "0.8", optional = true }
-
 [dev-dependencies]
-pgrx-tests = "=0.11.3"
+eyre = "0.6.12"
+libtest-mimic = "0.8.1"
+pgrx-tests = { path = "./pgrx-tests" }
+postgres = "0.19.9"
 rand = "0.8"
 
 [profile.dev]
@@ -36,3 +40,8 @@ panic = "unwind"
 opt-level = 3
 lto = "fat"
 codegen-units = 1
+
+[[test]]
+name = "tests"
+harness = false
+path = "tests/pg_session_jwt.rs"
diff --git a/README.md b/README.md
@@ -1,7 +1,9 @@
 pg\_session\_jwt
 ================
 
-`pg_session_jwt` is a PostgreSQL extension designed to handle authenticated sessions through a JWT. This JWT is then verified against a JWK (JSON Web Key) to ensure its authenticity. Both the JWK and the JWT must be provided to the extension by a Postgres superuser. The extension then stores the JWT in the database for later retrieval, and exposes functions to retrieve the user ID (the `sub` subject field) and other parts of the payload.
+`pg_session_jwt` is a PostgreSQL extension designed to handle authenticated sessions through a JWT. This JWT is then verified against a JWK (JSON Web Key) to ensure its authenticity.
+
+**JWK can only be set at postmaster startup, from the configuration file, or by client request in the connection startup packet** (e.g., from libpq's PGOPTIONS variable), whereas the JWT can be set anytime at runtime. The extension then stores the JWT in the database for later retrieval, and exposes functions to retrieve the user ID (the `sub` subject field) and other parts of the payload.
 
 The goal of this extension is to provide a secure and efficient way to manage authenticated sessions in a PostgreSQL database. The JWTs can be generated by third-party auth providers, and then developers can leverage the JWT for [Row Level Security](https://www.postgresql.org/docs/current/ddl-rowsecurity.html) (RLS) policies, or to retrieve the user ID for other purposes (column defaults, filters, etc.).
 
@@ -20,15 +22,23 @@ Features
 Usage
 -----
 
+Before calling functions make sure that `neon.auth.jwk` parameter is properly initialized. [libpq connect options](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNECT-OPTIONS) can be used for that.
+
+For example:
+```console
+MY_JWK=...
+export PGOPTIONS="-c neon.auth.jwk=$MY_JWK"
+```
+
 `pg_session_jwt` exposes four main functions:
 
-### 1\. auth.init(kid bigint, jwk jsonb) → void
+### 1\. auth.init() → void
 
-Initializes a session with a given key identifier (KID) and JWK data in JSONB format.
+Initializes a session using JWK stored in `neon.auth.jwk` [run-time parameter](https://www.postgresql.org/docs/current/sql-show.html). Please remember that this parameter is fixed for a given connection once it's started (but it can vary across different connections)
 
 ### 2\. auth.jwt\_session\_init(jwt text) → void
 
-Initializes the JWT session with the provided `jwt` as a string.
+Initializes the JWT session with the provided `jwt` as a string. JWT must be signed by the JWK that was initialized with `auth.init()`
 
 ### 3\. auth.session(s text) → jsonb
 

diff --git a/pg_session_jwt.control b/pg_session_jwt.control
@@ -2,4 +2,4 @@ comment = 'pg_session_jwt: manage authentication sessions using JWTs'
 default_version = '@CARGO_VERSION@'
 module_pathname = '$libdir/pg_session_jwt'
 relocatable = false
-superuser = true
+superuser = false
diff --git a/pgrx-tests/.gitignore b/pgrx-tests/.gitignore
@@ -0,0 +1,7 @@
+.DS_Store
+.idea/
+target/
+*.iml
+**/*.rs.bk
+Cargo.lock
+sql/pgrx_tests-1.0.sql
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,3 +3,4 @@ @@
     /target
     *.iml
     **/*.rs.bk
+    *.swp