test that non-users aren't able to do things at all

proofcarryingdata · Sep 25, 2024 · 482962d · 482962d
1 parent 41ed37f
commit 482962d
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/apps/passport-server/src/database/queries/pipelineUserDB.ts b/apps/passport-server/src/database/queries/pipelineUserDB.ts
@@ -1,4 +1,5 @@
 import { normalizeEmail } from "@pcd/util";
+import { validate } from "email-validator";
 import { Pool, PoolClient } from "postgres-pool";
 import { v4 as uuid } from "uuid";
 import { traceUser } from "../../services/generic-issuance/honeycombQueries";
@@ -56,6 +57,10 @@ export class PipelineUserDB implements IPipelineUserDB {
         this.db,
         "createOrGetUser",
         async (client): Promise<PipelineUser> => {
+          if (!validate(email)) {
+            throw new Error(`Invalid email: ${email}`);
+          }
+
           span?.setAttribute("email", email);
           const existingUser = await this.getUserByEmail(email, client);
           if (existingUser) {

diff --git a/apps/passport-server/test/generic-issuance/api.spec.ts b/apps/passport-server/test/generic-issuance/api.spec.ts
@@ -977,4 +977,49 @@ t2,i1`,
 
     expectFalse(getRes.success);
   });
+
+  step("non-users cannot perform any pipeline operations", async () => {
+    const nonUserToken = randomUUID();
+
+    const newPipelineDef: CSVPipelineDefinition = {
+      ...adminCsvPipelineDef,
+      id: randomUUID(),
+      timeCreated: new Date().toISOString(),
+      timeUpdated: new Date().toISOString()
+    };
+
+    // Attempt to create a pipeline
+    const createRes = await requestGenericIssuanceUpsertPipeline(
+      giBackend.expressContext.localEndpoint,
+      {
+        jwt: nonUserToken,
+        pipeline: newPipelineDef
+      }
+    );
+    expectFalse(createRes.success);
+
+    // Attempt to get a pipeline
+    const getRes = await requestGenericIssuanceGetPipeline(
+      giBackend.expressContext.localEndpoint,
+      adminCsvPipelineDef.id,
+      nonUserToken
+    );
+    expectFalse(getRes.success);
+
+    // Attempt to delete a pipeline
+    const deleteRes = await requestGenericIssuanceDeletePipeline(
+      giBackend.expressContext.localEndpoint,
+      adminCsvPipelineDef.id,
+      nonUserToken
+    );
+    expectFalse(deleteRes.success);
+
+    // Attempt to get pipeline info
+    const infoRes = await requestPipelineInfo(
+      nonUserToken,
+      giBackend.expressContext.localEndpoint,
+      adminCsvPipelineDef.id
+    );
+    expectFalse(infoRes.success);
+  });
 });