Skip to content
AI-assisted, verified against source

TEST @claim

Test files only

This directive applies only inside HTTP blocks of test files run by the SQL test runner (npgsqlrest --test).

Add a claim to the acting principal of an in-process endpoint call. Placed inside an HTTP block, after the request line and before the body:

sql
sql
/*
GET /api/get-users
# @claim user_id=42
# @claim roles=admin
# @claim roles=auditor
*/
select status = 200, 'authorized call succeeds' from _response;

Semantics

  • Repeatable — including the same claim type twice (two roles claims above), exactly like a real multi-valued principal.
  • Any # @claim makes the request authenticated; a block with no # @claim is anonymous — an @authorize endpoint returns 401.
  • Role checks (@authorize roles ...) and claim-to-parameter bindings (@user_parameters, ParameterNameClaimsMapping) run exactly as in production — the directive injects the principal, everything downstream is the real authorization path.
  • // @claim is accepted as an alternative to # @claim.

Why not call the login endpoint?

@login/@logout endpoints are rejected in test mode (they manipulate real authentication schemes that don't exist in-process). Inject the principal directly instead — it is both faster and lets a test act as any user:

sql
sql
/*
POST /api/admin/delete-user
Content-Type: application/json
# @claim user_id=1
# @claim roles=admin

{"id": 42}
*/
select status = 200, 'admin can delete' from _response;

/*
POST /api/admin/delete-user
Content-Type: application/json
# @claim user_id=2
# @claim roles=viewer

{"id": 42}
*/
-- second block → second response table (_response_1, _response_2)
select status = 403, 'viewer cannot delete' from _response_2;

Comments