Run unit tests
After making input verification changes to the queries, running the tests will result in failures with the message, "User must sign this operation." This indicates success, as the original test implementation did not account for signing.
To fix this, you need to sign the test transactions using .sign(keypair). For example, in the test_create_entities function, sign the transaction with Alice's keypair:
val alice_kp = rell.test.keypairs.alice; // <--
function test_create_entities() {
rell.test.tx()
.op(create_user("Alice", alice))
.op(create_user("Bob", bob))
.run();
assert_equals(user @ { } (@sum 1), 2);
rell.test.tx()
.op(follow_user(alice, bob))
.op(make_post(alice, "My post"))
.sign(alice_kp) // <--
.run();
assert_true(is_following(alice, bob));
assert_equals(follower @ { } (@sum 1), 1);
assert_equals(post @ { } (@sum 1), 1);
rell.test.tx()
.op(unfollow_user(alice, bob))
.sign(alice_kp) // <--
.run();
assert_false(is_following(alice, bob));
assert_equals(follower @ { } (@sum 1), 0);
}
In the second test case, test_follower_calculation, you also need to sign the transaction:
function test_follower_calculation() {
...
rell.test.tx()
.op(follow_user(alice, bob))
.op(follow_user(alice, charlie))
.sign(alice_kp) // <--
.run();
...
}
For the last test case, Alice must sign the follow_user transaction while Bob signs the make_post transactions. Add a new constant for Bob's keypair and make the following adjustments:
val bob_kp = rell.test.keypairs.bob;
function test_pagination_of_posts() {
rell.test.tx()
.op(create_user("Alice", alice))
.op(create_user("Bob", bob)).run();
rell.test.tx()
.op(follow_user(alice, bob))
.sign(alice_kp) // <--
.run();
for (i in range(5)) {
rell.test.tx().op(make_post(bob, "Content %d".format(i))).sign(bob_kp).run(); // <--
}
...
}
Now, all tests work as expected.
Additional testing
Add a new test case to confirm that impersonation is not possible and that input validation works correctly:
val charlie_kp = rell.test.keypairs.charlie;
function test_input_verification() {
rell.test.tx()
.op(create_user("Alice", alice))
.op(create_user("Bob", bob)).run();
// Bob cannot impersonate Alice
rell.test.tx()
.op(follow_user(alice, bob))
.sign(bob_kp)
.run_must_fail();
rell.test.tx()
.op(make_post(alice, "My malicious post"))
.sign(bob_kp)
.run_must_fail();
// Alice cannot follow non-existing Charlie
val f1 = rell.test.tx()
.op(follow_user(alice, charlie))
.sign(alice_kp)
.run_must_fail();
assert_true(f1.message.contains("does not exist"));
// Charlie cannot create a post since he does not exist
val f2 = rell.test.tx()
.op(make_post(charlie, "My secret post"))
.sign(charlie_kp)
.run_must_fail();
assert_true(f2.message.contains("does not exist"));
}
Manual testing
To conduct manual testing, just like in the previous module, store the generated keypairs instead of just the public keys. You can do this by running:
chr keygen --file <target>
The Chromia CLI looks for .chromia/config, but you can override this using the --secret flag of chr tx. Save the keypairs for Alice and Bob as follows:
chr keygen --file .chromia/config-alice
chr keygen --file .chromia/config-bob
You can now use these keypairs for making transactions and ensure you sign with the correct key.
chr node start
chr tx --await create_user Alice 'x"<alice-pubkey>"'
chr tx --await create_user Bob 'x"<bob-pubkey>"'
chr tx --await --secret .chromia/config-bob follow_user 'x"<alice-pubkey>"' 'x"<bob-pubkey>"' # Fails
chr tx --await --secret .chromia/config-alice follow_user 'x"<alice-pubkey>"' 'x"<bob-pubkey>"' # Succeeds
Congratulations! You have learned how to perform basic input validation on queries and operations. In the next module, you will explore how to manage accounts more securely and structurally using the ft-library.