fix: address security issue with longest streak pg function (#129)

domhhv · web-flow · commit 3c7b1e7528f7 · 2024-11-16T14:51:25.000+01:00
diff --git a/supabase/migrations/20241106143657_get_longest_streak_security_fix.sql b/supabase/migrations/20241106143657_get_longest_streak_security_fix.sql
@@ -0,0 +1,35 @@
+set check_function_bodies = off;
+
+CREATE OR REPLACE FUNCTION public.get_longest_streak(habit_identifier integer)
+ RETURNS TABLE(habit_id integer, streak_start date, streak_end date, streak_length integer)
+ LANGUAGE plpgsql
+ SET search_path TO ''
+AS $function$ 
+BEGIN   
+    RETURN QUERY   
+    WITH consecutive_days AS (     
+        SELECT        
+            o.habit_id,       
+            o.day,       
+            o.day - INTERVAL '1 day' * ROW_NUMBER() OVER (PARTITION BY o.habit_id ORDER BY o.day) AS streak_id     
+        FROM public.occurrences o     
+        WHERE o.habit_id = habit_identifier   
+    ),   
+    streaks AS (     
+        SELECT       
+            o.habit_id::INT,       
+            MIN(o.day) AS streak_start,       
+            MAX(o.day) AS streak_end,       
+            COUNT(*)::INT AS streak_length     
+        FROM consecutive_days o     
+        GROUP BY o.habit_id, o.streak_id   
+    )   
+    SELECT o.habit_id, o.streak_start, o.streak_end, o.streak_length   
+    FROM streaks o   
+    ORDER BY o.streak_length DESC   
+    LIMIT 1; 
+END; 
+$function$
+;
+
+
