diff --git a/db/auth_copy_2.sqlite-shm b/db/auth_copy_2.sqlite-shm
index e184ba9..8257510 100644
Binary files a/db/auth_copy_2.sqlite-shm and b/db/auth_copy_2.sqlite-shm differ
diff --git a/db/auth_copy_2.sqlite-wal b/db/auth_copy_2.sqlite-wal
index ba59f84..cfe147f 100644
Binary files a/db/auth_copy_2.sqlite-wal and b/db/auth_copy_2.sqlite-wal differ
diff --git a/src/utils/auth.rs b/src/utils/auth.rs
index f7c637c..ad53421 100644
--- a/src/utils/auth.rs
+++ b/src/utils/auth.rs
@@ -156,6 +156,9 @@ where S: Send + Sync, } } + +//TODO: Validate all hotel_ids first + Use a transaction + Batch query hotel names with IN (...) + pub async fn register_user ( State(state): State, RegisterPayload(payload): RegisterPayload
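Review bot: The `db/auth_copy_2.sqlite-shm` and `db/auth_copy_2.sqlite-wal` entries at the top of this diff are SQLite's shared-memory and write-ahead-log sidecar files, and they are tracked in the repository and change with this commit. A WAL file holds recently written database pages, so if this database is what its name suggests, rows from the users or refresh_token tables (password and token hashes) may be readable by anyone with access to the history. I would untrack both with `git rm --cached` and ignore `*.sqlite-shm` and `*.sqlite-wal`; whether the main `.sqlite` file is tracked as well is not visible here.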
@@ -168,29 +171,33 @@ pub async fn register_user ( .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error"))?; conn.execute( - "INSERT INTO users (username, password, displayname) VALUES (?1, ?2, ?3)", + "INSERT INTO users (username, password, displayname) + VALUES (?1, ?2, ?3)", params![payload.username, hashed_password, payload.displayname], ) .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?; let user_id = conn.last_insert_rowid(); - for hotel_id in payload.hotel_ids { + + for &hotel_id in &payload.hotel_ids { // more logic for security here //FIXME: needs to be the display name in the DB, scheme is currently wrong - let hotel_name = conn.execute( - "SELECT hotel_name - FROM hotels - WHERE id = ?1 ", - params![hotel_id], - ).map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?; + let hotel_name: String = conn + .query_row( + "SELECT hotel_name FROM hotels + WHERE id = ?1 ", + params![hotel_id], + |row| row.get(0), + ).map_err(|_| (StatusCode::BAD_REQUEST, "Invalid hotel ids"))?; conn.execute( - "INSERT INTO hotel_user_link (user_id, hotel_id, username, hotel_name) VALUES (?1, ?2, ?3, ?4)", + "INSERT INTO hotel_user_link (user_id, hotel_id, username, hotel_name) + VALUES (?1, ?2, ?3, ?4)", params![user_id, hotel_id, payload.username, hotel_name], ) - .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?; + .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "Link insert error"))?; }
@@ -455,6 +462,11 @@ pub async fn create_refresh_token( let device_id_str = payload.device_id.to_string(); + let conn = state.logs_pool.get() + .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error".to_string()))?; + + + let argon2 = Argon2::default(); let salt = SaltString::generate(&mut OsRng); let mut bytes = [0u8; 64];
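Review bot: The user row is written before any hotel id is checked, so when `query_row` fails for one id in the loop the handler returns 400 while the account, its password hash and any links already inserted stay in the database. The TODO added above `register_user` names the fix but the new code does not apply it; running the whole sequence in one rusqlite transaction makes a rejected registration leave nothing behind. The new `map_err` also reports every lookup failure as "Invalid hotel ids", although only `rusqlite::Error::QueryReturnedNoRows` is a client error. The ids come straight from the request payload and the only gate visible here is that the hotel exists (the `// more logic for security here` comment is still unaddressed), so a check on which hotels a caller may link belongs before the insert unless the `RegisterPayload` extractor already enforces it. The function starts and ends outside the hunk, and `conn` would need a `mut` binding there.

```rust
// … unchanged: pool checkout into `conn` (binding becomes `mut`, outside the hunk) …
let tx = conn
    .transaction()
    .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB transaction error"))?;

// … unchanged: INSERT INTO users, issued as tx.execute(...) …
let user_id = tx.last_insert_rowid();

for &hotel_id in &payload.hotel_ids {
    let hotel_name: String = tx
        .query_row(
            "SELECT hotel_name FROM hotels WHERE id = ?1",
            params![hotel_id],
            |row| row.get(0),
        )
        .map_err(|e| match e {
            // An unknown id is the caller's mistake; anything else is a server fault.
            rusqlite::Error::QueryReturnedNoRows => (StatusCode::BAD_REQUEST, "Invalid hotel ids"),
            _ => (StatusCode::INTERNAL_SERVER_ERROR, "DB query error"),
        })?;
    // … unchanged: INSERT INTO hotel_user_link, issued as tx.execute(...) …
}

// Nothing is persisted unless every hotel id resolved and every link was inserted.
tx.commit()
    .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB commit error"))?;
```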
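Review bot: Moving `state.logs_pool.get()` above the Argon2 setup in `create_refresh_token` means each call now holds a pooled connection for the whole token-hash computation, which is deliberately slow. Under concurrent logins that leaves fewer connections for every other handler sharing the pool. Nothing in the lines shown between the new position and the old one (removed in the `@@ -466` hunk) uses `conn`, so the checkout could stay after the hashing or move to just before the first query. The function body continues outside the hunk.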
@@ -466,11 +478,6 @@ pub async fn create_refresh_token( .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))? .to_string(); - let conn = state.logs_pool.get() - .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error".to_string()))?; - - - // let mut stmt = conn.prepare( // "SELECT id, password FROM users WHERE username = ?1"
@@ -527,6 +534,16 @@ pub async fn create_refresh_token( /*.map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "Error mapping hotel_ids".to_string())); */ + let mut exist_stmt = conn.prepare("SELECT id FROM refresh_token WHERE device_id = ?1 AND user_agent = ?2" + ) .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?; + + let existing_token_id: i32 = match exist_stmt.query_one(params![device_id_str,user_agent_str], |row| row.get (0)) { + Ok(id) => id, + Err(_) => return Err((StatusCode::INTERNAL_SERVER_ERROR, "error fetching credentials".to_string())), + }; + + + conn.execute( "INSERT INTO refresh_token (user_id, token_hash, device_id, user_agent, hotel_id_list) VALUES (?1, ?2, ?3, ?4, ?5)",
@@ -668,6 +685,7 @@ pub async fn login_refresh_token ( }; + //FIXME: still problems when corrupted token exist if hotel_ids.is_empty() { return (StatusCode::UNAUTHORIZED, "No matching device").into_response(); }
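Review bot: In the `@@ -527` hunk, `query_one` returns an error when no row matches, so the first token request from a device with no `refresh_token` row ends in the 500 branch and never reaches the INSERT below, unless code outside the hunk guarantees a row exists. The lookup is keyed only on `device_id` and `user_agent`, both of which appear to come from the request, so it can match another user's row; it should be scoped by the user id as well. `existing_token_id` is not used in the lines shown, so I cannot tell whether it is meant to drive an update or a delete. The `prepare` error path returns `e.to_string()` to the client, which exposes SQL error text; a fixed message as in the `Err(_)` arm is safer. The sketch below needs `rusqlite::OptionalExtension` in scope for `.optional()`.

```rust
let mut exist_stmt = conn
    .prepare(
        "SELECT id FROM refresh_token WHERE user_id = ?1 AND device_id = ?2 AND user_agent = ?3",
    )
    .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "error fetching credentials".to_string()))?;

// None when this device has no token yet; only real query failures become a 500.
let existing_token_id: Option<i64> = exist_stmt
    .query_one(
        // `user_id` is a placeholder: bind the same value the INSERT below passes as ?1
        // (its variable name is not visible in this hunk).
        params![user_id, device_id_str, user_agent_str],
        |row| row.get(0),
    )
    .optional()
    .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "error fetching credentials".to_string()))?;
// … unchanged: INSERT INTO refresh_token …
```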