From f7d99f0fb95f405e4db1065a95aff7d40a61672f Mon Sep 17 00:00:00 2001
From: Romain Mallard <romaimallard@gmail.com>
Date: Sat, 10 Jan 2026 11:57:39 +0100
Subject: [PATCH] scuffed createRefreshToken fix

---
 db/auth_copy_2.sqlite-shm | Bin 32768 -> 32768 bytes
 db/auth_copy_2.sqlite-wal | Bin 107152 -> 152472 bytes
 src/utils/auth.rs         |  48 ++++++++++++++++++++++++++------------
 3 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/db/auth_copy_2.sqlite-shm b/db/auth_copy_2.sqlite-shm
index e184ba970a793bd41d03cb3ab33a5c703a8706f4..825751094d52dc986bca043aa8d24e37f413f95c 100644
GIT binary patch
delta 241
zcmZo@U}|V!s+V}A%K!q*K+MR%AfO7Qg@E|NvC|*RRG7Y9JsN5>`H1O$%LevIyY`&x
zAyqxlC@=t-`yUBFg_#(nCN}0zd>|kRw48w*h&h0m3y8Uam=}ooHhz5S$SA+@<6ox5
ze_Z()6*hkS%*3b&;%|Nz^^b{B3B;WIDuItxnn9L9dE>{|Oq*XM^Dwi@Fvu~efVhmR
J8$U{m0RZXqPGkT8

delta 188
zcmZo@U}|V!s+V}A%K!qLK+MR%ARq;#g@8DMZRdsW6K8L@dNkB%@)6Vh4|A%ys=`jr
zBUL@nC@=t-`yUBFg_#%_CN}18R$;v5xY>Zwh<WiJSN_dPjGtIHzl-|E1QhzmH2GBm
SA5iE6)8-e+Jj_5Ak0bzPia)ae

diff --git a/db/auth_copy_2.sqlite-wal b/db/auth_copy_2.sqlite-wal
index ba59f848d606c1e6753e866a734a3b8884f62a3e..cfe147f143908c0c9bd67d26c0d6423d3be70259 100644
GIT binary patch
delta 3414
zcmb_fZERCj7`~?;w;#9d8B@4yWASbS+MCXOYRnYe%DkAt=)PJ5f4Hsm&eoNd?RFn3
za%r83{*W*m!4M>lXf%=_WSYf9B0n}vR1i%_Of*6H<u4W^G5A5^Ip?<Bz3pIQ+UDHT
zd(Qj5=Xsy=p7*>xI#0j-f$i`o;OOaN+dvt2<E?jVhU3CNPOFEaEo&*b*R{d9&N0l0
zmbLgh+k~X7Cf5byW5)px_}O=!2T|HYQPlLzw9*4=H(WcmaP67#1v~tTqTw6`|AIH+
zukZ%^3C^kC*~%7h4w~RCs{D9E25jDflxd^UYy`kyK))H(sB81Vmh9Z4U!*Q=`u4jM
z6&EocGr^-pvxsMd2G5sfga>TPPAl$g^5ZcLxKaPkk6t~SNnmhh6`T$loXdl|se<DM
z5f+CDo6tf8T8K~BZ-3hKWLxV%Uw14eaf8W`{oxeXN|jN_oeqvevg=SQN6m>EcCiCB
zY%~7>Q+;&}>!^k|{&X_U6trA1ICsFy@H8BU-L487&-`FNWglkFFo!Hxm`*2j%sFPJ
zngFe2B3=vI*a#-aQ{iXh(ug!TBFRxPl^l{1Vru_^k^yUHzu*f9T)?-jTi`+^^C8X?
zibX<Pmp>ppE%bA}{aw3!{d>5b!XC~S4D@vQk%3);Kfne3U42SW;QT!S&L8aVuIECd
zvNR%UwKa1pq-a=<hPZ&R8|f_SMWnIVK8a|ODeWAw8GcSmq)PN^qe?O*#gU#EkIAXp
z61yYP7$QRBO@2-8DIpV5nak`(z1s~Ylcfym*wHgrOXie3*R}UW+yBOzvO3yU&)Rlh
zusgst)!Xsz2L;8G+w%It7S?l%JI3=Fq0Yj3y<pNu*o~5vi9kG-7%F<T>0-0CXf{u=
zHX;=jMoGLZ6@y&AuwCdE{GGyp8mV%KggTD`S6ym3Eg~g*ViBx@ok%F*{Zdg_F1ZX5
z#<GRQ68F~3Ek!yk%JbgMG}~SQs8}K*O~}J>lxoDVGMY+~0Z~;Do7KK7UAD=>R#brW
zON+eA>Kt5xWjRl7SMJ!C@=BC7sELH4JN^ffa%x{Pl4qpI2Jc|0@?azOfcDZP^R?B}
z>@IhaPX(8Br%!Cwz1qDVOowteUDZ{wRqe~Y?j^`8ER+*&QTsJpH_~jM_nwx;TnH<P
zp&aG;k;IV0HALMe8Rel>WR&|$C`vvNuRf#r9;R7!S2S@|phibJzEH##?T|t)85i=n
z6WeG*wpO~IIy(thdIzwuEDJI+Ar12@lZQbUuH@Lsg-c3V(JfU<PH`OT!#FI<<H-?p
zZIH{TD2&n3kHq8y@$d`Ch;p}Bmu<Z?jT7G<;!f_o%F^(tl-MT~y;^iG7EO9E)_SDL
z!`sv^n4(vzkWKIUmBfE8q+LigUXnZto1BaPT<&0yaQlCW|F#EK9tB0Gnm5zzR`za3
zkHmxc2<d3vghZ8PWLt@>nKv$PwuOkAc*F9d%|z6QQdqS$SHW3upRZY`)_;Ee!;=Gh
zXU_G01NT~ujX-;5$dRd8V>P<<!!<TwWPyqT86%eS7GK=*{++prTR-CZ(aapdRrzk`
zjANQPa=z~%GkeDa9t1NT2QL`1?T6oU+qGa4C$ID0zZtE=gJyUG*W<U;ihO3cY#vU9
znC#CNO*?98aQ$6fjh|Ij_*q%GbVWXUIX*e{dzBqyK{YPIvg(R_JMb1rn{NNic<S%7
zuVbs|gDY%C`>&z2G{^rNN=tJW8ZFQB_S@H&uKr=zI7Xazo}eJ_T5t()-g)AD-)l}=
znx{c9V*#dY$Hbv*@0mJVP1-}-@DLgCzFcRiZZlhhUi`i>d-X81Ri!IwYcM^eO7xyt
UYpZ<R43LCjFzcJB!!p3|FZZS=UjP6A

delta 11
TcmbQSoO8lawuUW?6BYpg9)<-A

diff --git a/src/utils/auth.rs b/src/utils/auth.rs
index f7c637c..ad53421 100644
--- a/src/utils/auth.rs
+++ b/src/utils/auth.rs
@@ -156,6 +156,9 @@ where S: Send + Sync,
     }
 }
 
+
+//TODO: Validate all hotel_ids first + Use a transaction + Batch query hotel names with IN (...)
+
 pub async fn register_user (
     State(state): State<AppState>,
     RegisterPayload(payload): RegisterPayload
@@ -168,29 +171,33 @@ pub async fn register_user (
         .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error"))?;
 
     conn.execute(
-        "INSERT INTO users (username, password, displayname) VALUES (?1, ?2, ?3)",
+    "INSERT INTO users (username, password, displayname)
+        VALUES (?1, ?2, ?3)",
         params![payload.username, hashed_password, payload.displayname],
     )
     .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?;
     
     let user_id = conn.last_insert_rowid();
-    for hotel_id in payload.hotel_ids {
+    
+    for &hotel_id in &payload.hotel_ids {
         
         // more logic for security here
         //FIXME: needs to be the display name in the DB, scheme is currently wrong
         
-        let hotel_name = conn.execute(
-            "SELECT hotel_name
-            FROM hotels
-            WHERE id = ?1 ",
-            params![hotel_id],
-        ).map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?;
+        let hotel_name: String = conn
+            .query_row(
+                "SELECT hotel_name FROM hotels 
+                WHERE id = ?1 ",
+                params![hotel_id],
+                |row| row.get(0),
+            ).map_err(|_| (StatusCode::BAD_REQUEST, "Invalid hotel ids"))?;
         
         conn.execute(
-        "INSERT INTO hotel_user_link (user_id, hotel_id, username, hotel_name) VALUES (?1, ?2, ?3, ?4)",
+        "INSERT INTO hotel_user_link (user_id, hotel_id, username, hotel_name)
+            VALUES (?1, ?2, ?3, ?4)",
             params![user_id, hotel_id, payload.username, hotel_name],
         )
-        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?;
+        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "Link insert error"))?;
 
     }
 
@@ -455,6 +462,11 @@ pub async fn create_refresh_token(
 
     let device_id_str = payload.device_id.to_string();
 
+    let conn = state.logs_pool.get()
+        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error".to_string()))?;
+
+
+
     let argon2 = Argon2::default();
     let salt = SaltString::generate(&mut OsRng);
     let mut bytes = [0u8; 64];
@@ -466,11 +478,6 @@ pub async fn create_refresh_token(
         .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
         .to_string();
 
-    let conn = state.logs_pool.get()
-        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error".to_string()))?;
-
-
-    
  //   let mut stmt = conn.prepare(
  //       "SELECT id, password FROM users WHERE username = ?1"
 
@@ -527,6 +534,16 @@ pub async fn create_refresh_token(
 
      /*.map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "Error mapping hotel_ids".to_string())); */   
 
+            let mut exist_stmt = conn.prepare("SELECT id FROM refresh_token WHERE device_id = ?1 AND user_agent = ?2"
+    ) .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+    
+    let existing_token_id: i32 = match exist_stmt.query_one(params![device_id_str,user_agent_str], |row| row.get (0)) {
+        Ok(id) => id,
+        Err(_) => return Err((StatusCode::INTERNAL_SERVER_ERROR, "error fetching credentials".to_string())),
+    };
+
+
+
     conn.execute(
         "INSERT INTO refresh_token (user_id, token_hash, device_id, user_agent, hotel_id_list)
         VALUES (?1, ?2, ?3, ?4, ?5)",
@@ -668,6 +685,7 @@ pub async fn login_refresh_token (
         
     };
 
+    //FIXME: still problems when corrupted token exist
     if hotel_ids.is_empty() {
         return (StatusCode::UNAUTHORIZED, "No matching device").into_response();
     }