scuffed createRefreshToken fix

src/utils/auth.rs

@@ -156,6 +156,9 @@ where S: Send + Sync,
     }
 }
 
+
+//TODO: Validate all hotel_ids first + Use a transaction + Batch query hotel names with IN (...)
+
 pub async fn register_user (
     State(state): State<AppState>,
     RegisterPayload(payload): RegisterPayload
@@ -168,29 +171,33 @@ pub async fn register_user (
         .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error"))?;
 
     conn.execute(
-        "INSERT INTO users (username, password, displayname) VALUES (?1, ?2, ?3)",
+    "INSERT INTO users (username, password, displayname)
+        VALUES (?1, ?2, ?3)",
         params![payload.username, hashed_password, payload.displayname],
     )
     .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?;
     
     let user_id = conn.last_insert_rowid();
-    for hotel_id in payload.hotel_ids {
+    
+    for &hotel_id in &payload.hotel_ids {
         
         // more logic for security here
         //FIXME: needs to be the display name in the DB, scheme is currently wrong
         
-        let hotel_name = conn.execute(
-            "SELECT hotel_name
-            FROM hotels
+        let hotel_name: String = conn
+            .query_row(
+                "SELECT hotel_name FROM hotels 
                 WHERE id = ?1 ",
                 params![hotel_id],
-        ).map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?;
+                |row| row.get(0),
+            ).map_err(|_| (StatusCode::BAD_REQUEST, "Invalid hotel ids"))?;
         
         conn.execute(
-        "INSERT INTO hotel_user_link (user_id, hotel_id, username, hotel_name) VALUES (?1, ?2, ?3, ?4)",
+        "INSERT INTO hotel_user_link (user_id, hotel_id, username, hotel_name)
+            VALUES (?1, ?2, ?3, ?4)",
             params![user_id, hotel_id, payload.username, hotel_name],
         )
-        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB insert error"))?;
+        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "Link insert error"))?;
 
     }
 
@@ -455,6 +462,11 @@ pub async fn create_refresh_token(
 
     let device_id_str = payload.device_id.to_string();
 
+    let conn = state.logs_pool.get()
+        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error".to_string()))?;
+
+
+
     let argon2 = Argon2::default();
     let salt = SaltString::generate(&mut OsRng);
     let mut bytes = [0u8; 64];
@@ -466,11 +478,6 @@ pub async fn create_refresh_token(
         .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?
         .to_string();
 
-    let conn = state.logs_pool.get()
-        .map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "DB connection error".to_string()))?;
-
-
-    
  //   let mut stmt = conn.prepare(
  //       "SELECT id, password FROM users WHERE username = ?1"
 
@@ -527,6 +534,16 @@ pub async fn create_refresh_token(
 
      /*.map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, "Error mapping hotel_ids".to_string())); */   
 
+            let mut exist_stmt = conn.prepare("SELECT id FROM refresh_token WHERE device_id = ?1 AND user_agent = ?2"
+    ) .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()))?;
+    
+    let existing_token_id: i32 = match exist_stmt.query_one(params![device_id_str,user_agent_str], |row| row.get (0)) {
+        Ok(id) => id,
+        Err(_) => return Err((StatusCode::INTERNAL_SERVER_ERROR, "error fetching credentials".to_string())),
+    };
+
+
+
     conn.execute(
         "INSERT INTO refresh_token (user_id, token_hash, device_id, user_agent, hotel_id_list)
         VALUES (?1, ?2, ?3, ?4, ?5)",
@@ -668,6 +685,7 @@ pub async fn login_refresh_token (
         
     };
 
+    //FIXME: still problems when corrupted token exist
     if hotel_ids.is_empty() {
         return (StatusCode::UNAUTHORIZED, "No matching device").into_response();
     }