From bda9f85b86a07a9acb91392e869662e073d0e38d Mon Sep 17 00:00:00 2001
From: Radical
Date: Wed, 30 Apr 2025 11:12:01 +0000
Subject: [PATCH] feat: query user creation instead of using .execute on pool

This should increase security of the operation a ton, need to test if an escape is still possible
---
src/api/v1/register.rs | 72 ++++++++++++++++++++----------------------
1 file changed, 35 insertions(+), 37 deletions(-)

diff --git a/src/api/v1/register.rs b/src/api/v1/register.rs
index bf79819..93bf019 100644
--- a/src/api/v1/register.rs
+++ b/src/api/v1/register.rs
@@ -93,43 +93,41 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result {
- HttpResponse::Ok().json(
- Response {
- access_token: "bogus".to_string(),
- user_id: "bogus".to_string(),
- expires_in: 1,
- refresh_token: "bogus".to_string(),
+ // TODO: Check security of this implementation
+ Ok(match sqlx::query(&format!("INSERT INTO users VALUES ( '{}', $1, NULL, $2, $3, false )", uuid))
+ .bind(account_information.identifier)
+ // FIXME: Password has no security currently, either from a client or server perspective
+ .bind(account_information.password)
+ .bind(account_information.email)
+ .execute(&data.pool)
+ .await {
+ Ok(_out) => {
+ HttpResponse::Ok().json(
+ Response {
+ access_token: "bogus".to_string(),
+ user_id: "bogus".to_string(),
+ expires_in: 1,
+ refresh_token: "bogus".to_string(),
+ }
+ )
+ },
+ Err(error) => {
+ let err_msg = error.as_database_error().unwrap().message();
+
+ match err_msg {
+ err_msg if err_msg.contains("unique") && err_msg.contains("username_key") => HttpResponse::Forbidden().json(ResponseError {
+ gorb_id_available: false,
+ ..Default::default()
+ }),
+ err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => HttpResponse::Forbidden().json(ResponseError {
+ email_available: false,
+ ..Default::default()
+ }),
+ _ => {
+ eprintln!("{}", err_msg);
+ HttpResponse::InternalServerError().finish()
+ }
 }
- )
- },
- Err(error) => {
- let err_msg = error.as_database_error().unwrap().message();
-
- match err_msg {
- err_msg if err_msg.contains("unique") && err_msg.contains("username_key") => HttpResponse::Forbidden().json(ResponseError {
- gorb_id_available: false,
- ..Default::default()
- }),
- err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => HttpResponse::Forbidden().json(ResponseError {
- email_available: false,
- ..Default::default()
- }),
- _ => HttpResponse::Forbidden().json(ResponseError {
- ..Default::default()
- })
- }
- },
+ },
 })
 }
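Review bot: `error.as_database_error().unwrap()` in the new `Err(error)` arm panics whenever sqlx returns a non-database error (pool timeout, dropped connection, I/O failure), so a backend outage during registration becomes a task panic instead of the 500 the `_` arm intends; match on the `Option` and route `None` to `InternalServerError` as below. The `uuid` value is still spliced into the statement through `format!("... '{}' ...", uuid)` while every other value is bound — if it is generated server-side it is not attacker-controlled, but binding it as `$1` (shifting the others to `$2..$4`) removes the one remaining string-built value and settles the "is an escape still possible" question from the commit message. The substring checks on `"unique"`/`"username_key"` depend on the driver's error wording; if the sqlx version in use exposes `DatabaseError::constraint()`, matching on the constraint name is more robust. The FIXME is right that the password is bound exactly as received — hash it (argon2/bcrypt) before the `.bind` so the plaintext never reaches the table. `res` starts before this hunk.
```rust
Err(error) => match error.as_database_error() {
    Some(db_error) => {
        let err_msg = db_error.message();
        // … unchanged: unique-constraint matching on err_msg …
    }
    None => {
        // Pool / I/O errors carry no DatabaseError; report instead of panicking.
        eprintln!("{}", error);
        HttpResponse::InternalServerError().finish()
    }
},
```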