gorb/backend
4
0
Fork 0
Code Issues 4 Pull requests 1 Projects Releases Packages 1 Wiki Activity Actions

feat: query user creation instead of using .execute on pool

Browse source 
This should increase security of the operation a ton, need to test if an escape is still possible
This commit is contained in:
Radical 2025-04-30 11:12:01 +00:00
parent 799a1ff49e
commit bda9f85b86
1 changed files with 35 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

24
src/api/v1/register.rs
View file

@ -93,17 +93,14 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
)) ))
} }
Ok(match data.pool.execute( // TODO: Check security of this implementation
&*format!( Ok(match sqlx::query(&format!("INSERT INTO users VALUES ( '{}', $1, NULL, $2, $3, false )", uuid))
// FIXME: This can never be put into prod, it works for testing .bind(account_information.identifier)
"INSERT INTO users VALUES ( '{}', '{}', NULL, '{}', '{}', '0' )",
uuid,
account_information.identifier,
// FIXME: Password has no security currently, either from a client or server perspective // FIXME: Password has no security currently, either from a client or server perspective
account_information.password, .bind(account_information.password)
account_information.email, .bind(account_information.email)
) .execute(&data.pool)
).await { .await {
Ok(_out) => { Ok(_out) => {
HttpResponse::Ok().json( HttpResponse::Ok().json(
Response { Response {
@ -126,9 +123,10 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
email_available: false, email_available: false,
..Default::default() ..Default::default()
}), }),
_ => HttpResponse::Forbidden().json(ResponseError { _ => {
..Default::default() eprintln!("{}", err_msg);
}) HttpResponse::InternalServerError().finish()
}
} }
}, },
}) })