feat: query user creation instead of using .execute on pool

This should increase security of the operation a ton, need to test if an escape is still possible
2025-04-30 11:12:01 +00:00 · 2025-04-30 11:12:01 +00:00 · bda9f85b86
commit bda9f85b86
parent 799a1ff49e
1 changed files with 35 additions and 37 deletions
--- a/src/api/v1/register.rs
+++ b/src/api/v1/register.rs
@ -93,43 +93,41 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
        ))
    }
-    Ok(match data.pool.execute(
+    // TODO: Check security of this implementation
-        &*format!(
+    Ok(match sqlx::query(&format!("INSERT INTO users VALUES ( '{}', $1, NULL, $2, $3, false )", uuid))
-            // FIXME: This can never be put into prod, it works for testing
+        .bind(account_information.identifier)
-            "INSERT INTO users VALUES ( '{}', '{}', NULL, '{}', '{}', '0' )",
+        // FIXME: Password has no security currently, either from a client or server perspective
-            uuid,
+        .bind(account_information.password)
-            account_information.identifier,
+        .bind(account_information.email)
-            // FIXME: Password has no security currently, either from a client or server perspective
+        .execute(&data.pool)
-            account_information.password,
+        .await {
-            account_information.email,
+            Ok(_out) => {
-        )
+                HttpResponse::Ok().json(
-    ).await {
+                    Response {
-        Ok(_out) => {
+                        access_token: "bogus".to_string(),
-            HttpResponse::Ok().json(
+                        user_id: "bogus".to_string(),
-                Response {
+                        expires_in: 1,
-                    access_token: "bogus".to_string(),
+                        refresh_token: "bogus".to_string(),
-                    user_id: "bogus".to_string(),
+                    }
-                    expires_in: 1,
+                )
-                    refresh_token: "bogus".to_string(),
+            },
            Err(error) => {
                let err_msg = error.as_database_error().unwrap().message();
                match err_msg {
                    err_msg if err_msg.contains("unique") && err_msg.contains("username_key") => HttpResponse::Forbidden().json(ResponseError {
                        gorb_id_available: false,
                        ..Default::default()
                    }),
                    err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => HttpResponse::Forbidden().json(ResponseError {
                        email_available: false,
                        ..Default::default()
                    }),
                    _ => {
                        eprintln!("{}", err_msg);
                        HttpResponse::InternalServerError().finish()
                    }
                }
-            )
+            },
        },
        Err(error) => {
            let err_msg = error.as_database_error().unwrap().message();
            match err_msg {
                err_msg if err_msg.contains("unique") && err_msg.contains("username_key") => HttpResponse::Forbidden().json(ResponseError {
                    gorb_id_available: false,
                    ..Default::default()
                }),
                err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => HttpResponse::Forbidden().json(ResponseError {
                    email_available: false,
                    ..Default::default()
                }),
                _ => HttpResponse::Forbidden().json(ResponseError {
                    ..Default::default()
                })
            }
        },
    })
 }