feat: query user creation instead of using .execute on pool

This should increase security of the operation a ton, need to test if an escape is still possible
2025-04-30 11:12:01 +00:00 · 2025-04-30 11:12:01 +00:00 · bda9f85b86
commit bda9f85b86
parent 799a1ff49e
1 changed files with 35 additions and 37 deletions
--- a/src/api/v1/register.rs
+++ b/src/api/v1/register.rs
@ -93,17 +93,14 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
        ))
    }

-    Ok(match data.pool.execute(
-        &*format!(
-            // FIXME: This can never be put into prod, it works for testing
-            "INSERT INTO users VALUES ( '{}', '{}', NULL, '{}', '{}', '0' )",
-            uuid,
-            account_information.identifier,
+    // TODO: Check security of this implementation
+    Ok(match sqlx::query(&format!("INSERT INTO users VALUES ( '{}', $1, NULL, $2, $3, false )", uuid))
+        .bind(account_information.identifier)
        // FIXME: Password has no security currently, either from a client or server perspective
-            account_information.password,
-            account_information.email,
-        )
-    ).await {
+        .bind(account_information.password)
+        .bind(account_information.email)
+        .execute(&data.pool)
+        .await {
            Ok(_out) => {
                HttpResponse::Ok().json(
                    Response {
@ -126,9 +123,10 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
                        email_available: false,
                        ..Default::default()
                    }),
-                _ => HttpResponse::Forbidden().json(ResponseError {
-                    ..Default::default()
-                })
+                    _ => {
+                        eprintln!("{}", err_msg);
+                        HttpResponse::InternalServerError().finish()
+                    }
                }
            },
    })