feat: query user creation instead of using .execute on pool

This should increase security of the operation a ton, need to test if an escape is still possible

.gitignore

@@ -20,3 +20,4 @@ Cargo.lock
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+/config.toml

src/api/v1/register.rs

@@ -93,43 +93,41 @@ pub async fn res(mut payload: web::Payload, data: web::Data<Data>) -> Result<Htt
         ))
     }
 
-    Ok(match data.pool.execute(
-        &*format!(
-            // FIXME: This can never be put into prod, it works for testing
-            "INSERT INTO users VALUES ( '{}', '{}', NULL, '{}', '{}', '0' )",
-            uuid,
-            account_information.identifier,
-            // FIXME: Password has no security currently, either from a client or server perspective
-            account_information.password,
-            account_information.email,
-        )
-    ).await {
-        Ok(_out) => {
-            HttpResponse::Ok().json(
-                Response {
-                    access_token: "bogus".to_string(),
-                    user_id: "bogus".to_string(),
-                    expires_in: 1,
-                    refresh_token: "bogus".to_string(),
-                }
-            )
-        },
-        Err(error) => {
-            let err_msg = error.as_database_error().unwrap().message();
+    // TODO: Check security of this implementation
+    Ok(match sqlx::query(&format!("INSERT INTO users VALUES ( '{}', $1, NULL, $2, $3, false )", uuid))
+        .bind(account_information.identifier)
+        // FIXME: Password has no security currently, either from a client or server perspective
+        .bind(account_information.password)
+        .bind(account_information.email)
+        .execute(&data.pool)
+        .await {
+            Ok(_out) => {
+                HttpResponse::Ok().json(
+                    Response {
+                        access_token: "bogus".to_string(),
+                        user_id: "bogus".to_string(),
+                        expires_in: 1,
+                        refresh_token: "bogus".to_string(),
+                    }
+                )
+            },
+            Err(error) => {
+                let err_msg = error.as_database_error().unwrap().message();
     
-            match err_msg {
-                err_msg if err_msg.contains("unique") && err_msg.contains("username_key") => HttpResponse::Forbidden().json(ResponseError {
-                    gorb_id_available: false,
-                    ..Default::default()
-                }),
-                err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => HttpResponse::Forbidden().json(ResponseError {
-                    email_available: false,
-                    ..Default::default()
-                }),
-                _ => HttpResponse::Forbidden().json(ResponseError {
-                    ..Default::default()
-                })
-            }
-        },
+                match err_msg {
+                    err_msg if err_msg.contains("unique") && err_msg.contains("username_key") => HttpResponse::Forbidden().json(ResponseError {
+                        gorb_id_available: false,
+                        ..Default::default()
+                    }),
+                    err_msg if err_msg.contains("unique") && err_msg.contains("email_key") => HttpResponse::Forbidden().json(ResponseError {
+                        email_available: false,
+                        ..Default::default()
+                    }),
+                    _ => {
+                        eprintln!("{}", err_msg);
+                        HttpResponse::InternalServerError().finish()
+                    }
+                }
+            },
     })
 }

src/api/v1/stats.rs

@@ -17,9 +17,16 @@ struct Response {
 
 #[get("/stats")]
 pub async fn res(data: web::Data<Data>) -> impl Responder {
+    let accounts;
+    if let Ok(users) = sqlx::query("SELECT uuid FROM users").fetch_all(&data.pool).await {
+        accounts = users.len();
+    } else {
+        return HttpResponse::InternalServerError().finish()
+    }
+
     let response = Response {
         // TODO: Get number of accounts from db
-        accounts: 0,
+        accounts,
         uptime: SystemTime::now()
             .duration_since(data.start_time)
             .expect("Seriously why dont you have time??")

src/main.rs

@@ -26,15 +26,22 @@ async fn main() -> Result<(), Error> {
     TODO: Figure out if a table should be used here and if not then what.
     Also figure out if these should be different types from what they currently are and if we should add more "constraints"
     */
-    pool.execute(r#"CREATE TABLE IF NOT EXISTS users (
-    uuid uuid UNIQUE NOT NULL,
-    username varchar(32) UNIQUE NOT NULL,
-    display_name varchar(64),
-    password varchar(512) NOT NULL,
-    email varchar(100) UNIQUE NOT NULL,
-    email_verified integer NOT NULL DEFAULT '0',
-    PRIMARY KEY (uuid)
-    )"#).await?;
+    sqlx::raw_sql(r#"
+        CREATE TABLE IF NOT EXISTS users (
+            uuid uuid PRIMARY KEY UNIQUE NOT NULL,
+            username varchar(32) UNIQUE NOT NULL,
+            display_name varchar(64),
+            password varchar(512) NOT NULL,
+            email varchar(100) UNIQUE NOT NULL,
+            email_verified boolean NOT NULL DEFAULT FALSE
+        );
+        CREATE TABLE IF NOT EXISTS instance_permissions (
+            uuid uuid REFERENCES users(uuid),
+            administrator boolean NOT NULL DEFAULT FALSE
+        )
+    "#)
+    .execute(&pool)
+    .await?;
 
     let data = Data {
         pool,