From efae619cda07372c69fa4270651ba076e7591305 Mon Sep 17 00:00:00 2001
From: Radical
Date: Mon, 19 May 2025 15:04:41 +0200
Subject: [PATCH] refactor(auth): use builtin actix Json deserialization

---
 src/api/v1/auth/login.rs | 31 ++++++++----------------------
 src/api/v1/auth/register.rs | 25 +++++-------------------
 src/api/v1/auth/revoke.rs | 23 +++++------------------
 3 files changed, 18 insertions(+), 61 deletions(-)

diff --git a/src/api/v1/auth/login.rs b/src/api/v1/auth/login.rs
index bc6af8c..b0bee13 100644
--- a/src/api/v1/auth/login.rs
+++ b/src/api/v1/auth/login.rs
@@ -1,8 +1,7 @@
 use std::time::{SystemTime, UNIX_EPOCH};
 
-use actix_web::{error, post, web, Error, HttpResponse};
+use actix_web::{post, web, Error, HttpResponse};
 use argon2::{PasswordHash, PasswordVerifier};
-use futures::StreamExt;
 use log::error;
 use serde::Deserialize;
 
@@ -19,25 +18,11 @@ struct LoginInformation {
     device_name: String,
 }
 
-const MAX_SIZE: usize = 262_144;
-
 #[post("/login")]
 pub async fn response(
-    mut payload: web::Payload,
+    login_information: web::Json,
     data: web::Data,
 ) -> Result {
-    let mut body = web::BytesMut::new();
-    while let Some(chunk) = payload.next().await {
-        let chunk = chunk?;
-        // limit max size of in-memory payload
-        if (body.len() + chunk.len()) > MAX_SIZE {
-            return Err(error::ErrorBadRequest("overflow"));
-        }
-        body.extend_from_slice(&chunk);
-    }
-
-    let login_information = serde_json::from_slice::(&body)?;
-
     if !PASSWORD_REGEX.is_match(&login_information.password) {
         return Ok(HttpResponse::Forbidden().json(r#"{ "password_hashed": false }"#));
     }
@@ -45,7 +30,7 @@ pub async fn response(
     if EMAIL_REGEX.is_match(&login_information.username) {
         let row = sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE email = $1")
-            .bind(login_information.username)
+            .bind(&login_information.username)
             .fetch_one(&data.pool)
             .await;
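Review bot: Replacing the manual body loop with the `web::Json` extractor in the `@@ -19,25` hunk silently changes the request limits that applied to `/login`: the removed `MAX_SIZE` allowed 256 KiB, while `web::Json` uses the `JsonConfig` default (32 KiB unless overridden) and, unlike the old loop, rejects bodies whose `Content-Type` is not `application/json`, answering with actix's own 4xx responses (413 on overflow, 400 on a malformed body, 415 on the content type, if I recall actix-web 4 correctly) instead of `ErrorBadRequest("overflow")`. If the old limit is intended, register it once in the app setup, e.g. `.app_data(web::JsonConfig::default().limit(262_144))`, and add a comment on the handler stating that the payload limit and content-type check now live in `JsonConfig`. The same applies to the removed `MAX_SIZE` constants in register.rs and revoke.rs. The generic arguments of `web::Json`, `web::Data` and `Result` appear stripped on this page; I assume they are present in the actual file.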
@@ -67,15 +52,15 @@ pub async fn response(
         return Ok(login(
             data.clone(),
             uuid,
-            login_information.password,
+            login_information.password.clone(),
             password,
-            login_information.device_name,
+            login_information.device_name.clone(),
         )
         .await);
     } else if USERNAME_REGEX.is_match(&login_information.username) {
         let row = sqlx::query_as("SELECT CAST(uuid as VARCHAR), password FROM users WHERE username = $1")
-            .bind(login_information.username)
+            .bind(&login_information.username)
             .fetch_one(&data.pool)
             .await;
@@ -97,9 +82,9 @@ pub async fn response(
         return Ok(login(
             data.clone(),
             uuid,
-            login_information.password,
+            login_information.password.clone(),
             password,
-            login_information.device_name,
+            login_information.device_name.clone(),
         )
         .await);
     }
diff --git a/src/api/v1/auth/register.rs b/src/api/v1/auth/register.rs
index a56dd0e..6c1db45 100644
--- a/src/api/v1/auth/register.rs
+++ b/src/api/v1/auth/register.rs
@@ -1,11 +1,10 @@
 use std::time::{SystemTime, UNIX_EPOCH};
 
-use actix_web::{Error, HttpResponse, error, post, web};
+use actix_web::{Error, HttpResponse, post, web};
 use argon2::{
     PasswordHasher,
     password_hash::{SaltString, rand_core::OsRng},
 };
-use futures::StreamExt;
 use log::error;
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
@@ -54,21 +53,8 @@ impl Default for ResponseError {
     }
 }
 
-const MAX_SIZE: usize = 262_144;
-
 #[post("/register")]
-pub async fn res(mut payload: web::Payload, data: web::Data) -> Result {
-    let mut body = web::BytesMut::new();
-    while let Some(chunk) = payload.next().await {
-        let chunk = chunk?;
-        // limit max size of in-memory payload
-        if (body.len() + chunk.len()) > MAX_SIZE {
-            return Err(error::ErrorBadRequest("overflow"));
-        }
-        body.extend_from_slice(&chunk);
-    }
-    let account_information = serde_json::from_slice::(&body)?;
-
+pub async fn res(account_information: web::Json, data: web::Data) -> Result {
     let uuid = Uuid::now_v7();
 
     if !EMAIL_REGEX.is_match(&account_information.email) {
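Review bot: The added `.clone()` calls on `login_information.password` and `login_information.device_name` in the `@@ -97,9` hunk (and the same two in the `@@ -67,15` hunk above) exist only because `web::Json` is a wrapper whose fields cannot be moved out of; unwrapping it once at the top of `response` with `let login_information = login_information.into_inner();` restores the original moves, avoids holding a second copy of the plaintext password, and leaves the `.bind(&login_information.username)` sites borrowing as they do now. `response` starts outside this hunk, so the unwrap line would go right after its signature.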
@@ -107,10 +93,9 @@ pub async fn res(mut payload: web::Payload, data: web::Data) -> Result) -> Result, data: web::Data, ) -> Result { let headers = req.headers();
@@ -39,18 +38,6 @@ pub async fn res(
         return Ok(error);
     }
 
-    let mut body = web::BytesMut::new();
-    while let Some(chunk) = payload.next().await {
-        let chunk = chunk?;
-        // limit max size of in-memory payload
-        if (body.len() + chunk.len()) > MAX_SIZE {
-            return Err(error::ErrorBadRequest("overflow"));
-        }
-        body.extend_from_slice(&chunk);
-    }
-
-    let revoke_request = serde_json::from_slice::(&body)?;
-
     let authorized = check_access_token(auth_header.unwrap(), &data.pool).await;
 
     if let Err(error) = authorized {
@@ -94,7 +81,7 @@ pub async fn res(
             "SELECT token FROM refresh_tokens WHERE uuid = '{}' AND device_name = $1",
             uuid
         ))
-        .bind(revoke_request.device_name)
+        .bind(&revoke_request.device_name)
         .fetch_all(&data.pool)
         .await;
-- 
2.47.2
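Review bot: Moving the body parse in the `@@ -39,18` hunk out of the handler and into a `web::Json` extractor (the new signature is garbled on this page, so I infer it from the removed `serde_json::from_slice` call) reorders the checks in `res`: the body is now read and deserialized before the `Authorization`-header check that ends in `return Ok(error)` above and before `check_access_token` run, whereas the removed block only executed after those had passed. An unauthenticated caller therefore now receives the payload-size or JSON error instead of the auth error, and every unauthenticated request pays for a parse; if the old ordering is wanted, keep `payload: web::Payload` in the signature and extract after the token check with something like `let revoke_request = web::Json::<T>::from_request(&req, &mut payload.into_inner()).await?;`, where `T` is the revoke request struct whose name is stripped here. A short comment on the handler stating whether body validation is meant to precede authentication would make the chosen order explicit. Unrelated to this commit but visible in the `@@ -94,7` hunk, `uuid` is interpolated into the SQL through `format!` while `device_name` is bound; binding `uuid` as `$2` would keep that query fully parameterized. `res` starts outside this hunk.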