Check CSRF and user existence

O01eg

Apr 13, 2022, 9:05 AM

TRBYOQBIJPJ72SX3TPI2OAKBUQH6FWVHTKT45LS2HVMBCAWCTULQC

Dependencies

• [2] I7JG43BJ Rename cache to use yet another
• [3] HZDCKIXQ Use constants for templates
• [4] WLWTNO4Y Create form to request game password change link
• [*] EVP2FSBH Split index page
• [*] 3HT5CE6S Manage TTL duration in config
• [*] 4MZ4VIR7 Initial commit

Change contents

• replacement in src/pages/query_reset_game_pwd.rs at line 24
  [3.749]→[3.1325:1473](∅→∅)
  − let body = match data.handlebars.render(

  − QUERY_RESET_GAME_PWD,

  − &PageData {

  − csrf: Uuid::new_v4(),

  − },

  − ) {
  [3.749]

  [3.822]
  + let csrf = Uuid::new_v4();

  +

  + {

  + let mut cache = data.cache_query_reset_game_pwd.lock().await;

  + cache.insert(

  + csrf,

  + (),

  + std::time::Duration::from_secs(data.cache_duration_sec),

  + );

  + }

  +

  + let body = match data

  + .handlebars

  + .render(QUERY_RESET_GAME_PWD, &PageData { csrf })

  + {
• replacement in src/pages/query_reset_game_pwd.rs at line 50
  [3.1611]→[2.130:197](∅→∅)
  − _form: web::Form<FormData>,

  − _data: web::Data<WebData<'_>>,
  [3.1611]

  [3.1676]
  + form: web::Form<FormData>,

  + data: web::Data<WebData<'_>>,
• edit in src/pages/query_reset_game_pwd.rs at line 53
  [3.1696]

  [3.1696]
  + let cached_data = {

  + let mut cache = data.cache_query_reset_game_pwd.lock().await;

  + cache.remove(&form.csrf)

  + };

  + if cached_data.is_none() {

  + log::warn!("Unknown data for CSRF: {}", form.csrf);

  + return HttpResponse::BadRequest().body("Incorrect");

  + }

  +

  + if form.contact_type != "email" {

  + log::warn!("Unknown data for contact type: {}", form.contact_type);

  + return HttpResponse::BadRequest().body("Incorrect");

  + }

  +

  + // check existence of contact

  + let dbclient_ro = match data.pool_ro.get().await {

  + Ok(c) => c,

  + Err(e) => {

  + log::error!("Pool RO error {}", e);

  + return HttpResponse::ServiceUnavailable().body(actix_web::body::None::new());

  + }

  + };

  + let stmt = match dbclient_ro.prepare("select 1 from auth.users u inner join auth.contacts c on u.player_name = c.player_name and c.is_active = true and c.delete_ts is null where u.player_name = $1 and c.protocol = ($2::text)::auth.contact_protocol and c.address = $3 limit 1").await {

  + Ok(stmt) => stmt,

  + Err(e) => {

  + log::error!("Pool RO statement error {}", e);

  + return HttpResponse::ServiceUnavailable().body(actix_web::body::None::new());

  + }

  + };

  + let rows = match dbclient_ro

  + .query_opt(&stmt, &[&form.login, &form.contact_type, &form.contact])

  + .await

  + {

  + Ok(rows) => rows,

  + Err(e) => {

  + log::error!("Pool RO query error {}", e);

  + return HttpResponse::ServiceUnavailable().body(actix_web::body::None::new());

  + }

  + };

  + if rows.is_none() {

  + return HttpResponse::NotFound().body("Not found");

  + }

  +
• edit in src/pages/mod.rs at line 30
  [2.267]

  [7.140]
  + pub cache_query_reset_game_pwd: Mutex<TtlCache<Uuid, ()>>,
• edit in src/main.rs at line 115
  [2.365]

  [7.203]
  + cache_query_reset_game_pwd: tokio::sync::Mutex::new(ttl_cache::TtlCache::new(

  + cache_capacity,

  + )),