From 8f33686a768594ea29084ae643e820bfbb59f682 Mon Sep 17 00:00:00 2001 From: ftbsc Date: Tue, 9 May 2023 01:29:25 +0200 Subject: [PATCH] fix!: selectedProfile is not guaranteed, fallback this could possibly allow to claim any username? registration flow needs to be rechecked! --- src/persistence.rs | 2 +- src/proto.rs | 3 ++- src/routes/auth.rs | 2 +- src/routes/register.rs | 5 +++-- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/persistence.rs b/src/persistence.rs index 4d36cbe..3408770 100644 --- a/src/persistence.rs +++ b/src/persistence.rs @@ -2,7 +2,7 @@ use chrono::{Utc, Duration}; use hmac::{Hmac, Mac}; use jwt::SignWithKey; use rand::{rngs::OsRng, Rng, distributions::Alphanumeric}; -use sea_orm::{EntityTrait, DatabaseConnection, ActiveValue::NotSet, Set, DbErr, QueryFilter, DeleteResult, ColumnTrait}; +use sea_orm::{EntityTrait, DatabaseConnection, ActiveValue::NotSet, Set, DbErr, QueryFilter, ColumnTrait}; use sha2::Sha384; use tracing::info; use std::collections::BTreeMap; diff --git a/src/proto.rs b/src/proto.rs index f33226c..5e47fed 100644 --- a/src/proto.rs +++ b/src/proto.rs @@ -112,7 +112,8 @@ pub struct RefreshRequest { pub struct RefreshResponse { pub accessToken: String, pub clientToken: String, - pub selectedProfile: Profile, + #[serde(skip_serializing_if = "Option::is_none")] + pub selectedProfile: Option, #[serde(skip_serializing_if = "Option::is_none")] pub user: Option, } diff --git a/src/routes/auth.rs b/src/routes/auth.rs index 27f4aea..e3c7129 100644 --- a/src/routes/auth.rs +++ b/src/routes/auth.rs 
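Review bot: The new optional `selectedProfile` field in `RefreshResponse` has no doc comment saying when it is absent, so a reader only learns that from the commit subject; I would add `/// Not returned by every upstream response; callers must handle `None` and must not fall back to client-supplied data for it.` above the attribute. The type is rendered here as a bare `Option`, presumably `Option<Profile>` with the parameter lost in extraction — worth confirming against the repository. The `persistence.rs` hunk only drops the unused `DeleteResult` import and needs no change.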
@@ -58,7 +58,7 @@ pub async fn refresh(State(state): State, Json(payload): Json, Json(payload): J let doc = serde_json::from_str::(&response) .map_err(|_| (StatusCode::UNAUTHORIZED, Json(proto::Error::simple("invalid token"))))?; + let profile = doc.selectedProfile.unwrap_or(payload.token.selectedProfile); let user = doc.user.expect("user not found in response, even though we requested it!"); - let name = doc.selectedProfile.name.clone(); - let uuid = doc.selectedProfile.id; + let name = profile.name.clone(); + let uuid = profile.id; entities::user::Entity::insert( entities::user::ActiveModel {
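Review bot: The added `let profile = doc.selectedProfile.unwrap_or(payload.token.selectedProfile);` substitutes the profile from the client's own request body whenever the upstream response omits one, and the next two lines feed that `name` and `id` straight into the `entities::user::Entity::insert`, so nothing the upstream verified bounds the username or uuid being stored — the concern the commit message itself raises. A missing profile should fail the request in the same way the parse failure above does, e.g. `let profile = doc.selectedProfile.ok_or((StatusCode::UNAUTHORIZED, Json(proto::Error::simple("invalid token"))))?;`, or at minimum the fallback must be cross-checked against something the upstream did return before it is persisted. The hunk header reads `refresh` but the insertion/deletion counts match `src/routes/register.rs`, so this is presumably the registration handler; either way the enclosing function continues past the hunk.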