fix!: selectedProfile is not guaranteed, fallback
this could possibly allow claiming any username? the registration flow needs to be rechecked!
This commit is contained in:
parent
c09f67ec55
commit
8f33686a76
4 changed files with 7 additions and 5 deletions
|
@ -2,7 +2,7 @@ use chrono::{Utc, Duration};
|
||||||
use hmac::{Hmac, Mac};
|
use hmac::{Hmac, Mac};
|
||||||
use jwt::SignWithKey;
|
use jwt::SignWithKey;
|
||||||
use rand::{rngs::OsRng, Rng, distributions::Alphanumeric};
|
use rand::{rngs::OsRng, Rng, distributions::Alphanumeric};
|
||||||
use sea_orm::{EntityTrait, DatabaseConnection, ActiveValue::NotSet, Set, DbErr, QueryFilter, DeleteResult, ColumnTrait};
|
use sea_orm::{EntityTrait, DatabaseConnection, ActiveValue::NotSet, Set, DbErr, QueryFilter, ColumnTrait};
|
||||||
use sha2::Sha384;
|
use sha2::Sha384;
|
||||||
use tracing::info;
|
use tracing::info;
|
||||||
use std::collections::BTreeMap;
|
use std::collections::BTreeMap;
|
||||||
|
|
|
@ -112,7 +112,8 @@ pub struct RefreshRequest {
|
||||||
pub struct RefreshResponse {
|
pub struct RefreshResponse {
|
||||||
pub accessToken: String,
|
pub accessToken: String,
|
||||||
pub clientToken: String,
|
pub clientToken: String,
|
||||||
pub selectedProfile: Profile,
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
|
pub selectedProfile: Option<Profile>,
|
||||||
#[serde(skip_serializing_if = "Option::is_none")]
|
#[serde(skip_serializing_if = "Option::is_none")]
|
||||||
pub user: Option<User>,
|
pub user: Option<User>,
|
||||||
}
|
}
|
||||||
|
|
|
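Review bot: Turning `selectedProfile` into `Option<Profile>` changes the deserialization contract as well as the serialization one — an upstream refresh response that omits the field now silently deserializes to `None` instead of failing to parse — and nothing on the field tells a consumer how that case must be handled. Suggest a doc comment above the new attribute: `/// None when the upstream response carries no selected profile; treat as "unknown identity", never substitute client-supplied data.` The `skip_serializing_if` attribute only affects output, so the field is otherwise consistent with the existing `user` field.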
@ -58,7 +58,7 @@ pub async fn refresh(State(state): State<AppState>, Json(payload): Json<proto::R
|
||||||
let response = proto::RefreshResponse {
|
let response = proto::RefreshResponse {
|
||||||
accessToken: new_access_token.to_string(),
|
accessToken: new_access_token.to_string(),
|
||||||
clientToken: payload.clientToken,
|
clientToken: payload.clientToken,
|
||||||
selectedProfile: proto::Profile { id: user.uuid, name: user.name },
|
selectedProfile: Some(proto::Profile { id: user.uuid, name: user.name }),
|
||||||
user: None,
|
user: None,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -26,9 +26,10 @@ pub async fn register_unmigrated(State(state): State<AppState>, Json(payload): J
|
||||||
let doc = serde_json::from_str::<proto::RefreshResponse>(&response)
|
let doc = serde_json::from_str::<proto::RefreshResponse>(&response)
|
||||||
.map_err(|_| (StatusCode::UNAUTHORIZED, Json(proto::Error::simple("invalid token"))))?;
|
.map_err(|_| (StatusCode::UNAUTHORIZED, Json(proto::Error::simple("invalid token"))))?;
|
||||||
|
|
||||||
|
let profile = doc.selectedProfile.unwrap_or(payload.token.selectedProfile);
|
||||||
let user = doc.user.expect("user not found in response, even though we requested it!");
|
let user = doc.user.expect("user not found in response, even though we requested it!");
|
||||||
let name = doc.selectedProfile.name.clone();
|
let name = profile.name.clone();
|
||||||
let uuid = doc.selectedProfile.id;
|
let uuid = profile.id;
|
||||||
|
|
||||||
entities::user::Entity::insert(
|
entities::user::Entity::insert(
|
||||||
entities::user::ActiveModel {
|
entities::user::ActiveModel {
|
||||||
|
|
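Review bot: The fallback `let profile = doc.selectedProfile.unwrap_or(payload.token.selectedProfile);` takes the profile name and uuid from the client-supplied request token whenever the upstream refresh response omits selectedProfile, and those two values feed the user insert a few lines below — so the identity being registered is client-asserted rather than confirmed by the upstream service, which is exactly the concern in the commit message. Safer to fail closed: `let Some(profile) = doc.selectedProfile else { return Err((StatusCode::UNAUTHORIZED, Json(proto::Error::simple("no selected profile")))); };` and, if a fallback is genuinely needed, accept the token's profile only after cross-checking it against data the upstream actually returned. Separately, `doc.user.expect(...)` panics the handler on a malformed upstream response; `doc.user.ok_or((StatusCode::UNAUTHORIZED, Json(proto::Error::simple("invalid token"))))?` keeps it on the normal error path. register_unmigrated's body starts and ends outside the hunk.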