From db511d3fe50f05329615f718515fab1b80d9e06a Mon Sep 17 00:00:00 2001 From: metamuffin Date: Wed, 29 Jan 2025 18:03:06 +0100 Subject: no direct redb access --- server/src/routes/ui/account/mod.rs | 54 +++++++++++++------------------------ 1 file changed, 18 insertions(+), 36 deletions(-) (limited to 'server/src/routes/ui/account/mod.rs') diff --git a/server/src/routes/ui/account/mod.rs b/server/src/routes/ui/account/mod.rs index d73cf4c..6139a08 100644 --- a/server/src/routes/ui/account/mod.rs +++ b/server/src/routes/ui/account/mod.rs @@ -8,7 +8,7 @@ pub mod settings; use super::{error::MyError, layout::LayoutPage}; use crate::{ - database::DataAcid, + database::Database, routes::ui::{ account::session::Session, error::MyResult, home::rocket_uri_macro_r_home, layout::DynLayoutPage, @@ -18,10 +18,7 @@ use crate::{ use anyhow::anyhow; use argon2::{password_hash::Salt, Argon2, PasswordHasher}; use chrono::Duration; -use jellybase::{ - database::{Ser, TableExt, T_INVITE, T_USER}, - CONF, -}; +use jellybase::CONF; use jellycommon::user::{User, UserPermission}; use rocket::{ form::{Contextual, Form}, @@ -124,7 +121,7 @@ pub fn r_account_logout() -> DynLayoutPage<'static> { #[post("/account/register", data = "
")] pub fn r_account_register_post<'a>( - database: &'a State, + database: &'a State, _sess: Option, form: Form>, ) -> MyResult> { @@ -134,31 +131,16 @@ pub fn r_account_register_post<'a>( None => return Err(format_form_error(form)), }; - let txn = database.begin_write()?; - let mut invites = txn.open_table(T_INVITE)?; - let mut users = txn.open_table(T_USER)?; - - if invites.remove(&*form.invitation)?.is_none() { - Err(anyhow!("invitation invalid"))?; - } - let prev_user = users - .insert( - &*form.username, - Ser(User { - display_name: form.username.clone(), - name: form.username.clone(), - password: hash_password(&form.username, &form.password), - ..Default::default() - }), - )? - .map(|x| x.value().0); - if prev_user.is_some() { - Err(anyhow!("username taken"))?; - } - - drop(users); - drop(invites); - txn.commit()?; + database.register_user( + &form.invitation, + &form.username, + User { + display_name: form.username.clone(), + name: form.username.clone(), + password: hash_password(&form.username, &form.password), + ..Default::default() + }, + )?; Ok(LayoutPage { title: "Registration successful".to_string(), @@ -175,7 +157,7 @@ pub fn r_account_register_post<'a>( #[post("/account/login", data = "")] pub fn r_account_login_post( - database: &State, + database: &State, jar: &CookieJar, form: Form>, ) -> MyResult { 
@@ -202,17 +184,17 @@ pub fn r_account_logout_post(jar: &CookieJar) -> MyResult { } pub fn login_logic( - database: &DataAcid, + database: &Database, username: &str, password: &str, expire: Option, drop_permissions: Option>, ) -> MyResult { - // hashing the password regardless if the accounts exists to prevent timing attacks + // hashing the password regardless if the accounts exists to better resist timing attacks let password = hash_password(username, password); - let mut user = T_USER - .get(database, username)? + let mut user = database + .get_user(username)? .ok_or(anyhow!("invalid password"))?; if user.password != password { -- cgit v1.2.3-70-g09d2
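Review bot: The reworded comment on the added line now claims resistance to timing attacks, but the comparison on the context line just below, `if user.password != password {`, is a plain string inequality that stops at the first differing byte, so hashing unconditionally only equalises the lookup path, not the compare itself. Since `argon2::PasswordHasher` is already imported, verifying through `argon2::PasswordVerifier` (if `hash_password` produces a PHC string) or a constant-time byte comparison would make the comment accurate; that line is context here, so the fix belongs in the code following the hunk. The new `.ok_or(anyhow!("invalid password"))` on a missing user keeps the same message as a wrong password, which is worth preserving and recording with `// same error for unknown user and wrong password so the response does not reveal which accounts exist`. The grammar of the new comment could also be tightened to `// hash the password even when the account does not exist so both paths take comparable time`. login_logic continues beyond the hunk.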