author | curly <curly@infernal.garden> | 2024-07-17 14:27:34 -0600 |
committer | curly <curly@infernal.garden> | 2024-07-17 14:27:34 -0600 |
commit | d000e75ab0c20b266e90deec437e02329210db11 (patch) | |
tree | ede26f9e54c7d6c9b1e2719fde2c2dac15e87027 /src | |
parent | 12c1da413d09d48ce85bb46d0629166ce986b5d6 (diff) | |
separate user update forms. require password for deletion
Diffstat (limited to 'src')
-rw-r--r-- | src/db.rs | 54 | ||||
-rw-r--r-- | src/main.rs | 36 |
2 files changed, 65 insertions, 25 deletions
@@ -64,8 +64,8 @@ impl User {
         self.name = new_name;
     }
 
-    fn update_password(&mut self, old_password: String, new_password: String) -> Result<(), String> {
-        if User::hash(&old_password) == self.hashed_password {
+    fn update_password(&mut self, old_password: &String, new_password: &String) -> Result<(), String> {
+        if self.same_password(old_password) {
             self.hashed_password = User::hash(&new_password);
             return Ok(());
         } else {
@@ -73,6 +73,10 @@ impl User {
         }
     }
 
+    fn same_password(&self, password: &String) -> bool {
+        User::hash(password) == self.hashed_password
+    }
+
     fn hash(t: &String) -> String {
         let hashed = Sha256::digest(&t);
         let hashed = base16ct::lower::encode_string(&hashed);
@@ -202,10 +206,9 @@ impl DB {
         Err("User Not Found".into())
     }
 
-    pub async fn update_user(&mut self, id: UID, session: &String, name: String, old_password: String, new_password: String) -> Result<(), String> {
+    pub async fn update_user_password(&mut self, id: UID, session: &String, old_password: &String, new_password: &String) -> Result<(), String> {
         self.get_user_authenticated(id, session).await?;
         let user = self.get_mut_user(id).await?;
-        user.update_name(name);
         user.update_password(old_password, new_password)?;
 
         self.save().await?;
@@ -213,6 +216,16 @@ impl DB {
         Ok(())
     }
 
+    pub async fn update_user_name(&mut self, id: UID, session: &String, name: &String) -> Result<(), String> {
+        self.get_user_authenticated(id, session).await?;
+        let user = self.get_mut_user(id).await?;
+        user.update_name(name.clone());
+
+        self.save().await?;
+
+        Ok(())
+    }
+
     pub async fn get_user_authenticated(&self, id: UID, session: &String) -> Result<&User, String> {
         match self.get_user(id) {
             Ok(u) => {
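Review bot: `User::hash(&new_password)` on the unchanged line now receives a `&&String`, because `new_password` is already a reference after this signature change; it compiles through auto-deref but the extra borrow is noise — `self.hashed_password = User::hash(new_password);`. The new parameter types should be `&str` rather than `&String` (here, in `same_password` in the next hunk, and in `update_user_password`, `update_user_name` and `delete_user` below), which is the idiomatic borrowed-string parameter and lets callers pass slices or literals without allocating. The `else` branch of `update_password` continues outside the hunk.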
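Review bot: `same_password` compares the stored hash with plain `String` equality, and the value it compares (see `hash` directly below it: `Sha256::digest` then hex-encoded) is a single unsalted SHA-256 of the password, so this helper now gates both password changes and account deletion on a scheme that is neither salted, nor slow, nor compared in constant time. The durable fix is to store passwords with a dedicated password-hashing function (a salted, memory-hard KDF with its own constant-time verify) and have `same_password` delegate to that verify, which also removes the string comparison. Until then the helper should carry a doc comment stating the limitation so nobody reuses it as a general credential check, e.g. `/// Checks `password` against the stored digest. NOTE: unsalted SHA-256 and non-constant-time `==`; replace with a salted password KDF and a constant-time comparison.`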
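Review bot: A successful password change leaves every existing session for `id` valid; nothing in `update_user_password` touches sessions after `user.update_password(old_password, new_password)?`, so a session token obtained before the change keeps working after the user rotates the password. Consider revoking the user's other sessions before `self.save().await?` (the `logout_all` route mounted in main.rs suggests a DB-side primitive exists, though it is not visible here), or at least document on the method that sessions survive a password change. The first line is also worth a short why-comment, since `get_user_authenticated` is called only for its `?` and the returned `&User` is dropped before the mutable lookup: `// authenticate first; the shared borrow must end before get_mut_user`.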
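Review bot: `update_user_name` persists `name` without any validation; `update_name` (context in the first hunk) just assigns `self.name = new_name`, so an empty or whitespace-only name is accepted as far as this diff shows, unless a check lives elsewhere. A guard before the mutable lookup, `if name.trim().is_empty() { return Err("Name cannot be empty".into()); }`, would match the String-error style of the neighbouring methods, and any length limit the lookup-by-name code depends on belongs in the same place. Minor: with the caller passing `&data.name`, taking `name: &str` and calling `user.update_name(name.to_owned())` avoids the `&String` parameter and makes the single allocation explicit.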
@@ -316,20 +329,25 @@ impl DB {
         r
     }
 
-    pub async fn delete_user(&mut self, id: UID, session: &String) -> Result<String, String> {
-        self.users = self.users.clone().into_iter().filter(|u| !u.authenticate(session) && id != u.id).collect();
-        self.uid_generator.delete_uid(id);
-
-        // Validate
-        let r = match self.get_user(id) {
-            Ok(_) => Err("Could not delete".into()),
-            Err(_) => {
-                Ok("Deleted".into())
-            },
-        };
-
-        let _ = self.save().await;
-        r
+    pub async fn delete_user(&mut self, id: UID, session: &String, password: &String) -> Result<String, String> {
+        let u = self.get_user(id)?;
+        if u.same_password(password) {
+            self.users = self.users.clone().into_iter().filter(|u| !u.authenticate(session) && id != u.id).collect();
+            self.uid_generator.delete_uid(id);
+
+            // Validate
+            let r = match self.get_user(id) {
+                Ok(_) => Err("Could not delete".into()),
+                Err(_) => {
+                    Ok("Deleted".into())
+                },
+            };
+
+            let _ = self.save().await;
+            r
+        } else {
+            return Err("Password does not match".into())
+        }
     }
 
     pub async fn transfer(&mut self, from: UID, to: UID, session: &String, color: Color, amount: usize) -> Result<(), String> {
diff --git a/src/main.rs b/src/main.rs
index 6b0ecec..8ddd853 100644
--- a/src/main.rs
+++ b/src/main.rs
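Review bot: The new password check does not bind `session` to `id`: `delete_user` looks the account up with `self.get_user(id)?` rather than `get_user_authenticated(id, session)`, and the retained filter `!u.authenticate(session) && id != u.id` removes every user the session authenticates as well as the user with `id`. If `authenticate` only checks that the token belongs to that user (it is not visible here), a request carrying account A's id and password together with a session token of account B deletes both A and B, and a live session of A is never actually required. Authenticate the pair first, as `update_user_password` and `update_user_name` do, then remove by id only (`retain`, assuming `users` is a `Vec` as the `collect` suggests); with that the post-hoc "Validate" lookup is unnecessary, and `let _ = self.save().await;` should propagate the error instead of reporting `Deleted` when nothing was persisted. The `return Err(...)` inside `else` is also the only early `return` in the function; an inverted guard reads more naturally.
```rust
    pub async fn delete_user(&mut self, id: UID, session: &String, password: &String) -> Result<String, String> {
        // Bind the session to the account being deleted before trusting the password check.
        let u = self.get_user_authenticated(id, session).await?;
        if !u.same_password(password) {
            return Err("Password does not match".into());
        }
        self.users.retain(|u| u.id != id);
        self.uid_generator.delete_uid(id);
        // Surface a failed write instead of reporting a deletion that was not persisted.
        self.save().await?;
        Ok("Deleted".into())
    }
```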
@@ -174,27 +174,48 @@ async fn get_sessions(data: Json<LogoutForm>, db: &State<Mutex<DB>>) -> (Status, } } +#[derive(Deserialize)] +struct DeleteForm { + id: UID, + session: String, + password: String, +} + #[post("/delete", data="<data>", format="json")] -async fn delete(data: Json<LogoutForm>, db: &State<Mutex<DB>>) -> (Status, Result<Json<String>, Json<String>>) { +async fn delete(data: Json<DeleteForm>, db: &State<Mutex<DB>>) -> (Status, Result<Json<String>, Json<String>>) { let mut db = db.lock().await; - match db.delete_user(data.id, &data.session).await { + match db.delete_user(data.id, &data.session, &data.password).await { Ok(n) => (Status::Ok, Ok(n.into())), Err(n) => (Status::Unauthorized, Err(n.into())), } } #[derive(Deserialize)] -struct UpdateForm { +struct UpdateNameForm { id: UID, session: String, name: String, +} +#[derive(Deserialize)] +struct UpdatePasswordForm { + id: UID, + session: String, old_password: String, new_password: String, } -#[post("/update/info", data="<data>", format="json")] -async fn update_user(data: Json<UpdateForm>, db: &State<Mutex<DB>>) -> (Status, Result<(), Json<String>>) { +#[post("/name", data="<data>", format="json")] +async fn update_password(data: Json<UpdateNameForm>, db: &State<Mutex<DB>>) -> (Status, Result<(), Json<String>>) { + let mut db = db.lock().await; + match db.update_user_name(data.id, &data.session, &data.name).await { + Ok(_) => (Status::Ok, Ok(())), + Err(n) => (Status::InternalServerError, Err(n.into())) + } +} + +#[post("/password", data="<data>", format="json")] +async fn update_name(data: Json<UpdatePasswordForm>, db: &State<Mutex<DB>>) -> (Status, Result<(), Json<String>>) { let mut db = db.lock().await; - match db.update_user(data.id, &data.session, data.name.clone(), data.old_password.clone(), data.new_password.clone()).await { + match db.update_user_password(data.id, &data.session, &data.old_password, &data.new_password).await { Ok(_) => (Status::Ok, Ok(())), Err(n) => 
(Status::InternalServerError, Err(n.into()))
     }
@@ -234,7 +255,8 @@ fn rocket() -> _ {
 
     rocket::build().manage(Mutex::new(DB::load(Config::new())))
         .mount("/", routes![index])
-        .mount("/user", routes![login, get_users_by_name, get_user_authenticated, get_user, new_user, get_all_users, logout, logout_all, get_sessions, delete, update_user])
+        .mount("/user", routes![login, get_users_by_name, get_user_authenticated, get_user, new_user, get_all_users, logout, logout_all, get_sessions, delete])
+        .mount("/user/update", routes![update_name, update_password])
         .mount("/transfer", routes![transfer_out])
         .attach(cors)
 }
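Review bot: The two new handler names are swapped relative to their routes and payloads: `update_password` is mounted at `#[post("/name", …)]`, takes `UpdateNameForm` and calls `db.update_user_name`, while `update_name` is mounted at `/password`, takes `UpdatePasswordForm` and calls `db.update_user_password`. Rename them so function name, path and form agree (`async fn update_name(data: Json<UpdateNameForm>, …)` under `/name`, and the password handler under `/password`); the `routes![update_name, update_password]` mount in the last hunk needs no change since both names stay in the list. Separately, both update handlers map every `Err` from the DB to `Status::InternalServerError`, so a rejected session or a wrong old password is reported as a server fault, which hides authentication failures from clients and from anything monitoring 5xx rates. `delete` in the same hunk already answers the same kind of failure with `Status::Unauthorized`; the three handlers should agree, or the DB error should carry enough structure to pick the status.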
\ No newline at end of file |