Merge pull request #46 from SEbbaDK/server-fix-access-check

Server fix access check
SEbbaDK · May 23, 2021 · 0aca160 · 0aca160
2 parents 1c3df6a + 98d150b
commit 0aca160
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/server/shard.yml b/server/shard.yml
@@ -1,5 +1,5 @@
 name: maptogether-server
-version: 0.3.0
+version: 0.3.1
 
 authors:
   - SEbbaDK

diff --git a/server/src/maptogether-server.cr b/server/src/maptogether-server.cr
@@ -29,17 +29,19 @@ module MapTogether::Server
 		end
 
 		macro check_auth(id, env, db)
-				%auth_head = {{env}}.request.headers["Authorization"]?
-				http_raise 400, "Authentication header is missing" if %auth_head == nil
-
-				%auth = %auth_head.as(String).split(" ")
+			%id = {{id}}.to_i64
+			%auth_head = {{env}}.request.headers["Authorization"]?
+			http_raise 400, "Authentication header is missing" if %auth_head == nil
+
+			%auth = %auth_head.as(String).split(" ")
 			http_raise 400, "Authentication header needs to be 'Basic <ACCESS_KEY>'" if %auth.size != 2
 
 			%atype, %key = %auth
 			http_raise 400, "Authentication type needs to be 'Basic'" if %atype != "Basic"
 
-			%aid = {{db}}.query_one "SELECT userid FROM users WHERE access = $1", %key, as: Int64
-			http_raise 401, "Authenticated user does not have permission for this (#{{{id}}} != #{%aid}" if {{id}} != %aid
+			%aid = {{db}}.query_one? "SELECT userid FROM users WHERE access = $1", %key, as: Int64
+			http_raise 401, "User #{%id} does not have the given access token" if %aid.nil?
+			http_raise 401, "Authenticated user does not have permission for this (#{%id} != #{%aid}" if %id != %aid
 		end
 
 		put "/user/:id" do |env|