From 528467ec401df119363f25c69ce2f7aa2649d5b5 Mon Sep 17 00:00:00 2001
From: SEbbaDK
Date: Sun, 23 May 2021 12:19:05 +0200
Subject: [PATCH 1/3] server: Output better error message when access token not found

---
 server/src/maptogether-server.cr | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/server/src/maptogether-server.cr b/server/src/maptogether-server.cr
index cc94528..f35b50c 100644
--- a/server/src/maptogether-server.cr
+++ b/server/src/maptogether-server.cr
@@ -29,16 +29,17 @@ module MapTogether::Server
   end
 
   macro check_auth(id, env, db)
-    %auth_head = {{env}}.request.headers["Authorization"]?
-    http_raise 400, "Authentication header is missing" if %auth_head == nil
-
-    %auth = %auth_head.as(String).split(" ")
+    %auth_head = {{env}}.request.headers["Authorization"]?
+    http_raise 400, "Authentication header is missing" if %auth_head == nil
+
+    %auth = %auth_head.as(String).split(" ")
     http_raise 400, "Authentication header needs to be 'Basic '" if %auth.size != 2
     %atype, %key = %auth
     http_raise 400, "Authentication type needs to be 'Basic'" if %atype != "Basic"
-    %aid = {{db}}.query_one "SELECT userid FROM users WHERE access = $1", %key, as: Int64
+    %aid = {{db}}.query_one? "SELECT userid FROM users WHERE access = $1", %key, as: Int64
+    http_raise 401, "User #{{{id}}} does not have the given access token" if %aid.nil?
     http_raise 401, "Authenticated user does not have permission for this (#{{{id}}} != #{%aid}" if {{id}} != %aid
   end

From 7b0ee7e22a3d0672b16ed8f3c141542d8c4b0550 Mon Sep 17 00:00:00 2001
From: SEbbaDK
Date: Sun, 23 May 2021 13:24:40 +0200
Subject: [PATCH 2/3] server: Fix missing cast of id resulting in always failing auth

---
 server/src/maptogether-server.cr | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/src/maptogether-server.cr b/server/src/maptogether-server.cr
index f35b50c..e0baede 100644
--- a/server/src/maptogether-server.cr
+++ b/server/src/maptogether-server.cr
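Review bot: The added `%aid.nil?` line reports `User #{{{id}}} does not have the given access token`, but at that point the query has merely found no row for the presented token, so the message asserts a relationship to user `id` that nothing has established; `http_raise 401, "Access token not recognised" if %aid.nil?` describes the actual failure. The four lines removed and re-added at the top of the hunk differ only in whitespace, which buries the single functional change (`query_one` → `query_one?`) in the diff; a separate reindent commit would make the behavioural change easier to review. The hunk header counts 16 old / 17 new lines but fewer are visible in this listing, so the tail of the hunk appears to be truncated here.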
@@ -29,6 +29,7 @@ module MapTogether::Server
   end
 
   macro check_auth(id, env, db)
+    %id = {{id}}.to_i64
     %auth_head = {{env}}.request.headers["Authorization"]?
     http_raise 400, "Authentication header is missing" if %auth_head == nil
 
@@ -39,8 +40,8 @@ module MapTogether::Server
     http_raise 400, "Authentication type needs to be 'Basic'" if %atype != "Basic"
     %aid = {{db}}.query_one? "SELECT userid FROM users WHERE access = $1", %key, as: Int64
-    http_raise 401, "User #{{{id}}} does not have the given access token" if %aid.nil?
-    http_raise 401, "Authenticated user does not have permission for this (#{{{id}}} != #{%aid}" if {{id}} != %aid
+    http_raise 401, "User #{%id} does not have the given access token" if %aid.nil?
+    http_raise 401, "Authenticated user does not have permission for this (#{%id} != #{%aid}" if %id != %aid
   end
 
   put "/user/:id" do |env|

From 98d150beeca0746550aa33f2e32c3a7aaaad542d Mon Sep 17 00:00:00 2001
From: SEbbaDK
Date: Sun, 23 May 2021 13:27:08 +0200
Subject: [PATCH 3/3] server: Bump version number

---
 server/shard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/shard.yml b/server/shard.yml
index 4c8fc81..e7f3ae8 100644
--- a/server/shard.yml
+++ b/server/shard.yml
@@ -1,5 +1,5 @@
 name: maptogether-server
-version: 0.3.0
+version: 0.3.1
 authors:
   - SEbbaDK
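Review bot: `%id = {{id}}.to_i64` on the new first line of the macro raises `ArgumentError` when `id` is not a valid integer string, and because it runs before the `Authorization` header check, any request with a malformed `:id` (presumably a raw URL parameter, judging by the `put "/user/:id"` context in the next hunk) ends in an unhandled exception instead of the 400 the rest of the macro uses. `%id = {{id}}.to_i64?` followed by `http_raise 400, "User id must be an integer" if %id.nil?` keeps the failure inside the macro's own error path. Whether the surrounding handler or framework already maps that exception to an error response is not visible here; the macro body continues past this hunk.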
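Review bot: The rewritten permission message on the last `+` line of the second hunk opens a parenthesis that is never closed, `(#{%id} != #{%aid}`, so the client sees an unbalanced string; it should read `http_raise 401, "Authenticated user does not have permission for this (#{%id} != #{%aid})" if %id != %aid`. That message also returns the token owner's id (`%aid`) to the caller; the holder of a valid token already knows their own id, so this is low risk, but a comment such as `# Response deliberately names both ids to aid debugging of cross-user requests` would record that the disclosure is intentional. The `put "/user/:id"` handler that follows the macro's `end` lies outside the hunk.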