funman300/Ferrous-Solitaire
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 28 Wiki Activity

fix(server): auth-guard avatar serving, atomic write, user_id assertion in merge

Browse Source 
- Move /avatars ServeDir behind require_auth middleware so avatar files
  can only be fetched by authenticated users (H-11)
- Make avatar upload atomic via .tmp write + rename, cleaning up stale
  extensions only after the rename succeeds (H-12)
- Return 401 instead of silently returning an empty username string when
  the user row is unexpectedly missing a username (L-17)
- Add user_id mismatch guard to merge(): returns local payload unchanged
  with a ConflictReport rather than silently cross-contaminating data (H-2)
- Truncate opt-in display_name to 32 chars client-side before sending,
  matching the server's DISPLAY_NAME_MAX validation (L-5)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
funman300
2026-05-17 20:22:38 -07:00
parent f8f1f26d64
commit 1eb40433a9
4 changed files with 24 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
solitaire_server/src/auth.rs
+13 -7
View File
@@ -336,7 +336,7 @@ pub async fn get_me(
Ok(Json(MeResponse {
id: user.user_id,
username: row.username.unwrap_or_default(),
username: row.username.ok_or(AppError::Unauthorized)?,
avatar_url: row.avatar_url,
}))
}
@@ -386,13 +386,19 @@ pub async fn upload_avatar(
std::fs::create_dir_all("avatars").map_err(|e| AppError::Internal(e.to_string()))?;
let filename = format!("{}.{}", user.user_id, ext);
let path = std::path::Path::new("avatars").join(&filename);
// Remove stale files with other extensions first.
let tmp_path = std::path::Path::new("avatars").join(format!("{}.{}.tmp", user.user_id, ext));
// Write to a temp file then atomically rename so concurrent readers never
// see a partially-written avatar.
std::fs::write(&tmp_path, &body).map_err(|e| AppError::Internal(e.to_string()))?;
std::fs::rename(&tmp_path, &path).map_err(|e| AppError::Internal(e.to_string()))?;
// Remove stale files with other extensions after the atomic rename.
for old_ext in &["jpg", "png", "webp", "gif"] {
let _ = std::fs::remove_file(
std::path::Path::new("avatars").join(format!("{}.{}", user.user_id, old_ext)),
);
if *old_ext != ext {
let _ = std::fs::remove_file(
std::path::Path::new("avatars").join(format!("{}.{}", user.user_id, old_ext)),
);
}
}
std::fs::write(&path, &body).map_err(|e| AppError::Internal(e.to_string()))?;
let avatar_url = format!("/avatars/{filename}");
sqlx::query!(
@@ -412,7 +418,7 @@ pub async fn upload_avatar(
Ok(Json(MeResponse {
id: user.user_id,
username: username.unwrap_or_default(),
username: username.ok_or(AppError::Unauthorized)?,
avatar_url: Some(avatar_url),
}))
}