funman300/Ferrous-Solitaire
1
1
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases 28 Wiki Activity
Files
9b00af29d906430b40d1dbe8e64ad6ce2a7937b4
Ferrous-Solitaire/solitaire_server/src/replays.rs
T
funman300 38eefb22e8 fix(server): XSS, missing score submission, leaderboard never updated, no LIMIT 
- leaderboard.html, replays.html: escape user-supplied display_name and
  username before inserting into innerHTML to prevent stored XSS
- game.js: call POST /api/replays on win so browser-game completions are
  recorded; scores were never submitted before this fix
- replays.rs: after replay insert, upsert leaderboard best_score /
  best_time_secs for opted-in users when the new score beats their current
  best (classic mode only); scores were never updated before this fix
- leaderboard.rs: add LIMIT 100 to GET /api/leaderboard to prevent
  unbounded query growth

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 19:32:14 -07:00

218 lines
7.5 KiB
Rust
Raw Blame History

//! Winning-replay storage and retrieval.
//!
//! `POST /api/replays` — upload a winning replay (auth required).
//! `GET /api/replays/recent` — list the N most-recent replays across users.
//! `GET /api/replays/:id` — fetch a single replay's full JSON.
//!
//! The replay payload itself is opaque to the server — the desktop client
//! generates a `solitaire_data::Replay` and the web playback re-executes
//! the same atomic input list against a fresh `GameState`. The server
//! just persists, indexes, and serves the JSON; it does not validate the
//! semantics of the move list.
//!
//! Three columns are projected out of the replay JSON at insert time
//! (`final_score`, `time_seconds`, `recorded_at`) so list endpoints can
//! be served without scanning every blob.
use axum::{
extract::{Path, Query, State},
Json,
};
use chrono::Utc;
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use crate::{error::AppError, middleware::AuthenticatedUser, AppState};
// ---------------------------------------------------------------------------
// Wire types
// ---------------------------------------------------------------------------
/// Subset of `Replay` fields the server needs to project out of the
/// uploaded JSON to populate the denormalised columns. Mirrors the
/// fields on `solitaire_data::Replay`; we don't depend on
/// `solitaire_data` here because the server crate must not pull in
/// the desktop client's transitive dependencies.
#[derive(Debug, Deserialize)]
struct ReplayHeader {
seed: i64,
draw_mode: String,
mode: String,
time_seconds: i64,
final_score: i64,
recorded_at: String,
}
/// Successful upload acknowledgement. The server-minted `id` is what
/// the client / web UI uses to link to `/replays/<id>`.
#[derive(Debug, Serialize)]
pub struct ReplayUploadResponse {
/// UUID v4 minted server-side at insert time.
pub id: String,
}
/// One row in the recent-replays list. Just the projection columns —
/// the full move list lives behind `GET /api/replays/:id`.
#[derive(Debug, Serialize)]
pub struct ReplaySummary {
pub id: String,
pub username: String,
pub seed: i64,
pub draw_mode: String,
pub mode: String,
pub time_seconds: i64,
pub final_score: i64,
pub recorded_at: String,
pub received_at: String,
}
/// `GET /api/replays/recent?limit=N` — bound the result set so a
/// long-tail history doesn't ship megabytes per request.
#[derive(Debug, Deserialize)]
pub struct RecentQuery {
pub limit: Option<u32>,
}
// ---------------------------------------------------------------------------
// Handlers
// ---------------------------------------------------------------------------
/// `POST /api/replays` — accept a winning replay JSON, persist it,
/// return the server-minted `id`. Auth required (the upload is
/// attributed to the authenticated user).
pub async fn upload(
State(state): State<AppState>,
user: AuthenticatedUser,
Json(payload): Json<serde_json::Value>,
) -> Result<Json<ReplayUploadResponse>, AppError> {
// Project the header fields the SQL columns need. The full payload
// is stored verbatim — schema_version sits inside it and the
// playback path is what enforces compatibility.
let header: ReplayHeader = serde_json::from_value(payload.clone())
.map_err(|e| AppError::BadRequest(format!("replay JSON missing fields: {e}")))?;
let id = Uuid::new_v4().to_string();
let received_at = Utc::now().to_rfc3339();
let replay_json = serde_json::to_string(&payload)?;
sqlx::query!(
r#"INSERT INTO replays (
id, user_id, seed, draw_mode, mode, time_seconds, final_score,
recorded_at, received_at, replay_json
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"#,
id,
user.user_id,
header.seed,
header.draw_mode,
header.mode,
header.time_seconds,
header.final_score,
header.recorded_at,
received_at,
replay_json,
)
.execute(&state.pool)
.await?;
// Update leaderboard best score/time for opted-in users when this replay
// beats their existing best. Only classic mode counts for the leaderboard.
if header.mode == "classic" {
sqlx::query!(
r#"UPDATE leaderboard
SET best_score = ?,
best_time_secs = ?,
recorded_at = ?
WHERE user_id = ?
AND (
best_score IS NULL
OR ? > best_score
OR (? = best_score AND (best_time_secs IS NULL OR ? < best_time_secs))
)"#,
header.final_score,
header.time_seconds,
header.recorded_at,
user.user_id,
header.final_score,
header.final_score,
header.time_seconds,
)
.execute(&state.pool)
.await?;
}
Ok(Json(ReplayUploadResponse { id }))
}
/// `GET /api/replays/recent` — list the N most-recent replays across
/// every user, newest first. Auth not required so the web UI can show
/// a public "latest wins" feed without a logged-in client.
pub async fn recent(
State(state): State<AppState>,
Query(q): Query<RecentQuery>,
) -> Result<Json<Vec<ReplaySummary>>, AppError> {
// 50 is a sane upper bound so a `?limit=999999` request can't make
// the server allocate megabytes. 20 is the default for a quick feed.
let limit = q.limit.unwrap_or(20).min(50) as i64;
let rows = sqlx::query!(
r#"SELECT
r.id AS "id!: String",
u.username AS "username!: String",
r.seed AS "seed!: i64",
r.draw_mode AS "draw_mode!: String",
r.mode AS "mode!: String",
r.time_seconds AS "time_seconds!: i64",
r.final_score AS "final_score!: i64",
r.recorded_at AS "recorded_at!: String",
r.received_at AS "received_at!: String"
FROM replays r
JOIN users u ON u.id = r.user_id
ORDER BY r.received_at DESC
LIMIT ?"#,
limit,
)
.fetch_all(&state.pool)
.await?;
Ok(Json(
rows.into_iter()
.map(|r| ReplaySummary {
id: r.id,
username: r.username,
seed: r.seed,
draw_mode: r.draw_mode,
mode: r.mode,
time_seconds: r.time_seconds,
final_score: r.final_score,
recorded_at: r.recorded_at,
received_at: r.received_at,
})
.collect(),
))
}
/// `GET /api/replays/:id` — return the full replay JSON the desktop
/// client uploaded. Public; the web UI fetches this directly.
///
/// The server does not validate or transform the payload — what was
/// stored is what's returned. Schema-version compatibility is the
/// responsibility of the playback side (web UI), matching the
/// `schema_version` gate the desktop loader uses.
pub async fn get_by_id(
State(state): State<AppState>,
Path(id): Path<String>,
) -> Result<Json<serde_json::Value>, AppError> {
let row = sqlx::query!(
"SELECT replay_json FROM replays WHERE id = ?",
id,
)
.fetch_optional(&state.pool)
.await?;
let replay_json = row
.ok_or_else(|| AppError::NotFound("replay not found".into()))?
.replay_json;
let value: serde_json::Value = serde_json::from_str(&replay_json)?;
Ok(Json(value))
}
Reference in New Issue View Git Blame Copy Permalink