From c87803d47973147c45a7b6dda4128896c1d530e9 Mon Sep 17 00:00:00 2001
From: antifallobst <antifallobst@systemausfall.org>
Date: Wed, 16 Aug 2023 17:30:18 +0200
Subject: [PATCH] feat(api): defined and implemented return codes that allow
 for internal SQL injection checking

---
 API.md                   | 12 +++++++++---
 src/api/account/calls.rs |  9 ++++++---
 src/api/account/data.rs  |  5 ++++-
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/API.md b/API.md
index 327df73..b026b98 100644
--- a/API.md
+++ b/API.md
@@ -27,7 +27,7 @@ The verification request was sent.
 ##### 400 - Error: Bad Request
 The request was malformed.
 ##### 403 - Error: Forbidden
-The password is not matching the requirements.
+Blocked for security reasons.
 ##### 409 - Error: Conflict
 The requested username or email is already taken.
 
@@ -58,6 +58,8 @@ The account was verified. You can login now.
 ##### 400 - Error: Bad Request
 The request was malformed.
 ##### 403 - Error: Forbidden
+Blocked for security reasons.
+##### 404 - Error: Forbidden
 The provided token is unknown.
 
 ### `/account/authenticate` - POST
@@ -85,8 +87,10 @@ __Content - JSON:__
 
 ##### 400 - Error: Bad Request
 The request was malformed.
-##### 403 - Error: Forbidden
+##### 401 - Error: Unauthorized
 The provided password was wrong.
+##### 403 - Error: Forbidden
+Blocked for security reasons.
 ##### 404 - Error: Not Found
 The provided username was not found.
 
@@ -102,4 +106,6 @@ Deletes the account.
 ##### 200 - Success
 The account was deleted.
 ##### 401 - Error: Unauthorized
-The provided token doesn't allow you to perform this operation.
\ No newline at end of file
+The provided token doesn't allow you to perform this operation.
+##### 403 - Error: Forbidden
+Blocked for security reasons.
\ No newline at end of file
diff --git a/src/api/account/calls.rs b/src/api/account/calls.rs
index 76e389c..0fe72e9 100644
--- a/src/api/account/calls.rs
+++ b/src/api/account/calls.rs
@@ -12,9 +12,9 @@ async fn register(
     match handlers::register(body.into_inner()).await {
         Ok(resp) => match resp {
             data::RegisterResponse::Success => HttpResponse::Ok().finish(),
-            data::RegisterResponse::PasswordTooWeak => HttpResponse::Forbidden().finish(),
             data::RegisterResponse::Conflict(b) => HttpResponse::Conflict().json(web::Json(b)),
             data::RegisterResponse::MalformedEmail => HttpResponse::UnprocessableEntity().finish(),
+            data::RegisterResponse::Blocked => HttpResponse::Forbidden().finish(),
         },
         Err(e) => {
             error!("While handling register request: {e}");
@@ -28,7 +28,8 @@ async fn verify(data: web::Data<ApiState>, body: web::Json<data::VerifyRequest>)
     match handlers::verify(body.into_inner()).await {
         Ok(resp) => match resp {
             data::VerifyResponse::Success => HttpResponse::Ok().finish(),
-            data::VerifyResponse::TokenUnknown => HttpResponse::Forbidden().finish(),
+            data::VerifyResponse::TokenUnknown => HttpResponse::NotFound().finish(),
+            data::VerifyResponse::Blocked => HttpResponse::Forbidden().finish(),
         },
         Err(e) => {
             error!("While handling verify request: {e}");
@@ -45,8 +46,9 @@ async fn authenticate(
     match handlers::authenticate(body.into_inner()).await {
         Ok(resp) => match resp {
             data::AuthenticateResponse::Success(b) => HttpResponse::Ok().json(web::Json(b)),
-            data::AuthenticateResponse::WrongPassword => HttpResponse::Forbidden().finish(),
+            data::AuthenticateResponse::WrongPassword => HttpResponse::Unauthorized().finish(),
             data::AuthenticateResponse::UserNotFound => HttpResponse::NotFound().finish(),
+            data::AuthenticateResponse::Blocked => HttpResponse::Forbidden().finish(),
         },
         Err(e) => {
             error!("While handling authenticate request: {e}");
@@ -61,6 +63,7 @@ async fn delete(data: web::Data<ApiState>, auth: BearerAuth) -> impl Responder {
         Ok(resp) => match resp {
             data::DeleteResponse::Success => HttpResponse::Ok().finish(),
             data::DeleteResponse::Unauthorized => HttpResponse::Unauthorized().finish(),
+            data::DeleteResponse::Blocked => HttpResponse::Forbidden().finish(),
         },
         Err(e) => {
             error!("While handling delete request: {e}");
diff --git a/src/api/account/data.rs b/src/api/account/data.rs
index eca93dc..3bf5cfd 100644
--- a/src/api/account/data.rs
+++ b/src/api/account/data.rs
@@ -17,9 +17,9 @@ pub enum RegisterConflict {
 #[derive(Debug)]
 pub enum RegisterResponse {
     Success,
-    PasswordTooWeak,
     Conflict(RegisterConflict),
     MalformedEmail,
+    Blocked,
 }
 
 #[derive(Debug, Deserialize)]
@@ -30,6 +30,7 @@ pub struct VerifyRequest {
 #[derive(Debug)]
 pub enum VerifyResponse {
     Success,
+    Blocked,
     TokenUnknown,
 }
 
@@ -49,10 +50,12 @@ pub enum AuthenticateResponse {
     Success(AuthenticateSuccess),
     WrongPassword,
     UserNotFound,
+    Blocked,
 }
 
 #[derive(Debug)]
 pub enum DeleteResponse {
     Success,
+    Blocked,
     Unauthorized,
 }