Add receipt to DB to prevent double-use.

Joe Ardent 2024-03-10 13:02:25 -07:00
parent 7d78302427
commit 861c6731c7
4 changed files with 58 additions and 23 deletions

4
Cargo.lock generated

@ -2018,9 +2018,9 @@ dependencies = [
[[package]] [[package]]
name = "whoami" name = "whoami"
version = "1.5.0" version = "1.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0fec781d48b41f8163426ed18e8fc2864c12937df9ce54c88ede7bd47270893e" checksum = "a44ab49fad634e88f55bf8f9bb3abd2f27d7204172a112c7c9987e01c1c94ea9"
dependencies = [ dependencies = [
"redox_syscall", "redox_syscall",
"wasite", "wasite",


@ -2,9 +2,9 @@ drop table if exists customers;
drop index if exists customers_username_dex; drop index if exists customers_username_dex;
drop index if exists customers_email_dex; drop index if exists customers_email_dex;
drop index if exists customers_invitation_dex; drop index if exists customers_invitation_dex;
drop trigger if exists update_last_updated_customers; drop trigger if exists update_customers_updated_at;
drop table if exists invitations; drop table if exists invitations;
drop index if exists invitations_owner_dex; drop index if exists invitations_owner_dex;
drop trigger if exists update_updated_at_invitations; drop trigger if exists update_invitations_updated_at;


@ -13,7 +13,7 @@ create index if not exists customers_email_dex on customers (lower(billing_email
create index if not exists customers_receipt_dex on customers (receipt); create index if not exists customers_receipt_dex on customers (receipt);
create index if not exists customers_invitation_dex on customers (invitation); -- does this need to be created? it's already a foreign key create index if not exists customers_invitation_dex on customers (invitation); -- does this need to be created? it's already a foreign key
create trigger if not exists update_last_updated_customers create trigger if not exists update_customers_updated_at
after update on customers after update on customers
when OLD.updated_at = NEW.updated_at or OLD.updated_at is null when OLD.updated_at = NEW.updated_at or OLD.updated_at is null
BEGIN BEGIN
@ -32,7 +32,7 @@ create table if not exists invitations (
); );
create index if not exists invitations_owner_dex on invitations (owner); create index if not exists invitations_owner_dex on invitations (owner);
create trigger if not exists update_updated_at_invitations create trigger if not exists update_invitations_updated_at
after update on invitations after update on invitations
when OLD.updated_at = NEW.updated_at or OLD.updated_at is null when OLD.updated_at = NEW.updated_at or OLD.updated_at is null
BEGIN BEGIN


@ -27,7 +27,11 @@ lazy_static! {
static ref MONTHLY_LINK: String = std::env::var("MONTHLY_LINK").unwrap(); static ref MONTHLY_LINK: String = std::env::var("MONTHLY_LINK").unwrap();
} }
/// Displays the signup form. //-************************************************************************
// handlers: get_signup, post_signup, and payment_success
//-************************************************************************
/// Displays the signup page with links to Stripe
pub async fn get_signup() -> impl IntoResponse { pub async fn get_signup() -> impl IntoResponse {
SignupPage { SignupPage {
monthly_link: Some((*MONTHLY_LINK).to_string()), monthly_link: Some((*MONTHLY_LINK).to_string()),
@ -40,36 +44,55 @@ pub async fn post_signup(
State(db): State<SqlitePool>, State(db): State<SqlitePool>,
Form(form): Form<SignupForm>, Form(form): Form<SignupForm>,
) -> Result<impl IntoResponse, CreateUserError> { ) -> Result<impl IntoResponse, CreateUserError> {
let receipt = form.receipt.trim();
if confirm_payment(&db, receipt).await {
log::info!("Confirmed payment again from {receipt}");
} else {
log::warn!("Attempt to use duplicate receipt {receipt}");
return Err(CreateUserError(CreateUserErrorKind::BadPayment));
}
let user = validate_signup(&form).await?; let user = validate_signup(&form).await?;
if create_user(&user) { if create_user(&user) {
log::info!("Created user {user:?}"); log::info!("Created user {user:?}");
insert_user(&db, &form.username, form.receipt.trim(), None).await; insert_customer(&db, &form.username, form.receipt.trim(), None).await;
Ok(SignupSuccessPage(user)) Ok(SignupSuccessPage(user))
} else { } else {
Err(CreateUserError(CreateUserErrorKind::UnknownEorr)) Err(CreateUserError(CreateUserErrorKind::UnknownEorr))
} }
} }
/// Redirected from Stripe with the receipt of payment. /// Redirected from Stripe with the receipt of payment, and shows the signup
pub async fn payment_success(receipt: Option<Path<String>>) -> impl IntoResponse { /// form for creating your account.
pub async fn payment_success(
State(db): State<SqlitePool>,
receipt: Option<Path<String>>,
) -> impl IntoResponse {
let receipt = if let Some(Path(receipt)) = receipt { let receipt = if let Some(Path(receipt)) = receipt {
receipt receipt
} else { } else {
return CreateUserError(CreateUserErrorKind::BadPayment).into_response(); return CreateUserError(CreateUserErrorKind::BadPayment).into_response();
}; };
let receipt = receipt.trim();
if confirm_payment(&db, receipt).await {
log::info!("Confirmed payment from {receipt}");
} else {
log::warn!("Attempt to use duplicate receipt {receipt}");
return CreateUserError(CreateUserErrorKind::BadPayment).into_response();
}
UserFormPage { UserFormPage {
receipt, receipt: receipt.to_string(),
..Default::default() ..Default::default()
} }
.into_response() .into_response()
} }
//-************************************************************************ //-************************************************************************
// helpers // private helpers for the handlers
//-************************************************************************ //-************************************************************************
async fn insert_user(db: &SqlitePool, username: &str, receipt: &str, invitation: Option<&str>) { async fn insert_customer(db: &SqlitePool, username: &str, receipt: &str, invitation: Option<&str>) {
sqlx::query!( match sqlx::query!(
"insert into customers (username, receipt, invitation) values (?, ?, ?)", "insert into customers (username, receipt, invitation) values (?, ?, ?)",
username, username,
receipt, receipt,
@ -77,7 +100,12 @@ async fn insert_user(db: &SqlitePool, username: &str, receipt: &str, invitation:
) )
.execute(db) .execute(db)
.await .await
.unwrap_or_default(); {
Ok(_) => {}
Err(e) => {
log::error!("Could not insert {receipt} for {username} into DB, got {e}");
}
}
} }
fn create_user(user: &User) -> bool { fn create_user(user: &User) -> bool {
@ -100,7 +128,21 @@ fn create_user(user: &User) -> bool {
} }
} }
fn confirm_payment(stripe_checkout_session_id: &str) -> bool { async fn confirm_payment(db: &SqlitePool, stripe_checkout_session_id: &str) -> bool {
// first check the receipt to see that it hasn't been used already
match sqlx::query_scalar!(
"select count(*) from customers where receipt = ?",
stripe_checkout_session_id
)
.fetch_one(db)
.await
.unwrap_or(0)
{
0 => {}
_ => return false,
}
// ok see if Stripe knows about it
let token = &*STRIPE_TOKEN; let token = &*STRIPE_TOKEN;
let url = format!("https://api.stripe.com/v1/checkout/sessions/{stripe_checkout_session_id}"); let url = format!("https://api.stripe.com/v1/checkout/sessions/{stripe_checkout_session_id}");
let json: serde_json::Value = ureq::get(&url) let json: serde_json::Value = ureq::get(&url)
@ -130,13 +172,6 @@ async fn validate_signup(form: &SignupForm) -> Result<User, CreateUserError> {
let username = form.username.trim(); let username = form.username.trim();
let password = form.password.trim(); let password = form.password.trim();
let verify = form.pw_verify.trim(); let verify = form.pw_verify.trim();
let receipt = form.receipt.trim();
if confirm_payment(receipt) {
log::info!("Confirmed payment from {receipt}");
} else {
return Err(CreateUserError(CreateUserErrorKind::BadPayment));
}
let name_len = username.graphemes(true).size_hint().1.unwrap_or(0); let name_len = username.graphemes(true).size_hint().1.unwrap_or(0);
// we are not ascii exclusivists around here // we are not ascii exclusivists around here
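Review bot: The duplicate-receipt check at the top of `confirm_payment` fails open: `.unwrap_or(0)` maps any query error to a count of zero, so a receipt is treated as unused whenever the lookup itself fails. Dropping the `.unwrap_or(0)` and matching on the result, `Ok(0) => {}` followed by `_ => return false,`, makes a database error reject the receipt instead. The check is also separate from the write in `post_signup`, where `create_user` runs before `insert_customer` and an insert failure is only logged, so two concurrent signups with one receipt can both pass the count, and a failed insert leaves the receipt reusable. Recording the receipt before creating the user, with `insert_customer` returning a `Result` and a unique index on `customers (receipt)` (the migration shown on this page creates a plain index), would let the database enforce single use. The body of `confirm_payment` continues past the end of its hunk, so the Stripe lookup itself is not reviewed here.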