crystal-gauntlet/src/endpoints/accounts/registerAccount.cr

require "uri"
require "base64"
require "crypto/bcrypt/password"

include CrystalGauntlet

CrystalGauntlet.endpoints["/accounts/registerGJAccount.php"] = ->(context : HTTP::Server::Context): String {
  params = URI::Params.parse(context.request.body.not_nil!.gets_to_end)
  LOG.debug { params.inspect }

  if config_get("accounts.allow_registration").as(Bool | Nil) == false
    return "-1"
  end

  username = Clean.clean_basic(params["userName"])
  password = params["password"]
  email = params["email"]

  if username != params["userName"]
    return "-4"
  end

  if password.size < 6
    return "-8"
  end
  if username.size < 3
    return "-9"
  end

  # caps checks aren't required because `username` is already COLLATE NOCASE in the db
  username_exists = DATABASE.scalar "select count(*) from accounts where username = ?", username
  if username_exists != 0
    return "-2"
  end

  # todo: email checks, conditionally?

  password_hash = Crypto::Bcrypt::Password.create(password, cost: 10).to_s
  gjp2 = CrystalGauntlet::GJP.hash(password)
  next_id = IDs.get_next_id("accounts")
  DATABASE.exec "insert into accounts (id, username, password, email, gjp2) values (?, ?, ?, ?, ?)", next_id, username, password_hash, email, gjp2

  user_id = IDs.get_next_id("users")
  DATABASE.exec "insert into users (id, account_id, username, registered) values (?, ?, ?, 1)", user_id, next_id, username
  "1"
}
some minor refactoring 2022-12-30 17:04:27 +01:00			`require "uri"`
			`require "base64"`
			`require "crypto/bcrypt/password"`

			`include CrystalGauntlet`

refactor endpoint system context is now passed in instead of just the body will allow for ip bans and similar in the future :slugclose: 2023-01-03 08:02:50 +01:00			`CrystalGauntlet.endpoints["/accounts/registerGJAccount.php"] = ->(context : HTTP::Server::Context): String {`
			`params = URI::Params.parse(context.request.body.not_nil!.gets_to_end)`
pretty logs :) 2023-01-02 11:59:37 +01:00			`LOG.debug { params.inspect }`
some minor refactoring 2022-12-30 17:04:27 +01:00
config system 2022-12-31 09:16:43 +01:00			`if config_get("accounts.allow_registration").as(Bool \| Nil) == false`
			`return "-1"`
			`end`

refactor string cleaning 2022-12-31 20:05:39 +01:00			`username = Clean.clean_basic(params["userName"])`
some minor refactoring 2022-12-30 17:04:27 +01:00			`password = params["password"]`
			`email = params["email"]`

stricter requirements for accounts 2023-01-03 14:20:31 +01:00			`if username != params["userName"]`
			`return "-4"`
			`end`

			`if password.size < 6`
			`return "-8"`
			`end`
			`if username.size < 3`
			`return "-9"`
			`end`

tiny note about caps sensitivity in registerAccount 2022-12-31 03:16:46 +01:00			# caps checks aren't required because `username` is already COLLATE NOCASE in the db
some minor refactoring 2022-12-30 17:04:27 +01:00			`username_exists = DATABASE.scalar "select count(*) from accounts where username = ?", username`
			`if username_exists != 0`
			`return "-2"`
			`end`

make account usernames a unique key 2022-12-31 03:13:29 +01:00			`# todo: email checks, conditionally?`

some minor refactoring 2022-12-30 17:04:27 +01:00			`password_hash = Crypto::Bcrypt::Password.create(password, cost: 10).to_s`
			`gjp2 = CrystalGauntlet::GJP.hash(password)`
switch all auto-incrementing ids to a single tracking system this is to prevent ids from overlapping after a level is deleted this WILL cause issues on older databases. i will not be responsible 2023-01-02 14:32:31 +01:00			`next_id = IDs.get_next_id("accounts")`
some minor refactoring 2022-12-30 17:04:27 +01:00			`DATABASE.exec "insert into accounts (id, username, password, email, gjp2) values (?, ?, ?, ?, ?)", next_id, username, password_hash, email, gjp2`

switch all auto-incrementing ids to a single tracking system this is to prevent ids from overlapping after a level is deleted this WILL cause issues on older databases. i will not be responsible 2023-01-02 14:32:31 +01:00			`user_id = IDs.get_next_id("users")`
some minor refactoring 2022-12-30 17:04:27 +01:00			`DATABASE.exec "insert into users (id, account_id, username, registered) values (?, ?, ?, 1)", user_id, next_id, username`
			`"1"`
			`}`