code002lover/game_list
1
0
Fork 0
Code Issues 1 Pull Requests 10 Actions Packages Projects Releases Wiki Activity

Compare commits

base: code002lover:5729940a6250185111ca857884b2a4023037f186
Branches Tags
code002lover:master
code002lover:renovate/node-24.x-lockfile
code002lover:renovate/typescript-eslint-monorepo
code002lover:renovate/ts-proto-2.x-lockfile
code002lover:renovate/react-router-monorepo
code002lover:renovate/react-monorepo
code002lover:renovate/bufbuild-protobuf-2.x-lockfile
code002lover:renovate/bincode-3.x
code002lover:renovate/globals-17.x
code002lover:renovate/bcrypt-0.x
code002lover:renovate/vite-7.x
..
compare: code002lover:c84f617e5c03f33f832675ebc042d858c6205466
Branches Tags
code002lover:renovate/node-24.x-lockfile
code002lover:renovate/typescript-eslint-monorepo
code002lover:renovate/ts-proto-2.x-lockfile
code002lover:renovate/react-router-monorepo
code002lover:renovate/react-monorepo
code002lover:renovate/bufbuild-protobuf-2.x-lockfile
code002lover:renovate/bincode-3.x
code002lover:renovate/globals-17.x
code002lover:renovate/bcrypt-0.x
code002lover:renovate/vite-7.x
code002lover:master

3 Commits
5729940a62 ... c84f617e5c

Author SHA1 Message Date
code002lover
c84f617e5c use || instead of ?? 2026-01-19 16:07:58 +01:00
code002lover
15d3ab79bd use proper rand 2026-01-12 23:58:55 +01:00
code002lover
4abe8a53df do stuffs 2026-01-12 23:30:36 +01:00
12 changed files with 353 additions and 75 deletions
Show Stats Expand all files Collapse all files

1
Cargo.lock generated
View File

@ -147,6 +147,7 @@ dependencies = [
"prost",
"prost-build",
"prost-types",
"rand 0.9.2",
"reqwest",
"rocket",
"rocket_prost_responder_derive",

1
backend/Cargo.toml
View File

@ -19,6 +19,7 @@ serde_json = "1.0"
reqwest = { version = "0.13", features = ["json"] }
aes-gcm = "0.10"
base64 = "0.22"
rand = "0.9.2"
[build-dependencies]
prost-build = "0.14"

14
backend/src/auth.rs
View File

@ -1,13 +1,14 @@
use crate::auth_persistence::AuthStorage;
use crate::csrf::{CsrfState, set_csrf_cookie};
use crate::items;
use crate::proto_utils::Proto;
use rocket::State;
use rocket::futures::lock::Mutex;
use rocket::http::CookieJar;
use std::collections::{HashMap, HashSet};
use uuid::Uuid;
pub struct AuthState {
// Map token -> username
tokens: Mutex<HashMap<String, String>>,
storage: AuthStorage,
}
@ -65,7 +66,6 @@ impl<'r> rocket::request::FromRequest<'r> for Token {
match token {
Some(token) => {
// Check if token starts with "Bearer "
if let Some(token) = token.strip_prefix("Bearer ") {
let state = request.guard::<&State<AuthState>>().await.unwrap();
let tokens = state.tokens.lock().await;
@ -130,7 +130,9 @@ impl<'r> rocket::request::FromRequest<'r> for AdminToken {
#[post("/login", data = "<request>")]
pub async fn login(
state: &State<AuthState>,
csrf_state: &State<CsrfState>,
user_list: &State<Mutex<Vec<crate::User>>>,
jar: &CookieJar<'_>,
request: Proto<items::LoginRequest>,
) -> items::LoginResponse {
let req = request.into_inner();
@ -146,6 +148,9 @@ pub async fn login(
tokens.insert(token.clone(), req.username.clone());
state.storage.save_tokens(&tokens);
let csrf_token = csrf_state.generate_token();
set_csrf_cookie(jar, &csrf_token);
return items::LoginResponse {
token,
success: true,
@ -186,6 +191,8 @@ pub async fn logout(
pub async fn get_auth_status(
state: &State<AuthState>,
admin_state: &State<AdminState>,
csrf_state: &State<CsrfState>,
jar: &CookieJar<'_>,
request: Proto<items::AuthStatusRequest>,
) -> items::AuthStatusResponse {
let req = request.into_inner();
@ -195,6 +202,9 @@ pub async fn get_auth_status(
let admins = admin_state.admins.lock().await;
let is_admin = crate::store::is_admin(username, &admins);
let csrf_token = csrf_state.generate_token();
set_csrf_cookie(jar, &csrf_token);
items::AuthStatusResponse {
authenticated: true,
username: username.clone(),

36
backend/src/auth_persistence.rs
View File

@ -185,7 +185,7 @@ impl AuthStorage {
}
};
let nonce_bytes: [u8; NONCE_SIZE] = rand::thread_rng().generate_bytes();
let nonce_bytes: [u8; NONCE_SIZE] = rand::random();
let nonce = Nonce::from_slice(&nonce_bytes);
let ciphertext = match self.cipher.encrypt(nonce, plaintext.as_ref()) {
Ok(encrypted) => encrypted,
@ -225,37 +225,3 @@ impl AuthStorage {
}
}
}
mod rand {
use std::cell::Cell;
thread_local! {
static STATE: Cell<u64> = Cell::new(
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap_or_default()
.as_nanos() as u64
);
}
pub struct ThreadRng;
pub fn thread_rng() -> ThreadRng {
ThreadRng
}
impl ThreadRng {
pub fn generate_bytes<const N: usize>(&mut self) -> [u8; N] {
let mut result = [0u8; N];
STATE.with(|state| {
let mut s = state.get();
for byte in result.iter_mut() {
s = s.wrapping_mul(1103515245).wrapping_add(12345);
*byte = (s >> (s % 8)) as u8;
}
state.set(s);
});
result
}
}
}

95
backend/src/csrf.rs Normal file
View File

@ -0,0 +1,95 @@
use rocket::Build;
use rocket::Request;
use rocket::Rocket;
use rocket::fairing::{Fairing, Info, Kind};
use rocket::http::{Cookie, CookieJar, SameSite, Status};
use rocket::request::{FromRequest, Outcome};
use std::collections::HashSet;
use std::sync::Arc;
use uuid::Uuid;
const CSRF_COOKIE_NAME: &str = "csrf_token";
const CSRF_HEADER_NAME: &str = "X-CSRF-Token";
const CSRF_EXPIRATION_HOURS: u64 = 24;
#[derive(Clone)]
pub struct CsrfToken(pub String);
#[derive(Clone)]
pub struct CsrfState {
tokens: Arc<std::sync::Mutex<HashSet<String>>>,
}
impl CsrfState {
pub fn new() -> Self {
Self {
tokens: Arc::new(std::sync::Mutex::new(HashSet::new())),
}
}
pub fn generate_token(&self) -> String {
let token = Uuid::new_v4().to_string();
self.tokens.lock().unwrap().insert(token.clone());
token
}
pub fn validate_token(&self, token: &str) -> bool {
self.tokens.lock().unwrap().remove(token)
}
}
impl Default for CsrfState {
fn default() -> Self {
Self::new()
}
}
#[rocket::async_trait]
impl<'r> FromRequest<'r> for CsrfToken {
type Error = ();
async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
let header_token = request.headers().get_one(CSRF_HEADER_NAME);
let cookie_jar = request.guard::<&CookieJar<'_>>().await;
let cookie_token = match cookie_jar {
Outcome::Success(jar) => jar
.get(CSRF_COOKIE_NAME)
.map(|c: &Cookie<'_>| c.value().to_string()),
_ => None,
};
match (header_token, cookie_token) {
(Some(header), Some(cookie)) if header == cookie => {
Outcome::Success(CsrfToken(header.to_string()))
}
_ => Outcome::Error((Status::Forbidden, ())),
}
}
}
pub struct CsrfFairing;
#[rocket::async_trait]
impl Fairing for CsrfFairing {
fn info(&self) -> Info {
Info {
name: "CSRF Protection",
kind: Kind::Ignite,
}
}
async fn on_ignite(&self, rocket: Rocket<Build>) -> Result<Rocket<Build>, Rocket<Build>> {
Ok(rocket.manage(CsrfState::new()))
}
}
pub fn set_csrf_cookie(jar: &CookieJar<'_>, token: &str) {
jar.add(
Cookie::build((CSRF_COOKIE_NAME, token.to_owned()))
.http_only(true)
.same_site(SameSite::Strict)
.max_age(rocket::time::Duration::hours(CSRF_EXPIRATION_HOURS as i64))
.path("/"),
);
}

5
backend/src/lib.rs
View File

@ -7,8 +7,13 @@ pub mod items {
pub mod auth;
pub mod auth_persistence;
pub mod csrf;
pub mod proto_utils;
pub mod security_headers;
pub mod store;
pub mod validation;
pub use auth::AdminState;
pub use csrf::{CsrfFairing, CsrfState, CsrfToken, set_csrf_cookie};
pub use security_headers::SecurityHeaders;
pub use store::User;

121
backend/src/main.rs
View File

@ -4,9 +4,12 @@ use rocket::futures::lock::Mutex;
use backend::auth;
use backend::auth::AdminState;
use backend::csrf::{CsrfFairing, CsrfToken};
use backend::items::{self, Game};
use backend::proto_utils;
use backend::security_headers::SecurityHeaders;
use backend::store::{self, User, save_state};
use backend::validation;
#[macro_use]
extern crate rocket;
@ -17,6 +20,10 @@ async fn get_user(
user_list: &rocket::State<Mutex<Vec<User>>>,
name: &str,
) -> Option<items::Person> {
if validation::validate_username(name).is_err() {
return None;
}
let users = user_list.lock().await;
users
.iter()
@ -41,6 +48,10 @@ async fn get_game(
game_list: &rocket::State<Mutex<Vec<Game>>>,
title: &str,
) -> Option<items::Game> {
if validation::validate_game_title(title).is_err() {
return None;
}
let games = game_list.lock().await;
games
.iter()
@ -53,12 +64,16 @@ async fn get_games_batch(
_token: auth::Token,
game_list: &rocket::State<Mutex<Vec<Game>>>,
req: proto_utils::Proto<items::GetGameInfoRequest>,
) -> items::GameList {
let games = game_list.lock().await;
) -> Result<items::GameList, String> {
let req = req.into_inner();
let games_set: std::collections::HashSet<String> = req.games.into_iter().collect();
validation::validate_game_titles_batch(&games_set)?;
let games = game_list.lock().await;
let mut games = games.clone();
games.retain(|g| req.games.contains(&g.title));
items::GameList { games }
games.retain(|g| games_set.contains(&g.title));
Ok(items::GameList { games })
}
#[get("/games")]
@ -72,55 +87,77 @@ async fn get_games(
}
}
#[post("/game", data = "<game>")]
#[post("/game", data = "<game>", rank = 1)]
async fn add_game(
_token: auth::Token,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>,
game: proto_utils::Proto<items::Game>,
) -> Option<items::Game> {
let mut games = game_list.lock().await;
) -> Result<Option<items::Game>, String> {
let mut game = game.into_inner();
game.title = game.title.trim().to_string();
if game.remote_id == 0 {
return None;
validation::validate_game_title(&game.title)?;
validation::validate_remote_id(game.remote_id)?;
validation::validate_player_count(game.min_players, game.max_players)?;
validation::validate_price(game.price)?;
if game.title.len() > validation::MAX_GAME_TITLE_TRIMMED_LENGTH {
game.title = game
.title
.chars()
.take(validation::MAX_GAME_TITLE_TRIMMED_LENGTH)
.collect();
}
let users = user_list.lock().await;
let mut games = game_list.lock().await;
if let Some(existing) = games.iter().find(|g| {
g.title == game.title || (g.remote_id == game.remote_id && g.source == game.source)
}) {
return Some(existing.clone());
return Ok(Some(existing.clone()));
}
games.push(game.clone());
games.sort_unstable_by(|g1, g2| g1.title.cmp(&g2.title));
let users = user_list.lock().await;
save_state(&games, &users);
Some(game)
Ok(Some(game))
}
#[patch("/game", data = "<game>")]
#[patch("/game", data = "<game>", rank = 1)]
async fn update_game(
_token: auth::AdminToken,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>,
game: proto_utils::Proto<items::Game>,
) -> Option<items::Game> {
let mut games = game_list.lock().await;
let mut users = user_list.lock().await;
) -> Result<Option<items::Game>, String> {
let mut game = game.into_inner();
game.title = game.title.trim().to_string();
if game.remote_id == 0 {
return None;
validation::validate_game_title(&game.title)?;
validation::validate_remote_id(game.remote_id)?;
validation::validate_player_count(game.min_players, game.max_players)?;
validation::validate_price(game.price)?;
if game.title.len() > validation::MAX_GAME_TITLE_TRIMMED_LENGTH {
game.title = game
.title
.chars()
.take(validation::MAX_GAME_TITLE_TRIMMED_LENGTH)
.collect();
}
let mut users = user_list.lock().await;
let mut games = game_list.lock().await;
let mut r_existing = None;
if let Some(existing) = games.iter_mut().find(|g| {
@ -128,7 +165,6 @@ async fn update_game(
}) {
if existing.title != game.title {
let old_title = existing.title.clone();
// Update title for every opinion
for person in users.iter_mut() {
let opinion = person
.person
@ -154,16 +190,20 @@ async fn update_game(
save_state(&games, &users);
r_existing
Ok(r_existing)
}
#[delete("/game/<title>")]
#[delete("/game/<title>", rank = 1)]
async fn delete_game(
_token: auth::AdminToken,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>,
title: &str,
) -> Option<items::Game> {
) -> Result<Option<items::Game>, String> {
validation::validate_game_title(title)?;
let mut users = user_list.lock().await;
let mut games = game_list.lock().await;
if let Some(pos) = games
@ -172,30 +212,29 @@ async fn delete_game(
{
let game = games.remove(pos);
let mut users = user_list.lock().await;
for person in users.iter_mut() {
person.person.opinion.retain_mut(|o| o.title != game.title);
}
save_state(&games, &users);
return Some(game);
return Ok(Some(game));
}
None
Ok(None)
}
#[post("/refresh")]
#[post("/refresh", rank = 1)]
async fn refresh_state(
_token: auth::AdminToken,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>,
admin_state: &rocket::State<AdminState>,
) -> items::RefreshResponse {
if let Some((new_games, new_users)) = store::load_state() {
let mut games = game_list.lock().await;
let mut users = user_list.lock().await;
let mut games = game_list.lock().await;
let mut admins = admin_state.admins.lock().await;
*games = new_games;
@ -214,20 +253,22 @@ async fn refresh_state(
}
}
#[post("/opinion", data = "<req>")]
#[post("/opinion", data = "<req>", rank = 1)]
async fn add_opinion(
token: auth::Token,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>,
req: proto_utils::Proto<items::AddOpinionRequest>,
) -> Option<items::Person> {
) -> Result<Option<items::Person>, String> {
validation::validate_username(&token.username)?;
let games = game_list.lock().await;
let mut users = user_list.lock().await;
let mut result = None;
// Validate game exists
if !games.iter().any(|g| g.title == req.game_title) {
return None;
return Err("Game not found".to_string());
}
if let Some(user) = users
@ -235,6 +276,8 @@ async fn add_opinion(
.find(|u| u.person.name.to_lowercase() == token.username.to_lowercase())
{
let req = req.into_inner();
validation::validate_game_title(&req.game_title)?;
let opinion = items::Opinion {
title: req.game_title.clone(),
would_play: req.would_play,
@ -260,16 +303,19 @@ async fn add_opinion(
if result.is_some() {
save_state(&games, &users);
}
result
Ok(result)
}
#[patch("/opinion", data = "<req>")]
#[patch("/opinion", data = "<req>", rank = 1)]
async fn remove_opinion(
token: auth::Token,
_csrf: CsrfToken,
game_list: &rocket::State<Mutex<Vec<Game>>>,
user_list: &rocket::State<Mutex<Vec<User>>>,
req: proto_utils::Proto<items::RemoveOpinionRequest>,
) -> Option<items::Person> {
) -> Result<Option<items::Person>, String> {
validation::validate_username(&token.username)?;
let games = game_list.lock().await;
let mut users = user_list.lock().await;
let mut result = None;
@ -279,6 +325,7 @@ async fn remove_opinion(
.find(|u| u.person.name.to_lowercase() == token.username.to_lowercase())
{
let req = req.into_inner();
validation::validate_game_title(&req.game_title)?;
if let Some(existing) = user
.person
@ -294,7 +341,7 @@ async fn remove_opinion(
if result.is_some() {
save_state(&games, &users);
}
result
Ok(result)
}
mod cached_option;
@ -447,6 +494,8 @@ async fn main() -> Result<(), std::io::Error> {
});
rocket::build()
.attach(SecurityHeaders)
.attach(CsrfFairing)
.manage(Mutex::new(user_list))
.manage(auth::AuthState::new())
.manage(auth::AdminState::new())

33
backend/src/security_headers.rs Normal file
View File

@ -0,0 +1,33 @@
use rocket::fairing::{Fairing, Info, Kind};
use rocket::http::Header;
use rocket::{Request, Response};
pub struct SecurityHeaders;
#[rocket::async_trait]
impl Fairing for SecurityHeaders {
fn info(&self) -> Info {
Info {
name: "Security Headers",
kind: Kind::Response,
}
}
async fn on_response<'r>(&self, _request: &'r Request<'_>, response: &mut Response<'r>) {
response.set_header(Header::new("X-Content-Type-Options", "nosniff"));
response.set_header(Header::new("X-Frame-Options", "DENY"));
response.set_header(Header::new("X-XSS-Protection", "1; mode=block"));
response.set_header(Header::new(
"Referrer-Policy",
"strict-origin-when-cross-origin",
));
response.set_header(Header::new(
"Content-Security-Policy",
"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none';",
));
response.set_header(Header::new(
"Permissions-Policy",
"geolocation=(), microphone=(), camera=()",
));
}
}

108
backend/src/validation.rs Normal file
View File

@ -0,0 +1,108 @@
use std::collections::HashSet;
pub const MAX_USERNAME_LENGTH: usize = 50;
pub const MIN_USERNAME_LENGTH: usize = 2;
pub const MAX_GAME_TITLE_LENGTH: usize = 200;
const MIN_GAME_TITLE_LENGTH: usize = 1;
pub const MAX_GAME_TITLE_TRIMMED_LENGTH: usize = 200;
pub const MAX_PRICE: u32 = 1_000_000;
pub const MAX_PLAYERS: u32 = 10_000;
const VALID_USERNAME_CHARS: &str =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
pub fn validate_username(username: &str) -> Result<(), String> {
let trimmed = username.trim();
if trimmed.is_empty() {
return Err("Username cannot be empty".to_string());
}
if trimmed.len() < MIN_USERNAME_LENGTH {
return Err(format!(
"Username must be at least {} characters long",
MIN_USERNAME_LENGTH
));
}
if trimmed.len() > MAX_USERNAME_LENGTH {
return Err(format!(
"Username must not exceed {} characters",
MAX_USERNAME_LENGTH
));
}
for c in trimmed.chars() {
if !VALID_USERNAME_CHARS.contains(c) {
return Err(format!(
"Username contains invalid character '{}'. Only alphanumeric characters, underscores and hyphens are allowed",
c
));
}
}
Ok(())
}
pub fn validate_game_title(title: &str) -> Result<(), String> {
if title.trim().is_empty() {
return Err("Game title cannot be empty".to_string());
}
if title.len() > MAX_GAME_TITLE_LENGTH {
return Err(format!(
"Game title must not exceed {} characters",
MAX_GAME_TITLE_LENGTH
));
}
Ok(())
}
pub fn validate_remote_id(remote_id: u64) -> Result<(), String> {
if remote_id == 0 {
return Err("Remote ID cannot be zero".to_string());
}
Ok(())
}
pub fn validate_player_count(min_players: u32, max_players: u32) -> Result<(), String> {
if min_players == 0 {
return Err("Minimum players must be at least 1".to_string());
}
if min_players > max_players {
return Err("Minimum players cannot be greater than maximum players".to_string());
}
if max_players > MAX_PLAYERS {
return Err(format!("Maximum players cannot exceed {}", MAX_PLAYERS));
}
Ok(())
}
pub fn validate_price(price: u32) -> Result<(), String> {
if price > MAX_PRICE {
return Err(format!("Price cannot exceed ${}", MAX_PRICE));
}
Ok(())
}
pub fn validate_game_titles_batch(titles: &HashSet<String>) -> Result<(), String> {
if titles.is_empty() {
return Ok(());
}
if titles.len() > 100 {
return Err("Cannot request more than 100 games at once".to_string());
}
for title in titles {
validate_game_title(title)?;
}
Ok(())
}

2
frontend/items.ts
View File

@ -1,6 +1,6 @@
// Code generated by protoc-gen-ts_proto. DO NOT EDIT.
// versions:
// protoc-gen-ts_proto v2.8.3
// protoc-gen-ts_proto v2.10.1
// protoc v6.33.1
// source: items.proto

10
frontend/src/api.ts
View File

@ -1,16 +1,26 @@
import { AuthStatusRequest, AuthStatusResponse } from "../items";
export const getCsrfToken = (): string | null => {
const match = document.cookie.match(/csrf_token=([^;]+)/);
return match ? decodeURIComponent(match[1]) : null;
};
export const apiFetch = async (
url: string,
options: RequestInit = {}
): Promise<Response> => {
const token = localStorage.getItem("token");
const csrfToken = getCsrfToken();
const headers = new Headers(options.headers);
if (token) {
headers.set("Authorization", `Bearer ${token}`);
}
if (csrfToken) {
headers.set("X-CSRF-Token", csrfToken);
}
const config = {
...options,
headers,

2
frontend/src/components/FilteredGamesList.tsx
View File

@ -35,7 +35,7 @@ export function FilteredGamesList({
const positiveCount = gameToPositive.get(game)?.size || 0;
const neutralCount = selectedPeopleCount - positiveCount;
const gameData = games.get(game);
const price = gameData?.price ?? 0;
const price = gameData?.price || 0;
return (
<Link