From 0911cdbe5cc75d4c22343b172f6baeab2727df39 Mon Sep 17 00:00:00 2001
From: Tobias Zoghaib
Date: Wed, 13 Nov 2024 13:56:44 +0100
Subject: [PATCH] Rewrite database access for exercises

---
 software/backend/data/exercises.json | 48 +++++++++---------
 software/backend/routes/account.routes.ts | 62 ++++++++++++-----------
 2 files changed, 56 insertions(+), 54 deletions(-)

diff --git a/software/backend/data/exercises.json b/software/backend/data/exercises.json
index 8ed2eed..c230bd5 100644
--- a/software/backend/data/exercises.json
+++ b/software/backend/data/exercises.json
@@ -23,10 +23,33 @@
 }
 ]
 },
+ {
+ "nameDe": "Broken Access Control",
+ "nameEn": "Broken Access Control",
+ "groupNr": 1,
+ "exercises": [
+ {
+ "nameDe": "Hilfe-Seite aufrufen",
+ "nameEn": "Access Help Page",
+ "exerciseNr": 1,
+ "descriptionDe": "Manipuliere die URL so, dass du die Hilfe-Seite erreichen kannst",
+ "descriptionEn": "Manipulate the URL and access the help page",
+ "solved": false
+ },
+ {
+ "nameDe": "Das ausgebuchte Konzert buchen",
+ "nameEn": "Book the unavailable concert",
+ "exerciseNr": 2,
+ "descriptionDe": "Manipuliere die URL so, dass du das ausgebuchte Konzert aufrufen kannst und buche ein Ticket dafür",
+ "descriptionEn": "Manipulate the URL and access the sold out concert and buy a ticket",
+ "solved": false
+ }
+ ]
+ },
 {
 "nameDe": "SQL Injections",
 "nameEn": "SQL Injections",
- "groupNr": 1,
+ "groupNr": 2,
 "exercises": [
 {
 "nameDe": "Accountnamen auslesen",
@@ -54,29 +77,6 @@
 }
 ]
 },
- {
- "nameDe": "Broken Access Control",
- "nameEn": "Broken Access Control",
- "groupNr": 2,
- "exercises": [
- {
- "nameDe": "Admin-Panel aufrufen",
- "nameEn": "Access Admin Panel",
- "exerciseNr": 1,
- "descriptionDe": "Manipuliere die URL so, dass du das Admin-Panel erreichen kannst",
- "descriptionEn": "Manipulate the URL and access the admin panel",
- "solved": false
- },
- {
- "nameDe": "Das versteckte Konzert buchen",
- "nameEn": "Book the hidden concert",
- "exerciseNr": 2,
- "descriptionDe": "Manipuliere die URL so, dass du das ausgebuchte Konzert aufrufen kannst und buche ein Ticket dafür",
- "descriptionEn": "Manipulate the URL and access the sold out concert and buy a ticket",
- "solved": false
- }
- ]
- },
 {
 "nameDe": "Cross-Site Scripting (XSS)",
 "nameEn": "Cross-Site Scripting (XSS)",
diff --git a/software/backend/routes/account.routes.ts b/software/backend/routes/account.routes.ts
index 5cab2c6..181c0d0 100644
--- a/software/backend/routes/account.routes.ts
+++ b/software/backend/routes/account.routes.ts
@@ -5,6 +5,7 @@ import { Address } from "../models/user/address.model";
 import { Payment } from "../models/user/payment.model";
 import { AccountRole } from "../models/user/accountRole.model";
 import { Exercise } from "../models/exercises/exercise.model";
+import { sequelize } from "../database";
 
 export const account = Router()
 
@@ -18,37 +19,38 @@ account.get("/", (req: Request, res: Response) => {
 })
 
 // Login user
-account.post("/login", (req: Request, res: Response) => {
- Account.findOne({
- where: { username: req.body.username },
- include: [ Address, Payment, AccountRole ],
- attributes: {
- exclude: [
- "accountRoleId"
- ]
- }
- })
- .then(account => {
- if (account != null) {
- if (account.dataValues.password == req.body.password) {
- // Status: 200 OK
- res.status(200).json(account)
- } else {
- // Status: 401 Unauthorized
- res.status(401).json({
- code: 401,
- message: "Unauthorized"
- })
+account.post("/login", async (req: Request, res: Response) => {
+ // Using raw SQL code for SQL injections!
+ // todo: Inner join
+ const [results, metadata] =
+ await sequelize.query(
+ "SELECT * FROM Accounts " +
+ "INNER JOIN Addresses ON Accounts.id=Addresses.accountId " +
+ "WHERE (username='" + req.body.username +
+ "' AND password='" + req.body.password + "')")
+
+ // Mechanism to check exercise solved
+ if (results.length > 1) {
+ Exercise.update(
+ { solved: true },
+ {
+ where: {
+ nameEn: "Register"
+ }
 }
- } else {
- // Status: 400 Bad request
- res.status(400).json({
- code: 400,
- message: "Bad Request"
- })
- }
- }
- )
+ )
+ }
+
+ if (results.length != 0) {
+ // Status: 200 OK
+ res.status(200).json(results[0])
+ } else {
+ // Status: 401 Unauthorized
+ res.status(401).json({
+ code: 401,
+ message: "Unauthorized"
+ })
+ }
 })
 
 // Creating a new user
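Review bot: The rewritten login handler has no error path: `await sequelize.query(...)` is not inside a try/catch, and Express (before v5) does not forward a rejected async handler to the error middleware, so a failing query leaves the request without any response and only produces an unhandled rejection; `Exercise.update(...)` a few lines further down is likewise neither awaited nor given a `.catch`. `SELECT * FROM Accounts INNER JOIN Addresses` also yields two columns named `id` (plus any other name both tables share), and in the plain row object sent back as `results[0]` one value silently overwrites the other, so a caller reading `id` may receive the address id instead of the account id — select and alias the needed columns explicitly. The solved-marker looks mismatched as well: it flags the exercise `nameEn: "Register"` from the login route whenever `results.length > 1`, whereas the exercises.json hunks in this patch name the SQL-injection exercise `Accountnamen auslesen`; worth confirming against the full seed file, of which only two hunks are visible here. `metadata` is unused and will fail `noUnusedLocals`; `const [results] = ...` is enough. The rewritten lines below add the error response and await the update, leaving the intentionally raw query string as the commit wrote it.
```typescript
account.post("/login", async (req: Request, res: Response) => {
    let results: unknown[]
    try {
        // … unchanged: intentionally raw SQL string for the injection exercise …
        [results] = await sequelize.query(/* … unchanged query … */)
    } catch (e: unknown) {
        // Status: 500 Internal Server Error — without this the request never completes
        res.status(500).json({ code: 500, message: "Internal Server Error" })
        return
    }

    // Mechanism to check exercise solved
    if (results.length > 1) {
        // awaited so a failed update is reported here rather than as an unhandled rejection
        await Exercise.update({ solved: true }, { where: { nameEn: "Register" } })
    }
    // … unchanged: 200 / 401 response …
})
```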