From 851d21c3dbbf3385031259a792472033ed070ba1 Mon Sep 17 00:00:00 2001
From: Vomitblood
Date: Thu, 14 Nov 2024 11:45:58 +0800
Subject: [PATCH] added xss server route

---
 client/src-tauri/capabilities/default.json | 4 +-
 server/internal/db/db.go | 2 +-
 server/internal/xss/xss.go | 45 ++++++++++++++++++++++
 3 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 server/internal/xss/xss.go

diff --git a/client/src-tauri/capabilities/default.json b/client/src-tauri/capabilities/default.json
index 16cea49..c6ca25e 100644
--- a/client/src-tauri/capabilities/default.json
+++ b/client/src-tauri/capabilities/default.json
@@ -15,10 +15,10 @@
 {
 "allow": [
 {
- "url": "https://*.vomitblood.com"
+ "url": "http://*"
 },
 {
- "url": "http://localhost:*"
+ "url": "https://*"
 }
 ],
 "identifier": "http:default"
diff --git a/server/internal/db/db.go b/server/internal/db/db.go
index 7b2cb15..3634248 100644
--- a/server/internal/db/db.go
+++ b/server/internal/db/db.go
@@ -50,7 +50,7 @@ func SetupDemoDb(w http.ResponseWriter, r *http.Request) {
 username VARCHAR(50) UNIQUE NOT NULL,
 email VARCHAR(100) NOT NULL,
 password VARCHAR(100) NOT NULL
-);`
+ );`
 
 // also avoid duplicate entries
 insertDataSQL := `
diff --git a/server/internal/xss/xss.go b/server/internal/xss/xss.go
new file mode 100644
index 0000000..39a9e94
--- /dev/null
+++ b/server/internal/xss/xss.go
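Review bot: The `http:default` scope in capabilities/default.json now allows the webview to call any host over plain HTTP or HTTPS (`"url": "http://*"` and `"url": "https://*"`), replacing an allow-list of the app's own domain and localhost with no restriction at all. As far as I understand the Tauri http plugin, those requests are made from the native side rather than the browser, so an injected script in this deliberately XSS-prone frontend could use them to reach arbitrary URLs, including internal ones, without the same-origin limits a normal `fetch` would face. If the aim is only to let a dev build talk to a locally hosted server, keep the original `"url": "http://localhost:*"` entry and add the specific host the demo server runs on instead of a wildcard. If the wildcard is intentional for the exercise, record that in the README or commit message, since JSON leaves no room for an inline comment.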
@@ -0,0 +1,45 @@
+package xss
+
+import (
+ "context"
+ "encoding/json"
+ "log"
+ "net/http"
+
+ "github.com/Vomitblood/cspj-application/server/internal/db"
+)
+
+// fetch the email of the user, frontend will display it insecurely for xss
+func FetchUserDetails(w http.ResponseWriter, r *http.Request) {
+ var credentials struct {
+ Id string `json:"id"`
+ }
+
+ if err := json.NewDecoder(r.Body).Decode(&credentials); err != nil {
+ http.Error(w, "Invalid request format", http.StatusBadRequest)
+ return
+ }
+ defer r.Body.Close()
+
+ // construct the query
+ query := "SELECT id, username, email FROM users WHERE id = $1"
+ var id int
+ var username string
+ var email string
+ err := db.DbPool.QueryRow(context.Background(), query, credentials.Id).Scan(&id, &username, &email)
+ if err != nil {
+ http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+ return
+ }
+
+ // send back the response if great success
+ response := map[string]interface{}{
+ "id": id,
+ "username": username,
+ "email": email,
+ }
+ if err := json.NewEncoder(w).Encode(response); err != nil {
+ http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+ log.Printf("JSON encoding error: %v", err)
+ }
+}
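Review bot: In FetchUserDetails the JSON `id` is decoded as a string and passed straight into the `$1` parameter of a query whose result is scanned into an `int`, and every failure of that lookup — a non-numeric id, a missing row, or a database outage — is collapsed into a 401 "Invalid credentials", which hides real errors and mislabels a plain lookup miss as an authentication failure. Parse the id with `strconv.Atoi` and reject non-integers with 400, run the query on `r.Context()` instead of `context.Background()` so it is cancelled with the request, and map a missing row to 404 (if `db.DbPool` is a pgx pool, via `errors.Is(err, pgx.ErrNoRows)`) while logging anything else and returning 500. Nothing here checks who the caller is, so any client can walk the integer id space and collect every user's email; if that is intended for the demo, say so in the function comment, e.g. `// NOTE: intentionally unauthenticated; the demo frontend renders the returned email unescaped to showcase XSS`, otherwise gate the lookup on the session. Setting `w.Header().Set("Content-Type", "application/json")` before encoding also keeps the browser from sniffing the body. The rewrite below needs `errors`, `strconv` and the pgx package added to the import block.
```go
func FetchUserDetails(w http.ResponseWriter, r *http.Request) {
	// … unchanged: decode of credentials …
	userID, err := strconv.Atoi(credentials.Id)
	if err != nil {
		http.Error(w, "Invalid user id", http.StatusBadRequest)
		return
	}

	query := "SELECT id, username, email FROM users WHERE id = $1"
	var (
		id       int
		username string
		email    string
	)
	err = db.DbPool.QueryRow(r.Context(), query, userID).Scan(&id, &username, &email)
	switch {
	case errors.Is(err, pgx.ErrNoRows):
		http.Error(w, "User not found", http.StatusNotFound)
		return
	case err != nil:
		log.Printf("user lookup failed: %v", err)
		http.Error(w, "Internal server error", http.StatusInternalServerError)
		return
	}

	w.Header().Set("Content-Type", "application/json")
	// … unchanged: response map and encode …
```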