added xss server route

client/src-tauri/capabilities/default.json

@@ -15,10 +15,10 @@
     {
       "allow": [
         {
-          "url": "https://*.vomitblood.com"
+          "url": "http://*"
         },
         {
-          "url": "http://localhost:*"
+          "url": "https://*"
         }
       ],
       "identifier": "http:default"

server/internal/xss/xss.go

@@ -0,0 +1,45 @@
+package xss
+
+import (
+	"context"
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"github.com/Vomitblood/cspj-application/server/internal/db"
+)
+
+// fetch the email of the user, frontend will display it insecurely for xss
+func FetchUserDetails(w http.ResponseWriter, r *http.Request) {
+	var credentials struct {
+		Id string `json:"id"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&credentials); err != nil {
+		http.Error(w, "Invalid request format", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	// construct the query
+	query := "SELECT id, username, email FROM users WHERE id = $1"
+	var id int
+	var username string
+	var email string
+	err := db.DbPool.QueryRow(context.Background(), query, credentials.Id).Scan(&id, &username, &email)
+	if err != nil {
+		http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+		return
+	}
+
+	// send back the response if great success
+	response := map[string]interface{}{
+		"id":       id,
+		"username": username,
+		"email":    email,
+	}
+	if err := json.NewEncoder(w).Encode(response); err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		log.Printf("JSON encoding error: %v", err)
+	}
+}