From b0b651f44d162ad0138e90a24fd901e197645d1b Mon Sep 17 00:00:00 2001
From: Kavin <20838718+FireMasterK@users.noreply.github.com>
Date: Thu, 24 Feb 2022 19:06:38 +0000
Subject: [PATCH] Don't perform authentication checks in subscribed route. (#201)

If the sessionId is invalid, false should be returned for subscribed, we make it the client's responsibility to ensure the sessionId is valid.
---
 .../me/kavin/piped/utils/ResponseHelper.java | 22 +++++++++----------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/src/main/java/me/kavin/piped/utils/ResponseHelper.java b/src/main/java/me/kavin/piped/utils/ResponseHelper.java
index ec8f1f3..3199caf 100644
--- a/src/main/java/me/kavin/piped/utils/ResponseHelper.java
+++ b/src/main/java/me/kavin/piped/utils/ResponseHelper.java
@@ -703,21 +703,19 @@ public class ResponseHelper {
 Session s = DatabaseSessionFactory.createSession();
- User user = DatabaseHelper.getUserFromSessionWithSubscribed(s, session);
-
- if (user != null) {
- if (user.getSubscribed().contains(channelId)) {
- s.close();
- return Constants.mapper.writeValueAsBytes(new SubscribeStatusResponse(true));
- }
- s.close();
- return Constants.mapper.writeValueAsBytes(new SubscribeStatusResponse(false));
- }
+ var cb = s.getCriteriaBuilder();
+ var query = cb.createQuery(Long.class);
+ var root = query.from(User.class);
+ query.select(cb.count(root))
+ .where(cb.and(
+ cb.equal(root.get("sessionId"), session),
+ cb.isMember(channelId, root.get("subscribed_ids"))
+ ));
+ var subscribed = s.createQuery(query).getSingleResult() > 0;
 s.close();
- return Constants.mapper.writeValueAsBytes(new AuthenticationFailureResponse());
-
+ return Constants.mapper.writeValueAsBytes(new SubscribeStatusResponse(subscribed));
 }
 public static byte[] feedResponse(String session)
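Review bot: `s.close()` is reached only on the success path, so if building or running the count query throws (for example at `getSingleResult()`), the session and its database connection are not released; on a route that no longer rejects callers without a valid session, repeated failures can exhaust the connection pool. Wrap the query in `try { … } finally { s.close(); }`, or use try-with-resources if the Hibernate version in use makes `Session` `AutoCloseable`. Because an unknown sessionId now yields `false` rather than `AuthenticationFailureResponse`, a comment above the query such as `// Invalid or expired sessionId deliberately reports subscribed=false; the client is expected to validate its session` would stop a later reader from taking this for a missing check. The method starts before the hunk, so whether `session` and `channelId` are rejected when null or blank is not visible here; if they are not, that guard should run before the query.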