market api patches and cleanup

neveko-core/src/utils.rs

@@ -244,6 +244,10 @@ pub const fn message_limit() -> usize {
     9999
 }
 
+pub const fn image_limit() -> usize {
+    2048
+}
+
 /// Generate application gpg keys at startup if none exist
 async fn gen_app_gpg() {
     let mut gpg_key = gpg::find_key().unwrap_or(utils::empty_string());

neveko-market/curl.md

@@ -1,75 +0,0 @@
-# CURL / API docs
-
-```bash
-# [GET] get the current monero-wallet-rpc version
-curl http://127.0.0.1:8000/xmr/version
-
-# [POST] sign data (monero-wallet-rpc)
-curl http://127.0.0.1:38083/json_rpc --digest -u user:pass -d '{"jsonrpc":"2.0","id":"0","method":"sign","params":{"data":"some data here"}}' -H 'Content-Type: application/json'
-
-# [POST] get addresses (monero-wallet-rpc)
-curl http://127.0.0.1:38083/json_rpc --digest -u user:pass -d '{"jsonrpc":"2.0","id":"0","method":"get_address","params":{"account_index":0,"address_index":[0]}}' -H 'Content-Type: application/json'
-
-# [GET] login
-# customer or vendor
-# xmr address
-# aid - auth id
-# cvid - customer or vendor id (2nd api call finalizes login and creates it)
-# data - random bytes to sign
-# signature - generate signature with wallet private keys
-curl http://127.0.0.1:8000/login/<customer|vendor>/<XMR_ADDRESS>/<SIGNATURE>/<AID>/CID
-
-# [GET] information
-# customer or vendor
-# xmr address
-# customer or vendor id
-curl http://127.0.0.1:8000/<customer|vendor>/<XMR_ADDRESS>/<ID> -H 'token: <JWT>'
-
-# [PATCH] update
-# customer or vendor URI
-# <id> - i32
-# <data> - String
-# <update_type> - Enum => 0 - active, 1 - description, 2 - name, 3 - pgp
-curl -iv -X PATCH http://127.0.0.1:8000/<customer|vendor>/<XMR_ADDRESS>/update -d '{"cid": "CID", "name": "<name>", "pgp": "<pgp>", "xmr_address": "" }'
-
-# [GET]
-# create a new product
-curl -iv http://127.0.0.1:8000/product/<XMR_ADDRESS>/create -H 'token: <JWT>'
-
-# [GET]
-# return all products for a vendor
-curl -iv http://127.0.0.1:8000/products/<XMR_ADDRESS> -H 'token: <JWT>'
-
-# [PATCH] update product
-# <pid> - i32
-# <data> - String
-# <update_type> - Enum => 0 - in_stock, 1 - description, 2 - name, 3 - price 4 - qty
-curl -X PATCH http://127.0.0.1:8000/product/<XMR_ADDRESS>/update/<pid>/<data>/<update_type> -H 'token: <JWT>'
-
-# [GET]
-# intialize an order for a customer
-curl -iv http://127.0.0.1:8000/order/<XMR_ADDRESS>/create/<pid> -H 'token: <JWT>'
-
-# [GET]
-# get all orders
-# xmr address
-# customer | vendor
-curl -iv http://127.0.0.1:8000/orders/<XMR_ADDRESS>/<customer | vendor> -H 'token: <JWT>'
-
-# [PATCH]
-# modify order
-#           UpdateType::CustomerKex1 => 0,         // make output from customer
-#           UpdateType::CustomerKex2 => 1,         // use this for funding kex
-#           UpdateType::CustomerKex3 => 2,         // might need this later?
-#           UpdateType::CustomerMultisigInfo => 3, // prepare output from customer
-#           UpdateType::Deliver => 4,              // customer has received the item, released txset
-#           UpdateType::Hash => 5,                 // tx hash from funding the wallet order
-#           UpdateType::Ship => 6,                 // update ship date, app doesn't store tracking numbers
-#           UpdateType::Subaddress => 7,           // update address for payout
-#           UpdateType::VendorKex1 => 8,           // make output from vendor
-#           UpdateType::VendorKex2 => 9,           // use this for funding kex
-#           UpdateType::VendorKex3 => 10,          // might need this later?
-#           UpdateType::VendorMultisigInfo => 11,  // prepare output from vendor
-#           UpdateType::Quantity => 12,            // this can be updated until wallet is funded
-curl -X PATCH http://127.0.0.1:8000/order/<XMR_ADDRESS>/update/<pid>/<oid>/<data>/<update_type> -H 'token: <JWT>'
-```

neveko-market/src/controller.rs

@@ -28,7 +28,7 @@ pub async fn create_product(
 }
 
 /// Get a product by passing id
-#[post("/<pid>")]
+#[get("/<pid>")]
 pub async fn get_product(pid: String, _token: auth::BearerToken) -> Custom<Json<models::Product>> {
     let m_product: models::Product = product::find(&pid);
     Custom(Status::Ok, Json(m_product))
@@ -45,21 +45,21 @@ pub async fn update_product(
 }
 
 /// Return all products
-#[patch("/")]
+#[get("/")]
 pub async fn get_products(_token: auth::BearerToken) -> Custom<Json<Vec<models::Product>>> {
     let m_products: Vec<models::Product> = product::find_all();
     Custom(Status::Ok, Json(m_products))
 }
 
 /// Get a order by passing id
-#[post("/<orid>")]
+#[get("/<orid>")]
 pub async fn get_order(orid: String, _token: auth::BearerToken) -> Custom<Json<models::Order>> {
     let m_order: models::Order = order::find(&orid);
     Custom(Status::Ok, Json(m_order))
 }
 
 /// Get a order by passing id
-#[post("/")]
+#[get("/")]
 pub async fn get_orders(_token: auth::BearerToken) -> Custom<Json<Vec<models::Order>>> {
     let m_orders: Vec<models::Order> = order::find_all();
     Custom(Status::Ok, Json(m_orders))

neveko-market/src/product.rs

@@ -14,6 +14,10 @@ use rocket::serde::json::Json;
 /// Create a new product
 pub fn create(d: Json<Product>) -> Product {
     let pid: String = format!("product{}", utils::generate_rnd());
+    if !validate_product(&d) {
+        error!("invalid product");
+        return Default::default()
+    }
     let new_product = Product {
         pid: String::from(&pid),
         description: String::from(&d.description),
@@ -65,8 +69,10 @@ pub fn find_all() -> Vec<Product> {
     let i_v: Vec<String> = i_v_pid.map(|s| String::from(s)).collect();
     let mut products: Vec<Product> = Vec::new();
     for p in i_v {
-        let product: Product = find(&p);
+        let mut product: Product = find(&p);
         if product.pid != utils::empty_string() {
+            // don't return images
+            product.image = Vec::new();
             products.push(product);
         }
     }
@@ -87,3 +93,12 @@ pub fn modify(p: Json<Product>) -> Product {
     db::Interface::write(&s.env, &s.handle, &u_prod.pid, &Product::to_db(&u_prod));
     return u_prod;
 }
+
+/// check product field lengths to prevent db spam
+fn validate_product(p: &Json<Product>) -> bool {
+    info!("validating product: {}", &p.pid);
+    p.pid.len() < utils::string_limit()
+        && p.description.len() < utils::string_limit()
+        && p.name.len() < utils::string_limit()
+        && p.image.len() < utils::image_limit()
+}