audit every single transaction, keep only if makes sense (#2166)

proofcarryingdata · Nov 12, 2024 · 6db9cdb · 6db9cdb
1 parent 5ac3788
commit 6db9cdb
Show file tree

Hide file tree

Showing 21 changed files with 951 additions and 1,124 deletions.
diff --git a/apps/passport-server/src/application.ts b/apps/passport-server/src/application.ts
@@ -90,6 +90,7 @@ export async function stopApplication(app?: Zupass): Promise<void> {
   await stopServices(app.services);
   await stopHttpServer(app);
   await app.context.dbPool.end();
+  await app.context.internalPool.end();
 }
 
 async function getOverridenApis(

diff --git a/apps/passport-server/src/routing/routes/accountRoutes.ts b/apps/passport-server/src/routing/routes/accountRoutes.ts
@@ -13,7 +13,11 @@ import {
 } from "@pcd/passport-interface";
 import { normalizeEmail } from "@pcd/util";
 import express, { Request, Response } from "express";
-import { namedSqlTransaction } from "../../database/sqlQuery";
+import {
+  namedSqlTransaction,
+  sqlQueryWithPool,
+  sqlTransaction
+} from "../../database/sqlQuery";
 import { ApplicationContext, GlobalServices } from "../../types";
 import { logger } from "../../util/logger";
 import { checkExistsForRoute } from "../../util/util";
@@ -43,10 +47,8 @@ export function initAccountRoutes(
       checkExistsForRoute(userService);
       const email = normalizeEmail(checkQueryParam(req, "email"));
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/salt",
-        (client) => userService.getSaltByEmail(client, email)
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        userService.getSaltByEmail(client, email)
       );
 
       res.send(result satisfies SaltResponseValue);
@@ -86,10 +88,8 @@ export function initAccountRoutes(
       const force =
         checkBody<ConfirmEmailRequest, "force">(req, "force") === "true";
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/send-login-email",
-        (client) => userService.handleSendTokenEmail(client, email, force)
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        userService.handleSendTokenEmail(client, email, force)
       );
 
       if (result) {
@@ -115,10 +115,8 @@ export function initAccountRoutes(
       const token = checkBody<VerifyTokenRequest, "token">(req, "token");
       const email = checkBody<VerifyTokenRequest, "email">(req, "email");
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/verify-token",
-        (client) => userService.handleVerifyToken(client, token, email)
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        userService.handleVerifyToken(client, token, email)
       );
 
       res.status(200).json(result);
@@ -148,18 +146,15 @@ export function initAccountRoutes(
         "encryptionKey"
       );
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/one-click-login",
-        (client) =>
-          userService.handleOneClickLogin(
-            client,
-            email,
-            code,
-            commitment,
-            semaphore_v4_pubkey,
-            encryptionKey
-          )
+      const result = await sqlTransaction(context.dbPool, (client) =>
+        userService.handleOneClickLogin(
+          client,
+          email,
+          code,
+          commitment,
+          semaphore_v4_pubkey,
+          encryptionKey
+        )
       );
 
       res.status(200).json(result);
@@ -209,20 +204,17 @@ export function initAccountRoutes(
         "commitment"
       );
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/new-participant",
-        (client) =>
-          userService.handleNewUser(
-            client,
-            token,
-            email,
-            commitment,
-            semaphore_v4_pubkey,
-            salt,
-            encryptionKey,
-            autoRegister
-          )
+      const result = await sqlTransaction(context.dbPool, (client) =>
+        userService.handleNewUser(
+          client,
+          token,
+          email,
+          commitment,
+          semaphore_v4_pubkey,
+          salt,
+          encryptionKey,
+          autoRegister
+        )
       );
 
       res.status(200).json(result);
@@ -241,10 +233,8 @@ export function initAccountRoutes(
       checkExistsForRoute(userService);
       const pcd = checkBody<AgreeTermsRequest, "pcd">(req, "pcd");
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/upgrade-with-v4-commitment",
-        (client) => userService.handleAddV4Commitment(client, pcd)
+      const result = await sqlTransaction(context.dbPool, (client) =>
+        userService.handleAddV4Commitment(client, pcd)
       );
 
       if (result.success) {
@@ -265,10 +255,8 @@ export function initAccountRoutes(
       checkExistsForRoute(userService);
       const pcd = checkBody<AgreeTermsRequest, "pcd">(req, "pcd");
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/account/agree-terms",
-        (client) => userService.handleAgreeTerms(client, pcd)
+      const result = await sqlTransaction(context.dbPool, (client) =>
+        userService.handleAgreeTerms(client, pcd)
       );
 
       if (result.success) {
@@ -304,11 +292,8 @@ export function initAccountRoutes(
     clusterProxy(),
     async (req: Request, res: Response) => {
       checkExistsForRoute(userService);
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/v2/account/user/:uuid",
-        (client) =>
-          userService.handleGetUser(client, checkUrlParam(req, "uuid"))
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        userService.handleGetUser(client, checkUrlParam(req, "uuid"))
       );
 
       res.status(200).json(result);
@@ -323,11 +308,8 @@ export function initAccountRoutes(
     clusterProxy(),
     async (req: Request, res: Response) => {
       checkExistsForRoute(userService);
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/pcdpass/participant/:uuid",
-        (client) =>
-          userService.handleGetUser(client, checkUrlParam(req, "uuid"))
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        userService.handleGetUser(client, checkUrlParam(req, "uuid"))
       );
 
       res.status(200).json(result);
@@ -342,11 +324,8 @@ export function initAccountRoutes(
     clusterProxy(),
     async (req: Request, res: Response) => {
       checkExistsForRoute(userService);
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/zuzalu/participant/:uuid",
-        (client) =>
-          userService.handleGetUser(client, checkUrlParam(req, "uuid"))
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        userService.handleGetUser(client, checkUrlParam(req, "uuid"))
       );
 
       res.status(200).json(result);

diff --git a/apps/passport-server/src/routing/routes/e2eeRoutes.ts b/apps/passport-server/src/routing/routes/e2eeRoutes.ts
@@ -3,7 +3,7 @@ import {
   UploadEncryptedStorageRequest
 } from "@pcd/passport-interface";
 import express, { Request, Response } from "express";
-import { namedSqlTransaction } from "../../database/sqlQuery";
+import { sqlQueryWithPool, sqlTransaction } from "../../database/sqlQuery";
 import { ApplicationContext, GlobalServices } from "../../types";
 import { logger } from "../../util/logger";
 import { checkExistsForRoute } from "../../util/util";
@@ -30,10 +30,8 @@ export function initE2EERoutes(
       checkExistsForRoute(e2eeService);
       const request = req.body as ChangeBlobKeyRequest;
 
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/sync/v3/changeBlobKey",
-        (client) => e2eeService.handleChangeBlobKey(client, request)
+      const result = await sqlTransaction(context.dbPool, (client) =>
+        e2eeService.handleChangeBlobKey(client, request)
       );
 
       res.status(200).json(result);
@@ -55,15 +53,12 @@ export function initE2EERoutes(
     clusterProxy(),
     async (req: Request, res: Response) => {
       checkExistsForRoute(e2eeService);
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/sync/v3/load/",
-        (client) =>
-          e2eeService.handleLoad(
-            client,
-            checkQueryParam(req, "blobKey"),
-            checkOptionalQueryParam(req, "knownRevision")
-          )
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        e2eeService.handleLoad(
+          client,
+          checkQueryParam(req, "blobKey"),
+          checkOptionalQueryParam(req, "knownRevision")
+        )
       );
 
       res.status(200).json(result);
@@ -88,10 +83,8 @@ export function initE2EERoutes(
     async (req: Request, res: Response) => {
       checkExistsForRoute(e2eeService);
       const request = req.body as UploadEncryptedStorageRequest;
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/sync/v3/save",
-        (client) => e2eeService.handleSave(client, request)
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        e2eeService.handleSave(client, request)
       );
 
       res.status(200).json(result);

diff --git a/apps/passport-server/src/routing/routes/frogcryptoRoutes.ts b/apps/passport-server/src/routing/routes/frogcryptoRoutes.ts
@@ -15,7 +15,7 @@ import {
 } from "@pcd/passport-interface";
 import express, { Request, Response } from "express";
 import urljoin from "url-join";
-import { namedSqlTransaction } from "../../database/sqlQuery";
+import { sqlQueryWithPool } from "../../database/sqlQuery";
 import { ApplicationContext, GlobalServices } from "../../types";
 import { logger } from "../../util/logger";
 import { checkExistsForRoute } from "../../util/util";
@@ -72,10 +72,8 @@ export function initFrogcryptoRoutes(
 
   app.get("/frogcrypto/scoreboard", clusterProxy(), async (req, res) => {
     checkExistsForRoute(frogcryptoService);
-    const result = await namedSqlTransaction(
-      context.dbPool,
-      "/frogcrypto/scoreboard",
-      (client) => frogcryptoService.getScoreboard(client)
+    const result = await sqlQueryWithPool(context.dbPool, (client) =>
+      frogcryptoService.getScoreboard(client)
     );
     res.json(result);
   });
@@ -85,29 +83,23 @@ export function initFrogcryptoRoutes(
     clusterProxy(),
     async (req, res) => {
       checkExistsForRoute(frogcryptoService);
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/frogcrypto/telegram-handle-sharing",
-        (client) =>
-          frogcryptoService.updateTelegramHandleSharing(
-            client,
-            req.body as FrogCryptoShareTelegramHandleRequest
-          )
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        frogcryptoService.updateTelegramHandleSharing(
+          client,
+          req.body as FrogCryptoShareTelegramHandleRequest
+        )
       );
       res.json(result satisfies FrogCryptoShareTelegramHandleResponseValue);
     }
   );
 
   app.post("/frogcrypto/user-state", clusterProxy(), async (req, res) => {
     checkExistsForRoute(frogcryptoService);
-    const result = await namedSqlTransaction(
-      context.dbPool,
-      "/frogcrypto/user-state",
-      (client) =>
-        frogcryptoService.getUserState(
-          client,
-          req.body as FrogCryptoUserStateRequest
-        )
+    const result = await sqlQueryWithPool(context.dbPool, (client) =>
+      frogcryptoService.getUserState(
+        client,
+        req.body as FrogCryptoUserStateRequest
+      )
     );
     res.json(result satisfies FrogCryptoUserStateResponseValue);
   });
@@ -124,14 +116,11 @@ export function initFrogcryptoRoutes(
 
   app.post("/frogcrypto/admin/frogs", clusterProxy(), async (req, res) => {
     checkExistsForRoute(frogcryptoService);
-    const result = await namedSqlTransaction(
-      context.dbPool,
-      "/frogcrypto/admin/frogs",
-      (client) =>
-        frogcryptoService.updateFrogData(
-          client,
-          req.body as FrogCryptoUpdateFrogsRequest
-        )
+    const result = await sqlQueryWithPool(context.dbPool, (client) =>
+      frogcryptoService.updateFrogData(
+        client,
+        req.body as FrogCryptoUpdateFrogsRequest
+      )
     );
     res.json(result satisfies FrogCryptoUpdateFrogsResponseValue);
   });
@@ -141,29 +130,23 @@ export function initFrogcryptoRoutes(
     clusterProxy(),
     async (req, res) => {
       checkExistsForRoute(frogcryptoService);
-      const result = await namedSqlTransaction(
-        context.dbPool,
-        "/frogcrypto/admin/delete-frogs",
-        (client) =>
-          frogcryptoService.deleteFrogData(
-            client,
-            req.body as FrogCryptoDeleteFrogsRequest
-          )
+      const result = await sqlQueryWithPool(context.dbPool, (client) =>
+        frogcryptoService.deleteFrogData(
+          client,
+          req.body as FrogCryptoDeleteFrogsRequest
+        )
       );
       res.json(result satisfies FrogCryptoDeleteFrogsResponseValue);
     }
   );
 
   app.post("/frogcrypto/admin/feeds", clusterProxy(), async (req, res) => {
     checkExistsForRoute(frogcryptoService);
-    const result = await namedSqlTransaction(
-      context.dbPool,
-      "/frogcrypto/admin/feeds",
-      (client) =>
-        frogcryptoService.updateFeedData(
-          client,
-          req.body as FrogCryptoUpdateFeedsRequest
-        )
+    const result = await sqlQueryWithPool(context.dbPool, (client) =>
+      frogcryptoService.updateFeedData(
+        client,
+        req.body as FrogCryptoUpdateFeedsRequest
+      )
     );
     res.json(result satisfies FrogCryptoUpdateFeedsResponseValue);
   });