From d5fb59c572bf1d34508ec221890d4ef429d8ea06 Mon Sep 17 00:00:00 2001
From: Jan Ole Zabel <jan.zabel@posteo.de>
Date: Sat, 15 Oct 2022 14:39:42 +0200
Subject: [PATCH 1/2] Merge two item loops

---
 src/endpoints.rs | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/src/endpoints.rs b/src/endpoints.rs
index 6e44a05..7f4270f 100644
--- a/src/endpoints.rs
+++ b/src/endpoints.rs
@@ -252,12 +252,16 @@ pub async fn transfer(
 
     // Retrieve all items
     let mut items = Vec::new();
-    for item in &transfer.bought_items {
-        match db.get_item(*item).await {
+    for item_id in &transfer.bought_items {
+        match db.get_item(*item_id).await {
             Ok(item) => {
                 if item.location != transfer.receiver {
                     return Err(Custom(Status::Forbidden, ()))
                 }
+                if item.price < 0 {
+                    error!("Refusing purchase of item {item_id} which has negative price");
+                    return Err(Custom(Status::Forbidden, ()))
+                }
 
                 items.push(item)
             },
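Review bot: The new negative-price branch returns the same `Status::Forbidden` with an empty body as the location-mismatch check two lines above it, so a caller cannot distinguish an authorization refusal from a data-integrity refusal and the `error!` line is the only record of which one fired; a short comment stating why a bad stored price maps to 403 rather than a server error would help the next maintainer. Suggested comment above the check: `// A negative price is a data-integrity problem, not a client fault; refuse the whole transfer and log it so it can be investigated.`. Note that both checks reject on the first bad item, so the log names only that id, not every offending item in `bought_items`. The `Err` arm of this `match` and the rest of `transfer` lie outside the hunk.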
@@ -289,13 +293,6 @@ pub async fn transfer(
         return Err(Custom(Status::PaymentRequired, ()));
     }
 
-    for item in &transfer.bought_items {
-        let item = db.get_item(*item).await.expect("Failed to fetch item");
-        if item.price < 0 {
-            return Err(Custom(Status::Forbidden, ()))
-        }
-    }
-
     // transfer the money
     db.transfer(sender.clone(), receiver.clone(), amount, transfer.bought_items.clone())
         .await
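Review bot: The location and price checks happen in the earlier loop, but the call at the end of this hunk hands `db.transfer` the raw `transfer.bought_items.clone()` ids rather than the already validated `items`, and the balance check sits between the two; unless `db.transfer` re-reads and re-validates each item inside the same transaction, an item's location or price can change between the check and the money movement. If the DB layer does not re-check, consider passing the fetched `items` through, or moving the checks into the transaction that performs the transfer, so the validated state is the state that is charged. This is inferred from the visible lines only; `transfer` begins and ends outside the hunk and whether `items` is used in between is not visible here.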
-- 
GitLab


From 69485a482e06a1ad18b2d448e813a7fc1fc5e0fc Mon Sep 17 00:00:00 2001
From: Jan Ole Zabel <jan.zabel@posteo.de>
Date: Sat, 15 Oct 2022 14:46:50 +0200
Subject: [PATCH 2/2] Add information how to test without Oauth

---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 5ec8d44..f91c170 100644
--- a/README.md
+++ b/README.md
@@ -16,3 +16,20 @@ compile and start the application:
 ```
 cargo run
 ```
+
+## Test without fiddling with OAuth:
+Insert fake tokens into your local test DB to bypass Oauth:
+```sql
+INSERT INTO accounts VALUES ('joz',0);
+INSERT INTO accounts VALUES ('mzb',0);
+INSERT INTO tokens(token,username,timestamp) VALUES('Hallo','joz',0)
+INSERT INTO tokens(token,username,timestamp) VALUES('Hallöchen','mzb',0)
+```
+```bash
+sqlite3 database.sqlite "UPDATE tokens SET timestamp=$(date +%s)"
+```
+Do something with the API:
+```sh
+curl -X POST -H 'MATEPAY-TOKEN: Hallöchen' -d '{"to_account": "joz", "amount": 1000}' http://localhost:8000/api/v1/central-bank-transfer
+```
+It is also wise to insert the token cookie into your browser.
-- 
GitLab