From 2f8c2d3f077efe3b5032ed581e6b50628ffa96db Mon Sep 17 00:00:00 2001
From: Flashfyre
Date: Thu, 25 Apr 2024 09:56:56 -0400
Subject: [PATCH] Match trainer and secret ID on update for data integrity

---
 api/endpoints.go | 37 +++++++++++++++++++++++++++++++++++++
 api/savedata/update.go | 2 +-
 db/account.go | 18 ++++++++++++++++++
 3 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/api/endpoints.go b/api/endpoints.go
index 14569b1..5e0f51c 100644
--- a/api/endpoints.go
+++ b/api/endpoints.go
@@ -203,6 +203,43 @@ func handleSaveData(w http.ResponseWriter, r *http.Request) {
 httpError(w, r, fmt.Errorf("session out of date"), http.StatusBadRequest)
 return
 }
+
+ var trainerId = 0
+ var secretId = 0
+
+ if r.URL.Path != "/savedata/update" || datatype == 1 {
+ if r.URL.Query().Has("trainerId") && r.URL.Query().Has("secretId") {
+ trainerId, err = strconv.Atoi(r.URL.Query().Get("trainerId"))
+ if err != nil {
+ httpError(w, r, err, http.StatusBadRequest)
+ return
+ }
+
+ secretId, err = strconv.Atoi(r.URL.Query().Get("secretId"))
+ if err != nil {
+ httpError(w, r, err, http.StatusBadRequest)
+ return
+ }
+ }
+ } else {
+ trainerId = save.(defs.SystemSaveData).TrainerId
+ secretId = save.(defs.SystemSaveData).SecretId
+ }
+
+ storedTrainerId, storedSecretId, err := db.FetchTrainerIds(uuid)
+ if err != nil {
+ httpError(w, r, err, http.StatusInternalServerError)
+ return
+ }
+
+ if storedTrainerId > 0 || storedSecretId > 0 {
+ if trainerId != storedTrainerId || secretId != storedSecretId {
+ httpError(w, r, fmt.Errorf("session out of date"), http.StatusBadRequest)
+ return
+ }
+ } else {
+ db.UpdateTrainerIds(trainerId, secretId, uuid)
+ }
 }
 
 switch r.URL.Path {
diff --git a/api/savedata/update.go b/api/savedata/update.go
index 7c75dbc..5d34e5b 100644
--- a/api/savedata/update.go
+++ b/api/savedata/update.go
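Review bot: In api/endpoints.go the final `else` branch calls `db.UpdateTrainerIds(trainerId, secretId, uuid)` and discards its error, so a failed write leaves the account unbound and a later request can bind it to different IDs without anyone noticing. Handle it the same way as the `FetchTrainerIds` error just above: `if err := db.UpdateTrainerIds(trainerId, secretId, uuid); err != nil { httpError(w, r, err, http.StatusInternalServerError); return }`. That branch also runs when the `trainerId`/`secretId` query parameters are absent, in which case both values are still 0 and the zero pair is written; skipping the update when nothing was supplied would make the intent explicit. The two `save.(defs.SystemSaveData)` assertions are unchecked and would panic on any other type unless code outside this hunk already guarantees it; `handleSaveData` starts and ends outside the hunk.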
@@ -35,7 +35,7 @@ func Update(uuid []byte, slot int, save any) error {
 return fmt.Errorf("invalid system data")
 }
 
- if save.GameVersion != "1.0.2" {
+ if save.GameVersion != "1.0.3" {
 return fmt.Errorf("client version out of date")
 }
 
diff --git a/db/account.go b/db/account.go
index 21b7a32..614b667 100644
--- a/db/account.go
+++ b/db/account.go
@@ -175,6 +175,24 @@ func FetchAccountKeySaltFromUsername(username string) ([]byte, []byte, error) {
 return key, salt, nil
 }
 
+func FetchTrainerIds(uuid []byte) (trainerId int, secretId int, err error) {
+ err = handle.QueryRow("SELECT trainerId, secretId FROM accounts WHERE uuid = ?", uuid).Scan(&trainerId, &secretId)
+ if err != nil {
+ return 0, 0, err
+ }
+
+ return trainerId, secretId, nil
+}
+
+func UpdateTrainerIds(trainerId int, secretId int, uuid []byte) error {
+ _, err := handle.Exec("UPDATE accounts SET trainerId = ?, secretId = ? WHERE uuid = ?", trainerId, secretId, uuid)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
 func IsActiveSession(token []byte) (bool, error) {
 var active int
 err := handle.QueryRow("SELECT `active` FROM sessions WHERE token = ?", token).Scan(&active)
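Review bot: `UpdateTrainerIds` in db/account.go overwrites the stored pair unconditionally, so the bind-once rule exists only in the caller's fetch-then-update sequence, and two concurrent first requests for the same account can both pass that check with the later write winning. Enforcing it in the statement itself, for example by adding `AND trainerId = 0 AND secretId = 0` to the `WHERE` clause and checking `RowsAffected` on the result, would make the check atomic; this assumes unset columns hold 0, which the schema (not visible here) would need to confirm. If the columns can instead be NULL, `Scan(&trainerId, &secretId)` into plain `int` in `FetchTrainerIds` returns an error for every unbound account, and scanning into `sql.NullInt64` would avoid that. Both exported functions also lack doc comments, e.g. `// FetchTrainerIds returns the trainer and secret IDs stored for the account with the given uuid.`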