Description:
Every single HTTP handler contains this placeholder pattern:
// TODO: Extract user ID from JWT token
let user_id = Uuid::new_v4(); // Placeholder - should come from auth middleware
This means every request — score reporting, dispute creation, tournament creation, matchmaking, and Elo queries — is processed with a randomly generated UUID as the caller's identity. There is zero authentication enforcement anywhere in the request pipeline despite JwtService being fully implemented.
Affected files:
src/http/matches.rs — all 9 handlers
src/http/tournaments.rs — all 7 handlers
Steps to reproduce: Send any POST to /api/matches/{id}/report without an Authorization header. The request is accepted and processed.
Expected behavior: Requests without a valid Authorization: Bearer <token> header must be rejected with 401 Unauthorized.
Proposed fix:
- Create an Actix-Web FromRequest extractor that reads the Authorization header, calls JwtService::validate_token, and returns Claims.
- Inject JwtService as web::Data<Arc<Mutex<JwtService>>> in main.rs.
- Replace every let user_id = Uuid::new_v4() with claims.sub.parse::<Uuid>().
- Apply the extractor to all protected routes.
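The core of the extractor step, as an added dependency-free Rust sketch that is not the project's own code: it takes the Authorization header value, checks the Bearer scheme, hands the token to a validator, and parses claims.sub as a UUID. The TokenValidator trait is an assumed stand-in for JwtService::validate_token, FixedValidator is a constructed validator for the example, Claims is assumed to carry a sub string, and parse_uuid is a std-only shape check in place of Uuid::parse_str. The actix-web FromRequest glue (web::Data<Arc<Mutex<JwtService>>>, building the 401 response) is left out so the block compiles without external crates; every AuthError variant is what the extractor would turn into 401 Unauthorized.

```rust
// Added example, not the project's code: the authentication decision an
// Actix-Web FromRequest extractor would make before any handler runs.

#[derive(Debug, PartialEq)]
pub enum AuthError {
    MissingHeader,   // no Authorization header at all
    MalformedHeader, // not "Bearer <token>"
    InvalidToken,    // validator rejected the token
    BadSubject,      // claims.sub is not a UUID
}

/// Assumed shape of the project's Claims: a `sub` string holding the user id.
#[derive(Debug, Clone, PartialEq)]
pub struct Claims {
    pub sub: String,
}

/// Hypothetical trait standing in for JwtService::validate_token.
pub trait TokenValidator {
    fn validate_token(&self, token: &str) -> Result<Claims, AuthError>;
}

/// Extract the token from `Authorization: Bearer <token>`.
/// Scheme comparison is case-insensitive; an empty token is malformed.
pub fn bearer_token(header: Option<&str>) -> Result<&str, AuthError> {
    let value = header.ok_or(AuthError::MissingHeader)?;
    let mut parts = value.trim().splitn(2, char::is_whitespace);
    let scheme = parts.next().unwrap_or("");
    let token = parts.next().map(str::trim).unwrap_or("");
    if !scheme.eq_ignore_ascii_case("bearer") || token.is_empty() {
        return Err(AuthError::MalformedHeader);
    }
    Ok(token)
}

/// Std-only substitute for Uuid::parse_str: 8-4-4-4-12 hex groups.
pub fn parse_uuid(s: &str) -> Result<String, AuthError> {
    let bytes = s.as_bytes();
    if bytes.len() != 36 {
        return Err(AuthError::BadSubject);
    }
    for (i, b) in bytes.iter().enumerate() {
        let ok = match i {
            8 | 13 | 18 | 23 => *b == b'-',
            _ => b.is_ascii_hexdigit(),
        };
        if !ok {
            return Err(AuthError::BadSubject);
        }
    }
    Ok(s.to_ascii_lowercase())
}

/// What the extractor does: returns the caller's UUID, or the error the
/// extractor maps to 401 Unauthorized. This replaces `Uuid::new_v4()`.
pub fn authenticate<V: TokenValidator>(
    validator: &V,
    header: Option<&str>,
) -> Result<String, AuthError> {
    let token = bearer_token(header)?;
    let claims = validator.validate_token(token)?;
    parse_uuid(&claims.sub)
}

/// Constructed validator for the example: accepts exactly one token.
pub struct FixedValidator {
    pub good_token: &'static str,
    pub sub: &'static str,
}

impl TokenValidator for FixedValidator {
    fn validate_token(&self, token: &str) -> Result<Claims, AuthError> {
        if token == self.good_token {
            Ok(Claims { sub: self.sub.to_string() })
        } else {
            Err(AuthError::InvalidToken)
        }
    }
}

fn main() {
    // Constructed inputs: the reproduction case from the issue (no header)
    // and a request carrying the one token the validator accepts.
    let jwt = FixedValidator {
        good_token: "constructed-token",
        sub: "123e4567-e89b-12d3-a456-426614174000",
    };
    println!("{:?}", authenticate(&jwt, None));
    println!("{:?}", authenticate(&jwt, Some("Bearer constructed-token")));
}
```

Every Err path, including a syntactically valid token whose subject is not a UUID, ends the request at the extractor, so no handler ever sees a made-up identity.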