fix(review): address PR review findings

- Restore @RolesAllowed("Admin") on official bot creation (security regression) - Pre-assign UUID before first persist in createOfficialBotAccount/syncOfficialBots to eliminate two-persist fragility (token-less entity on second-write failure) - Add nullable = false to OfficialBotAccount.token column - Replace JSON string interpolation in publishBotGameStart with objectMapper - Replace specific hprof PID filename in .gitignore with *.hprof wildcard Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-09 13:55:36 +02:00
parent c9cf92266c
commit 4021a39912
5 changed files with 22 additions and 11 deletions
@@ -53,4 +53,4 @@ modules/tournament/src/main/resources/keys/dev-public.pem
 modules/account/src/main/resources/keys/dev-private.pem
 modules/account/src/main/resources/keys/dev-public.pem
 modules/core/src/main/resources/keys/dev-public.pem
-java_pid2736.hprof
+*.hprof
@@ -76,6 +76,6 @@ class OfficialBotAccount extends PanacheEntityBase:

  var createdAt: Instant = uninitialized

-  @Column(length = 1024)
+  @Column(nullable = false, length = 1024)
  var token: String = uninitialized
  // scalafix:on
@@ -195,7 +195,7 @@ class AccountResource:

  @POST
  @Path("/official-bots")
-  @RolesAllowed(Array("**"))
+  @RolesAllowed(Array("Admin"))
  def createOfficialBot(req: CreateBotAccountRequest): Response =
    accountService.createOfficialBotAccount(req.name) match
      case Right(bot) =>
@@ -201,11 +201,12 @@ class AccountService:

  @Transactional
  def createOfficialBotAccount(botName: String): Either[AccountError, OfficialBotAccount] =
+    val id  = UUID.randomUUID()
    val bot = new OfficialBotAccount()
+    bot.id = id
    bot.name = botName
    bot.createdAt = Instant.now()
-    officialBotAccountRepository.persist(bot)
-    bot.token = generateBotToken(bot.id, bot.name)
+    bot.token = generateBotToken(id, botName)
    officialBotAccountRepository.persist(bot)
    Right(bot)

@@ -213,11 +214,12 @@ class AccountService:
  def syncOfficialBots(botNames: List[String]): Unit =
    botNames.foreach { name =>
      if officialBotAccountRepository.findByName(name).isEmpty then
+        val id  = UUID.randomUUID()
        val bot = new OfficialBotAccount()
+        bot.id = id
        bot.name = name
        bot.createdAt = Instant.now()
-        officialBotAccountRepository.persist(bot)
-        bot.token = generateBotToken(bot.id, bot.name)
+        bot.token = generateBotToken(id, name)
        officialBotAccountRepository.persist(bot)
        log.infof("Auto-registered official bot: %s", name)
    }
@@ -1,5 +1,6 @@
 package de.nowchess.tournament.service

+import com.fasterxml.jackson.databind.ObjectMapper
 import de.nowchess.tournament.client.{CoreCreateGameRequest, CoreGameClient, CorePlayerInfo, CoreTimeControl}
 import de.nowchess.tournament.config.RedisConfig
 import de.nowchess.tournament.domain.{Tournament, TournamentPairing, TournamentParticipant}
@@ -40,8 +41,9 @@ class TournamentService:
  @RestClient
  var coreGameClient: CoreGameClient = uninitialized

-  @Inject var redis: RedisDataSource   = uninitialized
-  @Inject var redisConfig: RedisConfig = uninitialized
+  @Inject var redis: RedisDataSource     = uninitialized
+  @Inject var redisConfig: RedisConfig   = uninitialized
+  @Inject var objectMapper: ObjectMapper = uninitialized
  // scalafix:on

  @Transactional
@@ -187,8 +189,15 @@ class TournamentService:
      botAccountId: String,
  ): Unit =
    val channel = s"${redisConfig.prefix}:bot:$botName:events"
-    val payload =
-      s"""{"type":"gameStart","gameId":"$gameId","playingAs":"$playingAs","difficulty":1500,"botAccountId":"$botAccountId"}"""
+    val payload = objectMapper.writeValueAsString(
+      Map(
+        "type"         -> "gameStart",
+        "gameId"       -> gameId,
+        "playingAs"    -> playingAs,
+        "difficulty"   -> 1500,
+        "botAccountId" -> botAccountId,
+      ),
+    )
    Try(redis.pubsub(classOf[String]).publish(channel, payload)) match
      case Failure(ex) => log.warnf(ex, "Failed to publish gameStart to bot channel %s", channel)
      case Success(_)  => ()