From 98d2f75f98cad95cb3b9b84e4986ca2781fa456c Mon Sep 17 00:00:00 2001
From: "Sergio C. Arteaga"
Date: Mon, 9 Nov 2020 09:03:53 +0100
Subject: [PATCH] Fix user alias availability check (#832)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Related to #831

Signed-off-by: Sergio CastaƱo Arteaga
---
 internal/user/manager.go | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/internal/user/manager.go b/internal/user/manager.go
index a8eb8e72..c388e7f3 100644
--- a/internal/user/manager.go
+++ b/internal/user/manager.go
@@ -18,19 +18,25 @@ import (
 
 const (
 // Database queries
- checkUserAliasAvailDBQ = `select user_id from "user" where alias = $1`
- checkUserCredsDBQ = `select user_id, password from "user" where email = $1 and password is not null and email_verified = true`
- deleteSessionDBQ = `delete from session where session_id = $1`
- getAPIKeyUserIDDBQ = `select user_id from api_key where key = $1`
- getSessionDBQ = `select user_id, floor(extract(epoch from created_at)) from session where session_id = $1`
- getUserIDDBQ = `select user_id from "user" where email = $1`
- getUserPasswordDBQ = `select password from "user" where user_id = $1 and password is not null`
- getUserProfileDBQ = `select get_user_profile($1::uuid)`
- registerSessionDBQ = `select register_session($1::jsonb)`
- registerUserDBQ = `select register_user($1::jsonb)`
- updateUserPasswordDBQ = `select update_user_password($1::uuid, $2::text, $3::text)`
- updateUserProfileDBQ = `select update_user_profile($1::uuid, $2::jsonb)`
- verifyEmailDBQ = `select verify_email($1::uuid)`
+ checkUserAliasAvailDBQ = `
+ select user_id
+ from "user" u
+ join email_verification_code c using (user_id)
+ where u.alias = $1
+ and current_timestamp - '1 day'::interval < c.created_at
+ `
+ checkUserCredsDBQ = `select user_id, password from "user" where email = $1 and password is not null and email_verified = true`
+ deleteSessionDBQ = `delete from session where session_id = $1`
+ getAPIKeyUserIDDBQ = `select user_id from api_key where key = $1`
+ getSessionDBQ = `select user_id, floor(extract(epoch from created_at)) from session where session_id = $1`
+ getUserIDDBQ = `select user_id from "user" where email = $1`
+ getUserPasswordDBQ = `select password from "user" where user_id = $1 and password is not null`
+ getUserProfileDBQ = `select get_user_profile($1::uuid)`
+ registerSessionDBQ = `select register_session($1::jsonb)`
+ registerUserDBQ = `select register_user($1::jsonb)`
+ updateUserPasswordDBQ = `select update_user_password($1::uuid, $2::text, $3::text)`
+ updateUserProfileDBQ = `select update_user_profile($1::uuid, $2::jsonb)`
+ verifyEmailDBQ = `select verify_email($1::uuid)`
 )
 
 var (
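Review bot: The new `checkUserAliasAvailDBQ` uses an inner join on `email_verification_code`, so a user who has no row in that table is never returned and their alias would be reported as available. If verification codes are removed once an email is verified, or are never created for some accounts (both inferred, not visible here), every established account falls into that case, and the check then relies entirely on whatever uniqueness constraint the `alias` column has. A left join keeps those users in the result: `left join email_verification_code c using (user_id)` with `and (u.email_verified = true or c.created_at is null or current_timestamp - '1 day'::interval < c.created_at)`. The code that runs this query is outside the hunk, so how a zero-row result is interpreted should be confirmed there.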