From 0e73430d70025222cf0858358c04f0992e38afee Mon Sep 17 00:00:00 2001
From: MrEisbear
Date: Sat, 14 Jun 2025 19:15:32 -0500
Subject: [PATCH 1/2] fix(api): implement atomic transfers and constant-time key comparison

---
 app.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/app.py b/app.py
index 9ff2818..5eb2bb1 100644
--- a/app.py
+++ b/app.py
@@ -7,6 +7,7 @@ import mysql.connector
 import os
 from dotenv import load_dotenv
 import jwt
+import hmac
 
 load_dotenv()
 app = Flask(__name__)
@@ -156,11 +157,17 @@ def transfer():
         return jsonify({"error":"User not found"}), 404
     if sender["balance"] < amount:
         return jsonify({"error": "Insufficient funds"}), 400
-    with db.cursor(dictionary=True) as cur:
-        cur.execute("UPDATE users SET balance = balance - %s WHERE bid = %s", (amount, fbid))
-        cur.execute("UPDATE users SET balance = balance + %s WHERE bid = %s", (amount, tbid))
-    db.commit()
-    return jsonify({"message": "Transfer successful"}), 200
+    try:
+        db.start_transaction()
+        with db.cursor(dictionary=True) as cur:
+            cur.execute("UPDATE users SET balance = balance - %s WHERE bid = %s", (amount, fbid))
+            cur.execute("UPDATE users SET balance = balance + %s WHERE bid = %s", (amount, tbid))
+        db.commit()
+        return jsonify({"message": "Transfer successful"}), 200
+    except mysql.connector.Error as err:
+        db.rollback()
+        print(f"Transactional Error: {err}")
+        return jsonify({"error": "A database error occurred during the transfer."}), 500
 
 
 @app.route('/admin/change-password', methods=['POST', 'PATCH'])
@@ -171,7 +178,8 @@ def change_password():
     key = data.get('key')
     if not bid or not new_password or not key:
         return jsonify({"error": "BID, new password, and key are required"}), 400
-    if key != os.getenv('ADMIN_KEY'):
+    oskey = os.getenv('ADMIN_KEY')
+    if not oskey or not hmac.compare_digest(key, oskey):
         return jsonify({"error": "Admin Key required"}), 403
     user = get_user(bid)
     if not user:
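Review bot: The insufficient-funds check on the context line `if sender["balance"] < amount:` still reads the balance before the transaction opens, so two concurrent transfers from the same account can both pass it and the debit UPDATE inside the new try block overdraws; the transaction makes the two UPDATEs atomic with each other but does not close this check-then-act window. Make the debit conditional on the balance in the same statement and treat an unaffected row as insufficient funds, as in the excerpt below. transfer() starts outside the hunk, so I cannot see whether amount is validated as positive before this point; if it is not, a negative amount reverses the direction of the transfer and should be rejected there. The `print(f"Transactional Error: {err}")` in the except branch would be more useful as `app.logger.error("transfer failed: %s", err)` so the failure lands in the application log rather than stdout.
```python
        with db.cursor(dictionary=True) as cur:
            # Check and debit in one statement under the transaction: the row is
            # only updated when the balance still covers the amount.
            cur.execute(
                "UPDATE users SET balance = balance - %s WHERE bid = %s AND balance >= %s",
                (amount, fbid, amount),
            )
            if cur.rowcount != 1:
                db.rollback()
                return jsonify({"error": "Insufficient funds"}), 400
            cur.execute("UPDATE users SET balance = balance + %s WHERE bid = %s", (amount, tbid))
        # … unchanged: db.commit(), success response, except branch …
```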
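Review bot: `hmac.compare_digest(key, oskey)` on the new line raises TypeError when `key` is not a str (if `data` is a parsed JSON body, `key` can be a number, list or object) or when either string contains non-ASCII characters, so such a request surfaces as a 500 instead of the 403 the branch intends. Guard the type and compare bytes: `if not isinstance(key, str) or not oskey or not hmac.compare_digest(key.encode(), oskey.encode()):`. The `not oskey` case also answers "Admin Key required" when the server itself lacks ADMIN_KEY; a log line in that path, e.g. `app.logger.error("ADMIN_KEY is not configured")`, would make the misconfiguration visible instead of looking like a bad client key. change_password() starts outside the hunk.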
From e8c84ba809e8eaa200dd01b2dc97d7f652d1c9cb Mon Sep 17 00:00:00 2001
From: MrEisbear
Date: Sat, 14 Jun 2025 19:18:28 -0500
Subject: [PATCH 2/2] Stop tracking IDE settings and environment file

---
 .gitignore | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2ef4401..940489f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-.venv
+.venv/
 .env
-.idea
+.idea/