Move incomplete registrations to database

AuroraLS3 · AuroraLS3 · commit 53e0dfeede50 · 2026-06-28T18:17:57.000+03:00
Affects issues: - Fixed #2286
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/commands/subcommands/RegistrationCommands.java b/Plan/common/src/main/java/com/djrapitops/plan/commands/subcommands/RegistrationCommands.java
@@ -56,6 +56,7 @@ public class RegistrationCommands {
     private final ActiveCookieStore activeCookieStore;
     private final LinkCommands linkCommands;
     private final Confirmation confirmation;
+    private final RegistrationBin registrationBin;
     private final PluginLogger logger;
     private final ErrorLogger errorLogger;
 
@@ -66,7 +67,7 @@ public RegistrationCommands(
             DBSystem dbSystem,
             ActiveCookieStore activeCookieStore,
             LinkCommands linkCommands,
-            Confirmation confirmation,
+            Confirmation confirmation, RegistrationBin registrationBin,
             PluginLogger logger,
             ErrorLogger errorLogger
     ) {
@@ -77,6 +78,7 @@ public RegistrationCommands(
         this.activeCookieStore = activeCookieStore;
         this.linkCommands = linkCommands;
         this.confirmation = confirmation;
+        this.registrationBin = registrationBin;
         this.logger = logger;
         this.errorLogger = errorLogger;
     }
@@ -108,7 +110,7 @@ public void onRegister(CMDSender sender, @Untrusted Arguments arguments) {
 
     public void registerUsingCode(CMDSender sender, @Untrusted String code, @Untrusted Arguments arguments) {
         UUID linkedToUUID = sender.getUUID().orElse(null);
-        User user = RegistrationBin.register(code, linkedToUUID)
+        User user = registrationBin.register(code, linkedToUUID)
                 .orElseThrow(() -> new IllegalArgumentException(locale.getString(FailReason.USER_INFORMATION_NOT_FOUND)));
         String permissionGroup = getPermissionGroup(sender, arguments)
                 .orElseThrow(() -> new IllegalArgumentException(locale.getString(FailReason.NO_PERMISSION_GROUP)));
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/WebServerSystem.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/WebServerSystem.java
@@ -18,6 +18,7 @@
 
 import com.djrapitops.plan.SubSystem;
 import com.djrapitops.plan.delivery.webserver.auth.ActiveCookieStore;
+import com.djrapitops.plan.delivery.webserver.auth.RegistrationBin;
 import com.djrapitops.plan.delivery.webserver.http.WebServer;
 import com.djrapitops.plan.storage.file.PublicHtmlFiles;
 import net.playeranalytics.plugin.server.PluginLogger;
@@ -35,19 +36,21 @@ public class WebServerSystem implements SubSystem {
 
     private final Addresses addresses;
     private final ActiveCookieStore activeCookieStore;
+    private final RegistrationBin registrationBin;
     private final PublicHtmlFiles publicHtmlFiles;
     private final WebServer webServer;
     private final PluginLogger logger;
 
     @Inject
     public WebServerSystem(
             Addresses addresses,
-            ActiveCookieStore activeCookieStore,
+            ActiveCookieStore activeCookieStore, RegistrationBin registrationBin,
             PublicHtmlFiles publicHtmlFiles,
             WebServer webServer,
             PluginLogger logger) {
         this.addresses = addresses;
         this.activeCookieStore = activeCookieStore;
+        this.registrationBin = registrationBin;
         this.publicHtmlFiles = publicHtmlFiles;
         this.webServer = webServer;
         this.logger = logger;
@@ -76,4 +79,16 @@ public WebServer getWebServer() {
     public Addresses getAddresses() {
         return addresses;
     }
+
+    public ActiveCookieStore getActiveCookieStore() {
+        return activeCookieStore;
+    }
+
+    public RegistrationBin getRegistrationBin() {
+        return registrationBin;
+    }
+
+    public PublicHtmlFiles getPublicHtmlFiles() {
+        return publicHtmlFiles;
+    }
 }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/auth/IncompleteRegistration.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/auth/IncompleteRegistration.java
@@ -0,0 +1,61 @@
+/*
+ *  This file is part of Player Analytics (Plan).
+ *
+ *  Plan is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Lesser General Public License v3 as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  Plan is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public License
+ *  along with Plan. If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.djrapitops.plan.delivery.webserver.auth;
+
+import com.djrapitops.plan.delivery.domain.auth.User;
+import com.djrapitops.plan.utilities.dev.Untrusted;
+
+import java.util.Collections;
+import java.util.UUID;
+
+/**
+ * @author AuroraLS3
+ */
+public class IncompleteRegistration {
+    @Untrusted
+    private final String username;
+    private final String passwordHash;
+    private final String code;
+    private final long expiresAfter;
+
+    public IncompleteRegistration(@Untrusted String username, String passwordHash, String code, long expiresAfter) {
+        this.username = username;
+        this.passwordHash = passwordHash;
+        this.code = code;
+        this.expiresAfter = expiresAfter;
+    }
+
+    public User toUser(UUID linkedToUUID) {
+        return new User(username, null, linkedToUUID, passwordHash, null, Collections.emptyList());
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPasswordHash() {
+        return passwordHash;
+    }
+
+    public String getCode() {
+        return code;
+    }
+
+    public long getExpiresAfter() {
+        return expiresAfter;
+    }
+}
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/auth/RegistrationBin.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/auth/RegistrationBin.java
@@ -17,13 +17,16 @@
 package com.djrapitops.plan.delivery.webserver.auth;
 
 import com.djrapitops.plan.delivery.domain.auth.User;
+import com.djrapitops.plan.storage.database.DBSystem;
+import com.djrapitops.plan.storage.database.queries.objects.WebUserQueries;
+import com.djrapitops.plan.storage.database.sql.tables.webuser.RegistrationTable;
+import com.djrapitops.plan.storage.database.transactions.webuser.StoreIncompleteRegistrationTransaction;
 import com.djrapitops.plan.utilities.PassEncryptUtil;
 import com.djrapitops.plan.utilities.dev.Untrusted;
-import com.github.benmanes.caffeine.cache.Cache;
-import com.github.benmanes.caffeine.cache.Caffeine;
 import org.apache.commons.codec.digest.DigestUtils;
 
-import java.util.Collections;
+import javax.inject.Inject;
+import javax.inject.Singleton;
 import java.util.Optional;
 import java.util.UUID;
 import java.util.concurrent.TimeUnit;
@@ -33,46 +36,41 @@
  *
  * @author AuroraLS3
  */
+@Singleton
 public class RegistrationBin {
 
-    private static final Cache<String, AwaitingForRegistration> REGISTRATION_BIN = Caffeine.newBuilder()
-            .expireAfterAccess(15, TimeUnit.MINUTES)
-            .build();
+    private final DBSystem dbSystem;
 
-    private RegistrationBin() {
-        // Hide static cache constructor
+    @Inject
+    public RegistrationBin(DBSystem dbSystem) {
+        this.dbSystem = dbSystem;
     }
 
-    public static String addInfoForRegistration(@Untrusted String username, @Untrusted String password) {
+    public String addInfoForRegistration(@Untrusted String username, @Untrusted String password) {
         String hash = PassEncryptUtil.createHash(password);
-        String code = DigestUtils.sha256Hex(username + password + System.currentTimeMillis()).substring(0, 12);
-        REGISTRATION_BIN.put(code, new AwaitingForRegistration(username, hash));
-        return code;
-    }
+        String code = DigestUtils.sha256Hex(username + hash + System.currentTimeMillis()).substring(0, 12);
+        long expiresAfter = System.currentTimeMillis() + TimeUnit.MINUTES.toMillis(15L);
 
-    public static Optional<User> register(@Untrusted String code, UUID linkedToUUID) {
-        AwaitingForRegistration found = REGISTRATION_BIN.getIfPresent(code);
-        if (found == null) return Optional.empty();
-        REGISTRATION_BIN.invalidate(code);
-        return Optional.of(found.toUser(linkedToUUID));
+        dbSystem.getDatabase().executeTransaction(new StoreIncompleteRegistrationTransaction(
+                new IncompleteRegistration(username, hash, code, expiresAfter)
+        ));
+        return code;
     }
 
-    public static boolean contains(@Untrusted String code) {
-        return REGISTRATION_BIN.getIfPresent(code) != null;
+    public Optional<User> register(@Untrusted String code, UUID linkedToUUID) {
+        return dbSystem.getDatabase().query(WebUserQueries.fetchIncompleteRegistration(code))
+                .map(registration -> {
+                    dbSystem.getDatabase().executeInTransaction(RegistrationTable.DELETE_BY_CODE, registration.getCode());
+                    return registration.toUser(linkedToUUID);
+                });
     }
 
-    private static class AwaitingForRegistration {
-        @Untrusted
-        private final String username;
-        private final String passwordHash;
-
-        public AwaitingForRegistration(@Untrusted String username, String passwordHash) {
-            this.username = username;
-            this.passwordHash = passwordHash;
-        }
-
-        public User toUser(UUID linkedToUUID) {
-            return new User(username, null, linkedToUUID, passwordHash, null, Collections.emptyList());
-        }
+    public boolean contains(@Untrusted String code) {
+        // This method is used to check if registration was completed by the user.
+        // There's a bug here where incomplete registration can be cleaned up before registration completes while register window is open
+        // Which can lead to a confusing situation where user gets "Registration succeeded, you can now log in"-message
+        // Even though the user was not actually registered.
+        Optional<IncompleteRegistration> incompleteRegistration = dbSystem.getDatabase().query(WebUserQueries.fetchIncompleteRegistration(code));
+        return incompleteRegistration.isPresent();
     }
 }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
@@ -49,10 +49,12 @@
 public class RegisterResolver implements NoAuthResolver {
 
     private final DBSystem dbSystem;
+    private final RegistrationBin registrationBin;
 
     @Inject
-    public RegisterResolver(DBSystem dbSystem) {
+    public RegisterResolver(DBSystem dbSystem, RegistrationBin registrationBin) {
         this.dbSystem = dbSystem;
+        this.registrationBin = registrationBin;
     }
 
     @GET
@@ -85,7 +87,7 @@ public Response getResponse(Request request) {
         if (checkCode.isPresent()) {
             return Response.builder()
                     .setStatus(200)
-                    .setJSONContent(Collections.singletonMap("success", !RegistrationBin.contains(checkCode.get())))
+                    .setJSONContent(Collections.singletonMap("success", !registrationBin.contains(checkCode.get())))
                     .build();
         }
 
@@ -97,7 +99,7 @@ public Response getResponse(Request request) {
 
         @Untrusted String password = getPassword(form, query);
         try {
-            String code = RegistrationBin.addInfoForRegistration(username, password);
+            String code = registrationBin.addInfoForRegistration(username, password);
             return Response.builder()
                     .setStatus(200)
                     .setJSONContent(Maps.builder(String.class, Object.class)
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/Database.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/Database.java
@@ -138,11 +138,11 @@ protected void performOperations() {
         });
     }
 
-    default CompletableFuture<?> executeInTransaction(String sql) {
+    default CompletableFuture<?> executeInTransaction(String sql, Object... parameters) {
         return executeInTransaction(new ExecStatement(sql) {
             @Override
-            public void prepare(PreparedStatement statement) {
-                // Nothing to prepare
+            public void prepare(PreparedStatement statement) throws SQLException {
+                QueryParameterSetter.setParameters(statement, parameters);
             }
         });
     }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/objects/WebUserQueries.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/queries/objects/WebUserQueries.java
@@ -20,6 +20,7 @@
 import com.djrapitops.plan.delivery.domain.datatransfer.preferences.Preferences;
 import com.djrapitops.plan.delivery.web.resolver.request.WebUser;
 import com.djrapitops.plan.delivery.webserver.auth.CookieMetadata;
+import com.djrapitops.plan.delivery.webserver.auth.IncompleteRegistration;
 import com.djrapitops.plan.storage.database.queries.Query;
 import com.djrapitops.plan.storage.database.queries.QueryAllStatement;
 import com.djrapitops.plan.storage.database.sql.building.Select;
@@ -169,8 +170,8 @@ private static User extractUser(ResultSet set) throws SQLException {
         String permissionGroup = set.getString(WebGroupTable.NAME);
         String userPermissions = set.getString("user_permissions");
         List<String> permissions = userPermissions != null ? Arrays.stream(userPermissions.split(","))
-                                                             .filter(permission -> !permission.isEmpty())
-                                                             .collect(Collectors.toList()) : List.of();
+                .filter(permission -> !permission.isEmpty())
+                .collect(Collectors.toList()) : List.of();
         return new User(username, linkedTo != null ? linkedTo : "console", linkedToUUID, passwordHash, permissionGroup, new HashSet<>(permissions));
     }
 
@@ -288,4 +289,17 @@ public static Query<Set<Integer>> fetchPreferencesUserIds() {
         String sql = SELECT + WebUserPreferencesTable.WEB_USER_ID + FROM + WebUserPreferencesTable.TABLE_NAME;
         return db -> db.querySet(sql, row -> row.getInt(WebUserPreferencesTable.WEB_USER_ID));
     }
+
+    public static Query<Optional<IncompleteRegistration>> fetchIncompleteRegistration(@Untrusted String code) {
+        return db -> db.queryOptional(RegistrationTable.SELECT_BY_CODE, WebUserQueries::extractIncompleteRegistration, code, System.currentTimeMillis());
+    }
+
+    private static IncompleteRegistration extractIncompleteRegistration(ResultSet set) throws SQLException {
+        return new IncompleteRegistration(
+                set.getString(RegistrationTable.USERNAME),
+                set.getString(RegistrationTable.SALT_PASSWORD_HASH),
+                set.getString(RegistrationTable.CODE),
+                set.getLong(RegistrationTable.EXPIRY_TIME)
+        );
+    }
 }
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/sql/tables/webuser/RegistrationTable.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/sql/tables/webuser/RegistrationTable.java
@@ -0,0 +1,60 @@
+/*
+ *  This file is part of Player Analytics (Plan).
+ *
+ *  Plan is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Lesser General Public License v3 as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  Plan is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public License
+ *  along with Plan. If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.djrapitops.plan.storage.database.sql.tables.webuser;
+
+import com.djrapitops.plan.storage.database.DBType;
+import com.djrapitops.plan.storage.database.sql.building.CreateTableBuilder;
+import com.djrapitops.plan.storage.database.sql.building.Insert;
+
+import static com.djrapitops.plan.storage.database.sql.building.Sql.*;
+
+/**
+ * Represents plan_incomplete_registration table.
+ *
+ * @author AuroraLS3
+ */
+public class RegistrationTable {
+
+    public static final String TABLE_NAME = "plan_incomplete_registration";
+
+    public static final String ID = "id";
+    public static final String USERNAME = "username";
+    public static final String SALT_PASSWORD_HASH = "salted_password_hash";
+    public static final String CODE = "code";
+    public static final String EXPIRY_TIME = "expiry_time";
+
+    public static final String INSERT_STATEMENT = Insert.values(TABLE_NAME, USERNAME, SALT_PASSWORD_HASH, CODE, EXPIRY_TIME);
+
+    public static final String DELETE_EXPIRED = DELETE_FROM + TABLE_NAME + WHERE + EXPIRY_TIME + "<=?";
+    public static final String DELETE_BY_CODE = DELETE_FROM + TABLE_NAME + WHERE + CODE + "=?";
+
+    public static final String SELECT_BY_CODE = SELECT + "*" + FROM + TABLE_NAME + WHERE + CODE + "=?" + AND + EXPIRY_TIME + ">?";
+
+    private RegistrationTable() {
+        /* Static SQL utility class */
+    }
+
+    public static String createTableSql(DBType dbType) {
+        return CreateTableBuilder.create(TABLE_NAME, dbType)
+                .column(ID, INT).primaryKey()
+                .column(USERNAME, varchar(100)).notNull().unique()
+                .column(SALT_PASSWORD_HASH, varchar(100)).notNull()
+                .column(CODE, varchar(12)).notNull().unique()
+                .column(EXPIRY_TIME, LONG).notNull()
+                .toString();
+    }
+}
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/transactions/init/CreateTablesTransaction.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/transactions/init/CreateTablesTransaction.java
@@ -50,7 +50,8 @@ public static String[] tableNames() {
                 SecurityTable.TABLE_NAME,
                 WebUserPreferencesTable.TABLE_NAME,
                 PluginVersionTable.TABLE_NAME,
-                AllowlistBounceTable.TABLE_NAME
+                AllowlistBounceTable.TABLE_NAME,
+                RegistrationTable.TABLE_NAME
         };
     }
 
@@ -84,6 +85,7 @@ protected void performOperations() {
         execute(WebUserPreferencesTable.createTableSQL(dbType));
         execute(PluginVersionTable.createTableSQL(dbType));
         execute(AllowlistBounceTable.createTableSQL(dbType));
+        execute(RegistrationTable.createTableSql(dbType));
 
         // DataExtension tables
         execute(ExtensionIconTable.createTableSQL(dbType));
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/database/transactions/webuser/StoreIncompleteRegistrationTransaction.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/database/transactions/webuser/StoreIncompleteRegistrationTransaction.java
diff --git a/Plan/common/src/main/java/com/djrapitops/plan/storage/upkeep/DBCleanTask.java b/Plan/common/src/main/java/com/djrapitops/plan/storage/upkeep/DBCleanTask.java
diff --git a/Plan/common/src/test/java/com/djrapitops/plan/delivery/webserver/auth/RegistrationBinTest.java b/Plan/common/src/test/java/com/djrapitops/plan/delivery/webserver/auth/RegistrationBinTest.java
diff --git a/Plan/common/src/test/java/extension/FullSystemExtension.java b/Plan/common/src/test/java/extension/FullSystemExtension.java

Original file line number	Diff line number	Diff line change
`@@ -138,11 +138,11 @@ protected void performOperations() {`
`138`	`138`	`});`
`139`	`139`	`}`
`140`	`140`
`141`		`- default CompletableFuture<?> executeInTransaction(String sql) {`
	`141`	`+ default CompletableFuture<?> executeInTransaction(String sql, Object... parameters) {`
`142`	`142`	`return executeInTransaction(new ExecStatement(sql) {`
`143`	`143`	`@Override`
`144`		`- public void prepare(PreparedStatement statement) {`
`145`		`- // Nothing to prepare`
	`144`	`+ public void prepare(PreparedStatement statement) throws SQLException {`
	`145`	`+ QueryParameterSetter.setParameters(statement, parameters);`
`146`	`146`	`}`
`147`	`147`	`});`
`148`	`148`	`}`