From e3561b731deb497298dab29e4458d8564b3eaf54 Mon Sep 17 00:00:00 2001
From: "s0wlz (Matthias Puchstein)"
Date: Tue, 28 Apr 2026 03:55:54 +0200
Subject: [PATCH] fix(attendance): propagate cookie header errors, guard missing room in checkin
---
 backend/src/routes/checkin.rs | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/backend/src/routes/checkin.rs b/backend/src/routes/checkin.rs
index a0928ff..2103ad0 100644
--- a/backend/src/routes/checkin.rs
+++ b/backend/src/routes/checkin.rs
@@ -1,6 +1,6 @@
 use axum::{
 extract::{Path, State},
- http::{HeaderMap, HeaderValue, StatusCode},
+ http::{HeaderMap, StatusCode},
 response::{IntoResponse, Response},
 routing::{get, post},
 Json, Router,
@@ -197,15 +197,14 @@ async fn post_checkin(
 .fetch_optional(&pool)
 .await?;
- if let Some(r) = room {
- let elements: Vec = serde_json::from_str(&r.layout_json)
- .unwrap_or_default();
- let valid = elements
- .iter()
- .any(|e| &e.id == seat_id && e.kind == "seat");
- if !valid {
- return Err(AppError::BadRequest("invalid seat".into()));
- }
+ let room_row = room.ok_or(AppError::NotFound)?;
+ let elements: Vec = serde_json::from_str(&room_row.layout_json)
+ .unwrap_or_default();
+ let valid = elements
+ .iter()
+ .any(|e| &e.id == seat_id && e.kind == "seat");
+ if !valid {
+ return Err(AppError::BadRequest("invalid seat".into()));
 }
 }
 (None, None) => {}
@@ -265,7 +264,7 @@ async fn post_checkin(
 "code": req.code,
 "student_id": req.student_id,
 }))
- .unwrap()
+ .expect("serializing static json shape is infallible")
 .replace('"', "%22");
 let cookie_val = format!(
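Review bot: A layout that fails to parse is still turned into an empty seat list by `.unwrap_or_default()` on the `serde_json::from_str(&room_row.layout_json)` line, so corrupt stored data reaches the client as `400 invalid seat` and leaves no trace on the server. The check fails closed, which is the safe direction, but it hides a data-integrity problem behind a client error. I would replace `.unwrap_or_default()` with a `map_err(...)?` that logs the serde error and returns a server-error variant of `AppError`, keeping `invalid seat` for a layout that parsed but lacks the id. Only `NotFound` and `BadRequest` are visible in this patch, so the variant has to come from the rest of the crate; post_checkin starts and ends outside this hunk.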
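Review bot: Only the double quote is escaped on the `.replace('"', "%22")` line, so `;`, `,`, spaces, backslashes and a literal `%` from `req.code` and `req.student_id` (presumably request-supplied) go into the cookie value unchanged. A `;` ends the cookie value, which lets request data append its own cookie attributes, and an unescaped `%` makes decoding ambiguous because a submitted `%22` reads back as a quote. I would percent-encode the whole serialized JSON instead, for example `utf8_percent_encode(&json, NON_ALPHANUMERIC).to_string()` from the `percent-encoding` crate, which is a new dependency if the backend does not already have it. The statement this `expect` belongs to begins above the hunk.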
@@ -273,11 +272,10 @@ async fn post_checkin(
 identity_json
 );
+ let header_val = axum::http::HeaderValue::from_str(&cookie_val)
+ .map_err(|_| AppError::BadRequest("invalid cookie value".into()))?;
 let mut response = Json(json!({"ok": true})).into_response();
- response.headers_mut().insert(
- axum::http::header::SET_COOKIE,
- HeaderValue::from_str(&cookie_val).unwrap(),
- );
+ response.headers_mut().insert(axum::http::header::SET_COOKIE, header_val);
 Ok(response)
 }
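Review bot: `HeaderValue::from_str` accepts only visible ASCII while `serde_json` writes non-ASCII characters unescaped, so a non-ASCII `student_id` or `code` now ends in `400 invalid cookie value` at the very end of the handler. If the check-in has already been stored by then (the write is not visible in this hunk), the client gets an error for a check-in that was recorded and may retry it. Building `header_val` before the state change, or encoding the identity to ASCII so the conversion cannot fail, would avoid that. The `|_|` in `map_err` also drops the underlying error; logging it keeps the failure diagnosable. post_checkin begins outside this hunk.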