From 2ff0e890ec3ecd5c904f1eaeab918e1c75dad589 Mon Sep 17 00:00:00 2001
From: Letro Bot <noreply@letro.com>
Date: Wed, 8 Apr 2026 17:58:54 +0330
Subject: [PATCH] Validate postnumbers on the register route

---
 crates/handlers/src/views/register/mod.rs     | 24 ++++++++++---------
 .../handlers/src/views/register/password.rs   |  2 +-
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/crates/handlers/src/views/register/mod.rs b/crates/handlers/src/views/register/mod.rs
index f1e2975fd..a04bcc3ca 100644
--- a/crates/handlers/src/views/register/mod.rs
+++ b/crates/handlers/src/views/register/mod.rs
@@ -82,8 +82,7 @@ pub(super) async fn validate_registration_username(
                 user_agent,
             },
         })
-        .await
-        .map_err(InternalError::from_anyhow)?;
+        .await?;
 
     for violation in res.violations {
         match violation.field.as_deref() {
@@ -127,7 +126,10 @@ pub(super) async fn validate_registration_username(
                 );
             }
             Err(e) => {
-                tracing::error!(error = &e as &dyn std::error::Error, "postnumber resolver error");
+                tracing::error!(
+                    error = &e as &dyn std::error::Error,
+                    "postnumber resolver error"
+                );
                 state.add_error_on_form(FormError::Internal);
             }
         }
@@ -140,18 +142,19 @@ async fn render(
     locale: mas_i18n::DataLocale,
     mut ctx: RegisterContext,
     action: OptionalPostAuthAction,
-    mut repo: &mut BoxRepository,
+    csrf_token: impl ToString,
+    repo: &mut BoxRepository,
     templates: &Templates,
 ) -> Result<String, InternalError> {
     let post_action = action
-        .load_context(&mut repo)
+        .load_context(repo)
         .await
         .map_err(InternalError::from_anyhow)?;
     if let Some(action) = post_action {
         ctx = ctx.with_post_action(action);
     }
 
-    Ok(templates.render_register(&ctx.with_language(locale))?)
+    Ok(templates.render_register(&ctx.with_csrf(csrf_token).with_language(locale))?)
 }
 
 #[tracing::instrument(name = "handlers.views.register.get", skip_all)]
@@ -211,8 +214,9 @@ pub(crate) async fn get(
 
     let content = render(
         locale,
-        RegisterContext::new(providers).with_csrf(csrf_token.form_value()).inner,
+        RegisterContext::new(providers),
         query,
+        csrf_token.form_value(),
         &mut repo,
         &templates,
     )
@@ -267,11 +271,9 @@ pub(crate) async fn post(
     if !state.is_valid() {
         let content = render(
             locale,
-            RegisterContext::new(providers)
-                .with_form_state(state)
-                .with_csrf(csrf_token.form_value())
-                .inner,
+            RegisterContext::new(providers).with_form_state(state),
             form.action,
+            csrf_token.form_value(),
             &mut repo,
             &templates,
         )
diff --git a/crates/handlers/src/views/register/password.rs b/crates/handlers/src/views/register/password.rs
index 3ef3d8ede..696af7b4f 100644
--- a/crates/handlers/src/views/register/password.rs
+++ b/crates/handlers/src/views/register/password.rs
@@ -26,7 +26,7 @@ use mas_router::UrlBuilder;
 use mas_storage::{
     BoxRepository, RepositoryAccess,
     queue::{QueueJobRepositoryExt as _, SendEmailAuthenticationCodeJob},
-    user::{UserEmailRepository, UserRepository},
+    user::UserEmailRepository,
 };
 use mas_templates::{
     FieldError, FormError, FormState, PasswordRegisterContext, RegisterFormField, TemplateContext,