From b3ef075e54f18c4785910887a7e2478c8121b382 Mon Sep 17 00:00:00 2001
From: Caleb Bae
Date: Wed, 29 Apr 2026 15:56:48 -0500
Subject: [PATCH] Reject empty QR codes to close signup auth bypass

---
 server/router/admin.go | 9 +++++----
 server/router/judge.go | 19 ++++++++-----------
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/server/router/admin.go b/server/router/admin.go
index ec539ad..f3bf4ad 100644
--- a/server/router/admin.go
+++ b/server/router/admin.go
@@ -632,8 +632,8 @@ func CheckQRCode(ctx *gin.Context) {
 return
 }

- // Send OK if QR code is right
- if options.QRCode == qrReq.Code {
+ // Send OK or reject empty values
+ if qrReq.Code != "" && options.QRCode != "" && options.QRCode == qrReq.Code {
 ctx.JSON(http.StatusOK, gin.H{"ok": 1})
 } else {
 ctx.JSON(http.StatusOK, gin.H{"ok": 0})
@@ -663,8 +663,9 @@ func CheckTrackQRCode(ctx *gin.Context) {
 return
 }

- // Send OK if QR code is right
- if options.TrackQRCodes[track] == qrReq.Code {
+ // Send OK or reject empty values
+ expected := options.TrackQRCodes[track]
+ if qrReq.Code != "" && expected != "" && expected == qrReq.Code {
 ctx.JSON(http.StatusOK, gin.H{"ok": 1})
 } else {
 ctx.JSON(http.StatusOK, gin.H{"ok": 0})
diff --git a/server/router/judge.go b/server/router/judge.go
index cd7da51..6572a39 100644
--- a/server/router/judge.go
+++ b/server/router/judge.go
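Review bot: The new conditions still compare the secret with plain string equality — `options.QRCode == qrReq.Code` in CheckQRCode, `expected == qrReq.Code` in CheckTrackQRCode, and `qrReq.Code != expectedCode` in the AddJudgeFromQR hunk of judge.go — so the time taken to reject a guess depends on how many leading bytes matched. Since these codes are the only credential gating judge signup, the empty-value rule the commit now repeats at three call sites and the comparison itself belong in one helper built on `crypto/subtle.ConstantTimeCompare` (a new import in both files), after which each site reads `if qrCodeMatches(options.QRCode, qrReq.Code) {` or `if qrCodeMatches(options.TrackQRCodes[track], qrReq.Code) {`. If CheckQRCode and CheckTrackQRCode are reachable without an admin session — their authentication, if any, is outside the hunks — the ok 0/1 answer is a code-validity oracle and should additionally be rate-limited. The bodies of CheckQRCode and CheckTrackQRCode begin outside their hunks.
```go
// qrCodeMatches reports whether the submitted code equals the configured one.
// Empty values never match, and the comparison runs in constant time so that
// response latency does not reveal how much of a guess was correct.
func qrCodeMatches(expected, got string) bool {
	if expected == "" || got == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

// … unchanged: CheckQRCode request binding and options lookup …
if qrCodeMatches(options.QRCode, qrReq.Code) {
```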
@@ -1052,17 +1052,14 @@ func AddJudgeFromQR(ctx *gin.Context) {
 return err
 }

- // Make sure the code is correct
- if qrReq.Track == "" {
- if qrReq.Code != options.QRCode {
- ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"})
- return err
- }
- } else {
- if qrReq.Code != options.TrackQRCodes[qrReq.Track] {
- ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"})
- return err
- }
+ // Make sure the code is correct and reject empty code
+ expectedCode := options.QRCode
+ if qrReq.Track != "" {
+ expectedCode = options.TrackQRCodes[qrReq.Track]
+ }
+ if qrReq.Code == "" || expectedCode == "" || qrReq.Code != expectedCode {
+ ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"})
+ return err
 }

 // Check if the judge already exists
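Review bot: The rejection branch `ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid QR code"})` leaves no record that a signup attempt was refused, so repeated guesses against this path — which appears to be reachable with nothing but the code, though the route registration is outside the hunk — are invisible to anyone monitoring the server. A single log line using whatever logger the file already has, carrying the requested track and `ctx.ClientIP()` but never the submitted code, would make a brute-force run detectable, and upstream rate limiting should accompany it if none exists. The `qrReq.Code == ""` clause is already implied by `qrReq.Code != expectedCode` once `expectedCode != ""` holds; if it is kept as an explicit guard, the comment should say so, e.g. `// An empty submission is rejected even if the configured code is also empty`. AddJudgeFromQR starts and ends outside the hunk.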