From eb025637142246578f5e6a7b79adc55c2ecaae9e Mon Sep 17 00:00:00 2001
From: Andrew Lalis <andrewlalisofficial@gmail.com>
Date: Thu, 16 Feb 2023 20:40:03 +0100
Subject: [PATCH] Improved upload flow, fixed vulnerability in search.

---
 .../config/ErrorResponseHandler.java          |   4 +
 .../gymboard_api/config/SecurityConfig.java   |   2 -
 .../gymboard_api/config/WebComponents.java    |  16 +++
 .../gymboard_api/config/WebConfig.java        |  13 ---
 .../api/dto/ApiValidationException.java       |  17 +++
 .../domains/api/dto/ValidationResponse.java   |  22 ++++
 .../submission/ExerciseSubmissionService.java |  70 ++++++++---
 gymboard-app/src/api/main/submission.ts       |   7 +-
 gymboard-app/src/i18n/en-US/index.ts          |   7 +-
 gymboard-app/src/i18n/nl-NL/index.ts          |   2 +-
 .../src/pages/gym/GymSubmissionPage.vue       | 109 +++++++++++-------
 .../index/WeightedWildcardQueryBuilder.java   |   4 +-
 12 files changed, 197 insertions(+), 76 deletions(-)
 delete mode 100644 gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebConfig.java
 create mode 100644 gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ApiValidationException.java
 create mode 100644 gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ValidationResponse.java

diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/ErrorResponseHandler.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/ErrorResponseHandler.java
index 9fe8f23..5b47b50 100644
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/ErrorResponseHandler.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/ErrorResponseHandler.java
@@ -1,5 +1,6 @@
 package nl.andrewlalis.gymboard_api.config;
 
+import nl.andrewlalis.gymboard_api.domains.api.dto.ApiValidationException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -33,6 +34,9 @@ public class ErrorResponseHandler {
 			}
 		}
 		responseContent.put("message", message);
+		if (e instanceof ApiValidationException validationException) {
+			responseContent.put("validation_messages", validationException.getValidationResponse().getMessages());
+		}
 		return ResponseEntity.status(e.getStatusCode()).body(responseContent);
 	}
 }
diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/SecurityConfig.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/SecurityConfig.java
index 9c84819..78af6c7 100644
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/SecurityConfig.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/SecurityConfig.java
@@ -55,8 +55,6 @@ public class SecurityConfig {
 				).permitAll()
 				.requestMatchers(// Allow the following POST endpoints to be public.
 						HttpMethod.POST,
-						"/gyms/*/submissions",
-						"/gyms/*/submissions/upload",
 						"/auth/token",
 						"/auth/register",
 						"/auth/activate",
diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebComponents.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebComponents.java
index 6ec6652..4ca698c 100644
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebComponents.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebComponents.java
@@ -1,5 +1,8 @@
 package nl.andrewlalis.gymboard_api.config;
 
+import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.CdnClient;
+import nl.andrewlalis.gymboard_api.util.ULID;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -11,4 +14,17 @@ public class WebComponents {
 	public PasswordEncoder passwordEncoder() {
 		return new BCryptPasswordEncoder(10);
 	}
+
+	@Bean
+	public ULID ulid() {
+		return new ULID();
+	}
+
+	@Value("${app.cdn-origin}")
+	private String cdnOrigin;
+
+	@Bean
+	public CdnClient cdnClient() {
+		return new CdnClient(cdnOrigin);
+	}
 }
diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebConfig.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebConfig.java
deleted file mode 100644
index f78f351..0000000
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/config/WebConfig.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package nl.andrewlalis.gymboard_api.config;
-
-import nl.andrewlalis.gymboard_api.util.ULID;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class WebConfig {
-	@Bean
-	public ULID ulid() {
-		return new ULID();
-	}
-}
diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ApiValidationException.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ApiValidationException.java
new file mode 100644
index 0000000..587ae51
--- /dev/null
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ApiValidationException.java
@@ -0,0 +1,17 @@
+package nl.andrewlalis.gymboard_api.domains.api.dto;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class ApiValidationException extends ResponseStatusException {
+	private final ValidationResponse validationResponse;
+
+	public ApiValidationException(ValidationResponse validationResponse) {
+		super(HttpStatus.BAD_REQUEST, "Validation failed.");
+		this.validationResponse = validationResponse;
+	}
+
+	public ValidationResponse getValidationResponse() {
+		return validationResponse;
+	}
+}
diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ValidationResponse.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ValidationResponse.java
new file mode 100644
index 0000000..001b184
--- /dev/null
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/dto/ValidationResponse.java
@@ -0,0 +1,22 @@
+package nl.andrewlalis.gymboard_api.domains.api.dto;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class ValidationResponse {
+	private boolean valid = true;
+	private List<String> messages = new ArrayList<>();
+
+	public void addMessage(String message) {
+		this.messages.add(message);
+		this.valid = false;
+	}
+
+	public boolean isValid() {
+		return valid;
+	}
+
+	public List<String> getMessages() {
+		return messages;
+	}
+}
diff --git a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/service/submission/ExerciseSubmissionService.java b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/service/submission/ExerciseSubmissionService.java
index 08681a6..a2f2cec 100644
--- a/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/service/submission/ExerciseSubmissionService.java
+++ b/gymboard-api/src/main/java/nl/andrewlalis/gymboard_api/domains/api/service/submission/ExerciseSubmissionService.java
@@ -3,13 +3,13 @@ package nl.andrewlalis.gymboard_api.domains.api.service.submission;
 import nl.andrewlalis.gymboard_api.domains.api.dao.GymRepository;
 import nl.andrewlalis.gymboard_api.domains.api.dao.ExerciseRepository;
 import nl.andrewlalis.gymboard_api.domains.api.dao.submission.SubmissionRepository;
-import nl.andrewlalis.gymboard_api.domains.api.dto.CompoundGymId;
-import nl.andrewlalis.gymboard_api.domains.api.dto.SubmissionPayload;
-import nl.andrewlalis.gymboard_api.domains.api.dto.SubmissionResponse;
+import nl.andrewlalis.gymboard_api.domains.api.dto.*;
 import nl.andrewlalis.gymboard_api.domains.api.model.Gym;
 import nl.andrewlalis.gymboard_api.domains.api.model.WeightUnit;
 import nl.andrewlalis.gymboard_api.domains.api.model.Exercise;
 import nl.andrewlalis.gymboard_api.domains.api.model.submission.Submission;
+import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.CdnClient;
+import nl.andrewlalis.gymboard_api.domains.api.service.cdn_client.UploadsClient;
 import nl.andrewlalis.gymboard_api.domains.auth.dao.UserRepository;
 import nl.andrewlalis.gymboard_api.domains.auth.model.User;
 import nl.andrewlalis.gymboard_api.util.ULID;
@@ -36,16 +36,18 @@ public class ExerciseSubmissionService {
 	private final ExerciseRepository exerciseRepository;
 	private final SubmissionRepository submissionRepository;
 	private final ULID ulid;
+	private final CdnClient cdnClient;
 
 	public ExerciseSubmissionService(GymRepository gymRepository,
 									 UserRepository userRepository, ExerciseRepository exerciseRepository,
 									 SubmissionRepository submissionRepository,
-									 ULID ulid) {
+									 ULID ulid, CdnClient cdnClient) {
 		this.gymRepository = gymRepository;
 		this.userRepository = userRepository;
 		this.exerciseRepository = exerciseRepository;
 		this.submissionRepository = submissionRepository;
 		this.ulid = ulid;
+		this.cdnClient = cdnClient;
 	}
 
 	@Transactional(readOnly = true)
@@ -64,16 +66,22 @@ public class ExerciseSubmissionService {
 	 */
 	@Transactional
 	public SubmissionResponse createSubmission(CompoundGymId id, String userId, SubmissionPayload payload) {
-		User user = userRepository.findById(userId)
-				.orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
 		Gym gym = gymRepository.findByCompoundId(id)
 				.orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
+		User user = userRepository.findById(userId)
+				.orElseThrow(() -> new ResponseStatusException(HttpStatus.FORBIDDEN));
+		if (!user.isActivated()) throw new ResponseStatusException(HttpStatus.FORBIDDEN);
 		Exercise exercise = exerciseRepository.findById(payload.exerciseShortName())
 				.orElseThrow(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid exercise."));
 
-		// TODO: Validate the submission data.
+		var validationResponse = validateSubmissionData(gym, user, exercise, payload);
+		if (!validationResponse.isValid()) {
+			throw new ApiValidationException(validationResponse);
+		}
 
 		// Create the submission.
+		LocalDateTime performedAt = payload.performedAt();
+		if (performedAt == null) performedAt = LocalDateTime.now();
 		BigDecimal rawWeight = BigDecimal.valueOf(payload.weight());
 		WeightUnit weightUnit = WeightUnit.parse(payload.weightUnit());
 		BigDecimal metricWeight = BigDecimal.valueOf(payload.weight());
@@ -81,17 +89,47 @@ public class ExerciseSubmissionService {
 			metricWeight = WeightUnit.toKilograms(rawWeight);
 		}
 		Submission submission = submissionRepository.saveAndFlush(new Submission(
-				ulid.nextULID(),
-				gym,
-				exercise,
-				user,
-				LocalDateTime.now(),
+				ulid.nextULID(), gym, exercise, user,
+				performedAt,
 				payload.videoFileId(),
-				rawWeight,
-				weightUnit,
-				metricWeight,
-				payload.reps()
+				rawWeight, weightUnit, metricWeight, payload.reps()
 		));
 		return new SubmissionResponse(submission);
 	}
+
+	private ValidationResponse validateSubmissionData(Gym gym, User user, Exercise exercise, SubmissionPayload data) {
+		ValidationResponse response = new ValidationResponse();
+		LocalDateTime cutoff = LocalDateTime.now().minusDays(3);
+		if (data.performedAt() != null && data.performedAt().isAfter(LocalDateTime.now())) {
+			response.addMessage("Cannot submit an exercise from the future.");
+		}
+		if (data.performedAt() != null && data.performedAt().isBefore(cutoff)) {
+			response.addMessage("Cannot submit an exercise too far in the past.");
+		}
+		if (data.reps() < 1 || data.reps() > 500) {
+			response.addMessage("Invalid rep count.");
+		}
+		BigDecimal rawWeight = BigDecimal.valueOf(data.weight());
+		WeightUnit weightUnit = WeightUnit.parse(data.weightUnit());
+		BigDecimal metricWeight = WeightUnit.toKilograms(rawWeight, weightUnit);
+
+		if (metricWeight.compareTo(BigDecimal.ZERO) <= 0 || metricWeight.compareTo(BigDecimal.valueOf(1000.0)) > 0) {
+			response.addMessage("Invalid weight.");
+		}
+
+		try {
+			UploadsClient.FileMetadataResponse metadata = cdnClient.uploads.getFileMetadata(data.videoFileId());
+			if (metadata == null) {
+				response.addMessage("Missing video file.");
+			} else if (!metadata.availableForDownload()) {
+				response.addMessage("File not yet available for download.");
+			} else if (!"video/mp4".equals(metadata.mimeType())) {
+				response.addMessage("Invalid video file format.");
+			}
+		} catch (Exception e) {
+			log.error("Error fetching file metadata.", e);
+			throw new ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Error fetching uploaded video file metadata.");
+		}
+		return response;
+	}
 }
diff --git a/gymboard-app/src/api/main/submission.ts b/gymboard-app/src/api/main/submission.ts
index 3818e72..edce481 100644
--- a/gymboard-app/src/api/main/submission.ts
+++ b/gymboard-app/src/api/main/submission.ts
@@ -4,12 +4,12 @@ import { api } from 'src/api/main/index';
 import { getGymCompoundId, GymRoutable } from 'src/router/gym-routing';
 import { DateTime } from 'luxon';
 import {User} from 'src/api/main/auth';
+import {AuthStoreType} from 'stores/auth-store';
 
 /**
  * The data that's sent when creating a submission.
  */
 export interface ExerciseSubmissionPayload {
-  name: string;
   exerciseShortName: string;
   weight: number;
   weightUnit: string;
@@ -59,10 +59,11 @@ class SubmissionsModule {
 
   public async createSubmission(
     gym: GymRoutable,
-    payload: ExerciseSubmissionPayload
+    payload: ExerciseSubmissionPayload,
+    authStore: AuthStoreType
   ): Promise<ExerciseSubmission> {
     const gymId = getGymCompoundId(gym);
-    const response = await api.post(`/gyms/${gymId}/submissions`, payload);
+    const response = await api.post(`/gyms/${gymId}/submissions`, payload, authStore.axiosConfig);
     return parseSubmission(response.data);
   }
 }
diff --git a/gymboard-app/src/i18n/en-US/index.ts b/gymboard-app/src/i18n/en-US/index.ts
index 765bf9f..04e5c38 100644
--- a/gymboard-app/src/i18n/en-US/index.ts
+++ b/gymboard-app/src/i18n/en-US/index.ts
@@ -31,13 +31,18 @@ export default {
       recentLifts: 'Recent Lifts',
     },
     submitPage: {
-      name: 'Your Name',
+      loginToSubmit: 'Login or register to submit your lift',
       exercise: 'Exercise',
       weight: 'Weight',
       reps: 'Repetitions',
       date: 'Date',
       upload: 'Video File to Upload',
       submit: 'Submit',
+      submitUploading: 'Uploading video...',
+      submitCreatingSubmission: 'Creating submission...',
+      submitVideoProcessing: 'Processing...',
+      submitComplete: 'Submission complete!',
+      submitFailed: 'Submission processing failed. Please try again later.',
     },
   },
   userPage: {
diff --git a/gymboard-app/src/i18n/nl-NL/index.ts b/gymboard-app/src/i18n/nl-NL/index.ts
index d83c6f4..11d3e72 100644
--- a/gymboard-app/src/i18n/nl-NL/index.ts
+++ b/gymboard-app/src/i18n/nl-NL/index.ts
@@ -31,7 +31,7 @@ export default {
       recentLifts: 'Recente liften',
     },
     submitPage: {
-      name: 'Jouw naam',
+      loginToSubmit: 'Log in of meld je aan om je lift te indienen',
       exercise: 'Oefening',
       weight: 'Gewicht',
       reps: 'Repetities',
diff --git a/gymboard-app/src/pages/gym/GymSubmissionPage.vue b/gymboard-app/src/pages/gym/GymSubmissionPage.vue
index 3d79498..2787dd6 100644
--- a/gymboard-app/src/pages/gym/GymSubmissionPage.vue
+++ b/gymboard-app/src/pages/gym/GymSubmissionPage.vue
@@ -11,17 +11,10 @@ A high-level overview of the submission process is as follows:
 5. We wait on the submission page until the submission is done processing, then show a message and navigate to the submission page.
 -->
 <template>
-  <q-page v-if="gym">
+  <q-page v-if="gym && authStore.loggedIn">
     <!-- The below form contains the fields that will become part of the submission. -->
     <q-form @submit="onSubmitted">
       <SlimForm>
-        <div class="row">
-          <q-input
-            :label="$t('gymPage.submitPage.name')"
-            v-model="submissionModel.name"
-            class="col-12"
-          />
-        </div>
         <div class="row">
           <q-select
             :options="exerciseOptions"
@@ -76,57 +69,66 @@ A high-level overview of the submission process is as follows:
         </div>
         <div class="row">
           <q-btn
-            :label="$t('gymPage.submitPage.submit')"
+            :label="submitButtonLabel"
             color="primary"
             type="submit"
             class="q-mt-md col-12"
             :disable="!submitButtonEnabled()"
           />
         </div>
-        <div class="row text-center" v-if="infoMessage">
-          <p>{{ infoMessage }}</p>
-        </div>
       </SlimForm>
     </q-form>
   </q-page>
+
+  <!-- If the user is not logged in, show a link to log in. -->
+  <q-page v-if="!authStore.loggedIn">
+    <div class="q-mt-lg text-center">
+      <router-link :to="`/login?next=${route.fullPath}`" class="text-primary">Login or register to submit your lift</router-link>
+    </div>
+  </q-page>
 </template>
 
 <script setup lang="ts">
-import { onMounted, ref, Ref } from 'vue';
-import { getGymFromRoute, getGymRoute } from 'src/router/gym-routing';
+import {onMounted, ref, Ref} from 'vue';
+import {getGymFromRoute} from 'src/router/gym-routing';
 import SlimForm from 'components/SlimForm.vue';
 import api from 'src/api/main';
-import { Gym } from 'src/api/main/gyms';
-import { Exercise } from 'src/api/main/exercises';
-import { useRouter } from 'vue-router';
-import { sleep } from 'src/utils';
-import { uploadVideoToCDN, VideoProcessingStatus, waitUntilVideoProcessingComplete } from 'src/api/cdn';
+import {Gym} from 'src/api/main/gyms';
+import {Exercise} from 'src/api/main/exercises';
+import {useRoute, useRouter} from 'vue-router';
+import {showApiErrorToast, sleep} from 'src/utils';
+import {uploadVideoToCDN, VideoProcessingStatus, waitUntilVideoProcessingComplete} from 'src/api/cdn';
+import {useAuthStore} from 'stores/auth-store';
+import {useI18n} from 'vue-i18n';
+import {useQuasar} from "quasar";
+
+const authStore = useAuthStore();
+const router = useRouter();
+const route = useRoute();
+const i18n = useI18n();
+const quasar = useQuasar();
 
 interface Option {
   value: string;
   label: string;
 }
 
-const router = useRouter();
-
 const gym: Ref<Gym | undefined> = ref<Gym>();
 const exercises: Ref<Array<Exercise> | undefined> = ref<Array<Exercise>>();
 const exerciseOptions: Ref<Array<Option>> = ref([]);
 let submissionModel = ref({
-  name: '',
   exerciseShortName: '',
   weight: 100,
   weightUnit: 'Kg',
   reps: 1,
   videoFileId: '',
-  videoFile: null,
   date: new Date().toLocaleDateString('en-CA'),
 });
 const selectedVideoFile: Ref<File | undefined> = ref<File>();
 const weightUnits = ['KG', 'LBS'];
 
 const submitting = ref(false);
-const infoMessage: Ref<string | undefined> = ref();
+const submitButtonLabel = ref(i18n.t('gymPage.submitPage.submit'));
 
 onMounted(async () => {
   try {
@@ -154,30 +156,59 @@ function validateForm() {
   return true;
 }
 
+/**
+ * Runs through the entire submission process.
+ */
 async function onSubmitted() {
-  if (!selectedVideoFile.value || !gym.value) throw new Error('Invalid state.');
+  if (!selectedVideoFile.value || !gym.value) return;
+
   submitting.value = true;
   try {
-    infoMessage.value = 'Uploading video...';
+    // 1. Upload the video to the CDN.
+    submitButtonLabel.value = i18n.t('gymPage.submitPage.submitUploading');
     await sleep(1000);
     submissionModel.value.videoFileId = await uploadVideoToCDN(selectedVideoFile.value);
-    infoMessage.value = 'Creating submission...';
-    await sleep(1000);
-    const submission = await api.gyms.submissions.createSubmission(
-      gym.value,
-      submissionModel.value
-    );
-    infoMessage.value = 'Submission processing...';
-    const finalStatus = await waitUntilVideoProcessingComplete(submission.videoFileId);
-    if (finalStatus === VideoProcessingStatus.COMPLETED) {
-      infoMessage.value = 'Submission complete!';
-      await sleep(1000);
-      await router.push(getGymRoute(gym.value));
+
+    // 2. Wait for the video to be processed.
+    submitButtonLabel.value = i18n.t('gymPage.submitPage.submitVideoProcessing');
+    const processingStatus = await waitUntilVideoProcessingComplete(submissionModel.value.videoFileId);
+
+    // 3. If successful upload, create the submission.
+    if (processingStatus === VideoProcessingStatus.COMPLETED) {
+      try {
+        submitButtonLabel.value = i18n.t('gymPage.submitPage.submitCreatingSubmission');
+        await sleep(1000);
+        const submission = await api.gyms.submissions.createSubmission(
+          gym.value,
+          submissionModel.value,
+          authStore
+        );
+        submitButtonLabel.value = i18n.t('gymPage.submitPage.submitComplete');
+        await sleep(2000);
+        await router.push(`/submissions/${submission.id}`);
+      } catch (error: any) {
+        if (error.response && error.response.status === 400) {
+          quasar.notify({
+            message: error.response.data.message,
+            type: 'warning',
+            position: 'top'
+          });
+          submitButtonLabel.value = i18n.t('gymPage.submitPage.submitFailed');
+          await sleep(3000);
+        } else {
+          showApiErrorToast(i18n, quasar);
+        }
+      }
+    // Otherwise, report the failed submission and give up.
     } else {
-      infoMessage.value = 'Submission processing failed. Please try again later.';
+      submitButtonLabel.value = i18n.t('gymPage.submitPage.submitFailed');
+      await sleep(3000);
     }
+  } catch (error: any) {
+    showApiErrorToast(i18n, quasar);
   } finally {
     submitting.value = false;
+    submitButtonLabel.value = i18n.t('gymPage.submitPage.submit');
   }
 }
 </script>
diff --git a/gymboard-search/src/main/java/nl/andrewlalis/gymboardsearch/index/WeightedWildcardQueryBuilder.java b/gymboard-search/src/main/java/nl/andrewlalis/gymboardsearch/index/WeightedWildcardQueryBuilder.java
index 6e795c9..ffa6462 100644
--- a/gymboard-search/src/main/java/nl/andrewlalis/gymboardsearch/index/WeightedWildcardQueryBuilder.java
+++ b/gymboard-search/src/main/java/nl/andrewlalis/gymboardsearch/index/WeightedWildcardQueryBuilder.java
@@ -23,7 +23,9 @@ public class WeightedWildcardQueryBuilder {
 	}
 
 	public Optional<Query> build(String rawSearchQuery) {
-		if (rawSearchQuery == null || rawSearchQuery.isBlank()) return Optional.empty();
+		if (rawSearchQuery == null) return Optional.empty();
+		rawSearchQuery = rawSearchQuery.replaceAll("\\*", "");
+		if (rawSearchQuery.isBlank()) return Optional.empty();
 		String[] terms = rawSearchQuery.toLowerCase().split("\\s+");
 		for (String term : terms) {
 			String searchTerm = term + "*";