UPDATE: fixed signup method and added input sanitisation

This commit is contained in:
white
2025-01-27 11:21:55 +00:00
parent e0d748ed06
commit 3dc44da69a
4 changed files with 60 additions and 8 deletions


@@ -2,7 +2,7 @@ from flask import Blueprint, session, request, jsonify
from werkzeug.security import generate_password_hash, check_password_hash
from flask_cors import cross_origin
from database.database import Database
from blueprints.utils import login_required
from blueprints.utils import login_required, sanitizer
auth_bp = Blueprint("auth", __name__)
@@ -31,7 +31,20 @@ def signup():
"error_fields": fields,
"message": "Missing required fields"
}), 400
# Sanitize the inputs
try:
username = sanitizer(username, "username")
email = sanitizer(email, "email")
password = sanitizer(password, "password")
except ValueError as e:
return jsonify({
"account_created": False,
"error_fields": fields,
"message": "Invalid input received"
}), 400
# Create a connection to the database
db = Database()
cursor = db.create_connection()
@@ -64,14 +77,13 @@ def signup():
# Create new user
cursor.execute(
"""INSERT INTO users
(username, password, email, num_followers, isPartenered, bio)
VALUES (?, ?, ?, ?, ?, ?)""",
(username, password, email, num_followers, bio)
VALUES (?, ?, ?, ?, ?)""",
(
username,
generate_password_hash(password),
email,
0,
0,
"This user does not have a Bio."
)
)
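Review bot: On a sanitizer failure the handler returns `"error_fields": fields`, but `fields` appears to be the missing-field list built above the hunk, so a rejected value is reported with an empty or unrelated field list, and the bound `e` is never read. Sanitizing each field in its own `try` (or collecting the failing names) would let the response name the offending field while keeping the generic message; otherwise `except ValueError:` without the binding is enough. Note also that the sanitizer strips whitespace from the password before `generate_password_hash` is applied, so the login path (outside this diff) must apply the same normalisation or passwords with leading or trailing spaces will never verify. The signup body begins and ends outside these hunks.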


@@ -74,7 +74,7 @@ def send_chat(data):
"""
# Take the message information from frontend
chatter_id = data.get("chatter_id") # Need to change this to get session info
chatter_id = session.get("username")
stream_id = data.get("stream_id")
message = data.get("message")
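Review bot: `session.get("username")` yields None when the socket has no authenticated session, and the hunk continues straight to reading stream_id and message, so an anonymous client would proceed to post a chat message attributed to None. A guard such as `if chatter_id is None: return` (or emitting an error event) right after the assignment would reject that case explicitly. send_chat's body continues outside the hunk.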


@@ -1,5 +1,6 @@
from flask import redirect, url_for, request, g, session
from functools import wraps
from re import match
def logged_in_user():
g.user = session.get("username", None)
@@ -21,4 +22,43 @@ def admin_required(view):
if g.admin != "admin":
return redirect(url_for("login", next=request.url))
return view(*args, **kwargs)
return wrapped_view
return wrapped_view
import re
def sanitizer(user_input: str, input_type="username") -> str:
"""
Sanitizes user input based on the specified input type.
`input_type`: The type of input to sanitize (e.g., 'username', 'email', 'password').
"""
# Strip leading and trailing whitespace
sanitised_input = user_input.strip()
# Define allowed patterns and length constraints for each type
rules = {
"username": {
"pattern": r"^[a-zA-Z0-9_]+$", # Alphanumeric + underscores
"min_length": 3,
"max_length": 50,
},
"email": {
"pattern": r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$", # Standard email regex
"min_length": 5,
"max_length": 128,
},
"password": {
"pattern": r"^[\S]+$", # Non-whitespace characters only
"min_length": 8,
"max_length": 256,
},
}
# Get the validation rules for the specified type
r = rules.get(input_type)
if not r or \
not (r["min_length"] <= len(sanitised_input) <= r["max_length"]) or \
not re.match(r["pattern"], sanitised_input):
raise ValueError("Unaccepted character or length in input")
return sanitised_input
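Review bot: The function calls `user_input.strip()` without checking the type, so a non-string value from a JSON body (a number or null) raises AttributeError rather than ValueError and bypasses the caller's `except ValueError`; a leading `if not isinstance(user_input, str): raise ValueError("Unaccepted character or length in input")` closes that gap. The `import re` placed mid-file duplicates the `from re import match` added in the first hunk, and `match` itself is never used — keep one top-level import. `re.fullmatch(r["pattern"], sanitised_input)` would make the `^`/`$` anchors redundant and avoid `$` matching before a trailing newline. The docstring should also state the return value and that ValueError is raised for an unknown `input_type` as well as for bad content.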


@@ -7,9 +7,9 @@ CREATE TABLE users
user_id INTEGER PRIMARY KEY AUTOINCREMENT,
username VARCHAR(50) NOT NULL,
password VARCHAR(256) NOT NULL,
email VARCHAR(64) NOT NULL,
email VARCHAR(128) NOT NULL,
num_followers INTEGER NOT NULL,
bio TEXT
bio VARCHAR(1024)
);
SELECT * FROM users;
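Review bot: The widened `email VARCHAR(128)` matches the sanitizer's max_length, but if this schema is for SQLite (as `INTEGER PRIMARY KEY AUTOINCREMENT` suggests) the VARCHAR lengths are not enforced, so the sanitizer remains the only length check and a comment saying so would help. Neither `username` nor `email` carries a UNIQUE constraint, so any duplicate check in signup is a check-then-insert race; `username VARCHAR(50) NOT NULL UNIQUE,` would make the database the authority.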