From 3dc44da69a7704ea12366b72e70ce6cbac4b01c7 Mon Sep 17 00:00:00 2001 From: white <122345776@umail.ucc.ie> Date: Mon, 27 Jan 2025 11:21:55 +0000 Subject: [PATCH] UPDATE: fixed signup method and added input sanitisation --- web_server/blueprints/authentication.py | 20 +++++++++--- web_server/blueprints/chat.py | 2 +- web_server/blueprints/utils.py | 42 ++++++++++++++++++++++++- web_server/database/users.sql | 4 +-- 4 files changed, 60 insertions(+), 8 deletions(-) diff --git a/web_server/blueprints/authentication.py b/web_server/blueprints/authentication.py index 0012fbc..40caec0 100644 --- a/web_server/blueprints/authentication.py +++ b/web_server/blueprints/authentication.py @@ -2,7 +2,7 @@ from flask import Blueprint, session, request, jsonify from werkzeug.security import generate_password_hash, check_password_hash from flask_cors import cross_origin from database.database import Database -from blueprints.utils import login_required +from blueprints.utils import login_required, sanitizer auth_bp = Blueprint("auth", __name__) @@ -31,7 +31,20 @@ def signup(): "error_fields": fields, "message": "Missing required fields" }), 400 + + # Sanitize the inputs + try: + username = sanitizer(username, "username") + email = sanitizer(email, "email") + password = sanitizer(password, "password") + except ValueError as e: + return jsonify({ + "account_created": False, + "error_fields": fields, + "message": "Invalid input received" + }), 400 + # Create a connection to the database db = Database() cursor = db.create_connection() @@ -64,14 +77,13 @@ def signup(): # Create new user cursor.execute( """INSERT INTO users - (username, password, email, num_followers, isPartenered, bio) - VALUES (?, ?, ?, ?, ?, ?)""", + (username, password, email, num_followers, bio) + VALUES (?, ?, ?, ?, ?)""", ( username, generate_password_hash(password), email, 0, - 0, "This user does not have a Bio." ) ) 
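Review bot: The `except ValueError as e` branch in the signup hunk returns `"error_fields": fields`, which is the missing-field list built above this hunk, so the client is not told which of username, email or password failed validation and `e` is never used. Running the three `sanitizer` calls in a loop over `(("username", username), ("email", email), ("password", password))` that appends the field name to an `invalid` list on ValueError, and returning that list as `error_fields`, would make the 400 actionable. Note also that the sanitizer strips whitespace from the password before `generate_password_hash` sees it; the login handler is not in this diff, and if it passes the raw submitted password to `check_password_hash`, a password entered with leading or trailing spaces at signup will never verify. signup continues past the end of the hunk.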
diff --git a/web_server/blueprints/chat.py b/web_server/blueprints/chat.py index d0b580a..a792b78 100644 --- a/web_server/blueprints/chat.py +++ b/web_server/blueprints/chat.py @@ -74,7 +74,7 @@ def send_chat(data): """ # Take the message information from frontend - chatter_id = data.get("chatter_id") # Need to change this to get session info + chatter_id = session.get("username") stream_id = data.get("stream_id") message = data.get("message") diff --git a/web_server/blueprints/utils.py b/web_server/blueprints/utils.py index 2ccf32c..a496a8d 100644 --- a/web_server/blueprints/utils.py +++ b/web_server/blueprints/utils.py @@ -1,5 +1,6 @@ from flask import redirect, url_for, request, g, session from functools import wraps +from re import match def logged_in_user(): g.user = session.get("username", None) 
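Review bot: `session.get("username")` yields None for a caller with no logged-in session, and nothing in the hunk rejects that, so the message presumably goes on to be stored or broadcast with a None sender; add `if chatter_id is None: return` (or emit an error event) before `stream_id` and `message` are read. If `send_chat` is a Socket.IO event handler, also confirm that the Flask session is populated in that context and that `session` is imported in chat.py, since the import block is outside this hunk. The rest of send_chat is outside the hunk.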
@@ -21,4 +22,43 @@ def admin_required(view): if g.admin != "admin": return redirect(url_for("login", next=request.url)) return view(*args, **kwargs) - return wrapped_view \ No newline at end of file + return wrapped_view + +import re + +def sanitizer(user_input: str, input_type="username") -> str: + """ + Sanitizes user input based on the specified input type. + + `input_type`: The type of input to sanitize (e.g., 'username', 'email', 'password'). + """ + # Strip leading and trailing whitespace + sanitised_input = user_input.strip() + + # Define allowed patterns and length constraints for each type + rules = { + "username": { + "pattern": r"^[a-zA-Z0-9_]+$", # Alphanumeric + underscores + "min_length": 3, + "max_length": 50, + }, + "email": { + "pattern": r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$", # Standard email regex + "min_length": 5, + "max_length": 128, + }, + "password": { + "pattern": r"^[\S]+$", # Non-whitespace characters only + "min_length": 8, + "max_length": 256, + }, + } + + # Get the validation rules for the specified type + r = rules.get(input_type) + if not r or \ + not (r["min_length"] <= len(sanitised_input) <= r["max_length"]) or \ + not re.match(r["pattern"], sanitised_input): + raise ValueError("Unaccepted character or length in input") + + return sanitised_input diff --git a/web_server/database/users.sql b/web_server/database/users.sql index 764de41..2c89fb7 100644 --- a/web_server/database/users.sql +++ b/web_server/database/users.sql @@ -7,9 +7,9 @@ CREATE TABLE users user_id INTEGER PRIMARY KEY AUTOINCREMENT, username VARCHAR(50) NOT NULL, password VARCHAR(256) NOT NULL, - email VARCHAR(64) NOT NULL, + email VARCHAR(128) NOT NULL, num_followers INTEGER NOT NULL, - bio TEXT + bio VARCHAR(1024) ); SELECT * FROM users;
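Review bot: `sanitizer` calls `user_input.strip()` before any type check, so a JSON body carrying a non-string value (`"username": 123` or `null`) raises AttributeError instead of the ValueError that signup catches, turning bad input into a 500; add `if not isinstance(user_input, str): raise ValueError("Unaccepted character or length in input")` as the first statement. The password rule both strips the value and, via `^[\S]+$`, rejects any internal space, so passphrases are refused and the stored hash may not match what the user typed; a secret should be length-checked only, e.g. `sanitised_input = user_input if input_type == "password" else user_input.strip()` with the pattern relaxed to `r"^[^\x00-\x1f\x7f]+$"`. Separately, `import re` is placed between two function definitions while the earlier hunk adds an unused `from re import match`; keep a single `import re` at the top of the file and drop the other.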
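Review bot: Neither `username` nor `email` carries a UNIQUE constraint in this table, so any duplicate check signup performs before its INSERT is a check-then-act race and two concurrent signups can create the same account; declare `username VARCHAR(50) NOT NULL UNIQUE,` and `email VARCHAR(128) NOT NULL UNIQUE,` and handle the driver's IntegrityError in signup. If this schema targets SQLite, which the AUTOINCREMENT keyword suggests, the widened VARCHAR(128) and VARCHAR(1024) lengths are not enforced by the engine, so the sanitizer's max_length values are the only limits actually applied.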