UPDATE: fixed signup method and added input sanitisation
@@ -2,7 +2,7 @@ from flask import Blueprint, session, request, jsonify
|
|||||||
from werkzeug.security import generate_password_hash, check_password_hash
|
from werkzeug.security import generate_password_hash, check_password_hash
|
||||||
from flask_cors import cross_origin
|
from flask_cors import cross_origin
|
||||||
from database.database import Database
|
from database.database import Database
|
||||||
from blueprints.utils import login_required
|
from blueprints.utils import login_required, sanitizer
|
||||||
|
|
||||||
auth_bp = Blueprint("auth", __name__)
|
auth_bp = Blueprint("auth", __name__)
|
||||||
|
|
||||||
@@ -31,7 +31,20 @@ def signup():
|
|||||||
"error_fields": fields,
|
"error_fields": fields,
|
||||||
"message": "Missing required fields"
|
"message": "Missing required fields"
|
||||||
}), 400
|
}), 400
|
||||||
|
|
||||||
|
# Sanitize the inputs
|
||||||
|
try:
|
||||||
|
username = sanitizer(username, "username")
|
||||||
|
email = sanitizer(email, "email")
|
||||||
|
password = sanitizer(password, "password")
|
||||||
|
except ValueError as e:
|
||||||
|
return jsonify({
|
||||||
|
"account_created": False,
|
||||||
|
"error_fields": fields,
|
||||||
|
"message": "Invalid input received"
|
||||||
|
}), 400
|
||||||
|
|
||||||
|
# Create a connection to the database
|
||||||
db = Database()
|
db = Database()
|
||||||
cursor = db.create_connection()
|
cursor = db.create_connection()
|
||||||
|
|
||||||
@@ -64,14 +77,13 @@ def signup():
|
|||||||
# Create new user
|
# Create new user
|
||||||
cursor.execute(
|
cursor.execute(
|
||||||
"""INSERT INTO users
|
"""INSERT INTO users
|
||||||
(username, password, email, num_followers, isPartenered, bio)
|
(username, password, email, num_followers, bio)
|
||||||
VALUES (?, ?, ?, ?, ?, ?)""",
|
VALUES (?, ?, ?, ?, ?)""",
|
||||||
(
|
(
|
||||||
username,
|
username,
|
||||||
generate_password_hash(password),
|
generate_password_hash(password),
|
||||||
email,
|
email,
|
||||||
0,
|
0,
|
||||||
0,
|
|
||||||
"This user does not have a Bio."
|
"This user does not have a Bio."
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
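Review bot: In the new `except ValueError` branch of signup (second hunk of this file) the response carries `"error_fields": fields`, but `fields` is, as far as the hunk shows, the missing-fields list built for the "Missing required fields" 400 just above it, so a rejected value is reported against whichever fields were missing (presumably none, since that branch already returned) rather than against the field that failed. Validating each field separately and returning its own name fixes that, as below. Separately, `sanitizer` strips leading and trailing whitespace from the password before it is hashed; that only works if the login path applies the same normalisation, which is not visible in this commit, and it is safer not to strip passwords at all. signup's body continues above and below this hunk (the database insert is in the third hunk of the file).
```python
    # Validate one field at a time so the response names the field that
    # failed, not the missing-fields list computed above
    sanitised = {}
    for field_name, value in (("username", username), ("email", email), ("password", password)):
        try:
            sanitised[field_name] = sanitizer(value, field_name)
        except ValueError:
            return jsonify({
                "account_created": False,
                "error_fields": [field_name],
                "message": "Invalid input received"
            }), 400
    username, email, password = sanitised["username"], sanitised["email"], sanitised["password"]
    # … unchanged: database connection and insert …
```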
|||||||
@@ -74,7 +74,7 @@ def send_chat(data):
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
# Take the message information from frontend
|
# Take the message information from frontend
|
||||||
chatter_id = data.get("chatter_id") # Need to change this to get session info
|
chatter_id = session.get("username")
|
||||||
stream_id = data.get("stream_id")
|
stream_id = data.get("stream_id")
|
||||||
message = data.get("message")
|
message = data.get("message")
|
||||||
|
|
||||||
|
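Review bot: `chatter_id = session.get("username")` yields None for a socket client that has no logged-in session, and the handler goes on to read `stream_id` and `message` exactly as before, so an unauthenticated message would be processed with a None sender (what happens to it downstream is outside the hunk). Reject that case before anything else: `if chatter_id is None: return  # not logged in`, or emit an error event if the client is expected to handle one. `message` and `stream_id` are still taken from the client unchecked; the new `sanitizer` has no rule for either, so at least a length cap on `message` would be worth adding here. send_chat's body continues past the end of the hunk.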
|||||||
@@ -1,5 +1,6 @@
|
|||||||
from flask import redirect, url_for, request, g, session
|
from flask import redirect, url_for, request, g, session
|
||||||
from functools import wraps
|
from functools import wraps
|
||||||
|
from re import match
|
||||||
|
|
||||||
def logged_in_user():
|
def logged_in_user():
|
||||||
g.user = session.get("username", None)
|
g.user = session.get("username", None)
|
||||||
@@ -21,4 +22,43 @@ def admin_required(view):
|
|||||||
if g.admin != "admin":
|
if g.admin != "admin":
|
||||||
return redirect(url_for("login", next=request.url))
|
return redirect(url_for("login", next=request.url))
|
||||||
return view(*args, **kwargs)
|
return view(*args, **kwargs)
|
||||||
return wrapped_view
|
return wrapped_view
|
||||||
|
|
||||||
|
import re
|
||||||
|
|
||||||
|
def sanitizer(user_input: str, input_type="username") -> str:
|
||||||
|
"""
|
||||||
|
Sanitizes user input based on the specified input type.
|
||||||
|
|
||||||
|
`input_type`: The type of input to sanitize (e.g., 'username', 'email', 'password').
|
||||||
|
"""
|
||||||
|
# Strip leading and trailing whitespace
|
||||||
|
sanitised_input = user_input.strip()
|
||||||
|
|
||||||
|
# Define allowed patterns and length constraints for each type
|
||||||
|
rules = {
|
||||||
|
"username": {
|
||||||
|
"pattern": r"^[a-zA-Z0-9_]+$", # Alphanumeric + underscores
|
||||||
|
"min_length": 3,
|
||||||
|
"max_length": 50,
|
||||||
|
},
|
||||||
|
"email": {
|
||||||
|
"pattern": r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$", # Standard email regex
|
||||||
|
"min_length": 5,
|
||||||
|
"max_length": 128,
|
||||||
|
},
|
||||||
|
"password": {
|
||||||
|
"pattern": r"^[\S]+$", # Non-whitespace characters only
|
||||||
|
"min_length": 8,
|
||||||
|
"max_length": 256,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
# Get the validation rules for the specified type
|
||||||
|
r = rules.get(input_type)
|
||||||
|
if not r or \
|
||||||
|
not (r["min_length"] <= len(sanitised_input) <= r["max_length"]) or \
|
||||||
|
not re.match(r["pattern"], sanitised_input):
|
||||||
|
raise ValueError("Unaccepted character or length in input")
|
||||||
|
|
||||||
|
return sanitised_input
|
||||||
|
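Review bot: `sanitizer` calls `user_input.strip()` before any type check, so a non-string value in the signup body (a JSON number or null) raises AttributeError, which the caller's `except ValueError` in signup does not catch, turning bad input into a 500. An unknown `input_type` takes the same `ValueError("Unaccepted character or length in input")` path, so a caller typo would be reported to the user as invalid input rather than surfacing as a bug; a separate exception type keeps those apart. The file now imports `re` twice — `from re import match` at the top, which nothing uses, and `import re` between the two functions — so keep a single `import re` at the top and drop the other. The email pattern also accepts `..` and a trailing `.` in the domain part, which is probably acceptable for a signup form but worth knowing.
```python
def sanitizer(user_input: str, input_type="username") -> str:
    # … unchanged: docstring …
    if not isinstance(user_input, str):
        raise ValueError("Input must be a string")
    # Strip leading and trailing whitespace
    sanitised_input = user_input.strip()
    # … unchanged: rules table …
    r = rules.get(input_type)
    if r is None:
        # A caller bug, not bad user input: must not be masked by signup's ValueError handler
        raise LookupError(f"unknown input_type {input_type!r}")
    # … unchanged: length and pattern checks, return …
```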
|||||||
@@ -7,9 +7,9 @@ CREATE TABLE users
|
|||||||
user_id INTEGER PRIMARY KEY AUTOINCREMENT,
|
user_id INTEGER PRIMARY KEY AUTOINCREMENT,
|
||||||
username VARCHAR(50) NOT NULL,
|
username VARCHAR(50) NOT NULL,
|
||||||
password VARCHAR(256) NOT NULL,
|
password VARCHAR(256) NOT NULL,
|
||||||
email VARCHAR(64) NOT NULL,
|
email VARCHAR(128) NOT NULL,
|
||||||
num_followers INTEGER NOT NULL,
|
num_followers INTEGER NOT NULL,
|
||||||
bio TEXT
|
bio VARCHAR(1024)
|
||||||
);
|
);
|
||||||
|
|
||||||
SELECT * FROM users;
|
SELECT * FROM users;
|
||||||
|
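Review bot: `username` and `email` are `NOT NULL` but not `UNIQUE`, so nothing at the database level stops two accounts with the same name or address, and any application-side existence check (not visible in this commit) can be raced by two concurrent signups; change the two lines to `username VARCHAR(50) NOT NULL UNIQUE,` and `email VARCHAR(128) NOT NULL UNIQUE,`. If this is SQLite, as `AUTOINCREMENT` suggests, the `VARCHAR(128)` and new `VARCHAR(1024)` lengths are not enforced at all — SQLite ignores the declared length — so the sanitizer's `max_length` values are the only limit on username and email, and `bio` has none in the code shown; a `CHECK(length(bio) <= 1024)` on that column would make the 1024 real.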
|||||||