UPDATE: fixed signup method and added input sanitisation

web_server/blueprints/authentication.py

@@ -2,7 +2,7 @@ from flask import Blueprint, session, request, jsonify
 from werkzeug.security import generate_password_hash, check_password_hash
 from flask_cors import cross_origin
 from database.database import Database
-from blueprints.utils import login_required
+from blueprints.utils import login_required, sanitizer
 
 auth_bp = Blueprint("auth", __name__)
 
@@ -32,6 +32,19 @@ def signup():
             "message": "Missing required fields"
         }), 400
     
+    # Sanitize the inputs
+    try:
+        username = sanitizer(username, "username")
+        email = sanitizer(email, "email")
+        password = sanitizer(password, "password")
+    except ValueError as e:
+        return jsonify({
+            "account_created": False,
+            "error_fields": fields,
+            "message": "Invalid input received"
+        }), 400
+
+    # Create a connection to the database
     db = Database()
     cursor = db.create_connection()
 
@@ -64,14 +77,13 @@ def signup():
         # Create new user
         cursor.execute(
             """INSERT INTO users 
-               (username, password, email, num_followers, isPartenered, bio)
-               VALUES (?, ?, ?, ?, ?, ?)""",
+               (username, password, email, num_followers, bio)
+               VALUES (?, ?, ?, ?, ?)""",
             (
                 username,
                 generate_password_hash(password),
                 email,
                 0,
-                0,
                 "This user does not have a Bio."
             )
         )

web_server/blueprints/chat.py

@@ -74,7 +74,7 @@ def send_chat(data):
     """
 
     # Take the message information from frontend
-    chatter_id = data.get("chatter_id") # Need to change this to get session info
+    chatter_id = session.get("username")
     stream_id = data.get("stream_id")
     message = data.get("message")
 

web_server/blueprints/utils.py

@@ -1,5 +1,6 @@
 from flask import redirect, url_for, request, g, session
 from functools import wraps
+from re import match
 
 def logged_in_user():
     g.user = session.get("username", None)
@@ -22,3 +23,42 @@ def admin_required(view):
             return redirect(url_for("login", next=request.url))
         return view(*args, **kwargs)
     return wrapped_view
+
+import re
+
+def sanitizer(user_input: str, input_type="username") -> str:
+    """
+    Sanitizes user input based on the specified input type.
+    
+    `input_type`: The type of input to sanitize (e.g., 'username', 'email', 'password').
+    """
+    # Strip leading and trailing whitespace
+    sanitised_input = user_input.strip()
+
+    # Define allowed patterns and length constraints for each type
+    rules = {
+        "username": {
+            "pattern": r"^[a-zA-Z0-9_]+$",  # Alphanumeric + underscores
+            "min_length": 3,
+            "max_length": 50,
+        },
+        "email": {
+            "pattern": r"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$",  # Standard email regex
+            "min_length": 5,
+            "max_length": 128,
+        },
+        "password": {
+            "pattern": r"^[\S]+$",  # Non-whitespace characters only
+            "min_length": 8,
+            "max_length": 256,
+        },
+    }
+
+    # Get the validation rules for the specified type
+    r = rules.get(input_type)
+    if not r or \
+    not (r["min_length"] <= len(sanitised_input) <= r["max_length"]) or \
+    not re.match(r["pattern"], sanitised_input):
+        raise ValueError("Unaccepted character or length in input")
+
+    return sanitised_input

web_server/database/users.sql

@@ -7,9 +7,9 @@ CREATE TABLE users
     user_id INTEGER PRIMARY KEY AUTOINCREMENT,
     username VARCHAR(50) NOT NULL,
     password VARCHAR(256) NOT NULL,
-    email VARCHAR(64) NOT NULL,
+    email VARCHAR(128) NOT NULL,
     num_followers INTEGER NOT NULL,
-    bio TEXT
+    bio VARCHAR(1024)
 );
 
 SELECT * FROM users;