From 8c37edd027b52426ffdaf715da7cbbe613b4df8e Mon Sep 17 00:00:00 2001
From: Tim Farrell
Date: Thu, 1 Feb 2024 14:04:48 -0600
Subject: [PATCH] Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack.

---
 backend/apps/web/routers/auths.py | 4 ++--
 backend/utils/utils.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/backend/apps/web/routers/auths.py b/backend/apps/web/routers/auths.py
index f45c67ac..d06539f8 100644
--- a/backend/apps/web/routers/auths.py
+++ b/backend/apps/web/routers/auths.py
@@ -93,7 +93,7 @@ async def update_password(
 async def signin(form_data: SigninForm):
     user = Auths.authenticate_user(form_data.email.lower(), form_data.password)
     if user:
-        token = create_token(data={"email": user.email})
+        token = create_token(data={"id": user.id})
 
         return {
             "token": token,
@@ -132,7 +132,7 @@ async def signup(request: Request, form_data: SignupForm):
         )
 
         if user:
-            token = create_token(data={"email": user.email})
+            token = create_token(data={"id": user.id})
             # response.set_cookie(key='token', value=token, httponly=True)
 
             return {
diff --git a/backend/utils/utils.py b/backend/utils/utils.py
index 8b722554..9b146bbc 100644
--- a/backend/utils/utils.py
+++ b/backend/utils/utils.py
@@ -60,8 +60,8 @@ def extract_token_from_auth_header(auth_header: str):
 
 def get_current_user(auth_token: HTTPAuthorizationCredentials = Depends(HTTPBearer())):
     data = decode_token(auth_token.credentials)
-    if data != None and "email" in data:
-        user = Users.get_user_by_email(data["email"])
+    if data != None and "id" in data:
+        user = Users.get_user_by_id(data["id"])
         if user is None:
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,
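Review bot: Every token issued before this commit carries an `email` claim and no `id` claim, so once get_current_user in utils.py starts requiring `id` those sessions stop validating; the same claim change is made in the signup hunk and the commit message does not mention the forced re-login. That is the right outcome for a key change, but it is worth recording at the call site so the next person does not "fix" it by accepting both claims: `# token identifies the user by primary key; tokens minted with the old "email" claim are intentionally rejected`. Whether create_token also sets an expiry cannot be seen from this hunk, so the claim that the change hampers session stealing rests only on the id being unique, not on token lifetime. The signin and signup bodies continue outside their hunks.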
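Review bot: The rewritten condition in get_current_user checks only that the `id` key exists in the decoded payload, not that its value is a usable identifier, and it keeps the `data != None` comparison on a line the commit already touches; `is not None` is the idiomatic test and a type check keeps odd claim values out of the lookup. Suggested replacement for the two changed lines: `user_id = data.get("id") if data is not None else None` / `if isinstance(user_id, str) and user_id:` / `user = Users.get_user_by_id(user_id)`. Whether decode_token verifies the signature before returning the payload is not visible here, so I am assuming the claim is trusted only after verification. The branch taken when the payload is absent or lacks the claim lies outside the hunk.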