Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack.

2024-02-01 14:04:48 -06:00 · 2024-02-01 14:04:48 -06:00 · 8c37edd027
commit 8c37edd027
parent 2c1dacb9b6
2 changed files with 4 additions and 4 deletions
--- a/backend/utils/utils.py
+++ b/backend/utils/utils.py
@ -60,8 +60,8 @@ def extract_token_from_auth_header(auth_header: str):

 def get_current_user(auth_token: HTTPAuthorizationCredentials = Depends(HTTPBearer())):
    data = decode_token(auth_token.credentials)
-    if data != None and "email" in data:
-        user = Users.get_user_by_email(data["email"])
+    if data != None and "id" in data:
+        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,