Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack.

2024-02-01 14:04:48 -06:00 · 2024-02-01 14:04:48 -06:00 · 8c37edd027
commit 8c37edd027
parent 2c1dacb9b6
2 changed files with 4 additions and 4 deletions
--- a/backend/apps/web/routers/auths.py
+++ b/backend/apps/web/routers/auths.py
@ -93,7 +93,7 @@ async def update_password(
 async def signin(form_data: SigninForm):
    user = Auths.authenticate_user(form_data.email.lower(), form_data.password)
    if user:
-        token = create_token(data={"email": user.email})
+        token = create_token(data={"id": user.id})
        return {
            "token": token,
@ -132,7 +132,7 @@ async def signup(request: Request, form_data: SignupForm):
        )
        if user:
-            token = create_token(data={"email": user.email})
+            token = create_token(data={"id": user.id})
            # response.set_cookie(key='token', value=token, httponly=True)
            return {
--- a/backend/utils/utils.py
+++ b/backend/utils/utils.py
@ -60,8 +60,8 @@ def extract_token_from_auth_header(auth_header: str):
 def get_current_user(auth_token: HTTPAuthorizationCredentials = Depends(HTTPBearer())):
    data = decode_token(auth_token.credentials)
-    if data != None and "email" in data:
+    if data != None and "id" in data:
-        user = Users.get_user_by_email(data["email"])
+        user = Users.get_user_by_id(data["id"])
        if user is None:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,