
Validation/signup+login #51

Merged: ademboukabes merged 9 commits into develop from validation/signup+login on Jun 1, 2026

Conversation

@Tyjfre-j (Collaborator) commented Jun 1, 2026

Fixes the mobile auth hardening issues documented in docs/problem-fixes/:

  • Reject empty, whitespace-only, oversized, or unnormalized auth fields.
  • Split ambiguous register/login behavior into explicit /register and /login flows.
  • Bound mobile auth email length to 255 chars to match DB constraints.
  • Handle concurrent signup duplicate-email races as 409 Conflict.
  • Prevent bcrypt 72-byte truncation by SHA-256 pre-hashing before bcrypt.
  • Enforce registration password complexity.
  • Add Redis-backed rate limiting for mobile register/login by email and client IP.
  • Update Pydantic v2 config usage for worker/settings models.

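The first, third, and sixth points above (reject empty, whitespace-only, oversized, or unnormalized fields; cap the email at 255; enforce password complexity) as an added stand-alone example. This is not the PR's Pydantic schema or any code from the project; it is a plain-stdlib sketch of the same checks. The 255-byte email bound comes from the PR text; the password bounds, the three-of-four class rule, the error strings, and the `field_error` helper are assumptions of this example.

```python
import re
import unicodedata
from typing import Callable, Optional

# Bounds: 255 is the email column size named in the PR; the password bounds
# are assumptions for this example.
EMAIL_MAX_BYTES = 255
PASSWORD_MIN_CHARS = 12
PASSWORD_MAX_CHARS = 256

# Shape check only; the regex is deliberately loose. Ownership of the address
# is proven by the verification mail, not by parsing.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class AuthFieldError(ValueError):
    """Client-facing validation failure; a handler would map it to HTTP 422."""


def _nfc_and_printable(value: str, field: str) -> None:
    # Unnormalized input (e.g. NFD "e" + U+0301) is rejected rather than
    # silently folded, so the bytes we hash or store are exactly what arrived.
    if unicodedata.normalize("NFC", value) != value:
        raise AuthFieldError(f"{field}: must be NFC-normalized")
    for ch in value:
        if unicodedata.category(ch).startswith("C"):  # Cc, Cf, Co, Cn, Cs
            raise AuthFieldError(f"{field}: control characters are not allowed")


def normalize_email(raw: str) -> str:
    """Return the canonical form that is stored and used as the unique key."""
    if not isinstance(raw, str):
        raise AuthFieldError("email: must be a string")
    value = raw.strip()
    if not value:
        raise AuthFieldError("email: must not be empty")
    if len(value.encode("utf-8")) > EMAIL_MAX_BYTES:
        raise AuthFieldError(f"email: longer than {EMAIL_MAX_BYTES} bytes")
    _nfc_and_printable(value, "email")
    if not _EMAIL_RE.match(value):
        raise AuthFieldError("email: malformed")
    # Lower-casing the whole address keeps the unique index case-insensitive;
    # strictly only the domain is case-insensitive, but mixed-case local parts
    # are not worth a duplicate-account hole.
    return value.lower()


def validate_password(raw: str) -> str:
    """Return the password exactly as it will be hashed, or raise."""
    if not isinstance(raw, str) or not raw:
        raise AuthFieldError("password: must not be empty")
    if not raw.strip():
        raise AuthFieldError("password: must not be whitespace only")
    if len(raw) > PASSWORD_MAX_CHARS:
        raise AuthFieldError(f"password: longer than {PASSWORD_MAX_CHARS} characters")
    _nfc_and_printable(raw, "password")
    if len(raw) < PASSWORD_MIN_CHARS:
        raise AuthFieldError(f"password: shorter than {PASSWORD_MIN_CHARS} characters")
    classes = (
        any(c.islower() for c in raw),
        any(c.isupper() for c in raw),
        any(c.isdigit() for c in raw),
        any(not c.isalnum() for c in raw),  # symbols and spaces count as a class
    )
    if sum(classes) < 3:
        raise AuthFieldError("password: use at least three of lower, upper, digit, symbol")
    return raw  # never stripped or case-folded: it must match what the user typed


def field_error(validator: Callable[[str], str], value: str) -> Optional[str]:
    """Run a validator and return its error message, or None when accepted."""
    try:
        validator(value)
    except AuthFieldError as exc:
        return str(exc)
    return None
```

Two design choices worth keeping in mind: the email is stripped and lower-cased because it is a lookup key, while the password is never altered, only rejected, because the bytes hashed at registration must be the bytes hashed at login. Rejecting non-NFC input is one option; the alternative NIST SP 800-63B recommends is normalizing on the server. Either is fine as long as both /register and /login do the same thing.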
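The fifth point above, bcrypt's 72-byte truncation and the SHA-256 pre-hash that fixes it, as an added example that is not the project's code. To run offline it uses `bcrypt_like`, a PBKDF2-based stand-in that reproduces only bcrypt's input quirks (cut at 72 bytes and at the first NUL) and must not be used as a real password hash; the `$v1$`/`$v2$` scheme tag, the salt layout and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

BCRYPT_INPUT_LIMIT = 72  # bytes of key material bcrypt actually uses


def bcrypt_like(key: bytes, salt: bytes) -> bytes:
    """Offline stand-in for bcrypt's input handling, not bcrypt itself.

    It reproduces the two quirks that matter here: the key is cut at the first
    NUL and at 72 bytes. PBKDF2 is only used to turn (key, salt) into a digest
    so the example runs without the bcrypt package; do not ship this.
    """
    usable = key.split(b"\x00", 1)[0][:BCRYPT_INPUT_LIMIT]
    return hashlib.pbkdf2_hmac("sha256", usable, salt, 1000)


def prehash(password: str) -> bytes:
    """SHA-256 then base64: 44 ASCII bytes, no NUL, always inside the 72-byte
    limit, so every byte of an arbitrarily long password affects the result."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)  # a raw digest could contain 0x00 and be cut short


def hash_password(password: str, *, prehashed: bool = True,
                  salt: Optional[bytes] = None) -> str:
    """Encode as $<scheme>$<salt>$<digest>; the scheme tag is an assumption of this
    example so old (v1, direct) and new (v2, pre-hashed) records can coexist."""
    salt = os.urandom(16) if salt is None else salt
    material = prehash(password) if prehashed else password.encode("utf-8")
    scheme = "v2" if prehashed else "v1"
    return f"${scheme}${salt.hex()}${bcrypt_like(material, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, scheme, salt_hex, digest_hex = stored.split("$")
    material = prehash(password) if scheme == "v2" else password.encode("utf-8")
    candidate = bcrypt_like(material, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True for legacy direct-bcrypt records; call after a successful login and
    re-store with hash_password() to migrate without forcing a reset."""
    return stored.split("$")[1] != "v2"


def truncation_collides(prehashed: bool) -> bool:
    """Does a password that differs only after byte 72 still verify?"""
    prefix = "x" * BCRYPT_INPUT_LIMIT
    stored = hash_password(prefix + "real-tail", prehashed=prehashed, salt=b"\x01" * 16)
    return verify_password(prefix + "WRONG-TAIL", stored)
```

With the real library the v2 path is `bcrypt.hashpw(prehash(pw), bcrypt.gensalt())` and `bcrypt.checkpw(prehash(pw), stored)`. Three caveats a reviewer would check: the digest must be encoded (base64 or hex) before it reaches bcrypt, because a raw 32-byte digest can contain a NUL and some implementations stop reading there; switching to a pre-hash changes what every existing hash verifies against, so tag the scheme and re-hash on the next successful login rather than invalidating accounts; and if you prefer a server-side pepper, replace the plain SHA-256 with HMAC-SHA256 under a key kept outside the database.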
Tyjfre-j added 9 commits May 31, 2026 08:54
- Replace ambiguous /user/auth/register-login with explicit /register and /login
- Add MobileRegisterRequest and MobileLoginRequest schemas (shared base)
- Add AuthService.mobile_register() (409 on existing email) and mobile_login() (401 on unknown email)
- Update e2e validation test to target both new endpoints instead of removed register-login
- Add unit + e2e tests for intent validation
- Add problem-fix documentation (002)
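The "409 on existing email" behaviour of the register flow named in the commits above, and the concurrent-signup race listed in the PR description, as an added example that is not the project's code. It uses an in-memory sqlite3 table so it runs offline; the `Response` type, the table layout and the `simulate_race` interleaving are assumptions of this example.

```python
import sqlite3
from dataclasses import dataclass
from typing import List


@dataclass
class Response:
    status: int
    body: str


def open_users_db() -> sqlite3.Connection:
    """In-memory table; the UNIQUE constraint is the only thing that is
    actually race-safe. Store the normalized (lower-cased) email so the index
    cannot be bypassed with a differently-cased copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " email TEXT NOT NULL UNIQUE,"
        " pw_hash TEXT NOT NULL)"
    )
    return conn


def email_exists(conn: sqlite3.Connection, email: str) -> bool:
    row = conn.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None


def insert_user(conn: sqlite3.Connection, email: str, pw_hash: str) -> Response:
    """Let the database decide, and translate the violation into 409 instead of
    letting IntegrityError surface as a 500."""
    try:
        conn.execute("INSERT INTO users (email, pw_hash) VALUES (?, ?)", (email, pw_hash))
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()
        return Response(409, "email already registered")
    return Response(201, "created")


def register(conn: sqlite3.Connection, email: str, pw_hash: str) -> Response:
    # The pre-check is a cheap fast path that also spares a bcrypt call on a
    # repeat; it is NOT the guarantee, two requests can both pass it.
    if email_exists(conn, email):
        return Response(409, "email already registered")
    return insert_user(conn, email, pw_hash)


def simulate_race(email: str) -> List[int]:
    """Interleave two register() calls the way a scheduler could: both run the
    existence check before either inserts. Returns the two HTTP statuses."""
    conn = open_users_db()
    first_saw_existing = email_exists(conn, email)
    second_saw_existing = email_exists(conn, email)
    assert not first_saw_existing and not second_saw_existing  # pre-check cannot help
    return [insert_user(conn, email, "hash-a").status,
            insert_user(conn, email, "hash-b").status]


def register_twice(email: str) -> List[int]:
    """Sequential case: the fast path already answers 409 the second time."""
    conn = open_users_db()
    return [register(conn, email, "hash-a").status, register(conn, email, "hash-b").status]
```

The same shape applies with a real database: catch the driver's unique-violation error (`sqlalchemy.exc.IntegrityError` through an ORM, `psycopg2.errors.UniqueViolation` on raw Postgres) and return 409, and make sure the unique index is on the normalized address. Note that a 409 on /register tells a caller whether an address is already registered; the PR accepts that, and the per-email and per-IP rate limits in the description are what keep that answer from being harvested in bulk.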
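The Redis-backed rate limiting by email and client IP from the PR description, guarding the /register and /login flows named in the commits above, as an added example that is not the project's code. `MemoryStore` stands in for the two Redis operations the pattern needs (INCR a counter, give it a TTL when it is created) with an injectable clock so the example is deterministic; the key names, the 20-per-minute and 5-per-minute limits and the fixed-window algorithm are assumptions of this example.

```python
from typing import Callable, Dict, Optional, Tuple


class MemoryStore:
    """Stand-in for the Redis pattern the limiter relies on: INCR a key and set
    its TTL only when this call created it. Injectable clock for determinism."""

    def __init__(self, now: Callable[[], float]) -> None:
        self._now = now
        self._data: Dict[str, Tuple[int, float]] = {}  # key -> (count, expires_at)

    def incr(self, key: str, ttl: int) -> int:
        count, expires_at = self._data.get(key, (0, 0.0))
        if expires_at <= self._now():          # window over (or key absent)
            count, expires_at = 0, self._now() + ttl
        count += 1
        self._data[key] = (count, expires_at)
        return count


class AuthRateLimiter:
    """Fixed-window limits on two keys: the client IP (bounds one source
    spraying many accounts) and the normalized email (bounds many sources
    targeting one account). Limits are constructed for this example."""

    def __init__(self, store: MemoryStore, *, ip_limit: int = 20,
                 email_limit: int = 5, window: int = 60) -> None:
        self._store = store
        self._ip_limit = ip_limit
        self._email_limit = email_limit
        self._window = window

    def check(self, client_ip: str, email: str) -> Optional[str]:
        """Return None when the attempt may proceed, or which limit blocked it.
        Call before any bcrypt work so throttled requests stay cheap."""
        if self._store.incr(f"auth:ip:{client_ip}", self._window) > self._ip_limit:
            return "ip"
        key = email.strip().lower()  # same canonical form as the account lookup
        if self._store.incr(f"auth:email:{key}", self._window) > self._email_limit:
            return "email"
        return None


def demo_email_window() -> list:
    """Four attempts on one address within a minute with email_limit=3, then
    one more after the window has passed (addresses from the documentation ranges)."""
    clock = [1_000.0]
    limiter = AuthRateLimiter(MemoryStore(lambda: clock[0]), email_limit=3)
    results = [limiter.check("203.0.113.5", "Alice@Example.com") for _ in range(4)]
    clock[0] += 61
    results.append(limiter.check("203.0.113.5", "alice@example.com"))
    return results


def demo_ip_spray() -> Optional[str]:
    """One IP trying 21 different addresses with ip_limit=20: the 21st is
    blocked on the IP key even though every email key is fresh."""
    clock = [1_000.0]
    limiter = AuthRateLimiter(MemoryStore(lambda: clock[0]), ip_limit=20)
    outcome = None
    for i in range(21):
        outcome = limiter.check("198.51.100.7", f"user{i}@example.com")
    return outcome
```

On Redis, `incr` becomes `INCR key` followed by `EXPIRE key ttl` only when INCR returned 1 (or both in a small Lua script so a crash between the two cannot leave a counter without a TTL). Two operational caveats: the IP key is only as good as the address you key on, so take X-Forwarded-For from your own proxy and nothing else; and the per-email key hands anyone a way to throttle a victim by spamming their address, so keep it a throttle that returns the same generic failure as a wrong password rather than a lockout.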
@ademboukabes ademboukabes self-requested a review June 1, 2026 13:54
@ademboukabes (Collaborator) left a comment

Excellent work on this PR; the implementation of all 8 security points is extremely solid.

@ademboukabes ademboukabes merged commit fdf0610 into develop Jun 1, 2026
1 check passed