
fix IDOR vulnerability in idor_profile_page by adding session authorization#1

Merged
brandong1 merged 1 commit into main from semgrep-autofix/1775148214
Apr 7, 2026

Conversation

@semgrep-code-brandong1-demo

Fix IDOR vulnerability in the profile page that allowed users to access other users' profiles by manipulating the user_id cookie.

Changes

  • Fixed NameError where user.password was referenced before user was defined
  • Reordered logic to fetch user from database before validating session token
  • Added null checks for both user_id and session_token cookies
  • Added authorization check to verify the session token belongs to the requested user

Why

The original code had two critical issues:

  1. The session_token check on line 40 referenced an undefined variable user, causing a NameError on every request
  2. Even if the check worked, there was no verification that the authenticated session corresponded to the user_id being accessed

The fix ensures that the session_token in the cookie must match the password hash of the user whose profile is being requested. This binds the session to a specific user and prevents attackers from accessing other profiles by simply changing the user_id cookie value.

Semgrep Finding Details

The idor_profile_page function reads user_id directly from a user-controllable cookie (line 44: request.cookies.get('user_id')) and uses it to query the database for that user's profile without any ownership verification. The session_token check on line 40 references an undefined variable 'user', causing a NameError that makes the authentication check non-functional. Even if the session check worked, there is no authorization logic verifying that the authenticated user's session corresponds to the requested user_id.

@36804960 requested Semgrep Assistant generate this pull request to fix a finding (https://semgrep.dev/orgs/bg_demo/ai-findings/739590370).


⚠️ Review carefully before merging. This PR was generated by AI and may cause breaking changes or introduce new vulnerabilities.
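The IDOR pattern the finding describes, as an added example that is neither the project's code nor the PR's patch: a handler that takes identity from the user-controlled `user_id` cookie, beside a hardened handler that resolves `session_token` to a user through a hypothetical server-side session store and refuses the request when the requested `user_id` is not the session's user. The store, the `USERS` table, `login` and the `cookies` dict standing in for `request.cookies` are all assumptions made for the example; unlike the PR, the session token here is an opaque random value, not the user's password hash.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed sample user table standing in for the database (not project data).
USERS = {
    "1": {"username": "alice", "email": "alice@example.com", "password_hash": "hash-of-alice-pw"},
    "2": {"username": "bob", "email": "bob@example.com", "password_hash": "hash-of-bob-pw"},
}

# Hypothetical server-side session store: sha256(token) -> user_id.
# Keying on the digest means a leaked store does not yield usable cookies,
# and the lookup is done on a fixed-length value rather than the raw secret.
SESSIONS: dict[str, str] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(user_id: str) -> str:
    """Issue an opaque random session token bound server-side to user_id."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = user_id
    return token


def _public_view(user: dict) -> dict:
    # Never return the password hash (or any session secret) to the client.
    return {k: v for k, v in user.items() if k != "password_hash"}


def profile_vulnerable(cookies: dict) -> Tuple[int, Optional[dict]]:
    """Before: identity is whatever the client put in the user_id cookie.

    The original handler's session check never ran (NameError), so in
    practice no authentication or ownership check happened at all.
    """
    user = USERS.get(cookies.get("user_id"))
    if user is None:
        return 404, None
    return 200, _public_view(user)


def profile_fixed(cookies: dict) -> Tuple[int, Optional[dict]]:
    """After: the session token, not the user_id cookie, decides who the caller is."""
    token = cookies.get("session_token")
    requested_id = cookies.get("user_id")
    if not token or not requested_id:
        return 401, None                      # no session presented: not authenticated
    session_user_id = SESSIONS.get(_digest(token))
    if session_user_id is None:
        return 401, None                      # unknown or expired token
    if session_user_id != requested_id:
        return 403, None                      # authenticated, but not the owner of this profile
    user = USERS.get(requested_id)
    if user is None:
        return 404, None
    return 200, _public_view(user)


if __name__ == "__main__":
    alice = login("1")
    print(profile_vulnerable({"user_id": "2"}))                       # bob's profile, no session needed
    print(profile_fixed({"user_id": "2", "session_token": alice}))   # (403, None)
    print(profile_fixed({"user_id": "1", "session_token": alice}))   # alice's public profile
```

Two design points worth carrying into a review of the merged patch. First, once the session is the source of truth, the `user_id` cookie is redundant: the cleanest handler drops it and uses `session_user_id` directly, which removes the mismatch branch entirely. Second, a session token derived from the password hash cannot be rotated or revoked independently of the password, and a cookie that carries it exposes a credential-derived secret on every request; an opaque random token with a server-side mapping, as above, avoids both problems.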

@brandong1 brandong1 marked this pull request as ready for review April 2, 2026 16:52
@brandong1 brandong1 merged commit 02225fb into main Apr 7, 2026
1 check passed