
fix: removed unique username and email validations, added other validations to backend #60

Merged
merged 7 commits into from
Jan 24, 2024

Conversation

nicolasauler
Owner

@nicolasauler nicolasauler commented Jan 24, 2024

To make the application secure, we need to avoid user enumeration. This PR starts the effort; we need:

This PR also adds validations that occurred only when using the application via front, to the backend as well.
And as a bonus, the PR moves script loading to the appropriate html pages, instead of loading them all at the base template.
And also removes unnecessary db accesses when the user is already in session.

Closes #59
Closes #57

TODO: add validation to changepassword.
Now two types of emails are sent to the users after sign up:
- Welcome email, when the email was not already used
- Forgot password email, when it was already used
TODO: consistent response times for both cases: avoiding user
enumeration through timing attacks
TODO: forgot password functionality
@nicolasauler
Owner Author

QA: email was sent and sign up flow has been checked.

@nicolasauler
Owner Author

QA: password verification at backend has been checked by sending requests directly with curl

@nicolasauler nicolasauler merged commit 4d094d3 into main Jan 24, 2024
4 checks passed
@nicolasauler nicolasauler deleted the more-tracing branch January 24, 2024 22:12