Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Contributor backend 21 #144

Merged
merged 56 commits into from
Nov 13, 2024
Merged

feat: Contributor backend 21 #144

merged 56 commits into from
Nov 13, 2024

Conversation

SKairinos
Copy link
Contributor

@SKairinos SKairinos commented Nov 7, 2024

This change is Reviewable

@SKairinos SKairinos linked an issue Nov 11, 2024 that may be closed by this pull request
Copy link
Contributor

@faucomte97 faucomte97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 35 of 35 files at r1, all commit messages.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @SKairinos)


codeforlife/models/abstract_base_user.py line 56 at r1 (raw file):

        """A flag designating if this contributor has authenticated."""
        try:
            return self.is_active and not self.session.is_expired

Same question here about whether is_active includes being verified?


codeforlife/forms.py line 64 at r1 (raw file):

                "Incorrect user class.",
                code="incorrect_user_class",
            )

This would allow an attacker to enumerate existing email addresses on our system.

Code quote:

        if not isinstance(user, self.get_user_class()):
            raise ValidationError(
                "Incorrect user class.",
                code="incorrect_user_class",
            )

codeforlife/forms.py line 69 at r1 (raw file):

                "User is not active",
                code="user_not_active",
            )

This is not as much of an issue since they're inactive accounts but it could still provide the attacker with a list of emails to exclude from their brute force attack.

In both of these cases, I feel like we should raise the same Error of "invalid login" to keep it vague. In the same way that currently, we raise the same error if the credentials are incorrect or if the user's email isn't verified yet.

Which leads me to this question: what if a user tries to log in with an unverified email address? Does that fall under not user.is_active? If not, we should also raise the same error if they are unverified still.

Code quote:

        if not user.is_active:
            raise ValidationError(
                "User is not active",
                code="user_not_active",
            )

Copy link
Contributor Author

@SKairinos SKairinos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @faucomte97)


codeforlife/forms.py line 64 at r1 (raw file):

Previously, faucomte97 (Florian Aucomte) wrote…

This would allow an attacker to enumerate existing email addresses on our system.

I don't agree because in order for this error to be raised the user would have needed to first successfully logged in. At this point in the flow, we are just sanity checking they have logged in as the correct user type.

In theory, this error should NEVER be raise. If this error is raised it'll be because of a server/developer error (not user error) as it shouldn't be possible for the user to log in as the incorrect type. For example, a student user shouldn't be allowed to log in a teacher user.


codeforlife/forms.py line 69 at r1 (raw file):

Previously, faucomte97 (Florian Aucomte) wrote…

This is not as much of an issue since they're inactive accounts but it could still provide the attacker with a list of emails to exclude from their brute force attack.

In both of these cases, I feel like we should raise the same Error of "invalid login" to keep it vague. In the same way that currently, we raise the same error if the credentials are incorrect or if the user's email isn't verified yet.

Which leads me to this question: what if a user tries to log in with an unverified email address? Does that fall under not user.is_active? If not, we should also raise the same error if they are unverified still.

See above. I don't agree because in order for this error to be raised the user would have needed to first successfully logged in.

Agreed that we should raise the same error if they are unverified.


codeforlife/models/abstract_base_user.py line 56 at r1 (raw file):

Previously, faucomte97 (Florian Aucomte) wrote…

Same question here about whether is_active includes being verified?

Fixing this issue but not in the abstract base user class. Instead, the fix belongs in codeforlife.user.models.User.is_authenticated (included in this PR).

Copy link
Contributor

@faucomte97 faucomte97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 1 of 1 files at r2, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on @SKairinos)


codeforlife/forms.py line 64 at r1 (raw file):

Previously, SKairinos (Stefan Kairinos) wrote…

I don't agree because in order for this error to be raised the user would have needed to first successfully logged in. At this point in the flow, we are just sanity checking they have logged in as the correct user type.

In theory, this error should NEVER be raise. If this error is raised it'll be because of a server/developer error (not user error) as it shouldn't be possible for the user to log in as the incorrect type. For example, a student user shouldn't be allowed to log in a teacher user.

Fair point, I hadn't considered this would only happen after successful login 👍

@SKairinos SKairinos merged commit bb617bf into main Nov 13, 2024
4 of 6 checks passed
@SKairinos SKairinos deleted the contributor-backend-21 branch November 13, 2024 11:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Migrate db abstract testing framework
2 participants