Add all info from signup post to get_or_create_user #48
Conversation
bad3982 to
2bc9006
Compare
nativeauthenticator/handlers.py
Outdated
| password = self.get_body_argument('password', strip=False) | ||
| user = self.authenticator.get_or_create_user(username, password) | ||
| body = self.request.body.decode('utf-8') | ||
| body_arguments = dict(parse.parse_qsl(body)) |
There was a problem hiding this comment.
Does self.request.get_arguments() work instead?
There was a problem hiding this comment.
I also think we should explicitly list the arguments we wanna pass, since POST can contain arbitrary variables. For example, what happens if POST contains an 'id' parameter? Does that allow users to override ID? Or it might cause problems for a new paramter we introduce in the future...
There was a problem hiding this comment.
In general, never trust user input! https://www.enisa.europa.eu/publications/info-notes/the-dangers-of-trusting-user-input (and plenty of other things on the web). Always whitelist and validate that what we are getting is something we explicitly allow
There was a problem hiding this comment.
yeah, it will probably override it. I'll have to restructure this to avoid this kind of problems.
There was a problem hiding this comment.
the get_arguments return a dictionary but every result is a list of bytes. Like this:
{'username': [b'john'], 'pw': [b'password']}
There was a problem hiding this comment.
hmm, https://www.tornadoweb.org/en/stable/web.html#tornado.web.RequestHandler.get_arguments says it should be unicode. I wonder if this is a version thing?
But yeah, whitelisting is more important than the get_arguments
There was a problem hiding this comment.
I'm not sure what you think is best. Could you explain please?
There was a problem hiding this comment.
ah, sorry. by 'whitelisting', I mean we should only accept and use arguments from the user explicitly, like you were doing before this PR with:
password = self.get_body_argument('password', strip=False)
Similarly, we should have
password = self.get_body_argument('password', strip=False)
email = self.get_body_argument('email', strip=False)
This way, when looking at the code, we know exactly what arguments are being passed through, rather than relying on the right set of arguments to come from the user and be considered 'safe'
| try: | ||
| user_info = UserInfo(**infos) | ||
| self.db.add(user_info) | ||
| except AssertionError: |
There was a problem hiding this comment.
What raises an AssertionError?
There was a problem hiding this comment.
if the email is not validated by the ORM function, it will return an AssertionError. We can see this behavior being tested here:
2bc9006 to
c288c2a
Compare
c288c2a to
0ba0882
Compare
When creating a new user with email, the handler was not passing this information to the function
get_or_create_userand the email was not being stored. This fixes this problem