feat: implement password hashing for user authentication and storage

game_collection/models.py

@@ -3,18 +3,18 @@ from flask_sqlalchemy import SQLAlchemy
 db = SQLAlchemy()
 
 class Game(db.Model):
-    __tablename__ = 'games'  # Ensure the table name is set to 'games'
+    __tablename__ = 'games'
     id = db.Column(db.Integer, primary_key=True)
     image = db.Column(db.String(255))
     title = db.Column(db.String(100), nullable=False)
-    date = db.Column(db.String(10), nullable=False)  # Ensure date is not nullable
+    date = db.Column(db.String(10), nullable=False)
     buyer = db.Column(db.String(100))
     owned = db.Column(db.Boolean, nullable=False)
 
 class User(db.Model):
-    __tablename__ = 'users'  # Ensure the table name is set to 'users'
+    __tablename__ = 'users'
     id = db.Column(db.Integer, primary_key=True)
     username = db.Column(db.String(100), nullable=False, unique=True)
-    password = db.Column(db.String(100), nullable=False)
-    role = db.Column(db.String(10), nullable=False)  # 'user' or 'admin'
-    last_login = db.Column(db.String(20), nullable=True)  # Last login timestamp
+    password = db.Column(db.String(128), nullable=False)  # Increased length for hashed passwords
+    role = db.Column(db.String(10), nullable=False)
+    last_login = db.Column(db.String(20), nullable=True)

game_collection/user_management.py

@@ -1,23 +1,22 @@
 from flask import Blueprint, request, jsonify, g
 from models import db, User
 from datetime import datetime
+from werkzeug.security import generate_password_hash, check_password_hash
 
 user_bp = Blueprint('user', __name__)
 
 def authenticate():
-    # Hier wird die Authentifizierung überprüft (z.B. durch Token oder Session)
     username = request.headers.get('X-Username')
     password = request.headers.get('X-Password')
     if username and password:
-        user = User.query.filter_by(username=username, password=password).first()
-        if user:
+        user = User.query.filter_by(username=username).first()
+        if user and check_password_hash(user.password, password):
             g.user = user
             return True
     return False
 
 @user_bp.before_request
 def before_request():
-    # Überprüfen, ob der Benutzer angemeldet ist, außer bei Login
     if request.endpoint not in ['user.login_user']:
         if not authenticate():
             return jsonify({'message': 'Unauthorized access!'}), 401
@@ -25,10 +24,11 @@ def before_request():
 @user_bp.route('/users', methods=['POST'])
 def create_user():
     data = request.json
+    hashed_password = generate_password_hash(data['password'])
     new_user = User(
         username=data['username'],
-        password=data['password'],
-        role=data.get('role', 'user'),  # Default role is 'user'
+        password=hashed_password,
+        role=data.get('role', 'user'),
         last_login=None
     )
     db.session.add(new_user)
@@ -38,8 +38,8 @@ def create_user():
 @user_bp.route('/users/login', methods=['POST'])
 def login_user():
     data = request.json
-    user = User.query.filter_by(username=data['username'], password=data['password']).first()
-    if user:
+    user = User.query.filter_by(username=data['username']).first()
+    if user and check_password_hash(user.password, data['password']):
         user.last_login = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
         db.session.commit()
         return jsonify({'message': 'Login successful!', 'role': user.role}), 200