feat: implement password hashing for user authentication and storage

2024-09-02 10:43:07 +02:00 · 2024-09-02 10:43:07 +02:00 · 7047f7c7e8
commit 7047f7c7e8
parent 54061aac2c
2 changed files with 14 additions and 14 deletions
--- a/game_collection/models.py
+++ b/game_collection/models.py
@ -3,18 +3,18 @@ from flask_sqlalchemy import SQLAlchemy
 db = SQLAlchemy()

 class Game(db.Model):
-    __tablename__ = 'games'  # Ensure the table name is set to 'games'
+    __tablename__ = 'games'
    id = db.Column(db.Integer, primary_key=True)
    image = db.Column(db.String(255))
    title = db.Column(db.String(100), nullable=False)
-    date = db.Column(db.String(10), nullable=False)  # Ensure date is not nullable
+    date = db.Column(db.String(10), nullable=False)
    buyer = db.Column(db.String(100))
    owned = db.Column(db.Boolean, nullable=False)

 class User(db.Model):
-    __tablename__ = 'users'  # Ensure the table name is set to 'users'
+    __tablename__ = 'users'
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(100), nullable=False, unique=True)
-    password = db.Column(db.String(100), nullable=False)
-    role = db.Column(db.String(10), nullable=False)  # 'user' or 'admin'
-    last_login = db.Column(db.String(20), nullable=True)  # Last login timestamp
+    password = db.Column(db.String(128), nullable=False)  # Increased length for hashed passwords
+    role = db.Column(db.String(10), nullable=False)
+    last_login = db.Column(db.String(20), nullable=True)
--- a/game_collection/user_management.py
+++ b/game_collection/user_management.py
@ -1,23 +1,22 @@
 from flask import Blueprint, request, jsonify, g
 from models import db, User
 from datetime import datetime
+from werkzeug.security import generate_password_hash, check_password_hash

 user_bp = Blueprint('user', __name__)

 def authenticate():
-    # Hier wird die Authentifizierung überprüft (z.B. durch Token oder Session)
    username = request.headers.get('X-Username')
    password = request.headers.get('X-Password')
    if username and password:
-        user = User.query.filter_by(username=username, password=password).first()
-        if user:
+        user = User.query.filter_by(username=username).first()
+        if user and check_password_hash(user.password, password):
            g.user = user
            return True
    return False

@user_bp.before_request
 def before_request():
-    # Überprüfen, ob der Benutzer angemeldet ist, außer bei Login
    if request.endpoint not in ['user.login_user']:
        if not authenticate():
            return jsonify({'message': 'Unauthorized access!'}), 401
@ -25,10 +24,11 @@ def before_request():
@user_bp.route('/users', methods=['POST'])
 def create_user():
    data = request.json
+    hashed_password = generate_password_hash(data['password'])
    new_user = User(
        username=data['username'],
-        password=data['password'],
-        role=data.get('role', 'user'),  # Default role is 'user'
+        password=hashed_password,
+        role=data.get('role', 'user'),
        last_login=None
    )
    db.session.add(new_user)
@ -38,8 +38,8 @@ def create_user():
@user_bp.route('/users/login', methods=['POST'])
 def login_user():
    data = request.json
-    user = User.query.filter_by(username=data['username'], password=data['password']).first()
-    if user:
+    user = User.query.filter_by(username=data['username']).first()
+    if user and check_password_hash(user.password, data['password']):
        user.last_login = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
        db.session.commit()
        return jsonify({'message': 'Login successful!', 'role': user.role}), 200