Merge pull request #185 from Bestagons/password_hash

Password hash

app_backend/app/routers/user.py

@@ -5,6 +5,7 @@
 import json
 from bson import BSON
 from bson import json_util, ObjectId
+import bcrypt
 
 from app.auth_handler import signJWT
 from database import db
@@ -35,20 +36,34 @@ async def login(login: UserLogin, resp: Response):
     email = login.email
     password = login.password
 
-    user = {
-        "email": email,
-        "password": password
-    }
+    # get user with email
+    user = db.get_user_by_email(email, display_password=True)
 
-    db_user: dict = db.get_user(user)
-
-    if db_user is None:
+    # check if user exists
+    if user is None:
+        resp.status_code = status.HTTP_400_BAD_REQUEST
+        return {"err": "Invalid email or password."}
+
+    # check if password is correct
+    try:
+        if user['password'] != password and not bcrypt.checkpw(password.encode('utf-8'), user['password']):
+            resp.status_code = status.HTTP_400_BAD_REQUEST
+            return {"err": "Invalid email or password."}
+    except TypeError:
         resp.status_code = status.HTTP_400_BAD_REQUEST
-        return {"err": "This user does not exist. Please try different credentials."}, {}, None
+        return {"err": "Invalid email or password."}
 
-    db_user["_id"] = str(db_user['_id'])
+    # if db_user is None:
+    #     resp.status_code = status.HTTP_400_BAD_REQUEST
+    #     return {"err": "This user does not exist. Please try different credentials."}, {}, None
 
-    return {"msg": "Successfully logged in"}, signJWT(db_user['_id'], email), json.dumps(db_user, sort_keys=True, indent=4, default=json_util.default)
+    user["_id"] = str(user['_id'])
+
+    # drop password from user
+    user.pop("password")
+
+    return {"msg": "Successfully logged in"}, signJWT(user['_id'], email), \
+           json.dumps(user, sort_keys=True, indent=4, default=json_util.default)
 
 """
     register implements the /register/ route
@@ -91,11 +106,14 @@ async def register(login: UserRegister, resp: Response):
         resp.status_code = status.HTTP_400_BAD_REQUEST
         return {"err": "Invalid password. It must be 8 to 20 characters and have at least one upper case letter, one lower case letter, and one digit."}
 
+    # hash the password
+    hashed_password = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt())
+
     # adds user to the database
     new_user = {
         "name": name,
         "email": email,
-        "password": password
+        "password": hashed_password
     }
 
     msg = db.save_user_in_db(new_user)

app_backend/database.py

@@ -59,10 +59,12 @@ def get_user_by_uuid(self, uuid):
         users = self.db["users"]
         return users.find_one({"_id": ObjectId(uuid)}, {"password": 0})
 
-    def get_user_by_email(self, email):
+    def get_user_by_email(self, email, display_password=False):
         users = self.db["users"]
-        return users.find_one({'email': email}, {"password": 0})
-
+        if display_password:
+            return users.find_one({"email": email})
+        else:
+            return users.find_one({'email': email}, {"password": 0})
 
     def get_user(self, login_info: dict):
         users = self.db["users"]

app_backend/requirements.txt

@@ -34,3 +34,4 @@ uvicorn==0.15.0
 wrapt==1.12.1
 firebase_admin
 pyjwt
+bcrypt

app_backend/tests/user_test.py

@@ -26,7 +26,8 @@ def to_json(self):
 
     for test_case in test_cases:
         response = client.post("user/login", json=test_case.to_json())
-        msg, _, _ = response.json()
+        msg = response.json()
+        print(msg)
         assert response.status_code == test_case.expects_code
         assert ("err" in msg) == test_case.expects_err