Skip to content

fix: adds rate limiting, email validation, password max [#53]#65

Merged
robert-7 merged 2 commits into
mainfrom
security-auth-hardening
Apr 12, 2026
Merged

fix: adds rate limiting, email validation, password max [#53]#65
robert-7 merged 2 commits into
mainfrom
security-auth-hardening

Conversation

@robert-7

@robert-7 robert-7 commented Apr 12, 2026

Copy link
Copy Markdown
Owner

Summary

  • harden the authentication flow with Flask-Limiter rate limits on POST /login and POST /register
  • require a valid email address during registration and expand password support to 8-128 characters
  • replace duplicate-email feedback with a generic registration failure message to reduce user enumeration
  • remove the user_id = count() + 1 race by retrying registration on unique-key conflicts while preserving the existing user_id-based schema
  • validate that a submitted courseID exists before creating an enrollment
  • make /logout POST-only and move the nav logout action to a CSRF-protected form
  • expand route and Playwright coverage and keep the branch at 100% Python coverage

Notes

  • This keeps the current user_id-based enrollment/session flow intact instead of migrating the app to Mongo _id, which avoids a larger schema and seed-data change while still addressing the registration race condition.
  • The Playwright walkthrough was updated to use the new logout button behavior.

Testing

  • docker compose exec course-enrollment-app python -m pytest
  • docker compose run --rm e2e-tests
  • pre-commit run --files application/__init__.py application/forms.py application/routes.py tests/conftest.py tests/test_routes.py requirements.txt
  • pre-commit run --files application/forms.py application/routes.py application/templates/includes/nav.html tests/test_routes.py e2e/ui-walkthrough.spec.js
  • pre-commit run --files tests/test_routes.py AGENTS.md
  • make codecov

Closes #53

@codecov

codecov Bot commented Apr 12, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@robert-7 robert-7 merged commit 1a31782 into main Apr 12, 2026
5 checks passed
@robert-7 robert-7 deleted the security-auth-hardening branch April 12, 2026 22:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: Authentication hardening and input validation

1 participant