Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack.

2025-06-26 18:26:48 +00:00 · 2024-02-01 14:04:48 -06:00
parent 2c1dacb9b6
commit 8c37edd027
2 changed files with 4 additions and 4 deletions
--- a/backend/apps/web/routers/auths.py
+++ b/backend/apps/web/routers/auths.py
@@ -93,7 +93,7 @@ async def update_password(
 async def signin(form_data: SigninForm):
    user = Auths.authenticate_user(form_data.email.lower(), form_data.password)
    if user:
-        token = create_token(data={"email": user.email})
+        token = create_token(data={"id": user.id})

        return {
            "token": token,
@@ -132,7 +132,7 @@ async def signup(request: Request, form_data: SignupForm):
        )

        if user:
-            token = create_token(data={"email": user.email})
+            token = create_token(data={"id": user.id})
            # response.set_cookie(key='token', value=token, httponly=True)

            return {