Skip to content

Reject existing-user claims in FastAPI signup flow#204

Open
PrivateBasicsApp wants to merge 5 commits into
etesync:masterfrom
PrivateBasicsApp:master
Open

Reject existing-user claims in FastAPI signup flow#204
PrivateBasicsApp wants to merge 5 commits into
etesync:masterfrom
PrivateBasicsApp:master

Conversation

@PrivateBasicsApp

Copy link
Copy Markdown

Prevent unauthenticated account takeover where /signup/ could initialize UserInfo for a pre-provisioned user and immediately return a valid auth token.

Details:

  • Preserve existing new-user creation logic and UserInfo initialization for truly new accounts.
  • In signup_save (etebase_server/fastapi/routers/authentication.py) check for an existing username via get_user_queryset(...).get(...) and immediately raise HttpError("user_exists", ...) (HTTP 409) if found.
  • Remove the previous behavior that only rejected the request when instance already had a userinfo, so the endpoint is now strictly for new-user creation.

Details:
- base.txt: Django >=5.2,<6.0, pin fastapi==0.138.2, and raise the redis
  floor to >=5.0 (drops the 4.2.0rc1 pre-release marker that was keeping
  the runtime on the redis 5.1.0b6 beta)
- development.txt: constrain dev deps to the runtime pins via
  -c requirements.txt
- Regenerate both lockfiles with pip-compile --generate-hashes for
  reproducible, hash-verified installs

Runtime now requires Python >=3.10 (Django 5.2).
+ pyproject.toml: set DJANGO_SETTINGS_MODULE for pytest-django
+ dev deps: add pytest-django (requirements.in/development.txt + regenerated requirements-dev.txt)
Chore/update dependencies (Django 5.2, FastAPI 0.138 + security)etesync#205
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant