admin/WerkoutAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c80c66c2e5b6c04967a5064de9c55c14c69627f6
WerkoutAPI/registered_user/views.py
Trey t c80c66c2e5 Codebase hardening: 102 fixes across 35+ files 
Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas:

- Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker
- Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes
- Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic
- Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe
- Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support
- Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping
- Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing
- Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 22:29:14 -06:00

137 lines
5.2 KiB
Python
Raw Blame History

from .models import RegisteredUser
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status
from .serializers import RegisteredUserSerializer, CreateRegisteredUserThroughUserSerializer, CreateRegisteredUserSerializer
from django.contrib.auth.models import User
from rest_framework.authtoken.models import Token
from django.contrib.auth import authenticate
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.decorators import authentication_classes
from rest_framework.decorators import permission_classes
from django.shortcuts import get_object_or_404
from django.db import transaction
import json
@api_view(['GET'])
def all_registered_users(request):
users = RegisteredUser.objects.all()
serializer = RegisteredUserSerializer(users, many=True)
return Response(data=serializer.data, status=status.HTTP_200_OK)
@api_view(['POST'])
@authentication_classes([])
def create_registered_user(request):
_serializer = CreateRegisteredUserSerializer(data=request.data)
if not _serializer.is_valid():
return Response(_serializer.errors, status=status.HTTP_400_BAD_REQUEST)
email = request.data["email"]
# Note: DB unique constraint on email is the real guard against race conditions
if User.objects.filter(email=email).exists():
return Response({"email": [ "Email in use" ] }, status=status.HTTP_409_CONFLICT)
serializer = CreateRegisteredUserThroughUserSerializer(data=request.data)
if serializer.is_valid():
with transaction.atomic():
new_registered_user = serializer.save()
serializer = RegisteredUserSerializer(new_registered_user, many=False)
token = get_object_or_404(Token, user=new_registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@api_view(['POST'])
@authentication_classes([])
def login_registered_user(request):
email = request.data.get("email", "").strip()
password = request.data.get("password", "")
# Try authenticating with the input as username first, then by email lookup
user = authenticate(username=email, password=password)
if user is None:
from django.contrib.auth.models import User
try:
user_obj = User.objects.get(email=email)
user = authenticate(username=user_obj.username, password=password)
except User.DoesNotExist:
pass
if user is not None:
registered_user = get_object_or_404(RegisteredUser, user=user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
else:
return Response({"detail": "Invalid email or password"}, status=status.HTTP_401_UNAUTHORIZED)
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def update_registered_user(request):
registered_user = get_object_or_404(RegisteredUser, user=request.user)
email = request.data.get("email")
first_name = request.data.get("first_name")
last_name = request.data.get("last_name")
image = request.data.get("image")
registered_user.first_name = first_name
registered_user.last_name = last_name
registered_user.user.email = email
registered_user.image = image
registered_user.save()
registered_user.user.save()
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def update_password(request):
current_password = request.data.get("current_password")
new_password = request.data.get("new_password")
user = request.user
success = user.check_password(current_password)
if success:
user.set_password(new_password)
user.save()
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
else:
return Response(status=status.HTTP_400_BAD_REQUEST)
@api_view(['GET'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def refresh(request):
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
Reference in New Issue View Git Blame Copy Permalink