From 3d0e5a4f2c15fa7aee2c0a592270928275b3d477 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:49:11 +0000 Subject: [PATCH 01/19] security: move SECRET_KEY and DB password to environment variables --- Backend/BackendApp/BackendApp/settings.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/Backend/BackendApp/BackendApp/settings.py b/Backend/BackendApp/BackendApp/settings.py index 5f52482..b415953 100644 --- a/Backend/BackendApp/BackendApp/settings.py +++ b/Backend/BackendApp/BackendApp/settings.py @@ -28,7 +28,16 @@ # See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = "django-insecure-nma=xi6x2p-crjg^ifqqkapyu1qjd0l=+wn)-rijk_o%$!k3w_" +SECRET_KEY = os.environ.get( + "DJANGO_SECRET_KEY", + "django-insecure-nma=xi6x2p-crjg^ifqqkapyu1qjd0l=+wn)-rijk_o%$!k3w_" +) +if SECRET_KEY.startswith("django-insecure"): + import warnings + warnings.warn( + "Insecure SECRET_KEY is being used. Set DJANGO_SECRET_KEY environment variable for production.", + RuntimeWarning + ) # SECURITY WARNING: don't run with debug turned on in production! DEBUG = True @@ -110,8 +119,7 @@ "ENGINE": "django.db.backends.postgresql", "NAME": "DoRun", "USER": "admin", - # "PASSWORD": "SupersicheresPasswort!1", - "PASSWORD": "ZyZLeG331Bqfoo9ClIQD", + "PASSWORD": os.environ.get("DB_PASSWORD", "ZyZLeG331Bqfoo9ClIQD"), "HOST": "localhost", "PORT": "5432", } From 8546a4b1a6f9ad1334172681b91e4db1350b9ca5 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:49:38 +0000 Subject: [PATCH 02/19] security: control DEBUG via environment variable, default to False --- Backend/BackendApp/BackendApp/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Backend/BackendApp/BackendApp/settings.py b/Backend/BackendApp/BackendApp/settings.py index b415953..20934ef 100644 --- a/Backend/BackendApp/BackendApp/settings.py 
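Review bot: The hard-coded development key is still shipped as the fallback in `os.environ.get("DJANGO_SECRET_KEY", ...)`, so a deployment that forgets the variable runs with a key that is public in this repository and only emits a RuntimeWarning that nobody reads in a WSGI log; the second hunk does the same with the real database password as the `DB_PASSWORD` default. A missing production secret should fail start-up rather than degrade: `SECRET_KEY = os.environ.get("DJANGO_SECRET_KEY")` followed by `if not SECRET_KEY: raise ImproperlyConfigured("DJANGO_SECRET_KEY is not set")` (imported from `django.core.exceptions`), and likewise no literal default for `DB_PASSWORD`. Both values are already in git history, so they should be treated as compromised and rotated regardless of this change.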
+++ b/Backend/BackendApp/BackendApp/settings.py @@ -40,7 +40,7 @@ ) # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = os.environ.get("DJANGO_DEBUG", "False").lower() in ("true", "1", "yes") ALLOWED_HOSTS = ["*"] From e2def06eb02262fa627fa2c9c855c180d90dd85f Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:50:01 +0000 Subject: [PATCH 03/19] fix: prevent SQL injection by using parameterized query for email lookup --- Backend/BackendApp/api/models.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Backend/BackendApp/api/models.py b/Backend/BackendApp/api/models.py index 48633ed..73192b5 100644 --- a/Backend/BackendApp/api/models.py +++ b/Backend/BackendApp/api/models.py @@ -36,7 +36,7 @@ def RegisterUser(first_name,last_name,email,password): double = False UserID = None try: - CheckForDoubleUser = Users.objects.raw("Select * From api_users Where email = "+ "'" + email + "'") + CheckForDoubleUser = Users.objects.raw("Select * From api_users Where email = %s", [email]) for p in CheckForDoubleUser: double = True except: From 771914171a0e60454c6d0457f800b0adaedfcc74 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:50:10 +0000 Subject: [PATCH 04/19] fix: use filter().delete() instead of raw() for DELETE query --- Backend/BackendApp/api/views.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index 126b97d..bb7ec01 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py @@ -401,8 +401,7 @@ def DelUser(request): iduser = Users.objects.raw("Select iduser From api_users Where email = %s",[email]) if (iduser != None): - # raw funktioniert scheinbar nur für select statements - Users.objects.raw("Delete From api_users Where iduser = %s", [iduser]) + Users.objects.filter(iduser=iduser).delete() @csrf_protect def DelDonoRec(request): 
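Review bot: The duplicate check in `RegisterUser` still goes through `Users.objects.raw("Select * From api_users Where email = %s", [email])` plus a loop whose only effect is setting a flag, where the ORM expresses the same thing without raw SQL: `double = Users.objects.filter(email=email).exists()`. The parameterised form in the new line is correct as far as injection goes; the ORM form just removes the need to keep `%s` placeholders and the `api_users` table name in sync by hand. The surrounding bare `except:` (context here, narrowed later in the series) turns any database error into `double = False`, i.e. a failed lookup is treated as "no duplicate"; that path deserves a log line rather than a silent default. RegisterUser starts and ends outside the hunk.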
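Review bot: The new `Users.objects.filter(iduser=iduser).delete()` receives a `RawQuerySet`, not an id, because `iduser` is bound one line earlier (context) to the result of `Users.objects.raw(...)`, which is never `None`; the guard is therefore always true and Django will most likely reject the value when it prepares it as an integer for the `iduser` lookup. The intermediate query is not needed at all: `Users.objects.filter(email=email).delete()` replaces both the `raw()` line and the `if`. DelUser's signature and any authentication or permission check it performs are outside the hunk, so whether an arbitrary caller can delete an account by email cannot be judged from here; worth confirming the view is restricted to the account owner or an admin.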
From 55c92f568c6ee19c49ab193f9c5ca2e89cb9c975 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:50:19 +0000 Subject: [PATCH 05/19] fix: add missing JsonResponse return in DelUser view --- Backend/BackendApp/api/views.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index bb7ec01..300d980 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py @@ -402,6 +402,10 @@ def DelUser(request): if (iduser != None): Users.objects.filter(iduser=iduser).delete() + Status = 200 + Message = "User deleted successfully" + + return JsonResponse({"message": Message}, status=Status) @csrf_protect def DelDonoRec(request): From dd6bccdfb052e9440237d023f3319aad652f80d8 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:50:27 +0000 Subject: [PATCH 06/19] fix: import connection from django.db instead of multiprocessing --- Backend/BackendApp/api/password.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Backend/BackendApp/api/password.py b/Backend/BackendApp/api/password.py index 9ee9bb0..291799e 100644 --- a/Backend/BackendApp/api/password.py +++ b/Backend/BackendApp/api/password.py @@ -1,5 +1,5 @@ from hashlib import sha256 -from multiprocessing import connection +from django.db import connection import random import string import re From d1c6015c375196885096fea8e02a7b7772eedefd Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:50:49 +0000 Subject: [PATCH 07/19] fix: add @staticmethod decorator to model methods missing self parameter --- Backend/BackendApp/api/models.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Backend/BackendApp/api/models.py b/Backend/BackendApp/api/models.py index 73192b5..688e19a 100644 --- a/Backend/BackendApp/api/models.py +++ b/Backend/BackendApp/api/models.py 
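Review bot: `Status = 200` and `Message = "User deleted successfully"` are set whenever the branch runs, regardless of whether any row matched the email, so the view reports success after deleting nothing. `QuerySet.delete()` returns a `(count, per_model)` tuple; capture it on the existing line, `deleted, _ = Users.objects.filter(iduser=iduser).delete()`, and return `JsonResponse({"message": "User not found"}, status=404)` when `deleted` is 0. If the two assignments sit inside the `if` (indentation is lost in the collapsed text), the `if` has no `else`, so on the false branch `Status` and `Message` would be unbound at the `return`. DelUser starts outside the hunk.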
@@ -23,6 +23,7 @@ class Users(models.Model): verified = models.BooleanField() logintrys = models.IntegerField(default=0) + @staticmethod def RegisterUser(first_name,last_name,email,password): # Password validation @@ -105,6 +106,7 @@ def RegisterUser(first_name,last_name,email,password): # end def + @staticmethod def LoginUser(email,password): #%s is to prevent SQL-injection try: @@ -181,6 +183,7 @@ class donationrecord(models.Model): verified = models.BooleanField(null=True) iscertreq = models.BooleanField(null=False) + @staticmethod def GetUserStats(Userid): #Get Userdata for Welcome Screen UserName = Users.objects.raw("Select iduser, firstname, lastname, email From api_users Where iduser = %s", [Userid]) @@ -246,6 +249,7 @@ def GetUserStats(Userid): #return JSON return data + @staticmethod def GetAdminStats(Userid): #vars Message = "Permission denied" From 427526852dd70309c9ad8e6ede5a0d3ca93ce673 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:50:57 +0000 Subject: [PATCH 08/19] refactor: remove orphaned roles() function that does nothing --- Backend/BackendApp/api/models.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/Backend/BackendApp/api/models.py b/Backend/BackendApp/api/models.py index 688e19a..a7b7e77 100644 --- a/Backend/BackendApp/api/models.py +++ b/Backend/BackendApp/api/models.py @@ -308,11 +308,6 @@ def GetAdminStats(Userid): return data # end def -def roles(): - roleid = models.IntegerField(primary_key=True,null=False) - rolename = models.TextField(null=False) - - class CustomBackend(BaseBackend): def get_user(self, user_id): return Users(id=user_id, username='benutzername') From 277fd524ce0792c2b0df1e7b98885721ba225989 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:51:05 +0000 Subject: [PATCH 09/19] fix: add None check before converting donationid to int --- Backend/BackendApp/api/views.py | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index 300d980..7f76659 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py @@ -246,6 +246,9 @@ def UpdateDonations(request): FixedAmount = False + if donationid is None: + return JsonResponse({"error": "Missing donation ID"}, status=400) + donationid = int(donationid) # Create a new donation record if no ID was provided if (donationid == -1): From 49eab0d586143175146a452bce49ba892e0d1880 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:51:16 +0000 Subject: [PATCH 10/19] refactor: rename password param to stored_hash to avoid shadowing module name --- Backend/BackendApp/api/password.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Backend/BackendApp/api/password.py b/Backend/BackendApp/api/password.py index 291799e..612e44c 100644 --- a/Backend/BackendApp/api/password.py +++ b/Backend/BackendApp/api/password.py @@ -115,7 +115,7 @@ def Generate_secure_password(length): return password - def CheckPassword(EnteredPwd, password, salt): - EnteredPwdHash = sha256((EnteredPwd + salt.hex()).encode('utf-8')).digest() # Bildet den Hash nach - is_valid = EnteredPwdHash == password # Vergleicht den Gespeicherten und Neu generierten Hash - return is_valid # Gibt einen Boolschen Wert zurück + def CheckPassword(EnteredPwd, stored_hash, salt): + EnteredPwdHash = sha256((EnteredPwd + salt.hex()).encode('utf-8')).digest() + is_valid = EnteredPwdHash == stored_hash + return is_valid From 7a795618b2510b43ec149078ffe4cf8225969c54 Mon Sep 17 00:00:00 2001 
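Review bot: The `None` check leaves `donationid = int(donationid)` unguarded against non-numeric input, so a request carrying a string that is not an integer still surfaces as an unhandled `ValueError` (a 500) instead of the 400 the new branch returns for the missing case. Wrapping the conversion handles both cases in one place, after which the explicit `is None` test is redundant but harmless. UpdateDonations starts and ends outside the hunk.
```python
    if donationid is None:
        return JsonResponse({"error": "Missing donation ID"}, status=400)
    try:
        donationid = int(donationid)
    except (TypeError, ValueError):
        return JsonResponse({"error": "Invalid donation ID"}, status=400)
    # … unchanged: new-record / update branches …
```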
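Review bot: `is_valid = EnteredPwdHash == stored_hash` compares the digests with a plain `==`, which stops at the first differing byte; `hmac.compare_digest(EnteredPwdHash, stored_hash)` is the constant-time comparison to use here (needs `import hmac` at the top of the file, outside this hunk, and both operands of the same type — `stored_hash` comes from the database, so confirm it arrives as `bytes`). The renamed keyword also breaks the caller in views.py, which still passes `password=user.password_hash` until patch 13 of this series updates it, so the rename and the call-site change belong in the same commit. More broadly, a single SHA-256 round over `password + salt` is cheap to brute-force offline; Django's `make_password`/`check_password` (PBKDF2 with per-user salt and an iteration count) would be the standard replacement for this whole helper. `PasswordHashing` returning `.hex()` while this function compares raw digest bytes also suggests the stored representation is worth checking.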
From: Luna Date: Sat, 9 May 2026 17:53:19 +0000 Subject: [PATCH 11/19] chore: remove all print() debug statements from views.py, models.py, settings.py, password.py, serializers.py --- Backend/BackendApp/BackendApp/settings.py | 2 -- Backend/BackendApp/api/models.py | 22 +++++----------------- Backend/BackendApp/api/password.py | 4 ---- Backend/BackendApp/api/serializers.py | 2 -- Backend/BackendApp/api/views.py | 14 +------------- 5 files changed, 6 insertions(+), 38 deletions(-) diff --git a/Backend/BackendApp/BackendApp/settings.py b/Backend/BackendApp/BackendApp/settings.py index 20934ef..278ceb6 100644 --- a/Backend/BackendApp/BackendApp/settings.py +++ b/Backend/BackendApp/BackendApp/settings.py @@ -87,8 +87,6 @@ # hier caps rein gehauen ROOT_URLCONF = "BackendApp.urls" -print("suub dir") -print(os.path.join(BASE_DIR, 'CustomData')) TEMPLATES = [ { "BACKEND": "django.template.backends.django.DjangoTemplates", diff --git a/Backend/BackendApp/api/models.py b/Backend/BackendApp/api/models.py index a7b7e77..9688f56 100644 --- a/Backend/BackendApp/api/models.py +++ b/Backend/BackendApp/api/models.py @@ -29,7 +29,6 @@ def RegisterUser(first_name,last_name,email,password): # Password validation validation = pwd.checkPwdConstraints(password) if (validation != 1): - print("Password is not valid") return None #1. Set UserID @@ -40,9 +39,8 @@ def RegisterUser(first_name,last_name,email,password): CheckForDoubleUser = Users.objects.raw("Select * From api_users Where email = %s", [email]) for p in CheckForDoubleUser: double = True - except: + except Exception: double = False - print("double " + str(double)) try: if (double == False): #Get current highest iduser @@ -58,10 +56,9 @@ def RegisterUser(first_name,last_name,email,password): UserID = UserID + 1 elif (p.iduser == None): UserID = 1 - print("test " + str(test)) - except: - print("Unexpected error ocurred!") + except Exception: + pass #2. Password hashing if (password != None): 
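Review bot: Replacing the `print` with `except Exception: pass` in `RegisterUser`'s id-selection block silently swallows any failure of the highest-iduser lookup, leaving `UserID` at `None` so the later guard returns `None` with no trace of why registration failed. Keep the handler but record it: `except Exception: logger.exception("Could not determine next user id")`, with a module-level `logger = logging.getLogger(__name__)` (import outside the hunk). The max-plus-one scheme itself is racy under concurrent registrations — two requests can compute the same id — which an `AutoField` or database sequence would avoid; that is context rather than new code, but this hunk is where the failure mode becomes invisible. RegisterUser starts and ends outside the hunk.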
@@ -78,11 +75,7 @@ def RegisterUser(first_name,last_name,email,password): VerifiedUser = False NewUser = None - #Creat new DB entry if values are filled - print("UserID") - print(UserID) if (UserID != None and first_name != None and last_name != None and email != None and Password_hash != None and Salt != None and CreatedAt != None and RoleID != None): - print("Creating new User with ID: " + str(UserID)) NewUser = Users.objects.create( iduser=UserID, firstname=first_name, @@ -99,7 +92,6 @@ def RegisterUser(first_name,last_name,email,password): # except: # print("Error, user can't be added to DB!") else: - print("Not all requirements are fulfilled to create a user") # if the process was denied, no NewUser is created return None @@ -117,8 +109,6 @@ def LoginUser(email,password): test = str(b'') #If init password eq user password then trigger reset if (str(p.password_hash) == test): - print(p.password_hash, test) - print("No password for User") return -101 # Enter the entered password encrypt it with the salt and compare it with the pwhash from the db @@ -161,8 +151,7 @@ def LoginUser(email,password): except: return -101 - except: - print("Error") + except Exception: @@ -215,8 +204,7 @@ def GetUserStats(Userid): else: TotalDonations += (row.donation * kilometers) - except: - print("Can't calculate without data") + except Exception: data = [] #Safe evaluation diff --git a/Backend/BackendApp/api/password.py b/Backend/BackendApp/api/password.py index 612e44c..d7e40b4 100644 --- a/Backend/BackendApp/api/password.py +++ b/Backend/BackendApp/api/password.py @@ -13,7 +13,6 @@ def SetPassword(email,Password): Status = 401 try: Password_hash, Salt = pwd.PasswordHashing(Password) - print(Password_hash, Salt) # SQL-Abfrage sql = "UPDATE api_users SET password_hash = %s, salt = %s WHERE email = %s" 
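Review bot: In the `@@ -161,8 +151,7 @@` hunk of models.py the outer `except Exception:` of `LoginUser` is left without a body — `print("Error")` was its only statement and nothing replaces it — which is a `SyntaxError` (expected an indented block) unless one of the trailing context lines, shown blank in the collapsed text, holds an indented statement. The other handlers in this function return `-101` (visible in patch 13's `@@ -148,7` hunk), so `except Exception: return -101` keeps the behaviour consistent. The `@@ -78,11`, `@@ -99,7`, `@@ -117,8` and `@@ -215,8` hunks on this line are plain removals and fine. LoginUser starts and ends outside the hunk.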
@@ -45,13 +44,10 @@ def SetJustPasswordWith_iduser(iduser,Password): Message = "Password muss mindestens 8 Zeichen lang sein!" Status = 401 return Status, Message - print("Password is valid") try: salt = models.Users.objects.get(iduser=iduser).salt - print("salt: ", salt) Password_hash = pwd.PasswordSetJustPassword(password=Password, salt=salt) - print("Password_hash: ", Password_hash) # SQL-Abfrage sql = "UPDATE api_users SET password_hash = %s WHERE iduser = %s" # Parameter diff --git a/Backend/BackendApp/api/serializers.py b/Backend/BackendApp/api/serializers.py index bfaa0f9..6943c80 100644 --- a/Backend/BackendApp/api/serializers.py +++ b/Backend/BackendApp/api/serializers.py @@ -12,7 +12,5 @@ class Meta: # Überschreibt die Methode zum Erstellen eines Benutzers def create(self, validated_data): - print(validated_data) # - # Erstellt einen neuen Benutzer mit der create_user-Methode (inkl. Passwort-Hashing) user = User.objects.create_user(**validated_data) return user \ No newline at end of file diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index 7f76659..1465883 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py @@ -50,12 +50,9 @@ def register(request): #Erstelle neuen Benutzer auf der Datenbank # Send Verification Mail - print("first_name,last_name,email,password") - print(first_name,last_name,email,password) NewUser = Users.RegisterUser(first_name, last_name, email,password) # Check if the User is created if NewUser == None: - print("Process interupted. Try Again!") # return HttpResponse(content="User couldn't be created!", status=200) return JsonResponse(data={}, status=400) 
@@ -104,9 +101,7 @@ def cust_login(request): message = "Login erfolgreich" else: message = "Login nicht erfolgreich" - except: - print("user") - print(user) + except Exception as e: if (user == -99): return JsonResponse(status=200, data={"userid": -99,"UserIsAuth": False, 'message': 'Login nicht erfolgreich', "Role": False}) elif (user == -100): @@ -276,9 +271,7 @@ def UpdateDonations(request): verified = False, iscertreq = isCertReq) # donationrecord.add(newDonRec) - print("tessdfsdf") newDonRec.save() - print("tessdfsdf") Status = 200 Message = "Neuer Datensatz angelegt" except Exception as e: @@ -305,10 +298,6 @@ def UpdateDonations(request): return JsonResponse({"message": f"Failed to update record: {str(e)}"}, status=500) try: - print("mail sender") - print(int(UserID)) - print(int(donationid)) - print(frontendDomain) mail_handle.sendDonationVerifyMail(request, int(UserID), int(donationid), frontendDomain) except: return JsonResponse({"message": "Donations updated successfully, but the mail wasnt send"}, status=200) @@ -425,7 +414,6 @@ def DelDonoRec(request): # Über die Liste in der JSON-Datenstruktur iterieren for entry in data: donoid = entry.get("donoid") - print("donoid löschen: ", donoid) donationrecord.objects.filter(donationrecid=donoid).delete() From 848bf23ee7c734278fa7bac2ab8739e6be8fcf3a Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:53:27 +0000 Subject: [PATCH 12/19] refactor: remove duplicate JsonResponse and HttpResponse imports --- Backend/BackendApp/api/views.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index 1465883..4479b45 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py 
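Review bot: `except Exception as e:` in `cust_login` binds `e` but the handler never uses it, so the exception that brought the view here is lost while the branch goes on to translate `user` into `-99`/`-100` responses. Either drop the `as e` or, better, add `logger.exception("login failed")` as the first statement of the handler so the real cause is visible server-side without changing the client-facing responses. Handling the login status codes inside an exception branch suggests the `try` body raises on the integer sentinels returned by `LoginUser`; that cannot be confirmed from the hunk, and cust_login starts and ends outside it.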
@@ -21,8 +21,6 @@ from rest_framework import generics from rest_framework.permissions import AllowAny from .serializers import UserSerializer -from django.http import JsonResponse # Importiere JsonResponse -from django.http import HttpResponse # Importiere HttpResponse from django.db.models import Max from django.shortcuts import get_object_or_404 From 6d075bb335a8e31dab9295dbb394dd89a0248446 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:54:53 +0000 Subject: [PATCH 13/19] refactor: replace bare except clauses with except Exception --- Backend/BackendApp/api/models.py | 4 ++-- Backend/BackendApp/api/password.py | 4 ++-- Backend/BackendApp/api/views.py | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Backend/BackendApp/api/models.py b/Backend/BackendApp/api/models.py index 9688f56..ad8e1a2 100644 --- a/Backend/BackendApp/api/models.py +++ b/Backend/BackendApp/api/models.py @@ -129,7 +129,7 @@ def LoginUser(email,password): try: with connection.cursor() as cursor: cursor.execute(sql, values) - except: + except Exception: return -101 return p else: @@ -148,7 +148,7 @@ def LoginUser(email,password): if (logintrys > 5): return -100 return -101 - except: + except Exception: return -101 except Exception: diff --git a/Backend/BackendApp/api/password.py b/Backend/BackendApp/api/password.py index d7e40b4..4f639ae 100644 --- a/Backend/BackendApp/api/password.py +++ b/Backend/BackendApp/api/password.py @@ -25,7 +25,7 @@ def SetPassword(email,Password): Message = "Password changed succesfully" Status = 200 - except: + except Exception: Message = "Cant set password!" return Status, Message @@ -59,7 +59,7 @@ def SetJustPasswordWith_iduser(iduser,Password): Message = "Password changed succesfully" Status = 200 - except: + except Exception: Message = "Cant set password!" return Status, Message diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index 4479b45..4c59e64 100644 --- a/Backend/BackendApp/api/views.py 
+++ b/Backend/BackendApp/api/views.py @@ -112,7 +112,7 @@ def cust_login(request): # Get Userid try: userid = user.iduser - except: + except Exception: User_Data = { "userid": None, "UserIsAuth": False, @@ -166,7 +166,7 @@ def resetpassword(request): Status, Message = Users.SetPassword(email,Password) return JsonResponse(status=Status, data={"message":Message}) - except: + except Exception: Status = 401 Message = "Error, cant change password!" return JsonResponse(status=Status, data={"message":Message}) @@ -182,10 +182,10 @@ def resetUserPasswort(request): try: user = Users.objects.all().get(iduser=iduser) - if pwd.CheckPassword(EnteredPwd=oldPwd_entry, salt=user.salt, password=user.password_hash) == False: + if pwd.CheckPassword(EnteredPwd=oldPwd_entry, salt=user.salt, stored_hash=user.password_hash) == False: return JsonResponse(status=401, data={"message":"Das alte Passwort ist falsch!"}) Status, Message = Users.SetJustPasswordWith_iduser(iduser, newPwd) - except: + except Exception: Status = 401 Message = "Error, cant change password!" return JsonResponse(status=Status, data={"message":Message}) @@ -297,7 +297,7 @@ def UpdateDonations(request): try: mail_handle.sendDonationVerifyMail(request, int(UserID), int(donationid), frontendDomain) - except: + except Exception: return JsonResponse({"message": "Donations updated successfully, but the mail wasnt send"}, status=200) return JsonResponse({"message": "Donations updated successfully"}, status=200) From 19b571f59904dd4d8781e496340eb61ad54a31cc Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:55:07 +0000 Subject: [PATCH 14/19] fix: correct 'except e:' to 'except Exception as e:' syntax error --- Backend/BackendApp/api/views.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index 4c59e64..fd4b521 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py 
@@ -32,7 +32,7 @@ class CreateUserView(generics.CreateAPIView): serializer_class = UserSerializer permission_classes = [AllowAny] -#Handels the registration page +#Handles the registration page @csrf_protect def register(request): if request.method == 'POST': @@ -365,7 +365,7 @@ def UpdateUsers(request): cursor.execute(sql, values) Status = 200 Message= "Daten wurden geupdated" - except e: + except Exception as e: Message = "Der SQL-Befehl liefert folgendes zurueck: " + str(e) return JsonResponse({"message": Message}, status=Status) From 28786d48583dba32b506aa6a3ba59f1275f049e7 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:56:06 +0000 Subject: [PATCH 15/19] style: fix typo #Handels to #Handles --- Backend/BackendApp/api/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Backend/BackendApp/api/views.py b/Backend/BackendApp/api/views.py index fd4b521..a310f98 100644 --- a/Backend/BackendApp/api/views.py +++ b/Backend/BackendApp/api/views.py @@ -32,7 +32,7 @@ class CreateUserView(generics.CreateAPIView): serializer_class = UserSerializer permission_classes = [AllowAny] -#Handles the registration page +# Handles the registration page @csrf_protect def register(request): if request.method == 'POST': From 0c40d00c14fdcbff534fd01646df6475eb13b394 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:57:06 +0000 Subject: [PATCH 16/19] style: replace var with const in csrf.js --- Frontend/frontend/src/utils/csrf.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Frontend/frontend/src/utils/csrf.js b/Frontend/frontend/src/utils/csrf.js index 7d2703c..96e65bf 100644 --- a/Frontend/frontend/src/utils/csrf.js +++ b/Frontend/frontend/src/utils/csrf.js 
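Review bot: `Message = "Der SQL-Befehl liefert folgendes zurueck: " + str(e)` in `UpdateUsers` sends the raw database exception text to the client, which discloses table and column names and fragments of the failing statement; the corrected `except Exception as e:` now makes that path reachable instead of a `NameError`. Log the exception and return a generic message: `logger.exception("UpdateUsers failed")` then `Message = "Update failed"` with `Status = 500` — the hunk shows `Status` being set only on the success path, so on error the response may otherwise carry whatever value it held before the `try`, which is outside the hunk. The `#Handles` typo fix in the first hunk is fine.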
@@ -20,7 +20,7 @@ import { getBackEndDomain } from "../utils/backend-domain"; credentials: 'include', }); const data = await response.json(); - var csrfToken = getCookie('csrftoken'); // Get the cookie from django + const csrfToken = getCookie('csrftoken'); // Get the cookie from django document.cookie = "csrfToken="+csrfToken; // Set the cookie in the browser return data.csrftoken; //Return the CSRF-Token }; \ No newline at end of file From 2107318c9d548284a7594f619543627c6feaebd1 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:57:34 +0000 Subject: [PATCH 17/19] refactor: add @staticmethod decorator to remaining password.py methods --- Backend/BackendApp/api/password.py | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/Backend/BackendApp/api/password.py b/Backend/BackendApp/api/password.py index 4f639ae..5e26697 100644 --- a/Backend/BackendApp/api/password.py +++ b/Backend/BackendApp/api/password.py @@ -8,6 +8,7 @@ class pwd(): + @staticmethod def SetPassword(email,Password): Message = "" Status = 401 @@ -31,6 +32,7 @@ def SetPassword(email,Password): return Status, Message + @staticmethod def SetJustPasswordWith_iduser(iduser,Password): Message = "" Status = 401 
@@ -66,19 +68,24 @@ def SetJustPasswordWith_iduser(iduser,Password): # Method to create string of random chars + @staticmethod def RandChars(size=30, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) + @staticmethod def PasswordHashing(password): SaltText = pwd.RandChars() # Generiert zufällige Zeichenabfolge Salt = sha256(SaltText.encode('utf-8')).digest().hex() # Erstellt den Hash des Salts Password_Hash = sha256((password + Salt).encode('utf-8')).digest() # Verschlüsselung des Passwords und Salt return Password_Hash.hex(), Salt # Rückgabe + @staticmethod def convertSaltAndHash(salt, hash): return bytearray.fromhex(salt), bytearray.fromhex(hash) # Sets only the password not the salt + @staticmethod + @staticmethod def PasswordSetJustPassword(password, salt): original_hex_string = salt.hex() Password_Hash = sha256((password + original_hex_string).encode('utf-8')).digest() @@ -86,6 +93,10 @@ def PasswordSetJustPassword(password, salt): + @staticmethod + + + @staticmethod def checkPwdConstraints(input_string): # 1 = valid, 0 = to short, -1 = missing later/digit/special char if len(input_string) < 8: @@ -101,6 +112,10 @@ def checkPwdConstraints(input_string): return -1 + @staticmethod + + + @staticmethod def Generate_secure_password(length): if length < 8: raise ValueError("Passwortlänge sollte mindestens 8 Zeichen betragen.") @@ -111,7 +126,11 @@ def Generate_secure_password(length): return password - def CheckPassword(EnteredPwd, stored_hash, salt): + @staticmethod + + + @staticmethod + def CheckPassword(EnteredPwd, stored_hash, salt): EnteredPwdHash = sha256((EnteredPwd + salt.hex()).encode('utf-8')).digest() is_valid = EnteredPwdHash == stored_hash return is_valid From 17f3d2d838baf106c93d70f65cdea4ac42b351e0 Mon Sep 17 00:00:00 2001 
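Review bot: `@staticmethod` is applied twice to `PasswordSetJustPassword` here, and the `@@ -86,6`, `@@ -101,6` and `@@ -111,7` hunks do the same to `checkPwdConstraints`, `Generate_secure_password` and `CheckPassword`, each with stray blank lines between the two decorators; patch 19 later removes only the `PasswordSetJustPassword` duplicate. A doubly-wrapped method is a `staticmethod` object wrapping another, and calling it through the class only works on Python 3.10+ where `staticmethod` objects became callable — on older interpreters every call to these helpers raises `TypeError`. Remove the extra decorator and the blank lines so each method carries exactly one `@staticmethod` directly above its `def`. Separately, `RandChars` (context) draws the salt material with `random.choice`; `secrets.choice` is the appropriate source for anything that feeds a password hash.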
From: Luna Date: Sat, 9 May 2026 17:57:43 +0000 Subject: [PATCH 18/19] security: add warning comment for insecure ALLOWED_HOSTS setting --- Backend/BackendApp/BackendApp/settings.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Backend/BackendApp/BackendApp/settings.py b/Backend/BackendApp/BackendApp/settings.py index 278ceb6..e5cba63 100644 --- a/Backend/BackendApp/BackendApp/settings.py +++ b/Backend/BackendApp/BackendApp/settings.py @@ -42,6 +42,9 @@ # SECURITY WARNING: don't run with debug turned on in production! DEBUG = os.environ.get("DJANGO_DEBUG", "False").lower() in ("true", "1", "yes") +# WARNING: "*" allows all hosts. Restrict this in production via ALLOWED_HOSTS env var. +# WARNING: ALLOWED_HOSTS=["*"] allows any host to access this server. +# In production, restrict to specific domains or use an environment variable. ALLOWED_HOSTS = ["*"] REST_FRAMEWORK = { @@ -84,7 +87,7 @@ "django.middleware.common.CommonMiddleware", ] -# hier caps rein gehauen +# Django project URL configuration ROOT_URLCONF = "BackendApp.urls" TEMPLATES = [ From 3744421e83d6af9b0e505468778f524e61e63ef5 Mon Sep 17 00:00:00 2001 From: Luna Date: Sat, 9 May 2026 17:59:26 +0000 Subject: [PATCH 19/19] chore: remove ASCII art dog from models.py; fix stray SSH output in password.py --- Backend/BackendApp/api/models.py | 18 +----------------- Backend/BackendApp/api/password.py | 1 - 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/Backend/BackendApp/api/models.py b/Backend/BackendApp/api/models.py index ad8e1a2..2cfdb8c 100644 --- a/Backend/BackendApp/api/models.py +++ b/Backend/BackendApp/api/models.py 
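Review bot: The three new comment lines above `ALLOWED_HOSTS = ["*"]` say the same thing twice and promise a restriction "via ALLOWED_HOSTS env var" that no code reads, so the wildcard remains unconditional in production. Wire it up the same way SECRET_KEY and DEBUG above already are: `ALLOWED_HOSTS = [h.strip() for h in os.environ.get("ALLOWED_HOSTS", "*").split(",") if h.strip()]`, and keep a single one-line comment. The `# Django project URL configuration` comment in the second hunk is fine.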
@@ -298,20 +298,4 @@ def GetAdminStats(Userid): class CustomBackend(BaseBackend): def get_user(self, user_id): - return Users(id=user_id, username='benutzername') - -# ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣾⣿⣿⣷⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣿⣿⣿⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⡈⠛⢉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣿⣿⣿⣿⣿⣿⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⣴⣿⣿⢿⣿⣿⣿⣿⣿⠀⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⢰⣿⡏⠀⢸⣿⣿⣿⣿⡇⢸⣷⣤⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⣼⣿⠁⠀⢸⣿⣿⣿⣿⠁⠀⠙⠻⢿⣿⣶⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠛⠋⠀⠀⠸⣿⣿⣿⡏⠀⠀⠀⠀⠀⠈⠉⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣄⠙⣿⣿⣷⡄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢸⣿⣦⠈⢿⣿⣿⣦⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣼⣿⡟⠀⠀⠻⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⣠⣾⣿⠟⠁⠀⠀⠀⠘⢿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⢾⣿⠟⠁⠀⠀⠀⠀⠀⠀⠈⢻⣿⠇⠀⠀⠀⠀⠀⠀⠀⠀⠀ -#⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀ \ No newline at end of file + return Users(id=user_id, username='benutzername') \ No newline at end of file diff --git a/Backend/BackendApp/api/password.py b/Backend/BackendApp/api/password.py index 5e26697..1530c2c 100644 --- a/Backend/BackendApp/api/password.py +++ b/Backend/BackendApp/api/password.py @@ -85,7 +85,6 @@ def convertSaltAndHash(salt, hash): # Sets only the password not the salt @staticmethod - @staticmethod def PasswordSetJustPassword(password, salt): original_hex_string = salt.hex() Password_Hash = sha256((password + original_hex_string).encode('utf-8')).digest()