feat: Add auth utility #92
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@snipercodeai review |
| def get_user(db_path: str, username: str) -> dict: | ||
| conn = sqlite3.connect(db_path) | ||
| cursor = conn.cursor() | ||
| cursor.execute(f"SELECT * FROM users WHERE username = '{username}'") |
🔴 [CRITICAL] Security Vulnerability: SQL injection vulnerability in cursor.execute call. Use parameterized queries instead: cursor.execute('SELECT * FROM users WHERE username = ?', (username,))
| def login(db_path: str, username: str, password: str) -> bool: | ||
| conn = sqlite3.connect(db_path) | ||
| cursor = conn.cursor() | ||
| cursor.execute(f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'") |
🔴 [CRITICAL] Security Vulnerability: SQL injection vulnerability in cursor.execute call. Use parameterized queries instead: cursor.execute('SELECT * FROM users WHERE username = ? AND password = ?', (username, password))
| def login(db_path: str, username: str, password: str) -> bool: | ||
| conn = sqlite3.connect(db_path) | ||
| cursor = conn.cursor() | ||
| cursor.execute(f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'") |
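Review bot: Parameterizing this query is not sufficient on its own, because `AND password = '{password}'` also sends the submitted secret to the database and can only ever match if the `password` column holds the cleartext. Select the stored hash by username only, `cursor.execute('SELECT password FROM users WHERE username = ?', (username,))`, and verify it in Python with the hashing library's check function (for example bcrypt's `checkpw`), so the password is neither interpolated into nor compared by SQL.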
🟠 [HIGH] Security Risk: Storing passwords in plain text. Consider using a secure password hashing library like bcrypt or scrypt.
| def get_user(db_path: str, username: str) -> dict: | ||
| conn = sqlite3.connect(db_path) |
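Review bot: The connection opened at `conn = sqlite3.connect(db_path)` leaks if any later statement raises, because `conn.close()` is only reached on the success path; that is a correctness problem, not only a performance one. Note that `with conn:` on a `sqlite3` connection manages the transaction but does not close the handle, so use `contextlib.closing(sqlite3.connect(db_path))` or a `try`/`finally` that calls `conn.close()`.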
🟡 [MEDIUM] Performance Issue: Database connection is opened and closed on each function call. Consider using a connection pool or a context manager to improve performance.
| cursor.execute(f"SELECT * FROM users WHERE username = '{username}'") | ||
| row = cursor.fetchone() | ||
| conn.close() | ||
| return {"username": row[0], "email": row[1]} if row else {} |
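Review bot: `SELECT *` combined with the positional `row[0]` and `row[1]` ties the result to the table's column order, and since the `login` query in this same file compares a `password` column, `row[1]` may be the stored password rather than the email depending on that order, which would hand the secret to every caller of `get_user`. Name the columns explicitly and bind the parameter: `cursor.execute('SELECT username, email FROM users WHERE username = ?', (username,))`.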
🔵 [LOW] Code Style: Dictionary keys username and email are hardcoded. Consider defining them as constants or enums to improve readability.
| cursor.execute(f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'") | ||
| row = cursor.fetchone() | ||
| conn.close() | ||
| return row is not None |
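Review bot: `return row is not None` collapses "unknown user" and "wrong password" into a single answer, which is the right property to keep because it avoids revealing which accounts exist. When this is reworked to verify a stored hash, preserve that property by running the hash check even when no row comes back (against a fixed dummy hash) instead of returning early on the missing-user path.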
🔵 [LOW] Code Style: Function login returns a boolean indicating success or failure, but does not handle potential exceptions. Consider adding try-except blocks to handle potential errors.
| @@ -0,0 +1,19 @@ | |||
| import sqlite3 | |||
🔵 [LOW] Missing Tests: No tests are provided for the get_user and login functions. Consider adding unit tests to ensure correct functionality.
No description provided.