Description
It appears the front-end is passing plaintext passwords to the backend server where they are hashed before being stored in the database. This is not very secure since the password is sent in plaintext and the server has access to plaintext passwords that could end up in logs.
Steps to Reproduce
No response
Relevant Code
CCAI-Demo/multi_llm_chatbot_backend/app/core/auth.py
Lines 64 to 71 in 62a6005
```python
from typing import Optional

# `User`, `get_user_by_email` and `verify_password` are defined elsewhere in the project.
async def authenticate_user(email: str, password: str) -> Optional[User]:
    """Authenticate user with email and password"""
    # `password` is the plaintext value received from the frontend; verify_password
    # hashes it and compares the result against the stored hash.
    user = await get_user_by_email(email)
    if not user:
        return None
    if not verify_password(password, user.hashed_password):
        return None
    return user
```
Other Notes
This requires moving password hashing to the frontend application. Since frontend and backend are being maintained together in this one repository, we should not worry about maintaining backwards-compat.
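As an added example (not code from the CCAI-Demo project or from the issue author): one way to implement the client-side hashing the issue proposes without weakening the stored credentials. The frontend derives a PBKDF2 prehash from the password, with a salt derived from the normalised email so it can be recomputed without a server round-trip, and sends that instead of the plaintext. The backend then hashes the received prehash again with scrypt and a random per-user salt before storing it, and verifies with a constant-time comparison. Two caveats a practitioner would want: the prehash is itself a replayable credential, so TLS and log redaction are still required for it; and the server-side second hash is what keeps a leaked database from being a list of directly usable login tokens. `User`, `get_user_by_email` and `authenticate_user` mirror the names in the snippet above but are re-implemented here, the store is an in-memory dict standing in for the database, and the salt prefix, iteration count and scrypt parameters are assumed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# --- Client side (what the frontend would compute; simulated here in Python) ---

CLIENT_PBKDF2_ITERATIONS = 100_000  # assumed value; tune to the frontend's CPU budget


def client_prehash(email: str, password: str) -> str:
    """Derive the value the frontend sends in place of the plaintext password.

    The salt comes from the normalised email so the client can recompute it
    without asking the server. The result is still a credential: send it only
    over TLS and never write it to logs.
    """
    salt = hashlib.sha256(b"client-prehash-v1:" + email.strip().lower().encode()).digest()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_PBKDF2_ITERATIONS)
    return dk.hex()


# --- Server side ---

@dataclass
class User:
    email: str
    hashed_password: str  # "scrypt$<n>$<r>$<p>$<salt_hex>$<hash_hex>"


_USERS: Dict[str, User] = {}  # constructed in-memory store standing in for the database

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed parameters


def hash_prehash(prehash: str, salt: Optional[bytes] = None) -> str:
    """Hash the client-supplied prehash again with a random per-user salt.

    Without this step the database row would be exactly the value the client
    sends, i.e. a reusable login token; with it, a leaked row still requires a
    slow brute-force attack.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(prehash.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_prehash(prehash: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        dk = hashlib.scrypt(prehash.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed rather than raise
    return hmac.compare_digest(dk.hex(), hash_hex)


def register_user(email: str, prehash: str) -> User:
    """Store a new user; only the prehash, never the plaintext, reaches this code."""
    user = User(email=email, hashed_password=hash_prehash(prehash))
    _USERS[email] = user
    return user


def get_user_by_email(email: str) -> Optional[User]:
    return _USERS.get(email)


def authenticate_user(email: str, prehash: str) -> Optional[User]:
    """Same shape as the project's authenticate_user, but the second argument
    is the client prehash, so the plaintext password never reaches the server."""
    user = get_user_by_email(email)
    if not user:
        return None
    if not verify_prehash(prehash, user.hashed_password):
        return None
    return user


if __name__ == "__main__":
    wire_value = client_prehash("alice@example.com", "correct horse battery staple")
    register_user("alice@example.com", wire_value)
    print("login ok:", authenticate_user("alice@example.com", wire_value) is not None)
    print("wrong password:", authenticate_user("alice@example.com",
                                               client_prehash("alice@example.com", "wrong")))
```

Note that the stored record differs from the wire value and from any other registration of the same prehash (fresh salt each time), and that an unknown email and a malformed record both fail closed.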