first commit

2026-01-17 15:21:41 -05:00
commit b93d41c1ae
36 changed files with 3391 additions and 0 deletions
--- a/routes/auth/register.py
+++ b/routes/auth/register.py
@@ -0,0 +1,71 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+from database import get_db
+from models import Account_User, Customer_Customer
+from schemas import UserCreate, UserResponse
+from passlib.context import CryptContext
+from datetime import datetime
+
+pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
+
+def get_password_hash(password):
+    return pwd_context.hash(password)
+
+
+def escape_like_pattern(value: str) -> str:
+    """Escape special characters for SQL LIKE patterns.
+
+    Escapes %, _, and \ which have special meaning in LIKE clauses
+    to prevent SQL injection via wildcards.
+    """
+    # Escape backslash first, then the wildcards
+    return value.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_')
+
+
+router = APIRouter()
+
+@router.post("/register", response_model=UserResponse)
+async def register(user: UserCreate, db: AsyncSession = Depends(get_db)):
+    # Verify passwords match
+    if user.password != user.confirm_password:
+        raise HTTPException(status_code=400, detail="Passwords do not match")
+
+    # Check if customer exists in Customer_Customer table
+    # Escape SQL LIKE wildcards to prevent injection attacks
+    escaped_house_number = escape_like_pattern(user.house_number)
+    customer_result = await db.execute(
+        select(Customer_Customer).where(
+            (Customer_Customer.account_number == user.account_number) &
+            (Customer_Customer.customer_address.like(f'{escaped_house_number} %', escape='\\'))
+        )
+    )
+    customer = customer_result.scalar_one_or_none()
+    if not customer:
+        raise HTTPException(status_code=400, detail="Customer not found with provided account and house number")
+
+    # Check if email already registered
+    result = await db.execute(select(Account_User).where(Account_User.email == user.email))
+    if result.scalar_one_or_none():
+        raise HTTPException(status_code=400, detail="Email already registered")
+
+    username = f"{user.account_number}-{user.house_number}"
+    hashed_password = get_password_hash(user.password)
+    db_user = Account_User(
+        username=username,
+        account_number=user.account_number,
+        house_number=user.house_number,
+        password_hash=hashed_password,
+        member_since=datetime.utcnow(),
+        email=user.email,
+        last_seen=datetime.utcnow(),
+        admin=0,
+        admin_role=0,
+        confirmed=1,
+        active=1,
+        user_id=customer.id
+    )
+    db.add(db_user)
+    await db.commit()
+    await db.refresh(db_user)
+    return db_user