Feat/secure authentication#395

Open
Q1009 wants to merge 15 commits into OpenClassrooms-Student-Center:master from Q1009:feat/secure-authentication

Conversation

@Q1009 Q1009 commented Jun 26, 2026

  1. User session on the server
  • Added session support in server.py.
  • On login through POST /showSummary, the club email and name are stored in session.
  • Added centralized access helpers with getLoggedClub() and requireLogin().
  • logout now clears the session with session.clear().
  • Added a logoutAndRedirect() helper to centralize logout before returning to the index.
  • Added a GET /dashboard route to return to the user page after login.
  2. Protected routes
  • GET /book// now requires a session.
  • POST /purchasePlaces now requires a session.
  • If the user is not logged in, the app flashes "Please log in first." and redirects to the home page after clearing the session.
  • Redirects to the index now log the user out to avoid keeping an inconsistent session state.
  3. Booking and purchase flow hardening
  • In booking.html, the hidden club field was removed.
  • The booking_key is now built from the session club in server.py, which prevents form spoofing.
  • Booking now uses the session club as the source of truth.
  4. Navigation and user display
  • Added a navigation menu in welcome.html and booking.html.
  • The points board link and logout action are grouped in that menu.
  • The "Logged in as" indicator is displayed under the page title, outside the navigation menu.
  • In points_board.html, the back link now depends on session state:
    • logged-in user: back to the dashboard
    • no logged-in user: back to the index
  • index.html was simplified and now includes the points board link in the navigation.
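The session-as-source-of-truth purchase flow described in this pull request, together with the validation rules the commits list (12-place cumulative cap, zero/negative places, insufficient places or points, unbookable competition), reimplemented framework-free as an added example; this is not the project's server.py or utils code. It assumes the session is a plain dict holding the club email, that the clubs/competitions data keeps points and places as strings, and that one club point is spent per place; the sample data is constructed.

```python
from datetime import datetime

MAX_PLACES = 12  # cumulative cap per (club, competition) pair
# Constructed sample data, not the project's real clubs/competitions files.
CLUBS = [{"name": "Example Club", "email": "club@example.test", "points": "10"}]
COMPETITIONS = [{"name": "Open Cup", "date": "2026-06-01 10:00:00", "numberOfPlaces": "8"}]

def getLoggedClub(session, clubs):
    # The club is resolved from the server-side session only, never from form data.
    return next((c for c in clubs if c["email"] == session.get("email")), None)

def isCompetitionBookable(competition, now):
    # Bookable only if the competition is in the future and still has places.
    try:
        date = datetime.strptime(competition["date"], "%Y-%m-%d %H:%M:%S")
        return date > now and int(competition["numberOfPlaces"]) > 0
    except (KeyError, TypeError, ValueError):
        return False

def isBookingValid(club, competition, places, already_booked=0):
    # Returns (ok, message). Assumes one club point is spent per place (assumption).
    try:
        points, available, places = int(club["points"]), int(competition["numberOfPlaces"]), int(places)
    except (KeyError, TypeError, ValueError):
        return False, "Invalid booking request."
    if places <= 0:
        return False, "You must book at least one place."
    if already_booked + places > MAX_PLACES:
        return False, f"You cannot book more than {MAX_PLACES} places per competition."
    if places > min(available, points):
        return False, "Not enough places left in this competition, or not enough club points."
    return True, ""

def purchasePlaces(session, clubs, competitions, competition_name, places, bookings, now):
    # Session club is the source of truth; state changes only after every check passes.
    club = getLoggedClub(session, clubs)
    if club is None:
        return False, "Please log in first."
    competition = next((c for c in competitions if c["name"] == competition_name), None)
    if competition is None or not isCompetitionBookable(competition, now):
        return False, "This competition cannot be booked."
    key = (club["name"], competition["name"])  # built from the session, not a hidden field
    ok, message = isBookingValid(club, competition, places, bookings.get(key, 0))
    if not ok:
        return False, message
    places = int(places)
    club["points"] = str(int(club["points"]) - places)
    competition["numberOfPlaces"] = str(int(competition["numberOfPlaces"]) - places)
    bookings[key] = bookings.get(key, 0) + places  # cumulative counter persisted only on success
    return True, f"Great, booking complete! {places} place(s) purchased."
```

Because the club name in the booking key comes from the session, a request that carries a different club name in its form data cannot spend another club's points, and a failed check leaves points, places and the cumulative counter untouched.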

Quentin Tellier added 15 commits June 1, 2026 19:08
…ls in the utils module. Implementation of unit tests for the utils functions. Display of flash messages in the index template. Creation of the utils functions for login.
- move route registration into create_app
- inject clubs and competitions into the app factory for tests
- use current_app.config inside route handlers
- add pytest warning filters for Flask/Werkzeug deprecations
- Replace fragile [0] indexing with safe getClubByName/getCompetitionByName
  lookups in /book route
- Validate config data presence and handle missing club/competition separately
- Make JSON loaders return None on errors (OSError, JSONDecodeError, KeyError)
- Add helper functions for safe dictionary lookups
- Update corresponding unit tests to match new None-return behavior
harden the purchase route when clubs/competitions data is missing or invalid
replace fragile list indexing with safe lookup helpers
add getClubPoints/getCompetitionPlaces with invalid-input handling
add validateBooking to enforce available club points checks
display flash messages on the booking page when validation fails
update available places only after successful validation
- Update flash message to display the number of places purchased
- Remove unnecessary blank lines
…nstraints

- Implement dynamic max value for booking input based on club points, available places, and 12-place cap
- Add HTML5 validation (min, required) and disable submit when no booking possible
- Add server-side validation to reject requests exceeding 12-place limit
…elcome

- Add isCompetitionBookable utility function to check if competition can be booked
- Implement buildCompetitionsView to add canBook flag to competitions
- Hide Book Places link when competition is no longer bookable
- Protect /book route to prevent bypassing via direct URL
- Fix welcome page header to show club name instead of email
- Update mock competition dates to 2026
…n purchasePlaces route

- rename validateBooking → isBookingValid in utils and server
- add competition bookability check in /purchasePlaces route to prevent
  booking a past/full competition via direct POST request
- update import in server.py accordingly
- add updateClubPoints helper to safely deduct club points
- add updateCompetitionPlaces helper to safely deduct competition places
- use the new helpers in purchase flow instead of inline update logic
- keep booking confirmation flow unchanged while making updates reusable and safer
…tion

- add booking tracker by club/competition pair in app config
- pass already booked places to purchase validation
- block booking when cumulative total exceeds 12 places
- extend validation for zero/negative places and insufficient competition places
- persist cumulative counter only after successful purchase
- on validation error, render welcome with flash messages
- add new public route /pointsBoard (no login required)
- render a dedicated read-only page listing each club with available points
- handle missing clubs data with flash error + redirect to home
- add navigation link to points board from home page
- add navigation link to points board from welcome page
…es when clearing session, and add logout confirmation flash