cherrytomaten / getoutside_backend Goto Github PK

The assignment of user Ids should not be consecutively, as this is a big security concern.

Why is exposing the PK bad?

By their nature, Auto Incremented primary keys grow by one for each new entry. This is great for avoiding collision, but it means that they are easily guessable. If you somehow find out that a user with the ID 27 exists, it most probably means that there are at least 26 other users with IDs 1 to 26. An attacker can try to exploit this by sending requests with different IDs. Furthermore, since the Administrator is usually the first user registered, it can easily guess the ID and try to get access.

There were also many reports, even on high-profile sites, where a full or partial dump of the contents could be done by simply incrementing the ID. This is how Parler data was exposed, for example. Other such attacks are rather easy to find, so exposing the internal ID is bad practice. You can still use an auto-incremented primary key internal and use it for all foreign keys as well, but whenever it is sent externally, an alternative must be found.

If this doesn't issue to much work, i would recommect using uuids instead.

Route:

https://cherrytomaten.herokuapp.com/authentication/user/create/

How to reproduce error:

Versuch ein User zu registrieren, der bereits existiert.

Expected behavior:

403 Server response

Actual behavior:

500 interal Server Error

duplicate key value violates unique constraint "authentication_customuser_username_key"
DETAIL:  Key (username)=(testUser99) already exists.