wip

2026-02-16 16:17:17 -05:00
parent 3848be32e8
commit d600dde97f
15 changed files with 700 additions and 38 deletions
--- a/backend/api/auth_api.py
+++ b/backend/api/auth_api.py
@@ -39,7 +39,11 @@ def signup():
    email = data.get('email', '')
    norm_email = normalize_email(email)    

-    if users_db.search(UserQuery.email == norm_email):
+    existing = users_db.get(UserQuery.email == norm_email)
+    if existing:
+        user = User.from_dict(existing)
+        if user.marked_for_deletion:
+            return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
        return jsonify({'error': 'Email already exists', 'code': EMAIL_EXISTS}), 400

    token = secrets.token_urlsafe(32)
@@ -78,6 +82,10 @@ def verify():
            status = 'error'
            reason = 'Invalid token'
            code = INVALID_TOKEN
+        elif user.marked_for_deletion:
+            status = 'error'
+            reason = 'Account marked for deletion'
+            code = ACCOUNT_MARKED_FOR_DELETION
        else:
            created_str = user.verify_token_created
            if not created_str:
@@ -175,6 +183,8 @@ def me():
        user = User.from_dict(user_dict) if user_dict else None
        if not user:
            return jsonify({'error': 'User not found', 'code': USER_NOT_FOUND}), 404
+        if user.marked_for_deletion:
+            return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
        return jsonify({
            'email': user.email,
            'id': user_id,
@@ -201,14 +211,14 @@ def request_password_reset():
    user_dict = users_db.get(UserQuery.email == norm_email)
    user = User.from_dict(user_dict) if user_dict else None
    if user:
-        # Silently ignore reset requests for marked accounts (don't leak account status)
-        if not user.marked_for_deletion:
-            token = secrets.token_urlsafe(32)
-            now_iso = datetime.utcnow().isoformat()
-            user.reset_token = token
-            user.reset_token_created = now_iso
-            users_db.update(user.to_dict(), UserQuery.email == norm_email)
-            send_reset_password_email(norm_email, token)
+        if user.marked_for_deletion:
+            return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
+        token = secrets.token_urlsafe(32)
+        now_iso = datetime.utcnow().isoformat()
+        user.reset_token = token
+        user.reset_token_created = now_iso
+        users_db.update(user.to_dict(), UserQuery.email == norm_email)
+        send_reset_password_email(norm_email, token)

    return jsonify({'message': success_msg}), 200