Improve app testing security

thinknimble · Oct 25, 2024 · eb1c0cf · eb1c0cf
1 parent a16b513
commit eb1c0cf
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 1 deletion.
diff --git a/{{cookiecutter.project_slug}}/.env.example b/{{cookiecutter.project_slug}}/.env.example
@@ -148,6 +148,8 @@ SMTP_PORT='587'
 SMTP_VALID_TESTING_DOMAINS='thinknimble.com'
 DEFAULT_FROM_EMAIL='{{ cookiecutter.project_name }} <noreply@{{ cookiecutter.project_slug }}.com>'
 {% endif %}
+USE_EMAIL_ALLOWLIST=True
+EMAIL_ALLOWLIST=['admin@thinknimble.com']
 
 # Testing (NOTE: Heroku and Github Actions will need to have matching values for some of these)
 DJANGO_SUPERUSER_PASSWORD='!!!DJANGO_SECRET_KEY!!!'

diff --git a/{{cookiecutter.project_slug}}/app.json b/{{cookiecutter.project_slug}}/app.json
@@ -1,5 +1,6 @@
 {
   "name": "{{ cookiecutter.project_name }}",
+  "stack": "heroku-24",
   "env": {
     "ALLOWED_HOSTS": {
       "value": ".herokuapp.com"
@@ -27,6 +28,12 @@
     },
     "SECRET_KEY": {
       "generator": "secret"
+    },
+    "USE_EMAIL_ALLOWLIST": {
+      "value": "True"
+    },
+    "EMAIL_ALLOWLIST": {
+      "value": ["admin@thinknimble.com"]
     }
   },
   "addons": ["heroku-postgresql:standard-0", "papertrail:choklad"],

diff --git a/{{cookiecutter.project_slug}}/server/{{cookiecutter.project_slug}}/core/serializers.py b/{{cookiecutter.project_slug}}/server/{{cookiecutter.project_slug}}/core/serializers.py
@@ -1,3 +1,6 @@
+from email.utils import parseaddr
+
+from django.conf import settings
 from django.contrib.auth import login
 from django.contrib.auth.password_validation import validate_password
 from rest_framework import serializers
@@ -61,10 +64,33 @@ class Meta:
             "last_name": {"required": True},
         }
 
+    def _validate_name(self, value):
+        """
+        There are MANY unique names out there, so let users input whatever they want.
+        BUT...alert the devs if we see something odd.
+        """
+        if not "".join(a.split()).isalpha():
+            logger.warning(f"User signup with non-alphabetic characters in their name: {value}")
+
+    def validate_first_name(self, value):
+        self._validate_name(value)
+        return value
+
+    def validate_last_name(self, value):
+        self._validate_name(value)
+        return value
+
+    def validate_email(self, value):
+        value = value.lower()
+        if settings.USE_EMAIL_ALLOWLIST and value not in settings.EMAIL_ALLOWLIST:
+            raise ValidationError(detail="Invalid email")
+        # TODO - Test on new Python versions. It SHOULD raise validation errors
+        parseaddr(value)
+        return value
+
     def validate(self, data):
         password = data.get("password")
         validate_password(password)
-
         return data
 
     def create(self, validated_data):

diff --git a/{{cookiecutter.project_slug}}/server/{{cookiecutter.project_slug}}/settings.py b/{{cookiecutter.project_slug}}/server/{{cookiecutter.project_slug}}/settings.py
@@ -260,6 +260,9 @@
 else:
     EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 
+USE_EMAIL_ALLOWLIST = config("USE_EMAIL_ALLOWLIST", cast=bool, default=False)
+EMAIL_ALLOWLIST = config("EMAIL_ALLOWLIST", default=[])
+
 # STORAGES
 # ----------------------------------------------------------------------------