During testing it was discovered that the /login endpoint does not perform a full suite of server-side validation of the registration form before it saves data to the database.
During test writing, attempting to register a user with an existing username resulted in the database throwing a unique constraint error, suggesting that this check did not occur before the data was committed to the database.
More testing will need to be undertaken to determine what vulnerabilities exist, and a solution should be developed. One suggestion would be to implement the validators in the signup form. Another would be to make the functions in the validation endpoints modular so that they can be reused in the login function. I acknowledge that at this stage of the project, it may be difficult to refactor the code in time to implement a solution.
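As an added illustration, not code from this project, the following sqlite-backed sketch contrasts the two behaviours described above: a registration path that relies on the database's unique constraint alone (the unhandled error seen during testing), beside one that runs a reusable server-side validator before committing and still handles the constraint error, because two concurrent registrations can both pass the pre-check. The table schema, function names and field rules are assumptions.

```python
import sqlite3
from typing import List, Tuple

# Constructed in-memory schema mirroring the unique username constraint the issue describes.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, email TEXT NOT NULL)"


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def username_taken(conn: sqlite3.Connection, username: str) -> bool:
    """Reusable (hypothetical) validator, so signup and any other endpoint share one check."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def register_unvalidated(conn: sqlite3.Connection, username: str, email: str) -> None:
    """Behaviour reported in the issue: no check before commit, so a duplicate username
    surfaces as an unhandled sqlite3.IntegrityError (the 'unique constraint error')."""
    conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    conn.commit()


def register_validated(conn: sqlite3.Connection, username: str, email: str) -> Tuple[bool, str]:
    """Hardened path: validate server-side first, then still catch the constraint error,
    since a second request may insert the same username between the check and the commit."""
    errors: List[str] = []
    if not username or len(username) > 32 or not username.isalnum():
        errors.append("username must be 1-32 alphanumeric characters")
    if "@" not in email:
        errors.append("email is not valid")
    if username_taken(conn, username):
        errors.append("username already exists")
    if errors:
        return False, "; ".join(errors)  # nothing is written to the database
    try:
        conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
        conn.commit()
    except sqlite3.IntegrityError:
        conn.rollback()  # lost the race: report it as a normal validation failure
        return False, "username already exists"
    return True, "registered"


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```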
Tested by creating an account with an existing username, and the server-side validation works as expected, i.e. the duplicate user credential is not added to the database: