Feat/secure app #5

Open

stephan271c wants to merge 7 commits into main from feat/secure-app

Conversation

@stephan271c

Description

This PR implements a secure user authentication system for the Flask application.

  • Provides secure user registration and login functionality with proper security measures to protect user data and prevent common vulnerabilities.
  • Added user registration endpoint with strong password validation, secure password hashing using bcrypt, user login with authentication, user listing (for admin), health check endpoint with database connectivity testing, comprehensive input validation using Pydantic models, and extensive unit tests covering all functionality.
  • This adds new endpoints without modifying existing functionality.

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Security enhancement

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • All tests pass locally (pytest)
  • Pre-commit hooks pass (pre-commit run --all-files)
  • Manual testing completed

Security Checklist

Review and address each security item before merging:

Authentication & Authorization

  • No hardcoded credentials or secrets in code
  • Password requirements are enforced appropriately
  • Sensitive data not logged or exposed
  • Authentication tokens/session handling is secure (password-based auth only, no tokens used)
  • Access controls implemented correctly (basic registration/login without advanced access controls)

Input Validation & Sanitization

  • All user inputs are validated (Pydantic models used)
  • SQL injection prevention (parameterized queries)
  • Cross-site scripting (XSS) prevention (JSON API response, no HTML output. Not applicable)
  • Cross-site request forgery (CSRF) protection (Not applicable as this is a stateless API)
  • File upload security (not applicable)

Configuration & Secrets

  • Environment variables used for secrets (DATABASE_URL, SECRET_KEY, FLASK_DEBUG)
  • No sensitive data committed to Git
  • Secret detection scans pass (assumed via CI)
  • Secure default configurations (debug disabled by default)

Code Security

  • Bandit security linting passes
  • No known vulnerabilities in dependencies (pinned versions used)
  • No insecure functions/patterns used
  • Error messages don't leak sensitive information

Database & Data Handling

  • No SQL injection vulnerabilities (parameterized queries used)
  • Database connections properly handled (try/finally blocks with context managers implicit)
  • Data encryption where required (passwords hashed with bcrypt)
  • Migration scripts safe and tested (no migrations - simple schema)

Logging & Monitoring

  • Sensitive data not logged
  • Error handling doesn't expose internal details
  • Security-relevant events logged appropriately (successful login, failed login warnings)

Dependencies

  • Dependencies scanned for vulnerabilities (safety check, etc.)
  • Requirements.txt up to date and pinned versions used
  • No unnecessary dependencies added

Production Readiness

  • Debug mode disabled by default
  • HTTPS required for production endpoints (not enforced, should be handled at reverse proxy/CDN)
  • Rate limiting implemented if needed (not implemented - could be added)
  • Monitoring and alerting configured (basic logging setup)

Documentation Updates

  • README updated if necessary (app/dependencies documented in requirements.txt)
  • API documentation updated for new endpoints (needs API docs for routes)
  • Code comments added for complex logic (basic comments in place)
  • CHANGELOG updated (if applicable)

Deployment Notes

No special deployment considerations. Ensure environment variables are set appropriately. Database is simple SQLite.

Screenshots (if applicable)

N/A - API endpoints, no visual UI.

Checklist

  • I have read the CONTRIBUTING guidelines
  • My code follows the project's coding standards
  • I have tested my changes thoroughly
  • I have updated documentation as needed
  • All CI checks pass
  • Security checklist is completed
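The register/login flow this PR describes (password policy check, salted hash, parameterized SQLite queries, event logging that never includes the password), written as an added example that is not the PR's own code. It is stdlib-only so it runs offline: `hashlib.pbkdf2_hmac` stands in for bcrypt, and the policy rules, table layout and function names are constructed assumptions, not taken from the PR.

```python
# Added example, not the PR's code: stdlib sketch of the PR's register/login flow.
# pbkdf2_hmac stands in for bcrypt; the policy rules and schema are assumptions.
import hashlib, hmac, logging, os, re, sqlite3

log = logging.getLogger("auth")
MIN_LEN = 12
# Constructed password policy: minimum length plus one of each character class.
_RULES = [(r"[A-Z]", "uppercase letter"), (r"[a-z]", "lowercase letter"),
          (r"\d", "digit"), (r"[^\w\s]", "symbol")]

def password_problems(pw: str) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = [f"at least {MIN_LEN} characters"] if len(pw) < MIN_LEN else []
    problems += [f"missing {name}" for rx, name in _RULES if not re.search(rx, pw)]
    return problems

def _hash(pw: str, salt: bytes) -> bytes:
    # Slow, salted KDF; bcrypt plays this role in the PR.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return db

def register(db: sqlite3.Connection, username: str, pw: str) -> bool:
    if password_problems(pw):
        return False  # reject weak passwords before touching the database
    salt = os.urandom(16)
    try:
        # Parameterized query: the username is bound, never interpolated into SQL.
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, _hash(pw, salt)))
    except sqlite3.IntegrityError:
        return False  # duplicate username
    log.info("user registered: %s", username)  # log the event, never the password
    return True

def login(db: sqlite3.Connection, username: str, pw: str) -> bool:
    row = db.execute("SELECT salt, hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        log.warning("failed login: unknown user %s", username)
        return False
    ok = hmac.compare_digest(_hash(pw, row[0]), row[1])  # constant-time compare
    if ok:
        log.info("successful login for %s", username)
    else:
        log.warning("failed login for %s", username)
    return ok
```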
