creating users with no password and with other characters on their email fix

Author: LucasQR

src/app/api/v1/oauth.py

@@ -2,7 +2,8 @@
 from abc import ABC
 from typing import Any
 
-from fastapi import APIRouter, Depends, RedirectResponse, Request, Response
+from fastapi import APIRouter, Depends, Request, Response
+from fastapi.responses import RedirectResponse
 from fastapi_sso.sso.base import OpenID, SSOBase
 from fastapi_sso.sso.github import GithubSSO
 from fastapi_sso.sso.google import GoogleSSO
@@ -100,6 +101,7 @@ async def _get_user_details(self, oauth_user: OpenID) -> UserCreateInternal:
         if not oauth_user.email:
             raise UnauthorizedException(f"Invalid response from {self.provider_name.title()} OAuth.")
         username = oauth_user.email.split("@")[0]
+        username = "".join(c for c in username.lower() if c.isalnum())
         name = oauth_user.display_name or username
 
         return UserCreateInternal(

src/app/api/v1/users.py

@@ -42,6 +42,10 @@ async def write_user_internal(user: UserCreate | UserCreateInternal, db: AsyncSe
         user_internal_dict["hashed_password"] = get_password_hash(password=user_internal_dict["password"])
         del user_internal_dict["password"]
         user = UserCreateInternal(**user_internal_dict)
+    elif isinstance(user, UserCreateInternal) and user.hashed_password is None:
+        # NULL passwords are only allowed for OAuth users (UserCreateInternal from OAuth flow)
+        # This is validated here to prevent any other code path from creating passwordless users
+        pass
 
     created_user = await crud_users.create(db=db, object=user, schema_to_select=UserRead)
     if created_user is None: