Enforce positive blockchain transactions

2026-03-17 05:57:21 -05:00 · 2025-11-16 01:56:18 -06:00
parent b2f933762a
commit 509747d4d9
4 changed files with 113 additions and 9 deletions
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -1,8 +1,8 @@
 """Authentication routes"""
-from fastapi import APIRouter, Depends, HTTPException, status
-from fastapi.security import OAuth2PasswordRequestForm
+from fastapi import APIRouter, Depends, HTTPException, status, Form
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
+from typing import Optional

 from app.database import get_db
 from app.models.user import User
@@ -19,6 +19,29 @@ from datetime import datetime

 router = APIRouter(prefix="/api/auth", tags=["Authentication"])

+# Backwards compatibility for modules importing get_current_user from this router
+get_current_user = get_current_active_user
+
+
+class SimpleOAuth2PasswordRequestForm:
+    """Minimal form parser compatible with OAuth2 password flow"""
+
+    def __init__(
+        self,
+        grant_type: Optional[str] = Form(default=None),
+        username: str = Form(...),
+        password: str = Form(...),
+        scope: str = Form(default=""),
+        client_id: Optional[str] = Form(default=None),
+        client_secret: Optional[str] = Form(default=None)
+    ):
+        self.grant_type = grant_type
+        self.username = username
+        self.password = password
+        self.scopes = scope.split()
+        self.client_id = client_id
+        self.client_secret = client_secret
+

@router.post("/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
 async def register(user_data: UserCreate, db: AsyncSession = Depends(get_db)):
@@ -61,7 +84,7 @@ async def register(user_data: UserCreate, db: AsyncSession = Depends(get_db)):

@router.post("/login", response_model=Token)
 async def login(
-    form_data: OAuth2PasswordRequestForm = Depends(),
+    form_data: SimpleOAuth2PasswordRequestForm = Depends(),
    db: AsyncSession = Depends(get_db)
 ):
    """Login and get access token"""
--- a/backend/app/routers/blockchain.py
+++ b/backend/app/routers/blockchain.py
@@ -3,7 +3,7 @@ from fastapi import APIRouter, Depends, HTTPException, status, BackgroundTasks
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, and_, or_, desc, func
 from typing import List, Optional
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from datetime import datetime

 from app.database import get_db
@@ -15,9 +15,12 @@ from app.services.blockchain import BlockchainService
 router = APIRouter(prefix="/api/blockchain", tags=["Blockchain"])


+MIN_TRANSACTION_AMOUNT = 0.0001
+
+
 class TransactionCreate(BaseModel):
    to_address: str
-    amount: float
+    amount: float = Field(gt=0, description="Amount to transfer; must be positive")
    message: Optional[str] = None


@@ -92,6 +95,18 @@ async def create_transaction(
    db: AsyncSession = Depends(get_db)
 ):
    """Create a new transaction"""
+    if tx_data.amount <= 0:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Transaction amount must be greater than zero"
+        )
+
+    if tx_data.amount < MIN_TRANSACTION_AMOUNT:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Transactions must be at least {MIN_TRANSACTION_AMOUNT} tokens"
+        )
+
    # Check balance
    if current_user.balance < tx_data.amount:
        raise HTTPException(
@@ -121,6 +136,11 @@ async def create_transaction(
    )

    # Update balances (simplified - in production would be done on block confirmation)
+    if tx_data.amount <= 0:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Transaction amount must be greater than zero"
+        )
    current_user.balance -= tx_data.amount
    recipient.balance += tx_data.amount