Even though "User.email" is enforced as unique at signup, it is not a unique...

Even though "User.email" is enforced as unique at signup, it is not a unique field in the database. Let's use "User.id" instead. This also makes it more difficult to do a session stealing attack.

backend/apps/web/routers/auths.py

@@ -93,7 +93,7 @@ async def update_password(
 async def signin(form_data: SigninForm):
     user = Auths.authenticate_user(form_data.email.lower(), form_data.password)
     if user:
-        token = create_token(data={"email": user.email})
+        token = create_token(data={"id": user.id})
 
         return {
             "token": token,
@@ -132,7 +132,7 @@ async def signup(request: Request, form_data: SignupForm):
         )
 
         if user:
-            token = create_token(data={"email": user.email})
+            token = create_token(data={"id": user.id})
             # response.set_cookie(key='token', value=token, httponly=True)
 
             return {

backend/utils/utils.py

@@ -60,8 +60,8 @@ def extract_token_from_auth_header(auth_header: str):
 
 def get_current_user(auth_token: HTTPAuthorizationCredentials = Depends(HTTPBearer())):
     data = decode_token(auth_token.credentials)
-    if data != None and "email" in data:
-        user = Users.get_user_by_email(data["email"])
+    if data != None and "id" in data:
+        user = Users.get_user_by_id(data["id"])
         if user is None:
             raise HTTPException(
                 status_code=status.HTTP_401_UNAUTHORIZED,