Force lowercase username, remove from session

db/sqlite.py

@@ -122,7 +122,7 @@ class DB:
         return self._db().execute('''
             select user_id, password
             from users
-            where name = ?
+            where name = lower(?)
             ''',
             (username,)
         ).fetchone()
@@ -138,7 +138,7 @@ class DB:
 
     def get_user_private_info(self, user_id):
         return self._db().execute('''
-            select about
+            select name, about
             from users
             where user_id = ?
             ''',
@@ -156,6 +156,15 @@ class DB:
         )
         db.commit()
 
+    def get_user_name(self, user_id):
+        return self._db().execute('''
+            select name
+            from users
+            where user_id = ?
+            ''',
+            (user_id,)
+        ).fetchone()
+
     def add_thread(self, author_id, forum_id, title, text, time):
         db = self._db()
         c = db.cursor()
@@ -288,7 +297,7 @@ class DB:
         c = db.cursor()
         c.execute('''
             insert into users(name, password, join_time)
-            values (?, ?, ?)
+            values (lower(?), ?, ?)
             ''',
             (username, password, time)
         )

main.py

@@ -75,7 +75,6 @@ def login():
             if verify_password(request.form['password'], hash):
                 flash('Logged in', 'success')
                 session['user_id'] = id
-                session['username'] = request.form['username']
                 return redirect(url_for('index'))
         else:
             # Sleep to reduce effectiveness of bruteforce
@@ -98,12 +97,14 @@ def user_edit():
     if request.method == 'POST':
         about = request.form['about'].replace('\r', '')
         db.set_user_private_info(user_id, about)
+        name, = db.get_user_name(user_id)
+        flash('Updated profile', 'success')
     else:
-        about, = db.get_user_private_info(user_id)
+        name, about = db.get_user_private_info(user_id)
 
     return render_template(
         'user_edit.html',
-        name = session.get('username', '???'),
+        name = name,
         title = 'Edit profile',
         about = about
     )

templates/base.html

@@ -10,7 +10,7 @@
 		<a class=logo href="{{ url_for('index') }}">A</a>
 		<div style="margin:auto"></div>
 		{% if 'user_id' in session %}
-		<a href="{{ url_for('user_edit') }}">{{ session.get('username', '???') }}</a>
+		<a href="{{ url_for('user_edit') }}">User panel</a>
 		<span>|</span>
 		<a href="{{ url_for('logout') }}">Logout</a>
 		{% else %}

templates/user_edit.html

@@ -1,9 +1,13 @@
 {% extends 'base.html' %}
 
 {% block content %}
+<p><a href="{{ url_for('user_info', user_id = session['user_id']) }}">View public profile</a></p>
 <form method="post">
-	<p>{{ name }}</p>
-	<p><textarea name="about">{{ about }}</textarea></p>
-	<p><input type="submit" value="Update"></p>
+<table>
+<tr><td>Username</td><td>{{ name }}</td></tr>
+<tr><td>ID</td><td>{{ session['user_id'] }}</td></tr>
+<tr><td>About</td><td><textarea name="about">{{ about }}</textarea></td></tr>
 </form>
+</table>
+<input type="submit" value="Update">
 {% endblock %}

test/init_db.txt

@@ -1,12 +1,12 @@
 insert into users (name, password, email, join_time) values (
-	"Foo",
+	"foo",
 	-- supasecret
 	"$argon2id$v=19$m=65536,t=3,p=4$qBWCEAKgdA4BYOy915qzlg$KhGy3UF0QMlplt2eB7r7QNL2kDcggXUimRWUrWql8sI",
 	"foo@bar.baz",
 	0
 );
 insert into users (name, password, email, join_time) values (
-	"Bar",
+	"bar",
 	-- abraca
 	"$argon2id$v=19$m=65536,t=3,p=4$klJKCUFoDaF07j3nPCeEUA$lCphd5n1YIs8MaVop2vGNirwknkh91qJIZHMuBOlgWA",
 	"bar@foo.baz",