
UserCreateSchema does not require all properties while they seem required #1058

benoit74 opened this issue Dec 5, 2024 · 0 comments

benoit74 commented Dec 5, 2024

  • Location: API

Problem

When someone was creating a user, we got the following exception, leading to a 500 response:

1733292679921	ERROR:uwsgi_file__app_main:Exception on /v1/users/ [POST]
1733292679921	Traceback (most recent call last):
1733292679921	  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2190, in wsgi_app
1733292679921	    response = self.full_dispatch_request()
1733292679921	  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1486, in full_dispatch_request
1733292679921	    rv = self.handle_user_exception(e)
1733292679921	  File "/usr/local/lib/python3.8/site-packages/flask_cors/extension.py", line 165, in wrapped_function
1733292679921	    return cors_after_request(app.make_response(f(*args, **kwargs)))
1733292679921	  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1484, in full_dispatch_request
1733292679921	    rv = self.dispatch_request()
1733292679921	  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1469, in dispatch_request
1733292679921	    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
1733292679921	  File "/app/./routes/base.py", line 20, in __call__
1733292679921	    return handler(*args, **kwargs)
1733292679921	  File "/app/./routes/__init__.py", line 35, in wrapper
1733292679921	    return f(*args, **kwargs)
1733292679921	  File "/app/./db/__init__.py", line 50, in inner
1733292679921	    return func(*args, **kwargs)
1733292679921	  File "/app/./routes/__init__.py", line 53, in wrapper
1733292679921	    return f(*args, **kwargs)
1733292679921	  File "/app/./routes/users/user.py", line 62, in post
1733292679921	    email=request_json["email"],
1733292679921	KeyError: 'email'
1733292679922	[pid: 30|app: 0|req: 8631/19159] 100.64.6.69 () {68 vars in 1813 bytes} [Wed Dec  4 06:11:19 2024] POST /v1/users/ => generated 265 bytes in 9 msecs (HTTP/1.1 500) 4 headers in 168 bytes (1 switches on core 0)
1733292679923	100.64.6.69 - - [04/Dec/2024:06:11:19 +0000] "POST /v1/users/ HTTP/1.1" 500 265 "https://farm.openzim.org/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Safari/605.1.15" "185.72.67.134"

Reproducing steps

Create a user without any email

Analysis

The create-user endpoint is at

@authenticate
@dbsession
@require_perm("users", "create")
def post(self, token: AccessToken.Payload, session: Session):
    try:
        request_json = UserCreateSchema().load(request.get_json())
    except ValidationError as e:
        raise http_errors.InvalidRequestJSON(e.messages)
    # Any field the schema does not mark required=True may be absent from
    # request_json, so indexing it raises KeyError (uncaught -> HTTP 500).
    orm_user = dbm.User(
        username=request_json["username"],
        email=request_json["email"],
        password_hash=generate_password_hash(request_json["password"]),
        scope=ROLES.get(request_json["role"]),
        deleted=False,
    )
    session.add(orm_user)
    try:
        session.flush()
    except IntegrityError:
        raise errors.BadRequest("User already exists")
    user_id = orm_user.id
    return jsonify({"_id": user_id})

It relies on UserCreateSchema at

class UserCreateSchema(Schema):
    # username_field and email_field are shared field definitions;
    # only password and role are declared required here.
    username = username_field
    password = String(required=True, validate=validate_not_empty)
    email = email_field
    role = String(required=True, validate=validate_role)

This schema does not require all fields, while it probably should.
