
[Week 4] Implement Input Validation & Sanitization #16

@asyncnavi

Description

Implement input validation and sanitization across all authentication endpoints to prevent injection attacks and ensure data integrity.

Tasks

  • Use Ecto changesets for validation
  • Validate all email formats
  • Sanitize user inputs
  • Validate password complexity
  • Check for SQL injection vulnerabilities (the Ecto query DSL binds ^values as parameters, so ordinary queries are safe; audit any raw Repo.query / Ecto.Adapters.SQL.query call that interpolates input into the SQL string)
  • Prevent XSS in responses (serve API responses as application/json; any user-supplied string rendered into HTML, including user_agent, goes through Phoenix.HTML escaping)
  • Validate request body structure
  • Add CSRF protection for cookie-based auth (Phoenix's protect_from_forgery plug; not required for endpoints that accept only bearer tokens)
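The SQL injection item deserves a concrete illustration of what "Ecto should handle" does and does not cover. The following is an added example, not code from this project: it assumes a MyApp.Repo on PostgreSQL (hence the $1 placeholder) and a MyApp.Accounts.User schema with an :email field. The query DSL and parameterised raw SQL are safe; raw SQL built by string interpolation is the path Ecto cannot protect. (Ecto's fragment/1 refuses a non-literal first argument at compile time, so interpolation into fragment is caught before it ships; raw Repo.query is not.)

```elixir
defmodule MyApp.Accounts.Lookup do
  @moduledoc """
  Added example (not the project's code). Assumes MyApp.Repo on PostgreSQL
  and a MyApp.Accounts.User schema with an :email field.
  """
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Accounts.User

  # Safe: the query DSL binds ^email as a parameter ($1). The value is never
  # part of the SQL text, so quotes in it cannot alter the statement.
  def by_email(email) do
    Repo.one(from(u in User, where: u.email == ^email))
  end

  # UNSAFE: raw SQL built by string interpolation. Ecto does not protect this
  # path; the input  x' OR '1'='1  rewrites the WHERE clause into a tautology.
  def by_email_unsafe(email) do
    Repo.query!("SELECT id, email FROM users WHERE email = '#{email}'")
  end

  # Safe raw SQL: the driver receives the parameter separately from the text.
  def by_email_raw(email) do
    Repo.query!("SELECT id, email FROM users WHERE email = $1", [email])
  end
end
```

For the review task, grep the code base for `Repo.query`, `Ecto.Adapters.SQL.query` and `#{` in the same expression; the DSL queries need no per-call review.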

Validation Rules

Email

  • Valid email format: exactly one @, non-empty local and domain parts, no whitespace
  • Normalize (trim, lowercase) before validation and storage so the same address cannot register twice with different casing
  • Domain part must match an entry in university_domains
  • Maximum length: 255 characters

Password

  • Minimum 8 characters
  • Maximum 128 characters
  • Complexity requirements (from password security issue)

Device Info

  • device_id: alphanumeric, max 255 chars
  • device_type: enum (mobile, desktop, tablet)
  • user_agent: sanitized string (control characters stripped, whitespace trimmed), max 500 chars; treat it as untrusted wherever it is displayed

OTP Code

  • Exactly 6 ASCII digits, accepted as a string so a leading zero is preserved
  • Numeric only: reject anything that does not match ^[0-9]{6}$ before it reaches the OTP comparison

Implementation Example

# Assumes `import Ecto.Changeset` and the MyApp.Accounts.User schema;
# validate_email/1, validate_password/1 and validate_university_domain/1
# are helpers implementing the rules above.
def signup_changeset(attrs) do
  %User{}
  |> cast(attrs, [:email, :password])
  |> validate_required([:email, :password])
  |> validate_email()
  |> validate_password()
  |> validate_university_domain()
end

Security Headers

Add to endpoint configuration (a plug in endpoint.ex, or put_secure_browser_headers in the router pipeline):

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block (legacy; current browsers ignore it, so rely on a Content-Security-Policy for XSS mitigation)
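One way to set these headers at the endpoint level is a small plug. This is an added example, not the project's code; the module name MyAppWeb.Plugs.SecurityHeaders is hypothetical and the Content-Security-Policy value assumes a JSON-only API that serves no scripts or frames.

```elixir
defmodule MyAppWeb.Plugs.SecurityHeaders do
  @moduledoc """
  Added example (not the project's code). Hypothetical plug; enable it with
  `plug MyAppWeb.Plugs.SecurityHeaders` in lib/my_app_web/endpoint.ex before
  `plug MyAppWeb.Router` so every response, including error responses, gets it.
  """
  import Plug.Conn

  @headers [
    {"x-content-type-options", "nosniff"},
    {"x-frame-options", "DENY"},
    # Legacy header kept for the issue's checklist; modern browsers ignore it.
    {"x-xss-protection", "1; mode=block"},
    # The effective XSS/framing control for a JSON API: nothing may load, and
    # no origin may frame the responses (assumed policy; tighten or relax per app).
    {"content-security-policy", "default-src 'none'; frame-ancestors 'none'"}
  ]

  def init(opts), do: opts

  def call(conn, _opts) do
    Enum.reduce(@headers, conn, fn {name, value}, conn ->
      put_resp_header(conn, name, value)
    end)
  end
end
```

If the browser pipeline already uses Phoenix's put_secure_browser_headers, pass it a map to override its default X-Frame-Options: SAMEORIGIN with DENY (plug :put_secure_browser_headers, %{"x-frame-options" => "DENY"}) rather than setting the header twice.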

Definition of Done

  • All inputs validated
  • Sanitization implemented
  • Security headers added
  • Error messages don't leak info (one generic message for bad credentials; signup and reset flows must not reveal whether an email is registered; no stack traces or internal exception details in API responses)
  • Tests covering validation
  • Security review completed

Metadata

Assignees: no one assigned
Labels: none
Projects: no projects
Milestone: no milestone
Relationships: none yet
Development: no branches or pull requests