Fullstack Flask Coding Website. Feedback Please!

Hello everyone! I’ve made another Flask website for coding purposes. If you have anything to say, any bugs to report, etc., please tell me.

https://code-crystals.tk/

The website has some special coding features such as a live website that updates as you code, a fully-functional code Ace Editor, and more!

I made this in about fourteen hours.
Thanks for reading!
Happy Coding!

1 Like

Very nice!

Some small feedback:

  • the login/signup pages take one out of the “base” template, so you’d have to use a back button in case you were just browsing around.

  • the login has no feedback if I try to put dummy data (like 1 char length user and pass), this could be a bit more descriptive

  • the password requirements to create an account are a bit weak, so this is another area that can improve for security.

  • if I try to create a blank project (with the template provided), I can’t (but no feedback messages).

I agree that the authentication for signing up is quite weak so I might use JavaScript to fix that up a bit. If you try to create a blank project, you can’t because you have to make at least one change before saving it.

Thanks for the feedback, btw.

1 Like

Honestly, it’s hard to give proper feedback without seeing your Flask code.

However, there are a couple of things I noticed from just poking at it with a stick:

  • In general, I don’t like using Flask for anything that requires user management and authentication. Flask is pretty barebones and you have to re-implement that yourself every time. That makes it more prone to human error.

  • When I originally took a look at your site, I could access every user’s settings and emails without even being logged in. I could even change their email and username. This is unacceptable for any app that is trusted with sensitive information. It looks like you’ve now fixed that problem, but it was there long enough that anyone could have scraped your site and stolen all the emails in an instant.

  • When trying to access pages that don’t exist, there are some circumstances where I get the WSGI debug error page. That’s not good. I can see the names of some of your files, what the app is querying, etc. In short, more security holes. When a site is live, user-side error messages should not expose any of the inner workings of the app. The debug error page allows execution of arbitrary python code if your pin is entered, and that could easily be bruteforced.

  • Users can’t delete their projects.

  • A lot of the links are broken.

  • There are plenty of other bugs, as pointed out by @toastedpitabread

In short, it’s a good start but you’ve got a long way to go. Our feedback here is really limited by the fact that you haven’t shared your backend code. The frontend looks nice, but I’d suggest spending more than 14 hours on it before letting people sign up with their personal information.
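One way to close the two holes called out in the post above (a settings page reachable without being logged in, and the debug page answering unknown URLs), as an added Flask example that is not the site's own code; the user ids, the in-memory USERS table and the secret key are constructed placeholders:

```python
from flask import Flask, abort, jsonify, session

app = Flask(__name__)
app.config["SECRET_KEY"] = "dev-only-placeholder"  # placeholder; load a random secret from the environment in production

# Constructed in-memory user table standing in for the site's database.
USERS = {
    1: {"username": "alice", "email": "alice@example.invalid"},
    2: {"username": "bob", "email": "bob@example.invalid"},
}

def require_owner(user_id):
    """Abort with 401 if nobody is logged in, 403 if a different user is."""
    uid = session.get("user_id")
    if uid is None:
        abort(401)
    if uid != user_id:
        abort(403)

@app.route("/users/<int:user_id>/settings")
def settings(user_id):
    # The weak version looked the user up and returned the record to anyone;
    # here the ownership check runs before any data is touched.
    require_owner(user_id)
    user = USERS.get(user_id)
    if user is None:
        abort(404)
    return jsonify(user)

@app.errorhandler(404)
def not_found(_err):
    # Generic responses instead of the debug page: no file names, routes or queries leak.
    return jsonify({"error": "not found"}), 404

@app.errorhandler(500)
def server_error(_err):
    return jsonify({"error": "internal error"}), 500

def fetch_settings(as_user, target_user):
    """Exercise the route: request target_user's settings while logged in as as_user (None = anonymous)."""
    client = app.test_client()
    if as_user is not None:
        with client.session_transaction() as sess:
            sess["user_id"] = as_user
    resp = client.get(f"/users/{target_user}/settings")
    return resp.status_code, resp.get_json()

if __name__ == "__main__":
    app.run(debug=False)  # the Werkzeug debugger must stay off on a public host
```

Because the ownership check runs before the lookup, a logged-in user gets the same 403 for a missing id as for another user's id, so the route also does not reveal which ids exist.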

Okay, I’ll try and fix some of those. Thanks for pointing them out.
I don’t know what happened. Before, projects could be deleted but not anymore.

I did forget to install psycopg2, so maybe that’s why you are seeing the WSGI page.

If you’re looking to get stronger in this, it might be really worth looking into basic cyber security study (I think CC is coming up with some later in the year).

Even if you plan to use more streamlined frameworks like Django, it’s good to know where the sensitive spots are and keep loosely up-to-date with changes.

2 Likes