Integrate user login, social sharing, push notifications, and camera …#11

Open
GYFX35 wants to merge 1 commit into main from feature-integration

@GYFX35 GYFX35 commented Aug 11, 2025

…access

Summary by Sourcery

Integrate social sharing, Web Push notifications, and camera-based profile picture upload by adding service worker support, subscription management, profile picture storage, and social sharing links.

New Features:

  • Add social sharing buttons for Twitter, Facebook, and LinkedIn on post pages
  • Implement Web Push notifications with service worker registration and subscription endpoint
  • Enable camera access for users to capture and upload profile pictures

Enhancements:

  • Store and display user profile pictures and default avatars across the app
  • Display user avatars alongside posts and comments

Chores:

  • Add PushSubscription model and profile_picture field with corresponding Alembic migrations
  • Include service worker file and configure VAPID keys for push notifications

sourcery-ai bot commented Aug 11, 2025

Reviewer's Guide

This PR integrates social sharing, web push notifications, and camera-based profile picture capture by extending templates with client-side scripts, enhancing backend models and routes with new endpoints and migrations, and configuring necessary VAPID keys.

Class diagram for updated User and new PushSubscription models

classDiagram
    class User {
        +id: Integer
        +username: String
        +profile_picture: String
        +push_subscriptions: [PushSubscription]
        ...
    }
    class PushSubscription {
        +id: Integer
        +user_id: Integer
        +subscription_json: Text
    }
    User "1" -- "*" PushSubscription: has

File-Level Changes

Change: Integrated web push notifications
Details:
  • Added push enable button and service worker registration with subscription logic
  • Created static service worker (sw.js) for handling push events
  • Defined PushSubscription model and added corresponding migration
  • Implemented send_push_notification helper and /push_subscribe endpoint
  • Configured VAPID keys and claims in config
Files:
  • templates/base.html
  • static/sw.js
  • app/models.py
  • migrations/versions/004dbb570159_add_push_subscription_model.py
  • config.py
  • app/routes.py
  • private_key.pem
  • public_key.pem
  • vapid_keys.json

Change: Added social sharing links to posts
Details:
  • Created sharing section with Twitter, Facebook, and LinkedIn links
Files:
  • templates/post.html

Change: Enabled camera-based profile picture capture and display
Details:
  • Added change picture UI, video stream, and capture logic in user template
  • Implemented upload_profile_picture endpoint decoding and storing images
  • Extended User model with profile_picture field and added migration
  • Created default avatar script
  • Updated templates to display user avatars in posts and comments
Files:
  • templates/user.html
  • app/routes.py
  • app/models.py
  • migrations/versions/1f3fe9f0a885_add_profile_picture_to_user_model.py
  • create_avatar.py
  • templates/post.html
  • templates/index.html


guardrails bot commented Aug 11, 2025

⚠️ We detected 2 security issues in this pull request:

Hard-Coded Secrets (2)
Severity: Medium
Title: Contains a private key
Location: CARE/config.py, line 12 in 59e0547
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6nDgKZZsxcdlIYM4
Docs: 📚

Severity: Medium
Title: Contains a private key
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6nDgKZZsxcdlIYM4
Docs: 📚

More info on how to fix Hard-Coded Secrets in Python and General.


@sourcery-ai sourcery-ai bot left a comment

Hey @GYFX35 - I've reviewed your changes and found some issues that need to be addressed.

Blocking issues:

  • Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (link)
  • Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. (link)
  • Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file. (link)
  • Validate and sanitize image data before saving. (link)

General comments:

  • The VAPID private/public keys shouldn’t be hard-coded in config.py—load them from environment variables or a secure vault instead of committing them to source control.
  • Consider refactoring the inline JS for push notifications and camera capture into separate static JS modules for better maintainability and caching.
  • Calling send_push_notification synchronously in your route handlers can slow down responses—offload push dispatch to a background worker and add logic to clean up invalid subscriptions.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The VAPID private/public keys shouldn’t be hard-coded in config.py—load them from environment variables or a secure vault instead of committing them to source control.
- Consider refactoring the inline JS for push notifications and camera capture into separate static JS modules for better maintainability and caching.
- Calling `send_push_notification` synchronously in your route handlers can slow down responses—offload push dispatch to a background worker and add logic to clean up invalid subscriptions.

## Individual Comments

### Comment 1
<location> `app/routes.py:268` </location>
<code_context>
         return redirect(url_for('login'))
     return render_template('register.html', title='Register', form=form)
+
+def send_push_notification(user, title, body):
+    for subscription in user.push_subscriptions:
+        try:
+            webpush(
+                subscription_info=json.loads(subscription.subscription_json),
+                data=json.dumps({'title': title, 'body': body}),
+                vapid_private_key=app.config['VAPID_PRIVATE_KEY'],
+                vapid_claims=app.config['VAPID_CLAIMS']
+            )
+        except Exception as e:
+            print(f"Error sending push notification: {e}")
+
</code_context>

<issue_to_address>
Consider logging push notification errors more robustly.

Using a logging framework instead of print statements will ensure errors are properly recorded and easier to track in production.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
+def send_push_notification(user, title, body):
+    for subscription in user.push_subscriptions:
+        try:
+            webpush(
+                subscription_info=json.loads(subscription.subscription_json),
+                data=json.dumps({'title': title, 'body': body}),
+                vapid_private_key=app.config['VAPID_PRIVATE_KEY'],
+                vapid_claims=app.config['VAPID_CLAIMS']
+            )
+        except Exception as e:
+            print(f"Error sending push notification: {e}")
+
=======
+import logging
+
+def send_push_notification(user, title, body):
+    for subscription in user.push_subscriptions:
+        try:
+            webpush(
+                subscription_info=json.loads(subscription.subscription_json),
+                data=json.dumps({'title': title, 'body': body}),
+                vapid_private_key=app.config['VAPID_PRIVATE_KEY'],
+                vapid_claims=app.config['VAPID_CLAIMS']
+            )
+        except Exception as e:
+            logging.error(f"Error sending push notification to user {user.id}: {e}", exc_info=True)
+
>>>>>>> REPLACE

</suggested_fix>

### Comment 2
<location> `app/routes.py:284` </location>
<code_context>
+@login_required
+def push_subscribe():
+    subscription_info = request.get_json()
+    subscription = PushSubscription(user_id=current_user.id, subscription_json=json.dumps(subscription_info))
+    db.session.add(subscription)
+    db.session.commit()
</code_context>

<issue_to_address>
Prevent duplicate push subscriptions for a user.

Currently, the code adds a new PushSubscription for each request without verifying if one already exists for the user. Please add a check to prevent duplicate subscriptions.
</issue_to_address>

### Comment 3
<location> `app/routes.py:293` </location>
<code_context>
+@login_required
+def upload_profile_picture():
+    data = request.get_json()
+    image_data = data['image'].split(',')[1]
+    filename = f"{current_user.id}.png"
+    filepath = os.path.join(app.static_folder, 'profile_pics', filename)
</code_context>

<issue_to_address>
Validate and sanitize image data before saving.

Add checks to confirm the image data is a valid base64-encoded PNG and handle cases where the data is malformed or missing to avoid errors and security risks.
</issue_to_address>

### Comment 4
<location> `templates/user.html:37` </location>
<code_context>
+        captureBtn.addEventListener('click', function() {
+            context.drawImage(cameraStream, 0, 0, 320, 240);
+            const dataURL = canvas.toDataURL('image/png');
+            fetch('{{ url_for('upload_profile_picture') }}', {
+                method: 'POST',
+                headers: {
</code_context>

<issue_to_address>
Handle errors and provide user feedback for profile picture upload.

Add error handling to the fetch request and notify users if the upload fails to enhance user experience.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
        captureBtn.addEventListener('click', function() {
            context.drawImage(cameraStream, 0, 0, 320, 240);
            const dataURL = canvas.toDataURL('image/png');
            fetch('{{ url_for('upload_profile_picture') }}', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({ image: dataURL })
            }).then(function(response) {
                if (response.ok) {
                    window.location.reload();
                }
            });
        });
=======
        captureBtn.addEventListener('click', function() {
            context.drawImage(cameraStream, 0, 0, 320, 240);
            const dataURL = canvas.toDataURL('image/png');
            fetch('{{ url_for('upload_profile_picture') }}', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({ image: dataURL })
            }).then(function(response) {
                if (response.ok) {
                    window.location.reload();
                } else {
                    alert('Failed to upload profile picture. Please try again.');
                }
            }).catch(function(error) {
                alert('An error occurred while uploading your profile picture. Please check your connection and try again.');
                console.error('Profile picture upload error:', error);
            });
        });
>>>>>>> REPLACE

</suggested_fix>

### Comment 5
<location> `templates/post.html:20` </location>
<code_context>
                 <a href="{{ url_for('tag', id=tag.id) }}">{{ tag.name }}</a>
             {% endfor %}
         </p>
+        <div class="social-sharing">
+            <h4>Share this post:</h4>
+            <a href="https://twitter.com/intent/tweet?url={{ request.url }}&text={{ post.title }}" target="_blank">Twitter</a>
</code_context>

<issue_to_address>
Sanitize and encode URLs and text in social sharing links.

Using raw values for URLs and text in sharing links can lead to issues with special characters. Please apply URL encoding to these parameters.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
            <a href="https://twitter.com/intent/tweet?url={{ request.url }}&text={{ post.title }}" target="_blank">Twitter</a>
            <a href="https://www.facebook.com/sharer/sharer.php?u={{ request.url }}" target="_blank">Facebook</a>
            <a href="https://www.linkedin.com/shareArticle?mini=true&url={{ request.url }}&title={{ post.title }}&summary={{ post.content }}" target="_blank">LinkedIn</a>
=======
            <a href="https://twitter.com/intent/tweet?url={{ request.url|urlencode }}&text={{ post.title|urlencode }}" target="_blank">Twitter</a>
            <a href="https://www.facebook.com/sharer/sharer.php?u={{ request.url|urlencode }}" target="_blank">Facebook</a>
            <a href="https://www.linkedin.com/shareArticle?mini=true&url={{ request.url|urlencode }}&title={{ post.title|urlencode }}&summary={{ post.content|urlencode }}" target="_blank">LinkedIn</a>
>>>>>>> REPLACE

</suggested_fix>

### Comment 6
<location> `templates/post.html:32` </location>
<code_context>
         {% for comment in comments %}
             <article>
-                <p><a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>
+                <p><img src="{{ comment.author.profile_picture or url_for('static', filename='default_avatar.png') }}" alt="Profile Picture" width="32" height="32"> <a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>
                 <p>{{ comment.body }}</p>
             </article>
</code_context>

<issue_to_address>
Consider lazy loading for comment author profile images.

Using 'loading="lazy"' on profile images will defer their loading until needed, reducing initial page load time.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
                <p><img src="{{ comment.author.profile_picture or url_for('static', filename='default_avatar.png') }}" alt="Profile Picture" width="32" height="32"> <a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>
=======
                <p><img src="{{ comment.author.profile_picture or url_for('static', filename='default_avatar.png') }}" alt="Profile Picture" width="32" height="32" loading="lazy"> <a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>
>>>>>>> REPLACE

</suggested_fix>

### Comment 7
<location> `app/models.py:24` </location>
<code_context>
     last_message_read_time = db.Column(db.DateTime)
     is_expert = db.Column(db.Boolean, default=False)
+    profile_picture = db.Column(db.String(120), nullable=True)
+    push_subscriptions = db.relationship('PushSubscription', backref='user', lazy='dynamic')

     def set_password(self, password):
</code_context>

<issue_to_address>
Consider cascade deletion for push subscriptions.

Adding 'cascade="all, delete-orphan"' to the relationship will ensure push subscriptions are removed when a user is deleted, preventing orphaned records.
</issue_to_address>

<suggested_fix>
<<<<<<< SEARCH
    push_subscriptions = db.relationship('PushSubscription', backref='user', lazy='dynamic')
=======
    push_subscriptions = db.relationship(
        'PushSubscription',
        backref='user',
        lazy='dynamic',
        cascade="all, delete-orphan"
    )
>>>>>>> REPLACE

</suggested_fix>

## Security Issues

### Issue 1
<location> `private_key.pem:1` </location>

<issue_to_address>
**security (private-key):** Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

*Source: gitleaks*
</issue_to_address>

### Issue 2
<location> `config.py:11` </location>

<issue_to_address>
**security (private-key):** Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

*Source: gitleaks*
</issue_to_address>

### Issue 3
<location> `private_key.pem:1` </location>

<issue_to_address>
**security (generic.secrets.security.detected-private-key):** Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.

*Source: opengrep*
</issue_to_address>


Comment on lines +268 to +279
def send_push_notification(user, title, body):
for subscription in user.push_subscriptions:
try:
webpush(
subscription_info=json.loads(subscription.subscription_json),
data=json.dumps({'title': title, 'body': body}),
vapid_private_key=app.config['VAPID_PRIVATE_KEY'],
vapid_claims=app.config['VAPID_CLAIMS']
)
except Exception as e:
print(f"Error sending push notification: {e}")
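
Review bot: The `except Exception` around `webpush(...)` treats every failure the same, so a subscription the push service has rejected with HTTP 404 or 410 is retried on every later notification, and a malformed `subscription_json` row looks no different from a network error. Catch the push library's own send error separately, delete the `PushSubscription` row when the service reports the subscription gone, and keep the broad handler only for unexpected errors.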

suggestion: Consider logging push notification errors more robustly.

Using a logging framework instead of print statements will ensure errors are properly recorded and easier to track in production.

Suggested change
def send_push_notification(user, title, body):
for subscription in user.push_subscriptions:
try:
webpush(
subscription_info=json.loads(subscription.subscription_json),
data=json.dumps({'title': title, 'body': body}),
vapid_private_key=app.config['VAPID_PRIVATE_KEY'],
vapid_claims=app.config['VAPID_CLAIMS']
)
except Exception as e:
print(f"Error sending push notification: {e}")
+import logging
+
+def send_push_notification(user, title, body):
+ for subscription in user.push_subscriptions:
+ try:
+ webpush(
+ subscription_info=json.loads(subscription.subscription_json),
+ data=json.dumps({'title': title, 'body': body}),
+ vapid_private_key=app.config['VAPID_PRIVATE_KEY'],
+ vapid_claims=app.config['VAPID_CLAIMS']
+ )
+ except Exception as e:
+ logging.error(f"Error sending push notification to user {user.id}: {e}", exc_info=True)
+

@login_required
def push_subscribe():
subscription_info = request.get_json()
subscription = PushSubscription(user_id=current_user.id, subscription_json=json.dumps(subscription_info))
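
Review bot: `request.get_json()` is stored unchanged in `subscription_json`, and `send_push_notification` later passes that JSON to `webpush(...)` as `subscription_info`, so the server ends up sending requests to whatever `endpoint` value a logged-in user submitted. Before `db.session.add`, require a JSON object with an `https` `endpoint` and string `keys.p256dh` and `keys.auth` fields, bound the body size, and return 400 for anything else.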

suggestion (bug_risk): Prevent duplicate push subscriptions for a user.

Currently, the code adds a new PushSubscription for each request without verifying if one already exists for the user. Please add a check to prevent duplicate subscriptions.

@login_required
def upload_profile_picture():
data = request.get_json()
image_data = data['image'].split(',')[1]
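
Review bot: `data['image'].split(',')[1]` assumes the body parsed to a dict with an `image` string that contains a comma; a `None` body, a missing key or a value without a comma raises and surfaces as a 500. Check the type and the `data:image/png;base64,` prefix explicitly, return 400 on failure, and reject over-long strings before decoding.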

🚨 suggestion (security): Validate and sanitize image data before saving.

Add checks to confirm the image data is a valid base64-encoded PNG and handle cases where the data is malformed or missing to avoid errors and security risks.
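
One way to implement the check this comment asks for, as an added example (not code from the PR or from Sourcery). The names `decode_png_data_url` and `InvalidImage`, the size and dimension caps, and the in-memory sample PNG are assumptions made for the illustration.

```python
import base64
import binascii
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
DATA_URL_PREFIX = "data:image/png;base64,"
MAX_DECODED_BYTES = 2 * 1024 * 1024  # assumed upload cap, not from the PR
MAX_DIMENSION = 1024                 # assumed pixel cap, not from the PR


class InvalidImage(ValueError):
    """The submitted value is not an acceptable PNG data URL."""


def decode_png_data_url(payload):
    """Return PNG bytes from a parsed JSON body, or raise InvalidImage."""
    if not isinstance(payload, dict) or not isinstance(payload.get("image"), str):
        raise InvalidImage("missing 'image' string")
    data_url = payload["image"]
    if not data_url.startswith(DATA_URL_PREFIX):
        raise InvalidImage("not a base64 PNG data URL")
    encoded = data_url[len(DATA_URL_PREFIX):]
    # Refuse oversized input before spending memory on the decode.
    if len(encoded) > MAX_DECODED_BYTES * 4 // 3 + 4:
        raise InvalidImage("image too large")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise InvalidImage("invalid base64") from exc
    # 8-byte signature plus a complete 25-byte IHDR chunk is the minimum.
    if len(raw) < 33 or raw[:8] != PNG_SIGNATURE:
        raise InvalidImage("bad PNG signature")
    length, chunk_type = struct.unpack(">I4s", raw[8:16])
    if chunk_type != b"IHDR" or length != 13:
        raise InvalidImage("missing IHDR")
    ihdr = raw[16:29]
    (crc,) = struct.unpack(">I", raw[29:33])
    if zlib.crc32(chunk_type + ihdr) & 0xFFFFFFFF != crc:
        raise InvalidImage("IHDR checksum mismatch")
    width, height = struct.unpack(">II", ihdr[:8])
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise InvalidImage("unacceptable dimensions")
    return raw


def _chunk(chunk_type, data):
    """Serialise one PNG chunk: length, type, data, CRC."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_sample_png(width=2, height=2):
    """Constructed sample input: a tiny 8-bit greyscale PNG built in memory."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x80" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def outcome(payload):
    """Map a request body to 'ok' or the rejection reason (a 400 in a route)."""
    try:
        decode_png_data_url(payload)
        return "ok"
    except InvalidImage as exc:
        return str(exc)


def as_body(raw_bytes):
    """Wrap bytes the way canvas.toDataURL('image/png') would send them."""
    return {"image": DATA_URL_PREFIX + base64.b64encode(raw_bytes).decode("ascii")}


if __name__ == "__main__":
    tampered = bytearray(make_sample_png())
    tampered[19] ^= 1  # flip a width bit without fixing the IHDR CRC
    for label, body in [
        ("valid PNG", as_body(make_sample_png())),
        ("empty body", None),
        ("no prefix", {"image": "no-comma-here"}),
        ("HTML as PNG", as_body(b"<html>" + b"x" * 40)),
        ("tampered IHDR", as_body(bytes(tampered))),
        ("huge width", as_body(make_sample_png(5000, 1))),
    ]:
        print(f"{label:14} -> {outcome(body)}")
```

This validates the container header only; decoding and re-encoding the image with an imaging library before writing it to `profile_pics` is a stronger check.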

Comment on lines +34 to +48
captureBtn.addEventListener('click', function() {
context.drawImage(cameraStream, 0, 0, 320, 240);
const dataURL = canvas.toDataURL('image/png');
fetch('{{ url_for('upload_profile_picture') }}', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ image: dataURL })
}).then(function(response) {
if (response.ok) {
window.location.reload();
}
});
});

suggestion: Handle errors and provide user feedback for profile picture upload.

Add error handling to the fetch request and notify users if the upload fails to enhance user experience.

Suggested change
captureBtn.addEventListener('click', function() {
context.drawImage(cameraStream, 0, 0, 320, 240);
const dataURL = canvas.toDataURL('image/png');
fetch('{{ url_for('upload_profile_picture') }}', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ image: dataURL })
}).then(function(response) {
if (response.ok) {
window.location.reload();
}
});
});
captureBtn.addEventListener('click', function() {
context.drawImage(cameraStream, 0, 0, 320, 240);
const dataURL = canvas.toDataURL('image/png');
fetch('{{ url_for('upload_profile_picture') }}', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ image: dataURL })
}).then(function(response) {
if (response.ok) {
window.location.reload();
} else {
alert('Failed to upload profile picture. Please try again.');
}
}).catch(function(error) {
alert('An error occurred while uploading your profile picture. Please check your connection and try again.');
console.error('Profile picture upload error:', error);
});
});

Comment on lines +22 to +24
<a href="https://twitter.com/intent/tweet?url={{ request.url }}&text={{ post.title }}" target="_blank">Twitter</a>
<a href="https://www.facebook.com/sharer/sharer.php?u={{ request.url }}" target="_blank">Facebook</a>
<a href="https://www.linkedin.com/shareArticle?mini=true&url={{ request.url }}&title={{ post.title }}&summary={{ post.content }}" target="_blank">LinkedIn</a>
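
Review bot: All three links use `target="_blank"` without `rel="noopener noreferrer"`, and the LinkedIn link places the whole of `post.content` in the `summary` query parameter. Add the `rel` attribute to each anchor and pass a truncated excerpt instead of the full body, so long posts do not produce oversized share URLs.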

🚨 suggestion (security): Sanitize and encode URLs and text in social sharing links.

Using raw values for URLs and text in sharing links can lead to issues with special characters. Please apply URL encoding to these parameters.

Suggested change
<a href="https://twitter.com/intent/tweet?url={{ request.url }}&text={{ post.title }}" target="_blank">Twitter</a>
<a href="https://www.facebook.com/sharer/sharer.php?u={{ request.url }}" target="_blank">Facebook</a>
<a href="https://www.linkedin.com/shareArticle?mini=true&url={{ request.url }}&title={{ post.title }}&summary={{ post.content }}" target="_blank">LinkedIn</a>
<a href="https://twitter.com/intent/tweet?url={{ request.url|urlencode }}&text={{ post.title|urlencode }}" target="_blank">Twitter</a>
<a href="https://www.facebook.com/sharer/sharer.php?u={{ request.url|urlencode }}" target="_blank">Facebook</a>
<a href="https://www.linkedin.com/shareArticle?mini=true&url={{ request.url|urlencode }}&title={{ post.title|urlencode }}&summary={{ post.content|urlencode }}" target="_blank">LinkedIn</a>

{% for comment in comments %}
<article>
<p><a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>
<p><img src="{{ comment.author.profile_picture or url_for('static', filename='default_avatar.png') }}" alt="Profile Picture" width="32" height="32"> <a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>

suggestion (performance): Consider lazy loading for comment author profile images.

Using 'loading="lazy"' on profile images will defer their loading until needed, reducing initial page load time.

Suggested change
<p><img src="{{ comment.author.profile_picture or url_for('static', filename='default_avatar.png') }}" alt="Profile Picture" width="32" height="32"> <a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>
<p><img src="{{ comment.author.profile_picture or url_for('static', filename='default_avatar.png') }}" alt="Profile Picture" width="32" height="32" loading="lazy"> <a href="{{ url_for('user', username=comment.author.username) }}">{{ comment.author.username }}</a> {{ _('says:') }}</p>

last_message_read_time = db.Column(db.DateTime)
is_expert = db.Column(db.Boolean, default=False)
profile_picture = db.Column(db.String(120), nullable=True)
push_subscriptions = db.relationship('PushSubscription', backref='user', lazy='dynamic')

suggestion: Consider cascade deletion for push subscriptions.

Adding 'cascade="all, delete-orphan"' to the relationship will ensure push subscriptions are removed when a user is deleted, preventing orphaned records.

Suggested change
push_subscriptions = db.relationship('PushSubscription', backref='user', lazy='dynamic')
push_subscriptions = db.relationship(
'PushSubscription',
backref='user',
lazy='dynamic',
cascade="all, delete-orphan"
)

Comment on lines +1 to +5
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6nDgKZZsxcdlIYM4
Ds3DWAY/U4Wp0y+aYmHlE17tF0qhRANCAAR9DC2EPalpn1o3byRMXieIlsxtDiim
41rscuCMDmEQCOpK8/mUbAvCpNb/7HgD6h7Y2dEA4JltR/4RJ1IcMkO1
-----END PRIVATE KEY-----
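
Review bot: The base64 body on lines 2 to 4 of this file is identical to the `VAPID_PRIVATE_KEY` literal in `config.py`, so the same key is committed in two places. Remove `private_key.pem` from the tree, add it to the repository's ignore rules, and treat the key as disclosed rather than only deleting the file.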

security (private-key): Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

Source: gitleaks

Comment on lines +11 to +15
VAPID_PRIVATE_KEY = """-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6nDgKZZsxcdlIYM4
Ds3DWAY/U4Wp0y+aYmHlE17tF0qhRANCAAR9DC2EPalpn1o3byRMXieIlsxtDiim
41rscuCMDmEQCOpK8/mUbAvCpNb/7HgD6h7Y2dEA4JltR/4RJ1IcMkO1
-----END PRIVATE KEY-----"""
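
Review bot: `VAPID_PRIVATE_KEY` is a PEM literal in `config.py` and is now part of this branch's history, so replacing it with an environment lookup in a later commit does not retract it. Generate a fresh VAPID key pair, load the private key from the environment or a secret store, and plan for browsers to re-subscribe, since existing subscriptions are tied to the old public key.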

security (private-key): Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.

Source: gitleaks

Comment on lines +1 to +2
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg6nDgKZZsxcdlIYM4

security (generic.secrets.security.detected-private-key): Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.

Source: opengrep
