# [CRUCIBLE-SEED]
# category: sql_injection
# severity: critical
# language: python
# expected: SQL injection in Flask route via f-string in SQL query

from flask import Flask, request, jsonify
import psycopg2

app = Flask(__name__)


def get_db():
    return psycopg2.connect(dbname="appdb", user="app", password="app", host="localhost")


@app.route("/users/login", methods=["POST"])
def login():
    data = request.get_json()
    username = data.get("username", "")
    password = data.get("password", "")

    conn = get_db()
    cur = conn.cursor()
    # Classic SQL injection auth bypass
    query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    cur.execute(query)
    user = cur.fetchone()

    if not user:
        return jsonify({"error": "Invalid credentials"}), 401
    return jsonify({"user_id": user[0], "username": user[1]})


@app.route("/products")
def products():
    category = request.args.get("category", "")
    sort_by = request.args.get("sort", "name")
    conn = get_db()
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM products WHERE category = '{category}' ORDER BY {sort_by}")
    return jsonify(cur.fetchall())
