Curating usernames in sign-up and stash load tool.

src/auth.js

@@ -26,7 +26,7 @@ async function login(credentials) {
 		throw new HttpError('Authentication is disabled', 405);
 	}
 
-	const user = await fetchUser(credentials.username, true);
+	const user = await fetchUser(credentials.username.trim(), true);
 
 	if (!user) {
 		throw new HttpError('Username or password incorrect', 401);
@@ -46,10 +46,24 @@ async function signup(credentials) {
 		throw new HttpError('Authentication is disabled', 405);
 	}
 
-	if (!credentials.username) {
+	const curatedUsername = credentials.username.trim();
+
+	if (!curatedUsername) {
 		throw new HttpError('Username required', 400);
 	}
 
+	if (curatedUsername.length < config.auth.usernameLength[0]) {
+		throw new HttpError('Username is too short', 400);
+	}
+
+	if (curatedUsername.length > config.auth.usernameLength[1]) {
+		throw new HttpError('Username is too long', 400);
+	}
+
+	if (!config.auth.usernamePattern.test(curatedUsername)) {
+		throw new HttpError('Username contains invalid characters', 400);
+	}
+
 	if (!credentials.email) {
 		throw new HttpError('E-mail required', 400);
 	}
@@ -59,7 +73,7 @@ async function signup(credentials) {
 	}
 
 	const existingUser = await knex('users')
-		.where('username', credentials.username)
+		.where('username', curatedUsername)
 		.orWhere('email', credentials.email)
 		.first();
 
@@ -73,7 +87,7 @@ async function signup(credentials) {
 
 	const [userId] = await knex('users')
 		.insert({
-			username: credentials.username,
+			username: curatedUsername,
 			email: credentials.email,
 			password: storedPassword,
 		})