1.227.3

Curating usernames in sign-up and stash load tool.
2023-06-08 03:57:53 +02:00 · 2023-06-08 03:57:50 +02:00
5 changed files with 24 additions and 8 deletions
--- a/config/default.js
+++ b/config/default.js
@ -37,6 +37,8 @@ module.exports = {
 	auth: {
 		login: true,
 		signup: true,
+		usernameLength: [2, 24],
+		usernamePattern: /^[a-zA-Z0-9_-]$/,
 	},
 	exclude: {
 		channels: [
--- a/package-lock.json
+++ b/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "traxxx",
-    "version": "1.227.2",
+    "version": "1.227.3",
    "lockfileVersion": 2,
    "requires": true,
    "packages": {
        "": {
            "name": "traxxx",
-            "version": "1.227.2",
+            "version": "1.227.3",
            "license": "ISC",
            "dependencies": {
                "@casl/ability": "^5.2.2",
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name": "traxxx",
-    "version": "1.227.2",
+    "version": "1.227.3",
    "description": "All the latest porn releases in one place",
    "main": "src/app.js",
    "scripts": {
--- a/src/auth.js
+++ b/src/auth.js
@ -26,7 +26,7 @@ async function login(credentials) {
 		throw new HttpError('Authentication is disabled', 405);
 	}

-	const user = await fetchUser(credentials.username, true);
+	const user = await fetchUser(credentials.username.trim(), true);

 	if (!user) {
 		throw new HttpError('Username or password incorrect', 401);
@ -46,10 +46,24 @@ async function signup(credentials) {
 		throw new HttpError('Authentication is disabled', 405);
 	}

-	if (!credentials.username) {
+	const curatedUsername = credentials.username.trim();
+
+	if (!curatedUsername) {
 		throw new HttpError('Username required', 400);
 	}

+	if (curatedUsername.length < config.auth.usernameLength[0]) {
+		throw new HttpError('Username is too short', 400);
+	}
+
+	if (curatedUsername.length > config.auth.usernameLength[1]) {
+		throw new HttpError('Username is too long', 400);
+	}
+
+	if (!config.auth.usernamePattern.test(curatedUsername)) {
+		throw new HttpError('Username contains invalid characters', 400);
+	}
+
 	if (!credentials.email) {
 		throw new HttpError('E-mail required', 400);
 	}
@ -59,7 +73,7 @@ async function signup(credentials) {
 	}

 	const existingUser = await knex('users')
-		.where('username', credentials.username)
+		.where('username', curatedUsername)
 		.orWhere('email', credentials.email)
 		.first();

@ -73,7 +87,7 @@ async function signup(credentials) {

 	const [userId] = await knex('users')
 		.insert({
-			username: credentials.username,
+			username: curatedUsername,
 			email: credentials.email,
 			password: storedPassword,
 		})
--- a/src/tools/stashes-load.js
+++ b/src/tools/stashes-load.js
@ -120,7 +120,7 @@ async function load() {

 		const user = await knex('users')
 			.select('id')
-			.where('username', stash.username)
+			.where('username', stash.username.trim())
 			.first();

 		if (!user) {
Author	SHA1	Message	Date
DebaucheryLibrarian	81f504f33e	1.227.3	2023-06-08 03:57:53 +02:00
DebaucheryLibrarian	914838e367	Curating usernames in sign-up and stash load tool.	2023-06-08 03:57:50 +02:00