From 914838e3672245d534fda09a700753fbde81dfc3 Mon Sep 17 00:00:00 2001 From: DebaucheryLibrarian Date: Thu, 8 Jun 2023 03:57:50 +0200 Subject: [PATCH] Curating usernames in sign-up and stash load tool. --- config/default.js | 2 ++ src/auth.js | 22 ++++++++++++++++++---- src/tools/stashes-load.js | 2 +- 3 files changed, 21 insertions(+), 5 deletions(-) diff --git a/config/default.js b/config/default.js index 84426567..79dfa5aa 100755 --- a/config/default.js +++ b/config/default.js @@ -37,6 +37,8 @@ module.exports = { auth: { login: true, signup: true, + usernameLength: [2, 24], + usernamePattern: /^[a-zA-Z0-9_-]$/, }, exclude: { channels: [ diff --git a/src/auth.js b/src/auth.js index 6220b180..7dadf8c9 100755 --- a/src/auth.js +++ b/src/auth.js @@ -26,7 +26,7 @@ async function login(credentials) { throw new HttpError('Authentication is disabled', 405); } - const user = await fetchUser(credentials.username, true); + const user = await fetchUser(credentials.username.trim(), true); if (!user) { throw new HttpError('Username or password incorrect', 401); @@ -46,10 +46,24 @@ async function signup(credentials) { throw new HttpError('Authentication is disabled', 405); } - if (!credentials.username) { + const curatedUsername = credentials.username.trim(); + + if (!curatedUsername) { throw new HttpError('Username required', 400); } + if (curatedUsername.length < config.auth.usernameLength[0]) { + throw new HttpError('Username is too short', 400); + } + + if (curatedUsername.length > config.auth.usernameLength[1]) { + throw new HttpError('Username is too long', 400); + } + + if (!config.auth.usernamePattern.test(curatedUsername)) { + throw new HttpError('Username contains invalid characters', 400); + } + if (!credentials.email) { throw new HttpError('E-mail required', 400); } @@ -59,7 +73,7 @@ async function signup(credentials) { } const existingUser = await knex('users') - .where('username', credentials.username) + .where('username', curatedUsername) .orWhere('email', credentials.email) .first(); @@ -73,7 +87,7 @@ async function signup(credentials) { const [userId] = await knex('users') .insert({ - username: credentials.username, + username: curatedUsername, email: credentials.email, password: storedPassword, }) diff --git a/src/tools/stashes-load.js b/src/tools/stashes-load.js index 731f32c5..e915a7be 100644 --- a/src/tools/stashes-load.js +++ b/src/tools/stashes-load.js @@ -120,7 +120,7 @@ async function load() { const user = await knex('users') .select('id') - .where('username', stash.username) + .where('username', stash.username.trim()) .first(); if (!user) {