author | Tor Andersson <tor@ccxvii.net> | 2021-05-16 18:28:42 +0200 |
committer | Tor Andersson <tor@ccxvii.net> | 2021-05-16 18:31:19 +0200 |
commit | 30b4e77af028fc4899df1d7d145be6ff9e4335c8 (patch) | |
tree | 455d92c5e291b57c52e0b8043072a0c15b3dac0f | |
parent | 304f528f813beec76acf621ba6df5e3e0cb59eba (diff) | |
server: Validate user names.
Allow only alphanumeric characters and apostrophe, dash and underscore.
-rw-r--r-- | server.js | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -121,6 +121,16 @@ function clean_user_name(name) {
 return name;
 }
 
+const USER_NAME_RE = /^[\p{Alpha}\p{Number}'_-]+( [\p{Alpha}\p{Number}'_-]+)*$/u;
+
+function is_valid_user_name(name) {
+ if (name.length < 2)
+ return false;
+ if (name.length > 50)
+ return false;
+ return USER_NAME_RE.test(name);
+}
+
 function hash_password(password, salt) {
 let hash = crypto.createHash('sha256');
 hash.update(password);
@@ -198,6 +208,8 @@ function local_signup(req, name, password, done) {
 try {
 let mail = req.body.mail;
 name = clean_user_name(name);
+ if (!is_valid_user_name(name))
+ return done(null, false, req.flash('message', "Invalid user name!"));
 LOG(req, "POST /signup", name, mail);
 if (is_blacklisted(req.connection.remoteAddress, mail))
 return setTimeout(() => done(null, false, req.flash('message', "Sorry, but this IP or account has been banned.")), 1000); |
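Review bot: is_valid_user_name assumes `name` is already a string, but the clean_user_name shown in the hunk context just returns its argument, so a non-string body value (an array or object from a JSON body, or an absent field) reaches `name.length` and then `USER_NAME_RE.test(name)`, which coerces via String() — an absent field throws a TypeError before the pattern is even consulted, and a one-element array such as `['abc']` stringifies to a value the pattern accepts. Adding `if (typeof name !== 'string') return false;` as the first line of the function makes the length and pattern checks apply to the actual value. Note also that `name.length` counts UTF-16 code units while the pattern admits any Unicode letter or digit, so the 2..50 bounds are slightly looser than a character count for astral characters; `[...name].length` counts code points if that distinction matters here. A short comment above USER_NAME_RE, e.g. `// one or more words of letters/digits/'/_/-, separated by single spaces; no leading/trailing/double spaces`, would document the shape the pattern enforces so later edits keep it ReDoS-safe (the space separator is excluded from the word class, so matching stays linear).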
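Review bot: The new check is wired only into local_signup in this hunk; if other handlers accept or change a user name elsewhere in server.js (a profile edit or rename path, which I cannot see from here), they should call the same is_valid_user_name so the rule is enforced consistently rather than only at account creation. The rejection message `"Invalid user name!"` gives the user no hint of the rule; mentioning the allowed characters and the 2–50 length in the flash text would reduce retries without revealing anything sensitive. local_signup's body, including the catch for this try, continues outside the hunk.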