authorTor Andersson <tor@ccxvii.net>2021-05-16 18:28:42 +0200
committerTor Andersson <tor@ccxvii.net>2021-05-16 18:31:19 +0200
commit30b4e77af028fc4899df1d7d145be6ff9e4335c8 (patch)
tree455d92c5e291b57c52e0b8043072a0c15b3dac0f /server.js
parent304f528f813beec76acf621ba6df5e3e0cb59eba (diff)
server: Validate user names.
Allow only alphanumeric characters and apostrophe, dash and underscore.
Diffstat (limited to 'server.js')
-rw-r--r--server.js12
1 files changed, 12 insertions, 0 deletions
diff --git a/server.js b/server.js
index 2ac4725..edf3ef9 100644
--- a/server.js
+++ b/server.js
@@ -121,6 +121,16 @@ function clean_user_name(name) {
return name;
}
+const USER_NAME_RE = /^[\p{Alpha}\p{Number}'_-]+( [\p{Alpha}\p{Number}'_-]+)*$/u;
+
+function is_valid_user_name(name) {
+ if (name.length < 2)
+ return false;
+ if (name.length > 50)
+ return false;
+ return USER_NAME_RE.test(name);
+}
+
function hash_password(password, salt) {
let hash = crypto.createHash('sha256');
hash.update(password);
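Review bot: The length bounds in is_valid_user_name count UTF-16 code units while USER_NAME_RE (with the `u` flag and `\p{Alpha}`) admits astral letters, so a name made of a single astral character passes the minimum of 2 and the effective maximum is anywhere between 25 and 50 characters depending on script; counting code points keeps the two checks consistent: `const len = [...name].length;` followed by `if (len < 2 || len > 50) return false;`. It would also be worth rejecting non-strings up front with `if (typeof name !== "string") return false;`, since a JSON body can deliver an array or object whose `.length` and implicit toString would otherwise satisfy the regex — whether clean_user_name already coerces to string is not visible here, as its body lies outside the hunk. Because the regex draws on every script, visually identical names built from confusable characters (Latin/Cyrillic/Greek) remain possible; a comment above the constant such as `// Letters/digits from any script, plus ' _ -, words separated by single spaces; does not guard against cross-script homoglyphs` would make that limitation explicit for whoever later relies on names being distinguishable.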
@@ -198,6 +208,8 @@ function local_signup(req, name, password, done) {
try {
let mail = req.body.mail;
name = clean_user_name(name);
+ if (!is_valid_user_name(name))
+ return done(null, false, req.flash('message', "Invalid user name!"));
LOG(req, "POST /signup", name, mail);
if (is_blacklisted(req.connection.remoteAddress, mail))
return setTimeout(() => done(null, false, req.flash('message', "Sorry, but this IP or account has been banned.")), 1000);
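Review bot: The new name check returns immediately, but it now runs ahead of the is_blacklisted check, whose rejection is deliberately delayed by one second via setTimeout — presumably to slow banned clients down; a banned IP submitting a malformed name therefore gets an instant response, so consider moving the validation below the ban check so banned requests always take the slow path. The flash message also gives the user no hint of the rules, which is likely to cause repeated failed attempts; something like `"Invalid user name! Use 2-50 letters, digits, apostrophe, dash or underscore, with single spaces between words."` would say what is accepted without revealing anything sensitive. Note that local_signup continues past the end of this hunk, so later checks on name or mail are not visible here.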