feat: enforcing alphanumerical usernames

2023-10-11 12:32:01 +02:00 · 2023-10-11 12:32:01 +02:00 · ce4fe91f7d
parent bc610ef22a
commit ce4fe91f7d
4 changed files with 12 additions and 9 deletions
--- a/docs/account/register.md
+++ b/docs/account/register.md
@ -15,6 +15,8 @@ This verification link will time out after 10 minutes.
 | password | The password used for authentication.  |
 | email    | The email address used for validation. |

+The username has to alphanumerical.
+
 The password has to meet the following criteria:
 - minimum length: 12 characters
 - numbers
@ -39,10 +41,10 @@ __Content - JSON:__
 |----------|----------------------------------------------------------------------|
 | conflict | Can be `username` or `email`, depending on what caused the conflict. |
 ### 422 - Error: Unprocessable Entity
-The email is malformed, or the password does not meet the criteria.
+The email or username is malformed, or the password does not meet the criteria.

 __Content - JSON:__

-| Field   | Description                                                         |
-|---------|---------------------------------------------------------------------|
-| problem | Can be `email` or `password`, depending on what caused the problem. |
+| Field   | Description                                                                     |
+|---------|---------------------------------------------------------------------------------|
+| problem | Can be `email`, `username` or `password`, depending on what caused the problem. |
--- a/src/api/account/calls.rs
+++ b/src/api/account/calls.rs
@ -16,7 +16,6 @@ async fn register(
            data::RegisterResponse::Unprocessable(b) => {
                HttpResponse::UnprocessableEntity().json(web::Json(b))
            }
-            data::RegisterResponse::Blocked => HttpResponse::Forbidden().finish(),
        },
        Err(e) => {
            error!("While handling register request: {e}");
--- a/src/api/account/data.rs
+++ b/src/api/account/data.rs
@ -18,6 +18,7 @@ pub enum RegisterConflict {
 #[serde(tag = "problem", rename_all = "snake_case")]
 pub enum RegisterUnprocessable {
    Email,
+    Username,
    Password,
 }

@ -26,7 +27,6 @@ pub enum RegisterResponse {
    Success,
    Conflict(RegisterConflict),
    Unprocessable(RegisterUnprocessable),
-    Blocked,
 }

 #[derive(Debug, Deserialize)]
--- a/src/api/account/handlers.rs
+++ b/src/api/account/handlers.rs
@ -13,8 +13,10 @@ pub async fn register(
    pool: &PgPool,
    request: data::RegisterRequest,
 ) -> Result<data::RegisterResponse> {
-    if is_sql_injection(&request.username) {
-        return Ok(data::RegisterResponse::Blocked);
+    if !request.username.is_alpha() {
+        return Ok(data::RegisterResponse::Unprocessable(
+            data::RegisterUnprocessable::Username,
+        ));
    }

    // Check if the username is already taken
@ -106,7 +108,7 @@ pub async fn verify(pool: &PgPool, request: data::VerifyRequest) -> Result<data:
    let auth_token = AuthToken::new(pool, &token.account, chrono::Duration::days(7)).await?;

    Ok(data::VerifyResponse::Success(data::VerifySuccess {
-        token: auth_token.token
+        token: auth_token.token,
    }))
 }