From ce4fe91f7dbf555fc3e824a729d6c68b9d043241 Mon Sep 17 00:00:00 2001
From: antifallobst
Date: Wed, 11 Oct 2023 12:32:01 +0200
Subject: [PATCH] feat: enforcing alphanumerical usernames
---
 docs/account/register.md | 10 ++++++----
 src/api/account/calls.rs | 1 -
 src/api/account/data.rs | 2 +-
 src/api/account/handlers.rs | 8 +++++---
 4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/docs/account/register.md b/docs/account/register.md
index f8301ff..cf20657 100644
--- a/docs/account/register.md
+++ b/docs/account/register.md
@@ -15,6 +15,8 @@ This verification link will time out after 10 minutes.
 | password | The password used for authentication. |
 | email | The email address used for validation. |
+The username has to alphanumerical.
+
 The password has to meet the following criteria:
 - minimum length: 12 characters
 - numbers
@@ -39,10 +41,10 @@ __Content - JSON:__
 |----------|----------------------------------------------------------------------|
 | conflict | Can be `username` or `email`, depending on what caused the conflict. |
 ### 422 - Error: Unprocessable Entity
-The email is malformed, or the password does not meet the criteria.
+The email or username is malformed, or the password does not meet the criteria.
 __Content - JSON:__
-| Field | Description |
-|---------|---------------------------------------------------------------------|
-| problem | Can be `email` or `password`, depending on what caused the problem. |
\ No newline at end of file
+| Field | Description |
+|---------|---------------------------------------------------------------------------------|
+| problem | Can be `email`, `username` or `password`, depending on what caused the problem. |
diff --git a/src/api/account/calls.rs b/src/api/account/calls.rs
index 6049ce2..ab08410 100644
--- a/src/api/account/calls.rs
+++ b/src/api/account/calls.rs
@@ -16,7 +16,6 @@ async fn register(
 data::RegisterResponse::Unprocessable(b) => {
 HttpResponse::UnprocessableEntity().json(web::Json(b))
 }
- data::RegisterResponse::Blocked => HttpResponse::Forbidden().finish(),
 },
 Err(e) => {
 error!("While handling register request: {e}");
diff --git a/src/api/account/data.rs b/src/api/account/data.rs
index 1f37eb8..60243ed 100644
--- a/src/api/account/data.rs
+++ b/src/api/account/data.rs
@@ -18,6 +18,7 @@ pub enum RegisterConflict {
 #[serde(tag = "problem", rename_all = "snake_case")]
 pub enum RegisterUnprocessable {
 Email,
+ Username,
 Password,
 }
@@ -26,7 +27,6 @@ pub enum RegisterResponse {
 Success,
 Conflict(RegisterConflict),
 Unprocessable(RegisterUnprocessable),
- Blocked,
 }
 #[derive(Debug, Deserialize)]
diff --git a/src/api/account/handlers.rs b/src/api/account/handlers.rs
index f84d0e4..05d652c 100644
--- a/src/api/account/handlers.rs
+++ b/src/api/account/handlers.rs
@@ -13,8 +13,10 @@ pub async fn register(
 pool: &PgPool,
 request: data::RegisterRequest,
 ) -> Result {
- if is_sql_injection(&request.username) {
- return Ok(data::RegisterResponse::Blocked);
+ if !request.username.is_alpha() {
+ return Ok(data::RegisterResponse::Unprocessable(
+ data::RegisterUnprocessable::Username,
+ ));
 }
 // Check if the username is already taken
@@ -106,7 +108,7 @@ pub async fn verify(pool: &PgPool, request: data::VerifyRequest) -> Result
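Review bot: The new guard in `register` (handlers.rs hunk) calls `request.username.is_alpha()` while the commit title and the docs hunk promise an alphanumerical username, so unless `is_alpha` — which is not defined anywhere in this patch — also accepts digits, a name such as `user1` is rejected with `problem: username`; either the method or the documentation should change. The check also does not visibly reject an empty username or bound its length, and if `is_alpha` is Unicode-aware it admits letters from every script, which matters for lookalike names in a registration flow; an explicit std-only form would be `if request.username.is_empty() || !request.username.chars().all(|c| c.is_ascii_alphanumeric()) {`. Replacing the removed `is_sql_injection` blocklist with a character allowlist is the right direction, provided the database lookups further down keep using bound parameters so the allowlist is defense in depth rather than the only barrier. `register`'s body continues past the end of the hunk.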