feat(backend): disallow some names due to potential confusion or potential errors

2023-08-10 18:26:53 +02:00 · 2023-08-10 18:26:53 +02:00 · c92f4c4ba7
commit c92f4c4ba7
parent eba31f8bda
3 changed files with 38 additions and 8 deletions
--- a/backend/db/member.go
+++ b/backend/db/member.go
@ -3,6 +3,7 @@ package db
 import (
 	"context"
 	"regexp"
+	"strings"
 	"time"

 	"emperror.dev/errors"
@ -40,10 +41,18 @@ const (
 // member names must match this regex
 var memberNameRegex = regexp.MustCompile("^[^@\\?!#/\\\\[\\]\"\\{\\}'$%&()+<=>^|~`,]{1,100}$")

+// List of member names that cannot be used because they would break routing or be inaccessible due to page conflicts.
+var invalidMemberNames = []string{
+	".",
+	"..",
+	"edit",
+}
+
 func MemberNameValid(name string) bool {
-	// These two names will break routing, but periods should still be allowed in names otherwise.
-	if name == "." || name == ".." {
-		return false
+	for i := range invalidMemberNames {
+		if strings.EqualFold(name, invalidMemberNames[i]) {
+			return false
+		}
 	}

 	return memberNameRegex.MatchString(name)
--- a/backend/db/user.go
+++ b/backend/db/user.go
@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"regexp"
+	"strings"
 	"time"

 	"codeberg.org/pronounscc/pronouns.cc/backend/common"
@ -138,12 +139,22 @@ const (
 // usernames must match this regex
 var usernameRegex = regexp.MustCompile(`^[\w-.]{2,40}$`)

-func UsernameValid(username string) (err error) {
-	// This name would break routing, but periods should still be allowed in names otherwise.
-	if username == ".." {
-		return ErrInvalidUsername
-	}
+// List of usernames that cannot be used, because they could create confusion, conflict with other pages, or cause bugs.
+var invalidUsernames = []string{
+	"..",
+	"admin",
+	"administrator",
+	"mod",
+	"moderator",
+	"api",
+	"page",
+	"pronouns",
+	"settings",
+	"pronouns.cc",
+	"pronounscc",
+}

+func UsernameValid(username string) (err error) {
 	if !usernameRegex.MatchString(username) {
 		if len(username) < 2 {
 			return ErrUsernameTooShort
@ -153,6 +164,13 @@ func UsernameValid(username string) (err error) {

 		return ErrInvalidUsername
 	}
+
+	for i := range invalidUsernames {
+		if strings.EqualFold(username, invalidUsernames[i]) {
+			return ErrBannedUsername
+		}
+	}
+
 	return nil
 }

@ -163,6 +181,7 @@ const (
 	ErrInvalidUsername  = errors.Sentinel("username contains invalid characters")
 	ErrUsernameTooShort = errors.Sentinel("username is too short")
 	ErrUsernameTooLong  = errors.Sentinel("username is too long")
+	ErrBannedUsername   = errors.Sentinel("username is banned")
 )

 const (
--- a/backend/routes/user/patch_user.go
+++ b/backend/routes/user/patch_user.go
@ -232,6 +232,8 @@ func (s *Server) patchUser(w http.ResponseWriter, r *http.Request) error {
 				return server.APIError{Code: server.ErrUsernameTaken}
 			case db.ErrInvalidUsername:
 				return server.APIError{Code: server.ErrInvalidUsername}
+			case db.ErrBannedUsername:
+				return server.APIError{Code: server.ErrInvalidUsername, Details: "That username cannot be used."}
 			default:
 				return errors.Wrap(err, "updating username")
 			}