feat(backend): disallow some names due to potential confusion or potential errors

backend/db/member.go

@@ -3,6 +3,7 @@ package db
 import (
 	"context"
 	"regexp"
+	"strings"
 	"time"
 
 	"emperror.dev/errors"
@@ -40,11 +41,19 @@ const (
 // member names must match this regex
 var memberNameRegex = regexp.MustCompile("^[^@\\?!#/\\\\[\\]\"\\{\\}'$%&()+<=>^|~`,]{1,100}$")
 
+// List of member names that cannot be used because they would break routing or be inaccessible due to page conflicts.
+var invalidMemberNames = []string{
+	".",
+	"..",
+	"edit",
+}
+
 func MemberNameValid(name string) bool {
-	// These two names will break routing, but periods should still be allowed in names otherwise.
+	for i := range invalidMemberNames {
-	if name == "." || name == ".." {
+		if strings.EqualFold(name, invalidMemberNames[i]) {
 			return false
 		}
+	}
 
 	return memberNameRegex.MatchString(name)
 }

backend/db/user.go

@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"regexp"
+	"strings"
 	"time"
 
 	"codeberg.org/pronounscc/pronouns.cc/backend/common"
@@ -138,12 +139,22 @@ const (
 // usernames must match this regex
 var usernameRegex = regexp.MustCompile(`^[\w-.]{2,40}$`)
 
-func UsernameValid(username string) (err error) {
+// List of usernames that cannot be used, because they could create confusion, conflict with other pages, or cause bugs.
-	// This name would break routing, but periods should still be allowed in names otherwise.
+var invalidUsernames = []string{
-	if username == ".." {
+	"..",
-		return ErrInvalidUsername
+	"admin",
-	}
+	"administrator",
+	"mod",
+	"moderator",
+	"api",
+	"page",
+	"pronouns",
+	"settings",
+	"pronouns.cc",
+	"pronounscc",
+}
 
+func UsernameValid(username string) (err error) {
 	if !usernameRegex.MatchString(username) {
 		if len(username) < 2 {
 			return ErrUsernameTooShort
@@ -153,6 +164,13 @@ func UsernameValid(username string) (err error) {
 
 		return ErrInvalidUsername
 	}
+
+	for i := range invalidUsernames {
+		if strings.EqualFold(username, invalidUsernames[i]) {
+			return ErrBannedUsername
+		}
+	}
+
 	return nil
 }
 
@@ -163,6 +181,7 @@ const (
 	ErrInvalidUsername  = errors.Sentinel("username contains invalid characters")
 	ErrUsernameTooShort = errors.Sentinel("username is too short")
 	ErrUsernameTooLong  = errors.Sentinel("username is too long")
+	ErrBannedUsername   = errors.Sentinel("username is banned")
 )
 
 const (

backend/routes/user/patch_user.go

@@ -232,6 +232,8 @@ func (s *Server) patchUser(w http.ResponseWriter, r *http.Request) error {
 				return server.APIError{Code: server.ErrUsernameTaken}
 			case db.ErrInvalidUsername:
 				return server.APIError{Code: server.ErrInvalidUsername}
+			case db.ErrBannedUsername:
+				return server.APIError{Code: server.ErrInvalidUsername, Details: "That username cannot be used."}
 			default:
 				return errors.Wrap(err, "updating username")
 			}