TheCloud/PronounsPage
1
0
Fork 0
mirror of https://gitlab.com/PronounsPage/PronounsPage.git synced 2025-10-01 09:04:01 -04:00
Code Issues Packages Projects Releases Wiki Activity

#272 disallow usernames that look like filenames

Browse Source
This commit is contained in:
Andrea Vos 2021-10-29 22:36:39 +02:00
parent e53cc82229
commit 8dde2215d5
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
components/Account.vue
View File

@ -208,6 +208,7 @@
} }
this.$store.commit('setToken', response.token); this.$store.commit('setToken', response.token);
this.username = this.$user().username;
this.$cookies.set('token', this.$store.state.token, cookieSettings); this.$cookies.set('token', this.$store.state.token, cookieSettings);
this.message = 'crud.saved'; this.message = 'crud.saved';
this.messageIcon = 'check-circle'; this.messageIcon = 'check-circle';

14
server/routes/user.js
View File

@ -26,6 +26,8 @@ const isSpam = (email) => {
|| email.length > 128; || email.length > 128;
} }
const replaceExtension = username => username.replace(/\.(txt|jpg|jpeg|png|pdf|gif|doc|docx|csv)$/i, '_$1');
const saveAuthenticator = async (db, type, user, payload, validForMinutes = null) => { const saveAuthenticator = async (db, type, user, payload, validForMinutes = null) => {
const id = ulid(); const id = ulid();
await db.get(SQL`INSERT INTO authenticators (id, userId, type, payload, validUntil) VALUES ( await db.get(SQL`INSERT INTO authenticators (id, userId, type, payload, validUntil) VALUES (
@ -76,10 +78,12 @@ const invalidateAuthenticator = async (db, id) => {
const defaultUsername = async (db, email) => { const defaultUsername = async (db, email) => {
const base = normalise( const base = normalise(
email.substring(0, email.includes('@') ? email.indexOf('@') : email.length) replaceExtension(
.padEnd(4, '0') email.substring(0, email.includes('@') ? email.indexOf('@') : email.length)
.substring(0, 14) .padEnd(4, '0')
.replace(new RegExp(`[^${USERNAME_CHARS}]`, 'g'), '_') .substring(0, 14)
.replace(new RegExp(`[^${USERNAME_CHARS}]`, 'g'), '_')
)
); );
const conflicts = (await db.all(SQL`SELECT usernameNorm FROM users WHERE usernameNorm LIKE ${normalise(base) + '%'}`)) const conflicts = (await db.all(SQL`SELECT usernameNorm FROM users WHERE usernameNorm LIKE ${normalise(base) + '%'}`))
@ -295,6 +299,8 @@ router.post('/user/change-username', handleErrorAsync(async (req, res) => {
return res.json({ error: 'user.account.changeUsername.invalid' }); return res.json({ error: 'user.account.changeUsername.invalid' });
} }
req.body.username = replaceExtension(req.body.username);
const dbUser = await req.db.get(SQL`SELECT * FROM users WHERE usernameNorm = ${normalise(req.body.username)}`); const dbUser = await req.db.get(SQL`SELECT * FROM users WHERE usernameNorm = ${normalise(req.body.username)}`);
if (dbUser && dbUser.id !== req.user.id) { if (dbUser && dbUser.id !== req.user.id) {
return res.json({ error: 'user.account.changeUsername.taken' }) return res.json({ error: 'user.account.changeUsername.taken' })