From 74a3efe78daab1a2e6097efab0862336cabe207a Mon Sep 17 00:00:00 2001
From: Cory McWilliams
Date: Fri, 22 Sep 2023 22:41:47 +0000
Subject: [PATCH] Let's restrict valid usernames.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@4471 ed5197a5-7fde-0310-b194-c3ffbd925b24
---
 core/auth.js | 6 ++++++
 tools/autotest.py | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/core/auth.js b/core/auth.js
index 69e12f06..19ad1902 100644
--- a/core/auth.js
+++ b/core/auth.js
@@ -113,6 +113,11 @@ function getCookies(headers) {
 return cookies;
 }
 
+function isNameValid(name) {
+ let c = name.charAt(0);
+ return ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) && name.split().map(x => x >= ('a' && x <= 'z') || x >= ('A' && x <= 'Z') || x >= ('0' && x <= '9'));
+}
+
 function handler(request, response) {
 let session = getCookies(request.headers).session;
 if (request.uri == "/login") {
@@ -138,6 +143,7 @@ function handler(request, response) {
 account = account ? JSON.parse(account) : account;
 if (formData.register == "1") {
 if (!account &&
+ isNameValid(formData.name) &&
 formData.password == formData.confirm) {
 let users = new Set();
 let users_original = gDatabase.get('users');
diff --git a/tools/autotest.py b/tools/autotest.py
index 979e1df3..ca80b47b 100755
--- a/tools/autotest.py
+++ b/tools/autotest.py
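Review bot: `isNameValid` effectively checks only the first character: `name.split()` with no separator returns a one-element array holding the whole name, `.map(...)` returns an array, and an array is always truthy, so any name that starts with a letter is accepted whatever follows it. The inner comparisons are also mis-parenthesised (`x >= ('a' && x <= 'z')` compares `x` with a boolean), so they would not express the intended ranges even if their result were used. Because this gates account registration, I would replace the body with an anchored pattern, `return typeof name === 'string' && /^[A-Za-z][A-Za-z0-9]*$/.test(name);`, which also returns false instead of throwing on `charAt` when `formData.name` is missing at the call added in the second hunk. A one-line comment stating the allowed alphabet (and a length limit, if one is wanted) would make the policy explicit.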
@@ -80,6 +80,27 @@ try:
 driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'loginButton').click()
 driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'error')
 
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'register_label').click()
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'name').send_keys('test_user')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'password').send_keys('wrong_test_password')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'confirm').send_keys('wrong_test_password')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'loginButton').click()
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'error')
+
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'register_label').click()
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'name').send_keys('1invalid')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'password').send_keys('test_password')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'confirm').send_keys('test_password')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'loginButton').click()
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'error')
+
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'register_label').click()
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'name').send_keys('😁')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'password').send_keys('test_password')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'confirm').send_keys('test_password')
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'loginButton').click()
+ driver.find_element(By.TAG_NAME, 'tf-auth').shadow_root.find_element(By.ID, 'error')
+
 print('SUCCESS.')
 finally:
 driver.close()
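Review bot: Both new rejection cases, `'1invalid'` and `'😁'`, fail on their first character, so nothing here exercises the check on the rest of the name; a case that starts with a letter and then contains a disallowed character, e.g. `send_keys('bad name!')`, is needed to cover it. Note too that `'test_user'` contains an underscore, which is outside the letters-and-digits set that `isNameValid` in core/auth.js appears to intend, so tightening that check would presumably need a decision on `_`. Each case only asserts that an `error` element can be found; if that element can persist from a previous attempt (not visible in this hunk), the later assertions could pass without the new name having been rejected. The enclosing `try:` block starts outside the hunk.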