fix issue where users could bypass username sanity checks with direct urls

2022-10-22 18:15:15 -04:00
parent 5055f862b0
commit 745de7de1f
3 changed files with 45 additions and 25 deletions
--- a/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js
+++ b/zefie_wtvp_minisrv/ServiceVault/wtv-setup/validate-add-user-done.js
@@ -17,8 +17,15 @@ if (!errpage) {

 if (!errpage) {
    if (session_data.getNumberOfUserAccounts() > minisrv_config.config.user_accounts.max_users_per_account) errpage = wtvshared.doErrorPage(400, "You are not authorized to add more than " + minisrv_config.config.user_accounts.max_users_per_account + ` account${minisrv_config.config.user_accounts.max_users_per_account > 1 ? 's' : ''}.`);
+
+    if (!request_headers.query.user_name) errpage = wtvshared.doErrorPage(400, "Please enter a username.");
+    else if (request_headers.query.user_name.length < minisrv_config.config.user_accounts.min_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.min_username_length + "</b> or more characters.");
+    else if (request_headers.query.user_name.length > minisrv_config.config.user_accounts.max_username_length) errpage = wtvshared.doErrorPage(400, "Please choose a username with <b>" + minisrv_config.config.user_accounts.max_username_length + "</b> or less characters.");
+    else if (!wtvr.checkUsernameSanity(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have chosen contains invalid characters. Please choose a username with only <b>letters</b>, <b>numbers</b>, <b>_</b> or <b>-</b>. Also, please be sure your username begins with a letter.");
+    else if (!wtvr.checkUsernameAvailable(request_headers.query.user_name)) errpage = wtvshared.doErrorPage(400, "The username you have selected is already in use. Please select another username.");
 }

+
 if (errpage) {
    headers = errpage[0];
    data = errpage[1];