authorConrad Ludgate <conradludgate@gmail.com>2023-05-16 22:03:53 +0100
committerGitHub <noreply@github.com>2023-05-16 22:03:53 +0100
commit7d5a82df14160242cdd01a0f1651dab18b41a973 (patch)
tree85983f2f3efd289e413ab2be8338a4e17d52287f /atuin-server
parent7b9dea72e3d2435f75825e8e66a04285332d5aa5 (diff)
validate usernames on registration (#982)
improve the login "password incorrect" error message; update docs for registration with passwords
Diffstat (limited to 'atuin-server')
-rw-r--r--atuin-server/src/handlers/user.rs16
1 files changed, 15 insertions, 1 deletions
diff --git a/atuin-server/src/handlers/user.rs b/atuin-server/src/handlers/user.rs
index ec2131e12..e67828e45 100644
--- a/atuin-server/src/handlers/user.rs
+++ b/atuin-server/src/handlers/user.rs
@@ -92,6 +92,18 @@ pub async fn register<DB: Database>(
);
}
+ for c in register.username.chars() {
+ match c {
+ 'a'..='z' | 'A'..='Z' | '0'..='9' | '-' => {}
+ _ => {
+ return Err(ErrorResponse::reply(
+ "Only alphanumeric and hyphens (-) are allowed in usernames",
+ )
+ .with_status(StatusCode::BAD_REQUEST))
+ }
+ }
+ }
+
let hashed = hash_secret(&register.password);
let new_user = NewUser {
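Review bot: The added loop never rejects an empty username, because `for c in register.username.chars()` runs zero iterations on `""` and falls through to `hash_secret` and user creation; add a guard before it such as `if register.username.is_empty() { return Err(ErrorResponse::reply("username must not be empty").with_status(StatusCode::BAD_REQUEST)); }`. No upper bound on length is checked here either; whether the database schema already caps it is not visible in this hunk, so it is worth confirming. As a point of style, the match-in-loop can be a single predicate, `if !register.username.chars().all(|c| c.is_ascii_alphanumeric() || c == '-') {`, followed by the same `ErrorResponse` return. The enclosing `register` function starts before this hunk.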
@@ -190,7 +202,9 @@ pub async fn login<DB: Database>(
let verified = verify_str(user.password.as_str(), login.password.borrow());
if !verified {
- return Err(ErrorResponse::reply("user not found").with_status(StatusCode::NOT_FOUND));
+ return Err(
+ ErrorResponse::reply("password is not correct").with_status(StatusCode::UNAUTHORIZED)
+ );
}
Ok(Json(LoginResponse {
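Review bot: Replacing the shared "user not found" / 404 response with "password is not correct" / 401 on the wrong-password path makes the login response depend on whether the username exists, assuming the lookup earlier in `login` (outside this hunk) still answers 404 for an unknown user; that lets a client confirm which usernames are registered. A safer change is one response for both failure paths, e.g. `return Err(ErrorResponse::reply("invalid username or password").with_status(StatusCode::UNAUTHORIZED));` used here and at the lookup failure, so only the status code improves without distinguishing the cases. Note that `verify_str` runs only when the user exists, so response timing may still differ between the two paths; that is a pre-existing property rather than something this hunk introduces. The enclosing `login` function starts before this hunk.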