Merge pull request #818 from fourcube/fix/issue-810-validate-usernames

Validate usernames before creating accounts.

Author: kjetilk

lib/requests/create-account-request.js

@@ -124,6 +124,7 @@ class CreateAccountRequest extends AuthRequest {
     let accountManager = this.accountManager
 
     return Promise.resolve(userAccount)
+      .then(this.cancelIfUsernameInvalid.bind(this))
       .then(this.cancelIfAccountExists.bind(this))
       .then(this.createAccountStorage.bind(this))
       .then(this.saveCredentialsFor.bind(this))
@@ -186,6 +187,26 @@ class CreateAccountRequest extends AuthRequest {
         return userAccount
       })
   }
+
+  /**
+   * Check if a username is a valid slug.
+   *
+   * @param userAccount {UserAccount} Instance of the account to be created
+   *
+   * @throws {Error} If errors were encountering while validating the
+   *   username.
+   *
+   * @return {Promise<UserAccount>} Chainable
+   */
+  cancelIfUsernameInvalid (userAccount) {
+    if (!userAccount.username || !/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(userAccount.username)) {
+      const error = new Error('Invalid username')
+      error.status = 400
+      throw error
+    }
+
+    return userAccount
+  }
 }
 
 /**

test/unit/create-account-request-test.js

@@ -84,6 +84,48 @@ describe('CreateAccountRequest', () => {
           done()
         })
     })
+
+    it('should return a 400 error if a username is invalid', () => {
+      let accountManager = AccountManager.from({ host })
+      let locals = { authMethod: defaults.auth, accountManager, oidc: { users: {} } }
+
+      accountManager.accountExists = sinon.stub().returns(Promise.resolve(false))
+
+      const invalidUsernames = [
+        '-',
+        '-a',
+        'a-',
+        '9-',
+        'alice--bob',
+        'alice bob'
+      ]
+
+      let invalidUsernamesCount = 0
+
+      const requests = invalidUsernames.map((username) => {
+        let aliceData = {
+          username: username, password: '1234'
+        }
+
+        let req = HttpMocks.createRequest({ app: { locals }, body: aliceData })
+        let request = CreateAccountRequest.fromParams(req, res)
+
+        return request.createAccount()
+          .then(() => {
+            throw new Error('should not happen')
+          })
+          .catch(err => {
+            invalidUsernamesCount++
+            expect(err.message).to.match(/Invalid username/)
+            expect(err.status).to.equal(400)
+          })
+      })
+
+      return Promise.all(requests)
+        .then(() => {
+          expect(invalidUsernamesCount).to.eq(invalidUsernames.length)
+        })
+    })
   })
 })