Update DbAuthMiddleware.php

Changes $usernamePattern - defaults to /^\p{L}+$/u , visible characters, no punctuation, unicode mode $usernameMaxLength - defaults to 255 changed validation of other inputs from filter_validate() to htmlspecialchars() fixed typos missing and extra $
apps-caraga · Mar 30, 2023 · c64d996 · c64d996
1 parent 372e36f
commit c64d996
Showing 1 changed file with 5 additions and 6 deletions.
diff --git a/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php b/src/Tqdev/PhpCrudApi/Middleware/DbAuthMiddleware.php
@@ -71,9 +71,9 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             $usernameColumnName = $this->getProperty('usernameColumn', 'username');
             $usernameColumn = $table->getColumn($usernameColumnName);
             $passwordColumnName = $this->getProperty('passwordColumn', 'password');
-            $usernamePattern = $this->getProperty('usernamePattern','/^[A-Za-z0-9]+$/'); // specify regex pattern for username, defaults to alphanumeric characters
+            $usernamePattern = $this->getProperty('usernamePattern', '/^\p{L}+$/u'); // defaults to visible chars,unicode mode and no punctuation
             $usernameMinLength = (int)$this->getProperty('usernameMinLength',5);
-            $usernameMaxLength = (int)$this->getProperty('usernameMaxLength',30);
+            $usernameMaxLength = (int)$this->getProperty('usernameMaxLength',255);
             if($usernameMinLength > $usernameMaxLength){
                 //obviously, $usernameMinLength should be less than $usernameMaxLength, but we'll still check in case of mis-config then we'll swap the 2 values
                 $lesser = $usernameMaxLength;
@@ -129,8 +129,7 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                           }else if($key === $passwordColumnName){
                               $data[$passwordColumnName] = password_hash($password, PASSWORD_DEFAULT);
                           }else{
-				    		$data[$key] = filter_var($value, FILTER_VALIDATE_EMAIL) ? $value : filter_var($value,FILTER_SANITIZE_ENCODED);
-                              //sanitize all other inputs, except for valid or properly formatted email address
+				$data[$key] = htmlspecialchars($value);	
                           }
                       }
                  }
@@ -142,11 +141,11 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 			 * query 2,3 or more times. 
 			 * As a TEMPORARY WORKAROUND, we'll just attempt to register the new user and wait for the db to throw a DUPLICATE KEY EXCEPTION.
 			 */
-		}catch(\PDOException error){
+		}catch(\PDOException $error){
 			if($error->getCode() ==="23000"){
 				return $this->responder->error(ErrorCode::DUPLICATE_KEY_EXCEPTION,'',$error->getMessage());
 			}else{
-				return $this->responder->error(ErrorCode::INPUT_VALIDATION_FAILED,$$error->getMessage());
+				return $this->responder->error(ErrorCode::INPUT_VALIDATION_FAILED,$error->getMessage());
 			}
 		}
                 $users = $this->db->selectAll($table, $columnNames, $condition, $columnOrdering, 0, 1);