Username validation (#282)

* user-did table * yay fixed it * resolve available domains from db * serverDid + tests * check for invalid domains * username validation * woopsied on merge * fix migration * lower indexes * even moar validation
bluesky-social · Nov 1, 2022 · 8982e13 · 8982e13
1 parent 51dd566
commit 8982e13
Show file tree

Hide file tree

Showing 12 changed files with 1,096 additions and 144 deletions.
diff --git a/packages/pds/package.json b/packages/pds/package.json
@@ -31,6 +31,7 @@
     "@atproto/uri": "*",
     "@atproto/xrpc-server": "*",
     "@hapi/bourne": "^3.0.0",
+    "@sideway/address": "^5.0.0",
     "better-sqlite3": "^7.6.2",
     "cors": "^2.8.5",
     "dotenv": "^16.0.0",

diff --git a/packages/pds/src/api/com/atproto/account.ts b/packages/pds/src/api/com/atproto/account.ts
@@ -6,6 +6,7 @@ import * as locals from '../../../locals'
 import { countAll } from '../../../db/util'
 import { UserAlreadyExistsError } from '../../../db'
 import SqlBlockstore from '../../../sql-blockstore'
+import { ensureUsernameValid } from './util/username'
 import { grantRefreshToken } from './util/auth'
 
 export default function (server: Server) {
@@ -26,32 +27,15 @@ export default function (server: Server) {
   })
 
   server.com.atproto.createAccount(async (_params, input, _req, res) => {
-    const { email, username, password, inviteCode, recoveryKey } = input.body
+    const { password, inviteCode, recoveryKey } = input.body
     const { db, auth, config, keypair, logger } = locals.get(res)
+    const username = input.body.username.toLowerCase()
+    const email = input.body.email.toLowerCase()
 
-    // In order to perform the significant db updates ahead of
-    // registering the did, we will use a temp invalid did. Once everything
-    // goes well and a fresh did is registered, we'll replace the temp values.
-    const now = new Date().toISOString()
-
-    // Validate username
-
-    if (username.startsWith('did:')) {
-      throw new InvalidRequestError(
-        'Cannot register a username that starts with `did:`',
-        'InvalidUsername',
-      )
-    }
+    // throws if not
+    ensureUsernameValid(username, config.availableUserDomains)
 
-    const supportedUsername = config.availableUserDomains.some((host) =>
-      username.toLowerCase().endsWith(host),
-    )
-    if (!supportedUsername) {
-      throw new InvalidRequestError(
-        'Not a supported username domain',
-        'InvalidUsername',
-      )
-    }
+    const now = new Date().toISOString()
 
     const result = await db.transaction(async (dbTxn) => {
       if (config.inviteRequired) {

diff --git a/packages/pds/src/api/com/atproto/password-reset.ts b/packages/pds/src/api/com/atproto/password-reset.ts
@@ -9,7 +9,7 @@ export default function (server: Server) {
   server.com.atproto.requestAccountPasswordReset(
     async (_params, input, _req, res) => {
       const { db, mailer, config } = locals.get(res)
-      const { email } = input.body
+      const email = input.body.email.toLowerCase()
 
       const user = await db.getUserByEmail(email)
 

diff --git a/packages/pds/src/api/com/atproto/session.ts b/packages/pds/src/api/com/atproto/session.ts
@@ -21,7 +21,8 @@ export default function (server: Server) {
   })
 
   server.com.atproto.createSession(async (_params, input, _req, res) => {
-    const { username, password } = input.body
+    const { password } = input.body
+    const username = input.body.username.toLowerCase()
     const { db, auth } = locals.get(res)
     const validPass = await db.verifyUserPassword(username, password)
     if (!validPass) {