From 7d5a82df14160242cdd01a0f1651dab18b41a973 Mon Sep 17 00:00:00 2001 From: Conrad Ludgate Date: Tue, 16 May 2023 22:03:53 +0100 Subject: validate usernames on registration (#982) improve login password incorrect error message update docs for registration with passwords --- atuin-server/src/handlers/user.rs | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'atuin-server/src') diff --git a/atuin-server/src/handlers/user.rs b/atuin-server/src/handlers/user.rs index ec2131e1..e67828e4 100644 --- a/atuin-server/src/handlers/user.rs +++ b/atuin-server/src/handlers/user.rs @@ -92,6 +92,18 @@ pub async fn register( ); } + for c in register.username.chars() { + match c { + 'a'..='z' | 'A'..='Z' | '0'..='9' | '-' => {} + _ => { + return Err(ErrorResponse::reply( + "Only alphanumeric and hyphens (-) are allowed in usernames", + ) + .with_status(StatusCode::BAD_REQUEST)) + } + } + } + let hashed = hash_secret(®ister.password); let new_user = NewUser { @@ -190,7 +202,9 @@ pub async fn login( let verified = verify_str(user.password.as_str(), login.password.borrow()); if !verified { - return Err(ErrorResponse::reply("user not found").with_status(StatusCode::NOT_FOUND)); + return Err( + ErrorResponse::reply("password is not correct").with_status(StatusCode::UNAUTHORIZED) + ); } Ok(Json(LoginResponse { -- cgit v1.3.1
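Review bot: The character loop added to `register` rejects disallowed characters but accepts an empty username and puts no upper bound on its length; unless the check that precedes it (only its closing `);` and `}` are visible as the hunk's first context lines) already covers both, an emptiness and length check belongs next to this loop. The reply text says "alphanumeric" while the arm admits only ASCII ranges, which is a sensible restriction for an identifier, so the message could state it: `"Only ASCII letters, digits and hyphens (-) are allowed in usernames"`. As a matter of style the loop-with-match reads more directly as `if !register.username.chars().all(|c| c.is_ascii_alphanumeric() || c == '-') { return Err(...); }`. `register`'s body starts and continues outside the hunk.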
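Review bot: Replying "password is not correct" with 401 after a failed `verify_str` lets a client tell a wrong password apart from an unknown username, provided the lookup-failure path earlier in `login` (outside the hunk) still answers "user not found"/404 as the removed line did; that observable difference is what enables account enumeration against the registration endpoint. The safer shape is one generic reply for both outcomes, for example `ErrorResponse::reply("invalid username or password").with_status(StatusCode::UNAUTHORIZED)` on both paths, keeping the distinction only in server-side logging. Moving from 404 to 401 for a failed credential check is itself an improvement. `login`'s body starts and ends outside the hunk.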