Added backend and frontend validation for username registration

2026-02-01 16:46:05 +00:00 · 2014-04-01 17:11:52 +01:00 · 2014-04-01 17:11:52 +01:00 · d5a59f96c2
commit d5a59f96c2
parent d30fd0040a
3 changed files with 17 additions and 2 deletions
--- a/lib/addons/memcached/index.js
+++ b/lib/addons/memcached/index.js
@ -53,7 +53,10 @@ module.exports = function(app, connection) {

    // Removes user data from old cookies
    var username = undefsafe(req, 'session.user.name');
-    var key = username.replace(' ', '^^');
+    var key;
+    if (username !== undefined) {
+      key = username.replace(' ', '^^');
+    }

    var setUserMetadata = setMetadata.bind(null, req);
    var populateUserMetadata = getMetadata.bind(null, username, req, key);
--- a/lib/handlers/user.js
+++ b/lib/handlers/user.js
@ -47,6 +47,18 @@ module.exports = Observable.extend({
      return next();
    }

+    var reg = /^[a-zA-Z0-9_\-]+$/;
+    if (!reg.test(username)) {
+      req.error = {
+        ok: false,
+        message: 'Only numbers, letters, underscore and dash are allowed in the username',
+        raw: 'Character not allowed',
+        status: 400
+      };
+
+      return next();
+    }
+
    userModel.load(username, function (err, result) {
      if (result) {
        // Username taken
--- a/views/register-login.html
+++ b/views/register-login.html
@ -15,7 +15,7 @@
  <form action="{{root}}/register" method="post" class="register">
    <div>
      <label for="signup-username">Username</label>
-      <input name="username" id="signup-username" type="text" required>
+      <input name="username" id="signup-username" type="text" required pattern="[a-zA-Z0-9_\-]+" oninvalid="setCustomValidity('Only numbers, letters, underscore and dash are allowed in the username')">
    </div>
    <div>
      <label for="signup-email">Email address</label>