From 15a0787491e5f1aa7b4b6a19fb857a00f4076731 Mon Sep 17 00:00:00 2001 From: Keiran Date: Fri, 4 Oct 2024 02:49:41 +0100 Subject: [PATCH 1/3] Added max username length to auth/register route --- src/pages/auth/register.tsx | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/pages/auth/register.tsx b/src/pages/auth/register.tsx index d728507ea..93ebb55aa 100644 --- a/src/pages/auth/register.tsx +++ b/src/pages/auth/register.tsx @@ -21,6 +21,8 @@ export default function Register({ code = undefined, title, user_registration }) const [verifyPasswordError, setVerifyPasswordError] = useState(''); const [strength, setStrength] = useState(0); + const MAX_USERNAME_LENGTH = 16; + const setUser = useSetRecoilState(userSelector); const router = useRouter(); @@ -30,6 +32,11 @@ export default function Register({ code = undefined, title, user_registration }) const checkUsername = async () => { setUsername(username.trim()); + if (username.length > MAX_USERNAME_LENGTH) { + setUsernameError(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`); + return; + } + setUsernameError(''); const res = await useFetch('/api/user/check', 'POST', { code, username }); @@ -40,6 +47,7 @@ export default function Register({ code = undefined, title, user_registration }) } }; + const checkPassword = () => { setVerifyPasswordError(''); setPassword(password.trim()); @@ -101,7 +109,14 @@ export default function Register({ code = undefined, title, user_registration }) setUsername(e.target.value)} + onChange={(e) => { + setUsername(e.target.value); + if (e.target.value.length > MAX_USERNAME_LENGTH) { + setUsernameError(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`); + } else { + setUsernameError(''); + } + }} error={usernameError} onBlur={() => checkUsername()} /> From 813fcab065e9ddb81bcedb826eb92094da4e1b04 Mon Sep 17 00:00:00 2001 
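Review bot: In checkUsername the new length check reads `username` immediately after `setUsername(username.trim())`, but `username` is the value captured by this render, so the comparison (and the `username` sent to `/api/user/check` on the following line) still uses the untrimmed text; a name padded with trailing spaces is rejected as too long even though the trimmed value fits. Compute the trimmed value once and use it throughout: `const trimmed = username.trim();`, `setUsername(trimmed);`, `if (trimmed.length > MAX_USERNAME_LENGTH) { … }`, and pass `{ code, username: trimmed }` to useFetch. checkUsername's body continues past the end of the hunk, and this check is client-side convenience only; the API route must enforce the same limit independently.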
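Review bot: The onChange handler repeats the comparison and the error message already written in checkUsername, so the two can drift if the limit or wording changes. A small helper in the component, e.g. `const usernameLengthError = (value: string) => value.length > MAX_USERNAME_LENGTH ? message : ''` (with `message` being the existing "Username cannot exceed …" template string), lets both call sites reduce to `setUsernameError(usernameLengthError(e.target.value))`. Note that `.length` counts UTF-16 code units, so a name containing emoji or other astral characters measures longer than what the user sees; if that matters, compare `[...value].length` and apply the identical rule on the server. The removed line in this hunk appears truncated in this copy of the patch, and the enclosing JSX extends beyond the hunk.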
From: Keiran Date: Fri, 4 Oct 2024 03:07:01 +0100 Subject: [PATCH 2/3] Fixed register --- src/pages/auth/register.tsx | 1 - 1 file changed, 1 deletion(-) diff --git a/src/pages/auth/register.tsx b/src/pages/auth/register.tsx index 93ebb55aa..918edd358 100644 --- a/src/pages/auth/register.tsx +++ b/src/pages/auth/register.tsx @@ -47,7 +47,6 @@ export default function Register({ code = undefined, title, user_registration }) } }; - const checkPassword = () => { setVerifyPasswordError(''); setPassword(password.trim()); From cc24427ab25b5a7b131cfff2cf5cd4ce2db8ba37 Mon Sep 17 00:00:00 2001 From: Keiran Date: Fri, 4 Oct 2024 19:43:26 +0100 Subject: [PATCH 3/3] Fixed register route for api --- src/pages/api/auth/register.ts | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/src/pages/api/auth/register.ts b/src/pages/api/auth/register.ts index e5f65d79f..fb68e02c5 100644 --- a/src/pages/api/auth/register.ts +++ b/src/pages/api/auth/register.ts @@ -9,6 +9,7 @@ import { jsonUserReplacer } from 'lib/utils/client'; import { extname } from 'path'; const logger = Logger.get('user'); +const MAX_USERNAME_LENGTH = 12; async function handler(req: NextApiReq, res: NextApiRes) { const user = await req.user(); 
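Review bot: `MAX_USERNAME_LENGTH` is 12 here, but patch 1 sets the form's `MAX_USERNAME_LENGTH` to 16 in src/pages/auth/register.tsx, so a 13–16 character name passes every client check (including the `/api/user/check` round-trip) and is only refused by this route on submit with a message the form never showed beforehand. The server value is the one that matters for security, so either lower the client constant to 12 or, better, define the limit once in a module imported by both files so they cannot diverge. At minimum add a comment on this line, `// Must match MAX_USERNAME_LENGTH in src/pages/auth/register.tsx`, so the next edit keeps them in step. The handler declared at the end of this hunk continues outside it.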
@@ -26,34 +27,32 @@ async function handler(req: NextApiReq, res: NextApiRes) {
     code?: string;
   };
-  if (!username) badRequest = true;
-  if (!password) badRequest = true;
+  if (!username || !password) return res.badRequest('Bad Username/Password');
+
+  // Validate username length
+  if (username.length > MAX_USERNAME_LENGTH) {
+    return res.badRequest(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`);
+  }
   const existing = await prisma.user.findFirst({
-    where: {
-      username,
-    },
-    select: {
-      username: true,
-    },
+    where: { username },
+    select: { username: true },
   });
-  if (existing) badRequest = true;
-
-  if (badRequest) return res.badRequest('Bad Username/Password');
+  if (existing) return res.badRequest('Bad Username/Password');
   if (code) {
     if (config.features.invites) {
       const invite = await prisma.invite.findUnique({
-        where: {
-          code,
-        },
+        where: { code },
       });
       if (!invite || invite?.used) return res.badRequest('Bad invite');
       usedInvite = true;
     } else return res.badRequest('Bad Username/Password');
-  } else if (config.features.invites && !user?.administrator) return res.badRequest('Bad invite');
+  } else if (config.features.invites && !user?.administrator) {
+    return res.badRequest('Bad invite');
+  }
   const hashed = await hashPassword(password);
@@ -85,7 +84,7 @@ async function handler(req: NextApiReq, res: NextApiRes) {
   });
   logger.debug(
-    `registered user${usedInvite ? ' via invite ' + code : ''} ${JSON.stringify(newUser, jsonUserReplacer)}`,
+    `registered user${usedInvite ? ' via invite ' + code : ''} ${JSON.stringify(newUser, jsonUserReplacer)}`
   );
   delete newUser.password;
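Review bot: The new `username.length > MAX_USERNAME_LENGTH` check assumes `username` is a string, but the value comes from a body cast (the `code?: string; };` tail of the type assertion is visible at the top of the hunk) with no runtime type check; if the body is parsed JSON, an array or object passes `!username`, the `.length` comparison is skipped or meaningless, and the value flows unchanged into `prisma.user.findFirst({ where: { username } })`, where an object would be read by Prisma as a filter rather than a literal. Add `if (typeof username !== 'string' || typeof password !== 'string') return res.badRequest('Bad Username/Password');` ahead of the existing guard. The server also does not trim while the client does, so a whitespace-only name such as `' '` passes `!username`; testing `!username.trim()` keeps the two sides consistent. `.length` counts UTF-16 code units rather than characters, which is acceptable as a cap but deserves a comment so the client rule is written the same way. The handler's body begins and ends outside this hunk.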