Added a check for username length

src/pages/api/auth/register.ts

@@ -9,6 +9,7 @@ import { jsonUserReplacer } from 'lib/utils/client';
 import { extname } from 'path';
 
 const logger = Logger.get('user');
+const MAX_USERNAME_LENGTH = 12;
 
 async function handler(req: NextApiReq, res: NextApiRes) {
   const user = await req.user();
@@ -26,34 +27,32 @@ async function handler(req: NextApiReq, res: NextApiRes) {
     code?: string;
   };
 
-  if (!username) badRequest = true;
-  if (!password) badRequest = true;
+  if (!username || !password) return res.badRequest('Bad Username/Password');
+
+  // Validate username length
+  if (username.length > MAX_USERNAME_LENGTH) {
+    return res.badRequest(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`);
+  }
 
   const existing = await prisma.user.findFirst({
-    where: {
-      username,
-    },
-    select: {
-      username: true,
-    },
+    where: { username },
+    select: { username: true },
   });
 
-  if (existing) badRequest = true;
-
-  if (badRequest) return res.badRequest('Bad Username/Password');
+  if (existing) return res.badRequest('Bad Username/Password');
 
   if (code) {
     if (config.features.invites) {
       const invite = await prisma.invite.findUnique({
-        where: {
-          code,
-        },
+        where: { code },
       });
 
       if (!invite || invite?.used) return res.badRequest('Bad invite');
       usedInvite = true;
     } else return res.badRequest('Bad Username/Password');
-  } else if (config.features.invites && !user?.administrator) return res.badRequest('Bad invite');
+  } else if (config.features.invites && !user?.administrator) {
+    return res.badRequest('Bad invite');
+  }
 
   const hashed = await hashPassword(password);
 
@@ -85,7 +84,7 @@ async function handler(req: NextApiReq, res: NextApiRes) {
     });
 
   logger.debug(
-    `registered user${usedInvite ? ' via invite ' + code : ''} ${JSON.stringify(newUser, jsonUserReplacer)}`,
+    `registered user${usedInvite ? ' via invite ' + code : ''} ${JSON.stringify(newUser, jsonUserReplacer)}`
   );
 
   delete newUser.password;

src/pages/auth/register.tsx

@@ -21,6 +21,8 @@ export default function Register({ code = undefined, title, user_registration })
   const [verifyPasswordError, setVerifyPasswordError] = useState('');
   const [strength, setStrength] = useState(0);
 
+  const MAX_USERNAME_LENGTH = 16;
+
   const setUser = useSetRecoilState(userSelector);
   const router = useRouter();
 
@@ -30,6 +32,11 @@ export default function Register({ code = undefined, title, user_registration })
   const checkUsername = async () => {
     setUsername(username.trim());
 
+    if (username.length > MAX_USERNAME_LENGTH) {
+      setUsernameError(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`);
+      return;
+    }
+
     setUsernameError('');
 
     const res = await useFetch('/api/user/check', 'POST', { code, username });
@@ -101,7 +108,14 @@ export default function Register({ code = undefined, title, user_registration })
               <TextInput
                 label='Username'
                 value={username}
-                onChange={(e) => setUsername(e.target.value)}
+                onChange={(e) => {
+                  setUsername(e.target.value);
+                  if (e.target.value.length > MAX_USERNAME_LENGTH) {
+                    setUsernameError(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`);
+                  } else {
+                    setUsernameError('');
+                  }
+                }}
                 error={usernameError}
                 onBlur={() => checkUsername()}
               />