Check login before logging it

src/controllers/admin_api.rs

@@ -6,6 +6,7 @@ use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersAct
 use crate::data::action_logger::{Action, ActionLogger};
 use crate::data::current_user::CurrentUser;
 use crate::data::user::UserID;
+use crate::utils::string_utils;
 
 #[derive(serde::Deserialize)]
 pub struct FindUserNameReq {
@@ -21,6 +22,10 @@ pub async fn find_username(
     req: web::Form<FindUserNameReq>,
     users: web::Data<Addr<UsersActor>>,
 ) -> impl Responder {
+    if !string_utils::is_acceptable_login(&req.username) {
+        return HttpResponse::BadRequest().json("Invalid login!");
+    }
+
     let res = users
         .send(FindUserByUsername(req.0.username))
         .await

src/controllers/admin_controller.rs

@@ -15,6 +15,7 @@ use crate::data::client::{Client, ClientID, ClientManager};
 use crate::data::current_user::CurrentUser;
 use crate::data::provider::{Provider, ProviderID, ProvidersManager};
 use crate::data::user::{GeneralSettings, GrantedClients, User, UserID};
+use crate::utils::string_utils;
 use crate::utils::string_utils::rand_str;
 
 #[derive(Template)]
@@ -105,7 +106,16 @@ pub async fn users_route(
     let mut danger = None;
     let mut success = None;
 
-    if let Some(update) = update_query {
+    // Check update query for invalid input
+    if update_query
+        .as_ref()
+        .map(|l| string_utils::is_acceptable_login(&l.username))
+        == Some(false)
+    {
+        danger = Some("Invalid login provided, the modifications could not be saved!".to_string());
+    }
+    // Perform request (if any)
+    else if let Some(update) = update_query {
         let edited_user: Option<User> = users
             .send(users_actor::GetUserRequest(update.uid.clone()))
             .await

src/controllers/login_controller.rs

@@ -18,6 +18,7 @@ use crate::data::provider::{Provider, ProvidersManager};
 use crate::data::session_identity::{SessionIdentity, SessionStatus};
 use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;
+use crate::utils::string_utils;
 
 pub struct BaseLoginPage<'a> {
     pub danger: Option<String>,
@@ -132,6 +133,16 @@ pub async fn login_route(
             query.redirect.get_encoded()
         ));
     }
+    // Check if given login is not acceptable
+    else if req
+        .as_ref()
+        .map(|r| string_utils::is_acceptable_login(&r.login))
+        == Some(false)
+    {
+        danger = Some(
+            "Given login could not be processed, because it has an invalid format!".to_string(),
+        );
+    }
     // Try to authenticate user
     else if let Some(req) = &req {
         login = req.login.clone();

src/data/user.rs

@@ -311,7 +311,7 @@ impl Eq for User {}
 impl Default for User {
     fn default() -> Self {
         Self {
-            uid: UserID("".to_string()),
+            uid: UserID(uuid::Uuid::new_v4().to_string()),
             first_name: "".to_string(),
             last_name: "".to_string(),
             username: "".to_string(),

src/utils/string_utils.rs

@@ -36,9 +36,14 @@ pub fn apply_env_vars(val: &str) -> String {
     val
 }
 
+/// Check out whether a given login is acceptable or not
+pub fn is_acceptable_login(login: &str) -> bool {
+    mailchecker::is_valid(login) || lazy_regex::regex!("^[a-zA-Z0-9-+]+$").is_match(login)
+}
+
 #[cfg(test)]
 mod test {
-    use crate::utils::string_utils::apply_env_vars;
+    use crate::utils::string_utils::{apply_env_vars, is_acceptable_login};
     use std::env;
 
     const VAR_ONE: &str = "VAR_ONE";
@@ -56,4 +61,12 @@ mod test {
         let src = format!("This is ${{{}}}", VAR_INVALID);
         assert_eq!(src, apply_env_vars(&src));
     }
+
+    #[test]
+    fn test_is_acceptable_login() {
+        assert!(is_acceptable_login("admin"));
+        assert!(is_acceptable_login("someone@somewhere.fr"));
+        assert!(!is_acceptable_login("someone@somewhere.#fr"));
+        assert!(!is_acceptable_login("bad bad"));
+    }
 }