authorDaniel Hader <[email protected]>2026-06-05 19:29:40 -0500
committerDaniel Hader <[email protected]>2026-06-05 19:29:40 -0500
commitc071aca5c5c16d56aafe38ace2b2c158e1b875fc (patch)
treeaa947a0f6fa53be3de6fb879aa5c4d96bc087cf1 /src/routes/user.rs
parent3ac68b8b59f150e08731a62026ce3ac825655614 (diff)
server text sanitation, username/email filters, and code length measurement
Diffstat (limited to 'src/routes/user.rs')
-rw-r--r--src/routes/user.rs16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/routes/user.rs b/src/routes/user.rs
index 178a272..31a5824 100644
--- a/src/routes/user.rs
+++ b/src/routes/user.rs
@@ -1,6 +1,7 @@
use axum::extract::{Json, State};
use axum::http::StatusCode;
use axum::response::IntoResponse;
+use regex::Regex;
use serde::{Deserialize, Serialize};
use crate::AppState;
@@ -12,6 +13,7 @@ pub(crate) struct CreateUserRequest {
email: String,
username: String,
password: String,
+ register_code: String,
}
pub async fn create_user(
@@ -19,6 +21,20 @@ pub async fn create_user(
Json(request): Json<CreateUserRequest>
) -> Result<impl IntoResponse, RouteError> {
+ if request.register_code != state.register_code {
+ return Err(RouteError::AuthorizationFailure());
+ }
+
+ let email_re = Regex::new(r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$").unwrap();
+ if !email_re.is_match(&request.email) {
+ return Err(RouteError::MalformedField("email".into()));
+ }
+
+ let username_re = Regex::new(r"^[a-zA-Z0-9_\-]+$").unwrap();
+ if !username_re.is_match(&request.username) {
+ return Err(RouteError::MalformedField("username".into()));
+ }
+
match state.database.fetch_user_by_email(&request.email) {
Err(_) => return Err(RouteError::Internal("database action failed".into())),
Ok(Some(_)) => return Err(RouteError::UserCreateEmailExists(request.email)),
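Review bot: The first added line rejects a wrong `register_code` with a plain `!=`, which is a byte-wise early-exit string comparison on a shared secret, so the response timing can leak how many leading bytes matched; compare the two values with a constant-time equality (for example `ConstantTimeEq` from the `subtle` crate, or a length-check followed by a fixed-length XOR fold) rather than `!=`. The two `Regex::new(...).unwrap()` calls also recompile their patterns on every request; hoisting each into a module-level `static EMAIL_RE: LazyLock<Regex> = LazyLock::new(|| Regex::new(r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$").unwrap());` (or `OnceLock` on an older toolchain) compiles once and keeps the `unwrap` on a literal pattern out of the request path. Since `email` and `username` arrive unbounded from the JSON body, it may also be worth rejecting over-long values before the regex match and before the database lookup, though whether any length policy exists elsewhere is not visible here. `create_user` begins before this hunk and its body continues past it.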