From e67abe016428b2a07ca08e4d969b44ad45b3edb1 Mon Sep 17 00:00:00 2001
From: Slendy
Date: Sun, 13 Nov 2022 22:17:41 -0600
Subject: [PATCH] Don't issue registration tokens for names that already exist
---
 .../Controllers/UserEndpoints.cs | 6 ++++++
 .../Pages/RegisterForm.cshtml.cs | 20 ++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs b/ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs
index 35cb2886..d61aba76 100644
--- a/ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs
+++ b/ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs
@@ -83,6 +83,12 @@ public class UserEndpoints : ApiEndpointController
 APIKey? apiKey = await this.database.APIKeys.FirstOrDefaultAsync(k => k.Key == authToken);
 if (apiKey == null) return this.StatusCode(403, null);
+ if (!string.IsNullOrWhiteSpace(username))
+ {
+ bool userExists = await this.database.Users.AnyAsync(u => u.Username == username);
+ if (userExists) return this.BadRequest();
+ }
+
 RegistrationToken token = new()
 {
 Created = DateTime.Now,
diff --git a/ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs b/ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs
index e471b3fc..a4154868 100644
--- a/ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs
+++ b/ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs
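Review bot: The new existence check compares the raw `username` exactly as received, so a name that differs from an existing account only by surrounding whitespace or letter case can still get a token (`IsNullOrWhiteSpace` admits `" Alice"`, and `u.Username == username` is evaluated under whatever collation the database uses). If the registration page normalizes the name before creating the account, which I cannot see from here, this check should apply the same normalization first, e.g. `string name = username.Trim();` and query against `name`. Note also that this is only a best-effort pre-check: two tokens can still be issued for the same name, and a user can register that name directly between issuance and redemption, so the registration path must still reject duplicates on its own rather than trust the token. The token-issuing action begins before this hunk and its body continues past it.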
@@ -29,10 +29,16 @@ public class RegisterForm : BaseLayout
 {
 if (this.Request.Query.ContainsKey("token"))
 {
- if (!this.Database.IsRegistrationTokenValid(this.Request.Query["token"]))
+ string token = this.Request.Query["token"];
+ if (!this.Database.IsRegistrationTokenValid(token))
 return this.StatusCode(403, this.Translate(ErrorStrings.TokenInvalid));
- username = (await this.Database.RegistrationTokens.FirstAsync(r => r.Token == this.Request.Query["token"].ToString())).Username;
+ string? tokenUsername = await this.Database.RegistrationTokens.Where(r => r.Token == token)
+ .Select(u => u.Username)
+ .FirstOrDefaultAsync();
+ if (tokenUsername == null) return this.BadRequest();
+
+ username = tokenUsername;
 }
 else
 {
@@ -113,17 +119,21 @@ public class RegisterForm : BaseLayout
 [UsedImplicitly]
 [SuppressMessage("ReSharper", "SpecifyStringComparison")]
- public IActionResult OnGet()
+ public async Task OnGet()
 {
 this.Error = string.Empty;
 if (ServerConfiguration.Instance.Authentication.PrivateRegistration)
 {
 if (this.Request.Query.ContainsKey("token"))
 {
- if (!this.Database.IsRegistrationTokenValid(this.Request.Query["token"]))
+ string token = this.Request.Query["token"];
+ if (!this.Database.IsRegistrationTokenValid(token))
 return this.StatusCode(403, this.Translate(ErrorStrings.TokenInvalid));
- this.Username = this.Database.RegistrationTokens.First(r => r.Token == this.Request.Query["token"].ToString()).Username;
+ string? tokenUsername = await this.Database.RegistrationTokens.Where(r => r.Token == token)
+ .Select(u => u.Username)
+ .FirstAsync();
+ this.Username = tokenUsername;
 }
 else
 {
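Review bot: In the new `FirstOrDefaultAsync` path, the `tokenUsername == null` branch returns a bare `BadRequest()` with no body, while the invalid-token branch a few lines above returns a translated 403; the null case is reachable only when the token row disappears between `IsRegistrationTokenValid(token)` and this second query, so it is the same "token no longer valid" condition and should answer the same way: `if (tokenUsername == null) return this.StatusCode(403, this.Translate(ErrorStrings.TokenInvalid));`. Better still would be a single lookup that fetches the token row and checks validity on it, closing the two-query window, but `IsRegistrationTokenValid` is not visible here. Relatedly, the API hunk only runs its existence check when the username is non-blank, so a token may be stored with an empty name; if that is intended, `string.IsNullOrWhiteSpace(tokenUsername)` is the matching test here so a blank stored name does not silently replace the name the user submitted. The enclosing handler starts before this hunk and continues past it.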
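Review bot: `OnGet` keeps `.FirstAsync()` where the POST handler switched to `FirstOrDefaultAsync()` plus a null check: if the token row is removed between `IsRegistrationTokenValid(token)` and this query, `FirstAsync` throws `InvalidOperationException` and the request ends as an unhandled 500 instead of the controlled 403, and the `string?` annotation on `tokenUsername` is misleading because `FirstAsync` never yields the default. Mirror the POST path with `.FirstOrDefaultAsync();` followed by `if (tokenUsername == null) return this.StatusCode(403, this.Translate(ErrorStrings.TokenInvalid));`. Separately, the signature as displayed, `public async Task OnGet()`, declares no result type while the body returns `this.StatusCode(...)`, which would not compile, so the `<IActionResult>` type argument has presumably been lost in rendering and is worth confirming against the repository. `OnGet` begins at the `[UsedImplicitly]` attribute inside this hunk and its body continues past the hunk's end.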