Don't issue registration tokens for names that already exist

2025-05-12 12:52:28 +00:00 · 2022-11-13 22:17:41 -06:00 · 2022-11-13 22:17:41 -06:00 · e67abe0164
commit e67abe0164
parent 75de1d0faa
2 changed files with 21 additions and 5 deletions
--- a/ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs
+++ b/ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs
@ -83,6 +83,12 @@ public class UserEndpoints : ApiEndpointController
        APIKey? apiKey = await this.database.APIKeys.FirstOrDefaultAsync(k => k.Key == authToken);
        if (apiKey == null) return this.StatusCode(403, null);

+        if (!string.IsNullOrWhiteSpace(username))
+        {
+            bool userExists = await this.database.Users.AnyAsync(u => u.Username == username);
+            if (userExists) return this.BadRequest();
+        }
+
        RegistrationToken token = new()
        {
            Created = DateTime.Now,
--- a/ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs
+++ b/ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs
@ -29,10 +29,16 @@ public class RegisterForm : BaseLayout
        {
            if (this.Request.Query.ContainsKey("token"))
            {
-                if (!this.Database.IsRegistrationTokenValid(this.Request.Query["token"]))
+                string token = this.Request.Query["token"];
+                if (!this.Database.IsRegistrationTokenValid(token))
                    return this.StatusCode(403, this.Translate(ErrorStrings.TokenInvalid));

-                username = (await this.Database.RegistrationTokens.FirstAsync(r => r.Token == this.Request.Query["token"].ToString())).Username;
+                string? tokenUsername = await this.Database.RegistrationTokens.Where(r => r.Token == token)
+                    .Select(u => u.Username)
+                    .FirstOrDefaultAsync();
+                if (tokenUsername == null) return this.BadRequest();
+
+                username = tokenUsername;
            }
            else
            {
@ -113,17 +119,21 @@ public class RegisterForm : BaseLayout

    [UsedImplicitly]
    [SuppressMessage("ReSharper", "SpecifyStringComparison")]
-    public IActionResult OnGet()
+    public async Task<IActionResult> OnGet()
    {
        this.Error = string.Empty;
        if (ServerConfiguration.Instance.Authentication.PrivateRegistration)
        {
            if (this.Request.Query.ContainsKey("token"))
            {
-                if (!this.Database.IsRegistrationTokenValid(this.Request.Query["token"]))
+                string token = this.Request.Query["token"];
+                if (!this.Database.IsRegistrationTokenValid(token))
                    return this.StatusCode(403, this.Translate(ErrorStrings.TokenInvalid));

-                this.Username = this.Database.RegistrationTokens.First(r => r.Token == this.Request.Query["token"].ToString()).Username;
+                string? tokenUsername = await this.Database.RegistrationTokens.Where(r => r.Token == token)
+                    .Select(u => u.Username)
+                    .FirstAsync();
+                this.Username = tokenUsername;
            }
            else
            {