From 7d5a82df14160242cdd01a0f1651dab18b41a973 Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Tue, 16 May 2023 22:03:53 +0100
Subject: [PATCH] validate usernames on registration (#982)

improve login password incorrect error message
update docs for registration with passwords
---
 README.md | 2 +-
 atuin-server/src/handlers/user.rs | 16 +++++++++++++++-
 docs/docs/commands/sync.md | 10 ++++++++--
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 0967513..6b4d2ba 100644
--- a/README.md
+++ b/README.md
@@ -100,7 +100,7 @@ Read more below for offline-only usage, or for hosting your own server.
 ```
 bash <(curl https://raw.githubusercontent.com/ellie/atuin/main/install.sh)
-atuin register -u -e -p
+atuin register -u -e
 atuin import auto
 atuin sync
 ```
diff --git a/atuin-server/src/handlers/user.rs b/atuin-server/src/handlers/user.rs
index ec2131e..e67828e 100644
--- a/atuin-server/src/handlers/user.rs
+++ b/atuin-server/src/handlers/user.rs
@@ -92,6 +92,18 @@ pub async fn register(
 );
 }
+ for c in register.username.chars() {
+ match c {
+ 'a'..='z' | 'A'..='Z' | '0'..='9' | '-' => {}
+ _ => {
+ return Err(ErrorResponse::reply(
+ "Only alphanumeric and hyphens (-) are allowed in usernames",
+ )
+ .with_status(StatusCode::BAD_REQUEST))
+ }
+ }
+ }
+
 let hashed = hash_secret(®ister.password);
+
 let new_user = NewUser {
@@ -190,7 +202,9 @@ pub async fn login(
 let verified = verify_str(user.password.as_str(), login.password.borrow());
 if !verified {
- return Err(ErrorResponse::reply("user not found").with_status(StatusCode::NOT_FOUND));
+ return Err(
+ ErrorResponse::reply("password is not correct").with_status(StatusCode::UNAUTHORIZED)
+ );
 }
 Ok(Json(LoginResponse {
diff --git a/docs/docs/commands/sync.md b/docs/docs/commands/sync.md
index 8fbb0c4..8cd12c5 100644
--- a/docs/docs/commands/sync.md
+++ b/docs/docs/commands/sync.md
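Review bot: The new `for c in register.username.chars()` loop in `register` accepts an empty username, because a zero-length string produces no iterations and control falls straight through to `hash_secret` and `NewUser`; it also puts no upper bound on length, so an arbitrarily long username reaches the database. Unless an earlier check in `register` (the function starts above this hunk) already rejects those cases, add a length guard before the character check, e.g. `if register.username.is_empty() || register.username.len() > MAX_USERNAME_LEN { return Err(ErrorResponse::reply("invalid username length").with_status(StatusCode::BAD_REQUEST)); }` with `MAX_USERNAME_LEN` standing in for a project-chosen constant. As a point of style, the eleven-line loop/match reduces to `if !register.username.chars().all(|c| c.is_ascii_alphanumeric() || c == '-') { … }`, which reads as the allow-list it is and cannot silently widen if a range is mistyped.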
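Review bot: Replacing `user not found`/`NOT_FOUND` with `password is not correct`/`UNAUTHORIZED` in `login` lets a client distinguish a wrong password from an unknown username, which makes the endpoint usable to confirm which usernames exist; the removed line suggests both failure paths previously produced the same response, although the user lookup itself sits above this hunk and is not visible here. If the lookup branch still replies `user not found`, both paths should return one identical generic response, e.g. `ErrorResponse::reply("invalid username or password").with_status(StatusCode::UNAUTHORIZED)`, with the lookup branch (outside the hunk) changed to match. The move from 404 to 401 is itself the right correction and should be kept. `login` begins above the hunk, so whether the two error paths are otherwise already aligned is inferred rather than shown.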
@@ -26,8 +26,11 @@ Register for a sync account with
 atuin register -u -e -p
 ```
-Usernames must be unique, and emails shall only be used for important
-notifications (security breaches, changes to service, etc).
+If you don't want to have your password be included in shell history, you can omit
+the password flag and you will be prompted to provide it through stdin.
+
+Usernames must be unique and only contain alphanumerics or hyphens,
+and emails shall only be used for important notifications (security breaches, changes to service, etc).
 Upon success, you are also logged in :) Syncing should happen automatically from here!
@@ -62,6 +65,9 @@ If you want to log in to a new machine, you will require your encryption key
 atuin login -u -p -k
 ```
+If you don't want to have your password be included in shell history, you can omit
+the password flag and you will be prompted to provide it through stdin.
+
 ## Logout
 ```