From 713810f81bdec89938a8451512f01ae8e906782e Mon Sep 17 00:00:00 2001
From: not-nullptr <needhelpwithrift@gmail.com>
Date: Tue, 12 Mar 2024 19:13:36 +0000
Subject: [PATCH] fix exploit (i think?)

---
 src/routes/api/user/+server.ts |  6 ++++++
 src/routes/signup/+page.svelte | 16 ++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/routes/api/user/+server.ts b/src/routes/api/user/+server.ts
index 1dcc58e..cb39114 100644
--- a/src/routes/api/user/+server.ts
+++ b/src/routes/api/user/+server.ts
@@ -39,6 +39,12 @@ export async function POST({ request, getClientAddress }) {
 			error: "missing fields",
 		});
 	}
+	if (body.username.length < 3 || body.username.length > 24) {
+		return json<CreateAccountResponse>({
+			success: false,
+			error: "invalid username",
+		});
+	}
 	if (!validator.isEmail(body.email)) {
 		return json<CreateAccountResponse>({
 			success: false,
diff --git a/src/routes/signup/+page.svelte b/src/routes/signup/+page.svelte
index a13947d..5b5a2b0 100644
--- a/src/routes/signup/+page.svelte
+++ b/src/routes/signup/+page.svelte
@@ -61,8 +61,20 @@
 					>Contact us</a
 				>.
 			</p>
-			<input bind:value={emailInput} class="input" type="text" placeholder="Recovery Email" />
-			<input bind:value={usernameInput} class="input" type="text" placeholder="Username" />
+			<input
+				bind:value={emailInput}
+				maxlength="128"
+				class="input"
+				type="text"
+				placeholder="Recovery Email"
+			/>
+			<input
+				bind:value={usernameInput}
+				maxlength="24"
+				class="input"
+				type="text"
+				placeholder="Username"
+			/>
 			<div class="h-[78px]">
 				<HCaptcha on:success={captchaComplete} theme="dark" sitekey={PUBLIC_SITE_KEY} />
 			</div>