fix exploit (i think?)

2026-01-08 23:48:06 +01:00 · 2024-03-12 19:13:36 +00:00 · 2024-03-12 19:13:36 +00:00 · 713810f81b
commit 713810f81b
parent 2d28049b2a
2 changed files with 20 additions and 2 deletions
--- a/src/routes/api/user/+server.ts
+++ b/src/routes/api/user/+server.ts
@ -39,6 +39,12 @@ export async function POST({ request, getClientAddress }) {
 			error: "missing fields",
 		});
 	}
+	if (body.username.length < 3 || body.username.length > 24) {
+		return json<CreateAccountResponse>({
+			success: false,
+			error: "invalid username",
+		});
+	}
 	if (!validator.isEmail(body.email)) {
 		return json<CreateAccountResponse>({
 			success: false,
--- a/src/routes/signup/+page.svelte
+++ b/src/routes/signup/+page.svelte
@ -61,8 +61,20 @@
 					>Contact us</a
 				>.
 			</p>
-			<input bind:value={emailInput} class="input" type="text" placeholder="Recovery Email" />
-			<input bind:value={usernameInput} class="input" type="text" placeholder="Username" />
+			<input
+				bind:value={emailInput}
+				maxlength="128"
+				class="input"
+				type="text"
+				placeholder="Recovery Email"
+			/>
+			<input
+				bind:value={usernameInput}
+				maxlength="24"
+				class="input"
+				type="text"
+				placeholder="Username"
+			/>
 			<div class="h-[78px]">
 				<HCaptcha on:success={captchaComplete} theme="dark" sitekey={PUBLIC_SITE_KEY} />
 			</div>