validate usernames on registration (atuinsh#982)

improve login password incorrect error message update docs for registration with passwords
Fug4Mo · May 16, 2023 · 7d5a82d · 7d5a82d
1 parent 7b9dea7
commit 7d5a82d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -100,7 +100,7 @@ Read more below for offline-only usage, or for hosting your own server.
 ```
 bash <(curl https://raw.githubusercontent.com/ellie/atuin/main/install.sh)
 
-atuin register -u <USERNAME> -e <EMAIL> -p <PASSWORD>
+atuin register -u <USERNAME> -e <EMAIL>
 atuin import auto
 atuin sync
 ```

diff --git a/atuin-server/src/handlers/user.rs b/atuin-server/src/handlers/user.rs
@@ -92,6 +92,18 @@ pub async fn register<DB: Database>(
         );
     }
 
+    for c in register.username.chars() {
+        match c {
+            'a'..='z' | 'A'..='Z' | '0'..='9' | '-' => {}
+            _ => {
+                return Err(ErrorResponse::reply(
+                    "Only alphanumeric and hyphens (-) are allowed in usernames",
+                )
+                .with_status(StatusCode::BAD_REQUEST))
+            }
+        }
+    }
+
     let hashed = hash_secret(&register.password);
 
     let new_user = NewUser {
@@ -190,7 +202,9 @@ pub async fn login<DB: Database>(
     let verified = verify_str(user.password.as_str(), login.password.borrow());
 
     if !verified {
-        return Err(ErrorResponse::reply("user not found").with_status(StatusCode::NOT_FOUND));
+        return Err(
+            ErrorResponse::reply("password is not correct").with_status(StatusCode::UNAUTHORIZED)
+        );
     }
 
     Ok(Json(LoginResponse {

diff --git a/docs/docs/commands/sync.md b/docs/docs/commands/sync.md
@@ -26,8 +26,11 @@ Register for a sync account with
 atuin register -u <USERNAME> -e <EMAIL> -p <PASSWORD>
 ```
 
-Usernames must be unique, and emails shall only be used for important
-notifications (security breaches, changes to service, etc).
+If you don't want to have your password be included in shell history, you can omit
+the password flag and you will be prompted to provide it through stdin.
+
+Usernames must be unique and only contain alphanumerics or hyphens,
+and emails shall only be used for important notifications (security breaches, changes to service, etc).
 
 Upon success, you are also logged in :) Syncing should happen automatically from
 here!
@@ -62,6 +65,9 @@ If you want to log in to a new machine, you will require your encryption key
 atuin login -u <USERNAME> -p <PASSWORD> -k <KEY>
 ```
 
+If you don't want to have your password be included in shell history, you can omit
+the password flag and you will be prompted to provide it through stdin.
+
 ## Logout
 
 ```