Merge pull request #27 from carvilsi/forbidden-usernames

not allows user creation with a forbidden username

config/default.js

@@ -4,6 +4,10 @@ module.exports = {
   // positivelly you want to change this, here or override on production.js
   // also you can change this value at the docker-compose file
   pepper: 'M+Sleqzn9Fd/vDtgi/dY4aOAPTCdrf778UdH+BBWQYgVbKVNvk7nJQ==',
+  forbiddenUserNames: [
+    'anyone',
+    'pwyll'
+  ],
   mongodb: {
     user: 'root',
     // positivelly you want to change this, here or override on production.js

package.json

@@ -1,6 +1,6 @@
 {
   "name": "pwyll",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "description": "A snippet manager service",
   "main": "./lib/index.js",
   "scripts": {

src/routes/users.ts

@@ -6,6 +6,7 @@ import {
   userLengthCheck,
   secretLengthCheck,
   userExistenceCheck,
+  forbiddenNameCheck,
 } from '../util';
 import { errorRouteHandler } from '../errorHandlers';
 import { createUser } from '../controllers/users_controller';
@@ -24,6 +25,7 @@ router.post(
       const secret = req.body.secret;
       userLengthCheck(username);
       secretLengthCheck(secret);
+      forbiddenNameCheck(username);
       await userExistenceCheck(username);
       const id = await createUser(username, secret);
       res.status(200).send(id);

src/util/index.ts

@@ -9,6 +9,8 @@ import config from 'config';
 
 const logLevel = config.get('logLevel');
 const pepper = process.env.PEPPER_VALUE || config.get('pepper');
+const forbiddenUserNames: string[] = config.get('forbiddenUserNames');
+
 Logger.setLogLevel(logLevel);
 export const logger = Logger.create(`${info.name}`);
 
@@ -50,6 +52,12 @@ export function secretLengthCheck(secret: string): boolean {
   return true;
 }
 
+export function forbiddenNameCheck(username: string): boolean {
+  if (forbiddenUserNames.includes(username.toLocaleLowerCase()))
+    throw `${username} is a forbidden name, please choose a different`;
+  return true;
+}
+
 export async function userExistenceCheck(username: string): Promise<boolean> {
   const user = await findUserByName(username);
   if (user != null)

test/infoapp.test.ts

@@ -2,9 +2,10 @@
 const pckg = require('./../package.json');
 import { describe, expect, test } from '@jest/globals';
 import request from 'supertest';
+import testGlobals from './test_globals';
 
 describe('get the info', () => {
-  const pwyll_machine = 'http://localhost:46520';
+  const pwyll_machine = testGlobals.__PYWLL_SERVER_URL__;
 
   test('should retieve info text', async () => {
     const response = await request(pwyll_machine).get('/');

test/test_globals.ts

@@ -12,6 +12,7 @@ type TestGlobals = {
   __FAKE_ID__: string;
   __INVALID_ID__: string;
   __EXPORT_FILE__: string;
+  __FORBIDDEN_USER_NAMES__: string[];
 };
 
 const testGlobals: TestGlobals = {
@@ -29,6 +30,7 @@ const testGlobals: TestGlobals = {
   __INVALID_ID__: '000aa0000a0aa0000a00a23',
   __FAKE_ID__: '625ae0149d0bd9638b60e498',
   __EXPORT_FILE__: 'export-file.json',
+  __FORBIDDEN_USER_NAMES__: ['anyone', 'pwyll', 'Anyone', 'PWYLL'],
 };
 
 export default testGlobals;

test/users.test.ts

@@ -3,110 +3,87 @@
 /* eslint-disable node/no-unpublished-require */
 const Chance = require('chance');
 import { describe, expect, test } from '@jest/globals';
-import request from 'supertest';
+import request, { Response } from 'supertest';
+import testGlobals from './test_globals';
+
+async function createUser(
+  username?: string,
+  secret?: string
+): Promise<Response> {
+  return await request(testGlobals.__PYWLL_SERVER_URL__)
+    .post('/user')
+    .send({
+      username: username,
+      secret: secret,
+    })
+    .set('Accept', 'application/json');
+}
 
 describe('users ', () => {
-  const pwyll_machine = 'http://localhost:46520';
   const chance = new Chance();
   const name = chance.name();
 
   test('should create a user', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: name,
-        secret: 'my secret',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser(name, 'my secret');
     expect(res.statusCode).toBe(200);
     expect(res.text.length).toBe(26);
   });
 
   test('should not allow creating a user if secret is not provided', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({ username: name })
-      .set('Accept', 'application/json');
+    const res = await createUser(name, undefined);
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/bad request for endpoint, mandatory: secret/);
   });
 
   test('should not allow creating an existing user', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: name,
-        secret: 'my secret',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser(name, 'my secret');
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/already exists, please choose a different/);
   });
 
+  test('should not allow creating users with forbidden names', async () => {
+    const forbiddenNames = testGlobals.__FORBIDDEN_USER_NAMES__;
+    for (let i = 0; i < forbiddenNames.length; i++) {
+      const res = await createUser(forbiddenNames[i], 'my secret');
+      expect(res.statusCode).toBe(500);
+      expect(res.text).toMatch(
+        /is a forbidden name, please choose a different/
+      );
+    }
+  });
+
   test('should not allow creating a very long username', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: 'CthulhuTheOneThatSleepsDead',
-        secret: 'my secret',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser('CthulhuTheOneThatSleepsDead', 'my secret');
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/Username must be not longer than 20 characters/);
   });
 
   test('should not allow creating a user without username', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .set('Accept', 'application/json');
+    const res = await createUser();
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/bad request for endpoint, mandatory: username/);
   });
 
   test('should not allow creating a user with empty username', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: '',
-        secret: 'my secret',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser('', 'my secret');
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/Provide a user name/);
   });
 
   test('should not allow creating a user with blank username', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: '   ',
-        secret: 'my secret',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser('        ', 'my secret');
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/Provide a user name/);
   });
 
   test('should not allow creating a user with empty secret', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: 'aragorn',
-        secret: '',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser('Aragorn', '');
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/Provide a secret/);
   });
 
   test('should not allow creating a user with blank secret', async () => {
-    const res = await request(pwyll_machine)
-      .post('/user')
-      .send({
-        username: 'gandalf',
-        secret: '     ',
-      })
-      .set('Accept', 'application/json');
+    const res = await createUser('Gandalf', '     ');
     expect(res.statusCode).toBe(500);
     expect(res.text).toMatch(/Provide a secret/);
   });