D5241.1775239196.diff
No OneTemporary
Actions

Authored By

Unknown

Size

2 KB

Referenced Files

None

Subscribers

None

D5241.1775239196.diff
View Options

	diff --git a/src/app/Http/Controllers/API/SignupController.php b/src/app/Http/Controllers/API/SignupController.php
	--- a/src/app/Http/Controllers/API/SignupController.php
	+++ b/src/app/Http/Controllers/API/SignupController.php
	@@ -93,9 +93,17 @@
	*/
	public function init(Request $request)
	{
	+ // Don't allow URLs in user names preventing abuse of signup email
	+ // FIXME: I suppose we could also not use "Dear <user name>" in email
	+ $name_validator = static function (string $attribute, mixed $value, \Closure $fail) {
	+ if (str_contains($value, '://')) {
	+ $fail(self::trans('validation.invalidvalue'));
	+ }
	+ };
	+
	$rules = [
	- 'first_name' => 'max:128',
	- 'last_name' => 'max:128',
	+ 'first_name' => ['string', 'max:128', $name_validator],
	+ 'last_name' => ['string', 'max:128', $name_validator],
	'voucher' => 'max:32',
	'plan' => 'required',
	];
	diff --git a/src/resources/lang/en/validation.php b/src/resources/lang/en/validation.php
	--- a/src/resources/lang/en/validation.php
	+++ b/src/resources/lang/en/validation.php
	@@ -129,6 +129,7 @@
	'url' => 'The :attribute must be a valid URL.',
	'uuid' => 'The :attribute must be a valid UUID.',

	+ 'invalidvalue' => 'Invalid value',
	'invalidvalueof' => 'Invalid value of request property: :attribute.',
	'2fareq' => 'Second factor code is required.',
	'2fainvalid' => 'Second factor code is invalid.',
	diff --git a/src/tests/Feature/Controller/SignupTest.php b/src/tests/Feature/Controller/SignupTest.php
	--- a/src/tests/Feature/Controller/SignupTest.php
	+++ b/src/tests/Feature/Controller/SignupTest.php
	@@ -206,6 +206,26 @@
	$this->assertArrayHasKey('first_name', $json['errors']);
	$this->assertArrayHasKey('last_name', $json['errors']);

	+ // Data with names containing URLs
	+ $data = [
	+ 'email' => 'UsersApiControllerTest1@UsersApiControllerTest.com',
	+ 'first_name' => 'BTC http://test.com Test',
	+ 'last_name' => 'http://test.com',
	+ 'plan' => 'individual',
	+ ];
	+
	+ $response = $this->post('/api/auth/signup/init', $data);
	+ $response->assertStatus(422);
	+
	+ $json = $response->json();
	+
	+ $this->assertSame('error', $json['status']);
	+ $this->assertCount(2, $json['errors']);
	+ $this->assertArrayHasKey('first_name', $json['errors']);
	+ $this->assertArrayHasKey('last_name', $json['errors']);
	+ $this->assertSame(['Invalid value'], $json['errors']['first_name']);
	+ $this->assertSame(['Invalid value'], $json['errors']['last_name']);
	+
	// Data with invalid email (but not phone number), and invalid plan
	$data = [
	'email' => '@example.org',

File Metadata

Mime Type: text/plain
Expires: Fri, Apr 3, 5:59 PM (18 h, 52 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 18805779
Default Alt Text: D5241.1775239196.diff (2 KB)

D5241.1775239196.diffNo OneTemporaryActions

D5241.1775239196.diffView Options

File Metadata

Event Timeline

D5241.1775239196.diff
No OneTemporary
Actions

D5241.1775239196.diff
View Options