From 31fd45890a67e9a91234315e7bcc3d301a0c78dd Mon Sep 17 00:00:00 2001
From: Roland Osborne
Date: Wed, 20 Jul 2022 23:26:52 -0700
Subject: [PATCH] restrict whitespace from usernames
---
 net/server/internal/api_addAccount.go | 6 ++++++
 net/server/internal/api_getAccountUsername.go | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/net/server/internal/api_addAccount.go b/net/server/internal/api_addAccount.go
index 21e20bcc..31205707 100644
--- a/net/server/internal/api_addAccount.go
+++ b/net/server/internal/api_addAccount.go
@@ -2,6 +2,7 @@ package databag
 import (
 "os"
+ "strings"
 "errors"
 "net/http"
 "crypto/sha256"
@@ -36,6 +37,11 @@ func AddAccount(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if strings.Contains(username, " ") || strings.Contains(username, "\t") {
+ ErrResponse(w, http.StatusConflict, errors.New("username has whitespace"));
+ return
+ }
+
 // check if username is taken
 var count int64
 if err := store.DB.Model(&store.Account{}).Where("username = ?", username).Count(&count).Error; err != nil {
diff --git a/net/server/internal/api_getAccountUsername.go b/net/server/internal/api_getAccountUsername.go
index ed1d968c..71af37b8 100644
--- a/net/server/internal/api_getAccountUsername.go
+++ b/net/server/internal/api_getAccountUsername.go
@@ -2,6 +2,7 @@ package databag
 import (
 "errors"
+ "strings"
 "net/http"
 "databag/internal/store"
 )
@@ -34,6 +35,11 @@ func GetAccountUsername(w http.ResponseWriter, r *http.Request) {
 return
 }
+ if strings.Contains(username, " ") || strings.Contains(username, "\t") {
+ WriteResponse(w, false)
+ return
+ }
+
 var accounts []accountUsername;
 err := store.DB.Model(&store.Account{}).Where("username = ?", username).Find(&accounts).Error
 if err != nil {
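Review bot: The guard added to AddAccount rejects only an ASCII space and a tab, so a username containing a newline, carriage return, U+00A0 or any other Unicode space still reaches the uniqueness query and can be registered. Such a name may render the same as an existing account's, which weakens the uniqueness check as a defence against look-alike accounts. Testing every rune closes the gap: `if strings.IndexFunc(username, unicode.IsSpace) >= 0 {` (this needs the `unicode` import). The same two-character condition is added again in GetAccountUsername in api_getAccountUsername.go, so a single shared helper would stop the availability answer and the creation check from drifting apart. AddAccount begins and continues outside this hunk, so where `username` is parsed, and whether any other handler can set or change a username, is not visible here.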