Fix #97 Validate usernames with a configurable regex

2026-01-17 10:08:05 +00:00 · 2023-05-31 15:23:43 +02:00 · 2023-05-31 15:23:43 +02:00 · 6555112715
commit 6555112715
parent 30b8e492d8
4 changed files with 17 additions and 8 deletions
--- a/flexiapi/.env.example
+++ b/flexiapi/.env.example
@ -24,6 +24,7 @@ ACCOUNT_REALM=null # Default realm for the accounts, fallback to the domain if n
 ACCOUNT_EMAIL_UNIQUE=false # Emails are unique between all the accounts
 ACCOUNT_CONSUME_EXTERNAL_ACCOUNT_ON_CREATE=false
 ACCOUNT_BLACKLISTED_USERNAMES=
+ACCOUNT_USERNAME_REGEX="^[a-z0-9+_.-]*$"

 # Account provisioning
 ACCOUNT_PROVISIONING_RC_FILE=
--- a/flexiapi/app/Rules/SIPUsername.php
+++ b/flexiapi/app/Rules/SIPUsername.php
@ -26,7 +26,7 @@ class SIPUsername implements Rule
 {
    public function passes($attribute, $value)
    {
-        return Validator::regex('/^[a-z0-9+_.-]*$/')->validate($value);
+        return Validator::regex('/' . config('app.account_username_regex') . '/')->validate($value);
    }

    public function message()
--- a/flexiapi/config/app.php
+++ b/flexiapi/config/app.php
@ -31,6 +31,7 @@ return [
    'account_email_unique' => env('ACCOUNT_EMAIL_UNIQUE', false),
    'consume_external_account_on_create' => env('ACCOUNT_CONSUME_EXTERNAL_ACCOUNT_ON_CREATE', false),
    'blacklisted_usernames' => env('ACCOUNT_BLACKLISTED_USERNAMES', ''),
+    'account_username_regex' => env('ACCOUNT_USERNAME_REGEX', '^[a-z0-9+_.-]*$'),

    /**
     * Time limit before the API Key and related cookie are expired
--- a/flexiapi/tests/Feature/ApiAccountTest.php
+++ b/flexiapi/tests/Feature/ApiAccountTest.php
@ -111,28 +111,35 @@ class ApiAccountTest extends TestCase
        $username = 'blabla🔥';
        $domain = 'example.com';

-        $response = $this->keyAuthenticated($password->account)
+        $this->keyAuthenticated($password->account)
            ->json($this->method, $this->route, [
                'username' => $username,
                'domain' => $domain,
                'algorithm' => 'SHA-256',
                'password' => '123456',
-            ]);
+            ])->assertJsonValidationErrors(['username']);

-        $response->assertJsonValidationErrors(['username']);
+        // Change the regex
+        config()->set('app.account_username_regex', '^[a-z0-9🔥+_.-]*$');
+
+        $this->keyAuthenticated($password->account)
+            ->json($this->method, $this->route, [
+                'username' => $username,
+                'domain' => $domain,
+                'algorithm' => 'SHA-256',
+                'password' => '123456',
+            ])->assertStatus(200);

        $username = 'blabla hop';
        $domain = 'example.com';

-        $response = $this->keyAuthenticated($password->account)
+        $this->keyAuthenticated($password->account)
            ->json($this->method, $this->route, [
                'username' => $username,
                'domain' => $domain,
                'algorithm' => 'SHA-256',
                'password' => '123456',
-            ]);
-
-        $response->assertJsonValidationErrors(['username']);
+            ])->assertJsonValidationErrors(['username']);
    }

    public function testDomain()