From 6555112715ab4e427c6e624f26fead46d915ec08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Jaussoin?=
Date: Wed, 31 May 2023 15:23:43 +0200
Subject: [PATCH] Fix #97 Validate usernames with a configurable regex
---
 flexiapi/.env.example | 1 +
 flexiapi/app/Rules/SIPUsername.php | 2 +-
 flexiapi/config/app.php | 1 +
 flexiapi/tests/Feature/ApiAccountTest.php | 21 ++++++++++++++-------
 4 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/flexiapi/.env.example b/flexiapi/.env.example
index 0bec119..2271e69 100644
--- a/flexiapi/.env.example
+++ b/flexiapi/.env.example
@@ -24,6 +24,7 @@ ACCOUNT_REALM=null # Default realm for the accounts, fallback to the domain if n
 ACCOUNT_EMAIL_UNIQUE=false # Emails are unique between all the accounts
 ACCOUNT_CONSUME_EXTERNAL_ACCOUNT_ON_CREATE=false
 ACCOUNT_BLACKLISTED_USERNAMES=
+ACCOUNT_USERNAME_REGEX="^[a-z0-9+_.-]*$"
 # Account provisioning
 ACCOUNT_PROVISIONING_RC_FILE=
diff --git a/flexiapi/app/Rules/SIPUsername.php b/flexiapi/app/Rules/SIPUsername.php
index bd9defe..af652ae 100644
--- a/flexiapi/app/Rules/SIPUsername.php
+++ b/flexiapi/app/Rules/SIPUsername.php
@@ -26,7 +26,7 @@ class SIPUsername implements Rule
 {
 public function passes($attribute, $value)
 {
- return Validator::regex('/^[a-z0-9+_.-]*$/')->validate($value);
+ return Validator::regex('/' . config('app.account_username_regex') . '/')->validate($value);
 }
 public function message()
diff --git a/flexiapi/config/app.php b/flexiapi/config/app.php
index 14947a1..8f4f023 100644
--- a/flexiapi/config/app.php
+++ b/flexiapi/config/app.php
@@ -31,6 +31,7 @@ return [
 'account_email_unique' => env('ACCOUNT_EMAIL_UNIQUE', false),
 'consume_external_account_on_create' => env('ACCOUNT_CONSUME_EXTERNAL_ACCOUNT_ON_CREATE', false),
 'blacklisted_usernames' => env('ACCOUNT_BLACKLISTED_USERNAMES', ''),
+ 'account_username_regex' => env('ACCOUNT_USERNAME_REGEX', '^[a-z0-9+_.-]*$'),
 /**
 * Time limit before the API Key and related cookie are expired
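Review bot: The pattern built in `passes()` is compiled with no modifiers, so a non-ASCII class such as the `🔥` example in this patch's test would presumably be matched byte by byte, letting other characters that share those UTF-8 bytes through, and `$` still accepts a trailing newline. Adding the modifiers closes both: `return Validator::regex('/' . config('app.account_username_regex') . '/uD')->validate($value);`. The value is also placed between `/` delimiters unescaped, so a configured pattern containing `/` ends the expression early; that constraint deserves a comment above the return, e.g. `// PCRE body without delimiters; any "/" must be escaped by the operator`. The class continues past the end of the hunk and the Validator import is not visible here, so its behaviour on an invalid pattern is worth confirming.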
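Review bot: Nothing on the new `account_username_regex` line guards against an empty or unanchored value: if `ACCOUNT_USERNAME_REGEX=` is present but blank, `env()` will likely return an empty string rather than the default, and the rule then compiles `//`, which matches every username. Falling back explicitly keeps the check closed: `'account_username_regex' => env('ACCOUNT_USERNAME_REGEX') ?: '^[a-z0-9+_.-]*$',`. A comment above the key should state that the value is a delimiter-less PCRE body that must keep its `^` and `$` anchors, since an unanchored pattern matches on any substring. The array continues outside the hunk on both sides.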
diff --git a/flexiapi/tests/Feature/ApiAccountTest.php b/flexiapi/tests/Feature/ApiAccountTest.php
index 2f3a807..50a3f5c 100644
--- a/flexiapi/tests/Feature/ApiAccountTest.php
+++ b/flexiapi/tests/Feature/ApiAccountTest.php
@@ -111,28 +111,35 @@ class ApiAccountTest extends TestCase
 $username = 'blabla🔥';
 $domain = 'example.com';
- $response = $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($password->account)
 ->json($this->method, $this->route, [
 'username' => $username,
 'domain' => $domain,
 'algorithm' => 'SHA-256',
 'password' => '123456',
- ]);
+ ])->assertJsonValidationErrors(['username']);
- $response->assertJsonValidationErrors(['username']);
+ // Change the regex
+ config()->set('app.account_username_regex', '^[a-z0-9🔥+_.-]*$');
+
+ $this->keyAuthenticated($password->account)
+ ->json($this->method, $this->route, [
+ 'username' => $username,
+ 'domain' => $domain,
+ 'algorithm' => 'SHA-256',
+ 'password' => '123456',
+ ])->assertStatus(200);
 $username = 'blabla hop';
 $domain = 'example.com';
- $response = $this->keyAuthenticated($password->account)
+ $this->keyAuthenticated($password->account)
 ->json($this->method, $this->route, [
 'username' => $username,
 'domain' => $domain,
 'algorithm' => 'SHA-256',
 'password' => '123456',
- ]);
-
- $response->assertJsonValidationErrors(['username']);
+ ])->assertJsonValidationErrors(['username']);
 }
 public function testDomain()
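Review bot: The `config()->set(...)` override is never restored inside this test, so the later `'blabla hop'` rejection is asserted against the widened pattern instead of the default, and the accepted case is only checked for a 200. A negative case under the widened pattern would pin down what it really admits, for instance repeating the request with a different emoji (constructed sample: `'username' => 'blabla🔔'`) followed by `->assertJsonValidationErrors(['username'])`, which would likely fail today if the rule matches bytes rather than code points. Resetting the value afterwards, `config()->set('app.account_username_regex', '^[a-z0-9+_.-]*$');`, keeps the remaining assertions on the shipped default. The test method starts above the hunk, so its name and setup are not visible here.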