From 24999ef0811780553b6e9b9995a3041e5c32e182 Mon Sep 17 00:00:00 2001
From: Quentin Gliech <quenting@element.io>
Date: Wed, 15 Jan 2025 16:49:58 +0100
Subject: [PATCH] Check with the homeserver the username is still available
 before registering

---
 .../handlers/src/views/register/steps/finish.rs  | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/crates/handlers/src/views/register/steps/finish.rs b/crates/handlers/src/views/register/steps/finish.rs
index aebdfb43..2f66a16d 100644
--- a/crates/handlers/src/views/register/steps/finish.rs
+++ b/crates/handlers/src/views/register/steps/finish.rs
@@ -12,6 +12,7 @@ use axum_extra::TypedHeader;
 use chrono::Duration;
 use mas_axum_utils::{cookies::CookieJar, FancyError, SessionInfoExt as _};
 use mas_data_model::UserAgent;
+use mas_matrix::BoxHomeserverConnection;
 use mas_router::{PostAuthAction, UrlBuilder};
 use mas_storage::{
     queue::{ProvisionUserJob, QueueJobRepositoryExt as _},
@@ -36,6 +37,7 @@ pub(crate) async fn get(
     activity_tracker: BoundActivityTracker,
     user_agent: Option<TypedHeader<headers::UserAgent>>,
     State(url_builder): State<UrlBuilder>,
+    homeserver: BoxHomeserverConnection,
     cookie_jar: CookieJar,
     Path(id): Path<Ulid>,
 ) -> Result<impl IntoResponse, FancyError> {
@@ -72,6 +74,7 @@ pub(crate) async fn get(
     // Check that this registration belongs to this browser
     let registrations = UserRegistrationSessions::load(&cookie_jar);
     if !registrations.contains(&registration) {
+        // XXX: we should have a better error screen here
         return Err(FancyError::from(anyhow::anyhow!(
             "Could not find the registration in the browser cookies"
         )));
@@ -82,12 +85,21 @@ pub(crate) async fn get(
     // address
 
     if repo.user().exists(&registration.username).await? {
+        // XXX: this could have a better error message, but as this is unlikely to
+        // happen, we're fine with a vague message for now
         return Err(FancyError::from(anyhow::anyhow!(
             "Username is already taken"
         )));
     }
 
-    // TODO: query the homeserver
+    if !homeserver
+        .is_localpart_available(&registration.username)
+        .await?
+    {
+        return Err(FancyError::from(anyhow::anyhow!(
+            "Username is not available"
+        )));
+    }
 
     // For now, we require an email address on the registration, but this might
     // change in the future
@@ -115,6 +127,8 @@ pub(crate) async fn get(
         .await?
         > 0
     {
+        // XXX: this could have a better error message, but as this is unlikely to
+        // happen, we're fine with a vague message for now
         return Err(FancyError::from(anyhow::anyhow!(
             "Email address is already used"
         )));