fix: username validation

getAlby · Jan 1, 2025 · 178dc37 · 178dc37
1 parent 6801b54
commit 178dc37
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 9 deletions.
diff --git a/app/actions.ts b/app/actions.ts
@@ -1,6 +1,6 @@
 "use server";
 
-import { saveConnectionSecret } from "./db";
+import { saveConnectionSecret, UsernameTakenError } from "./db";
 import { getAlbyHubUrl, getDailyWalletLimit, getDomain } from "./utils";
 
 export type Reserves = {
@@ -135,6 +135,12 @@ export async function createWallet(
     };
   } catch (error) {
     console.error(error);
+
+    // only expose known errors
+    if (error instanceof UsernameTakenError) {
+      return { wallet: undefined, error: error.message };
+    }
+
     return { wallet: undefined, error: "internal error" };
   }
 }

diff --git a/app/api/wallets/route.ts b/app/api/wallets/route.ts
@@ -22,6 +22,12 @@ export async function POST(request: Request) {
   // force lowercase username
   if (createWalletRequest.username) {
     createWalletRequest.username = createWalletRequest.username.toLowerCase();
+
+    if (!/^[a-z0-9]+$/.test(createWalletRequest.username)) {
+      return new Response("only letters and numbers in username are allowed", {
+        status: 400,
+      });
+    }
   }
 
   const { wallet, error } = await createWallet(

diff --git a/app/db.ts b/app/db.ts
@@ -1,9 +1,16 @@
 import { PrismaClient } from "@prisma/client";
 import { nwc } from "@getalby/sdk";
 import { getPublicKey } from "nostr-tools";
+import { PrismaClientKnownRequestError } from "@prisma/client/runtime/library";
 
 const prisma = new PrismaClient();
 
+export class UsernameTakenError extends Error {
+  constructor() {
+    super("username taken");
+  }
+}
+
 export async function saveConnectionSecret(
   username: string | undefined,
   connectionSecret: string
@@ -15,14 +22,25 @@ export async function saveConnectionSecret(
   const pubkey = getPublicKey(parsed.secret);
   username = username || pubkey.substring(0, 6);
 
-  const result = await prisma.connectionSecret.create({
-    data: {
-      id: connectionSecret,
-      username,
-      pubkey,
-    },
-  });
-  return { username: result.username };
+  try {
+    const result = await prisma.connectionSecret.create({
+      data: {
+        id: connectionSecret,
+        username,
+        pubkey,
+      },
+    });
+    return { username: result.username };
+  } catch (error) {
+    console.error("failed to save wallet", error);
+    if (
+      error instanceof PrismaClientKnownRequestError &&
+      error.code === "P2002" // unique constraint
+    ) {
+      throw new UsernameTakenError();
+    }
+    throw error;
+  }
 }
 
 export async function findWalletConnection(query: { username: string }) {