Improve userName & displayName validation on accountCreation stage
requested to merge dev/3551-improve_username_validation_security_on_account_creation_stage into main
When creating a new account, the frontend calls the /accounts/validate_fields API to validate the username & displayname. Then it calls /accounts/create to create the new account.
There is a chance that a malicious user can detect this and validate userName & displayName using proper names, but create the account with invalid values by making JS calls.
To mitigate this issue, we will save the validated username & displayname in the user's session, & the /create endpoint won't take these params. These values will be fetched from the session.
issue: https://gitlab.e.foundation/e/infra/backlog/-/issues/3551+s
Edited by Fahim Salam Chowdhury
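
A minimal model of the flow described in this merge request, added here as an illustration; it is not code from the merge request or the project. The function names, the session dict, the validation rules and the sample data are assumptions.

```python
import re

# Constructed rules and data; the project's real validation is not shown on the page.
USERNAME_RE = re.compile(r"^[a-z0-9._-]{3,30}$")
TAKEN = {"admin"}


class ValidationError(Exception):
    pass


def validate_fields(session, username, displayname):
    """Model of /accounts/validate_fields: validate, then pin the values to the session."""
    session.pop("validated", None)  # a failed attempt must not leave older values usable
    if not USERNAME_RE.fullmatch(username) or username in TAKEN:
        raise ValidationError("invalid username")
    if not displayname.strip() or len(displayname) > 64:
        raise ValidationError("invalid displayname")
    session["validated"] = {"username": username, "displayname": displayname}
    return True


def create_vulnerable(session, accounts, username, displayname):
    """Before: /accounts/create trusts whatever names the client sends."""
    accounts[username] = {"displayname": displayname}
    return username


def create_hardened(session, accounts):
    """After: /accounts/create takes no name params and reads them from the session."""
    validated = session.pop("validated", None)  # single use
    if validated is None:
        raise ValidationError("fields were not validated in this session")
    # Extra check added in this example (not described on the page):
    # another session may have taken the name since validation.
    if validated["username"] in accounts:
        raise ValidationError("username no longer available")
    accounts[validated["username"]] = {"displayname": validated["displayname"]}
    return validated["username"]


if __name__ == "__main__":
    session, accounts = {}, {}
    validate_fields(session, "alice", "Alice")
    # The vulnerable handler stores values that never went through validation.
    print(create_vulnerable(session, accounts, "Not Valid!", ""))
    # The hardened handler can only create what was validated in this session.
    print(create_hardened(session, {}))
```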