diff --git a/lang/zh_cn.toml b/lang/zh_cn.toml
index a0dd540..9c5a495 100644
--- a/lang/zh_cn.toml
+++ b/lang/zh_cn.toml
@@ -24,3 +24,4 @@ invalid_checkid = "不存在的验证id"
 created_successfully = "创建成功"
 invalid_token = "token无效"
 invalid_redirect_url = "无效的重定向URL"
+invalid_username = "用户名仅为数字字母或 '-' 与 '_' 组成,且长度>3"
\ No newline at end of file
diff --git a/server/main.py b/server/main.py
index 9d38d93..4b3b2e9 100644
--- a/server/main.py
+++ b/server/main.py
@@ -107,6 +107,17 @@ def check_passwd(passwd: str):
     return 1
+def check_username(passwd: str):
+    if (len(passwd) < 3):
+        return 1
+    pattern = r'[A-Za-z0-9\_\-]{3,16}'
+
+    if re.match(pattern, passwd):
+        return 0
+    else:
+        return 1
+
+
 async def authenticate_user(username: str, password: str):
     hashed_password = await db.get_user(username)
     if not hashed_password:
@@ -144,6 +155,10 @@ async def check_apikey(tkn: str):
 @app.post("/api/login")
 async def login_callback(response: Response, username: str = Form(), password: str = Form()):
+    if (check_username(username)):
+        return {"msg": cfg.lang["invalid_username"]}
+    if (check_passwd(password)):
+        return {"msg": cfg.lang["weak_passwd"]}
     if (await authenticate_user(username, password)):
         tokennow = await create_token(username)
         tkn = prep_uuid(uuid.uuid4().hex)
@@ -162,6 +177,8 @@ regex = re.compile(
 async def login_callback(username: str = Form(), password: str = Form(), email: str = Form()):
     if (check_passwd(password)):
         return {"msg": cfg.lang["weak_passwd"], "code": 1}
+    if (check_username(username)):
+        return {"msg": cfg.lang["invalid_username"]}
     if (not re.fullmatch(regex, email)):
         return {"msg": cfg.lang["invalid_email"], "code": 1}
     if not (await db.check_user(username)):
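Review bot: `re.match` in the new `check_username` anchors only at the start of the string, so any name whose first three characters are in `[A-Za-z0-9_-]` is accepted regardless of what follows, and the `{3,16}` upper bound is never enforced — a name like `abc!!!` or one hundreds of characters long returns 0. Replace the match with `if re.fullmatch(r'[A-Za-z0-9_-]{3,16}', passwd):` so the whole value must satisfy the class and length; the `len(passwd) < 3` pre-check then becomes redundant and the `\_`/`\-` escapes inside the class are unnecessary. The parameter is named `passwd` although every caller passes a username; naming it `username` and adding a docstring such as `"""Return 0 if username is 3-16 chars of [A-Za-z0-9_-], else 1."""` would make the 0/1 convention it shares with `check_passwd` explicit. Note that the new `invalid_username` string in zh_cn.toml says the length must be `>3` while the code accepts exactly 3 characters, so one of the two should be aligned with the other.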
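Review bot: Gating `/api/login` on `check_passwd(password)` means an existing account whose password was accepted under an earlier or weaker policy is rejected before `authenticate_user` ever runs, locking that user out with no path to change the password; a login handler should only verify the credential, so the two `check_passwd` lines belong in the registration and reset flows rather than here. The new early returns also omit the `"code": 1` key that the sibling error responses carry (`{"msg": cfg.lang["weak_passwd"], "code": 1}` in the `login_callback` that takes `email`), so a client branching on `code` would read them as success; return `{"msg": cfg.lang["invalid_username"], "code": 1}` here, and the same applies to the `invalid_username` return added in the email-taking `login_callback` hunk and in `/api/send_resetpasswd`. This `login_callback` continues past the end of the hunk, and the fact that the file defines two functions with that name is pre-existing but worth a rename while this code is being touched.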
@@ -215,6 +232,8 @@ async def resetpasswd(uid: str, response: Response):
 @app.post("/api/send_resetpasswd")
 async def resetpasswd(username: str = Form()):
+    if (check_username(username)):
+        return {"msg": cfg.lang["invalid_username"]}
     if (await db.check_user(username)):
         email = await db.get_email(username)
         tkn = prep_uuid(uuid.uuid4().hex)