🔒️ Harden name validation

2025-04-28 17:56:37 +02:00 · 2025-03-10 17:08:42 +00:00 · 2025-03-10 17:08:42 +00:00 · ebb541dc6b
commit ebb541dc6b
parent 897cdb4cfd
3 changed files with 34 additions and 2 deletions
--- a/apps/web/src/app/[locale]/(auth)/register/components/schema.ts
+++ b/apps/web/src/app/[locale]/(auth)/register/components/schema.ts
@ -1,7 +1,11 @@
 import { z } from "zod";

+import { isValidName } from "@/utils/is-valid-name";
+
 export const registerNameFormSchema = z.object({
-  name: z.string().min(1).max(100),
+  name: z.string().trim().min(1).max(100).refine(isValidName, {
+    message: "Please enter a valid name, not a URL, email, or phone number",
+  }),
  email: z.string().email(),
 });

--- a/apps/web/src/trpc/routers/auth.ts
+++ b/apps/web/src/trpc/routers/auth.ts
@ -8,6 +8,7 @@ import { isEmailBlocked } from "@/auth/helpers/is-email-blocked";
 import { mergeGuestsIntoUser } from "@/auth/helpers/merge-user";
 import { isTemporaryEmail } from "@/auth/helpers/temp-email-domains";
 import { getEmailClient } from "@/utils/emails";
+import { isValidName } from "@/utils/is-valid-name";
 import { createToken, decryptToken } from "@/utils/session";

 import { createRateLimitMiddleware, publicProcedure, router } from "../trpc";
@ -33,7 +34,7 @@ export const auth = router({
    .use(createRateLimitMiddleware("request_registration", 5, "1 m"))
    .input(
      z.object({
-        name: z.string().min(1).max(100),
+        name: z.string().trim().min(1).max(100).refine(isValidName),
        email: z.string().email(),
      }),
    )
--- a/apps/web/src/utils/is-valid-name.ts
+++ b/apps/web/src/utils/is-valid-name.ts
@ -0,0 +1,27 @@
+/**
+ * Checks if a string contains contact information like URLs, email addresses, or phone numbers
+ * Returns true if the string is a valid personal/company name (no contact info)
+ * Returns false if the string contains contact information
+ */
+export function isValidName(value: string) {
+  // Check for URL patterns
+  const urlPattern =
+    /[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)/i;
+  if (urlPattern.test(value)) {
+    return false;
+  }
+
+  // Check for email patterns
+  const emailPattern = /.+@.+\..+/i;
+  if (emailPattern.test(value)) {
+    return false;
+  }
+
+  // Check for phone number patterns (various formats)
+  const phonePattern = /\+?[\d\s\(\)\-\.]{7,}/;
+  if (phonePattern.test(value)) {
+    return false;
+  }
+
+  return true;
+}