Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[auth] Validate usernames upfront #14808

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

[auth] Validate usernames upfront #14808

wants to merge 4 commits into from

Conversation

cjllanwarne
Copy link
Collaborator

Change Description

Moves validation of usernames to the front-end, so invalid username requests never get into the database and block driver processing of new user requests.

Security Assessment

  • This change has a low security impact

Impact Description

Low because we are removing a path to a possible error state.

patrick-schultz
patrick-schultz requested changes Jan 31, 2025
View reviewed changes
auth/auth/auth.py
@@ -151,6 +151,16 @@ async def check_valid_new_user(tx: Transaction, username, login_id, is_developer
return None
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here we seem to only allow alphanumeric usernames. Do you know if that's true, or is this not being executed for some reason? Either way, it would be nice to define username validity in one place.

Copy link
Collaborator Author

@cjllanwarne cjllanwarne Jan 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, interesting, I somehow missed this. The original error report was caused by uppercase characters, which I guess is why it got past this check originally. Usernames which don't conform to RFC1123 was where I started seeing downstream problems with user creation, but since "(lowercase) alphanumeric" is a subset of RFC1123, I'm inclined to make that our new rule, instead of expanding the options up to include all of RFC1123.

And I like the idea of moving that check into this function, instead of adding a new validation. I'll do that.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact, RFC1123 would be a fine validation for the credentials_secret_name that we allow as a development environment option, and is currently unvalidated until it potentially blows up the user creation process downstream. So I'll repurpose the original change into a token name validator, and make username validation stricter and happening here

cjllanwarne
cjllanwarne commented Jan 31, 2025
View reviewed changes
auth/auth/auth.py
@@ -128,7 +128,7 @@ async def check_valid_new_user(tx: Transaction, username, login_id, is_developer
raise MultipleUserTypes(username)
if not is_service_account and not login_id:
raise EmptyLoginID(username)
if not username or not all(c for c in username if c.isalnum()):
if not username or not (username.isalnum() and username.islower()):
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Am I missing an important reason why this was being done character by character previously?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grohli grohli Awaiting requested review from grohli

@patrick-schultz patrick-schultz Awaiting requested review from patrick-schultz

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cjllanwarne @patrick-schultz