@@ -11,9 +11,12 @@ import (
"syscall"
"git.sr.ht/~amolith/willow/users"
+ "github.com/microcosm-cc/bluemonday"
"golang.org/x/term"
)
+var bmStrict = bluemonday.StrictPolicy()
+
// createUser is a CLI that creates a new user with the specified username
func createUser(dbConn *sql.DB, username string) {
fmt.Println("Creating user", username)
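Review bot: `bmStrict` is declared with no comment, yet the later hunks in createUser and checkAuthorised route every password through it, so the declaration is where the coupling constraint belongs. The note in createUser says the frontend must sanitise "the same way"; if that policy ever diverges from this one, previously registered credentials silently stop verifying. Add above the declaration: `// bmStrict is applied to passwords before users.Register / users.UserAuthorised; it must stay byte-identical to the policy the web frontend applies, or stored credentials become unverifiable.` The import block and createUser's body continue outside this hunk.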
@@ -38,7 +41,16 @@ func createUser(dbConn *sql.DB, username string) {
fmt.Println("Passwords do not match")
os.Exit(1)
}
- err = users.Register(dbConn, username, string(password))
+
+ // Both frontend and backend need to sanitise the
+ // password the same way. This feel like a code
+ // smell; user creation should all be in the user
+ // package and the cli and frontend and API and
+ // everything should use that.
+ //
+ // TODO: Abstract this
+ sanitisedPassword := bmStrict.Sanitize(string(password))
+ err = users.Register(dbConn, username, sanitisedPassword)
if err != nil {
fmt.Println("Error creating user:", err)
os.Exit(1)
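Review bot: Passing a password through an HTML sanitiser before users.Register (and likewise before users.UserAuthorised in the checkAuthorised hunk) is the wrong layer: a password is an opaque secret that, presumably, is only ever hashed and compared, never rendered, so `bmStrict.Sanitize` turns `&`, `<`, `>` and `"` into entities and drops anything that parses as a tag, which both shrinks the usable character set and lets distinct inputs collapse onto the same stored value (a password made only of tags even sanitises to the empty string, which Register may then accept — can't tell from here). The TODO on the preceding lines already points at the fix: keep `err = users.Register(dbConn, username, string(password))` here and put whatever validation is genuinely needed inside the users package, so the CLI, frontend and API cannot disagree; output escaping stays in the HTML templates where it applies. Until that lands, the comment should at least state the concrete effect rather than "code smell": `// NOTE: Sanitize alters passwords containing &, <, >, " or tag-like text; login only works because the frontend applies the identical policy.` createUser continues outside this hunk.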
@@ -94,7 +106,9 @@ func checkAuthorised(dbConn *sql.DB, username string) {
}
fmt.Println()
- authorised, err := users.UserAuthorised(dbConn, username, string(password))
+ // TODO: Abstract this, refer to note in createUser()
+ sanitisedPassword := bmStrict.Sanitize(string(password))
+ authorised, err := users.UserAuthorised(dbConn, username, sanitisedPassword)
if err != nil {
fmt.Println("Error checking authorisation:", err)
os.Exit(1)