From 90e5446078c7c35a0c2c4b1f08b7a6712e534341 Mon Sep 17 00:00:00 2001
From: Michael C <michael@mchang.name>
Date: Fri, 30 Dec 2022 00:41:45 -0500
Subject: [PATCH] add privateID username check

- bump AGPL to package-lock
---
 package-lock.json         |  2 +-
 src/routes/setUsername.ts | 15 +++++++++++
 test/cases/setUsername.ts | 56 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 2ed2143..b9efc28 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7,7 +7,7 @@
     "": {
       "name": "sponsor_block_server",
       "version": "0.1.0",
-      "license": "MIT",
+      "license": "AGPL-3.0-only",
       "dependencies": {
         "axios": "^1.1.3",
         "better-sqlite3": "^8.0.1",
diff --git a/src/routes/setUsername.ts b/src/routes/setUsername.ts
index e3d4baa..6465b80 100644
--- a/src/routes/setUsername.ts
+++ b/src/routes/setUsername.ts
@@ -32,6 +32,11 @@ export async function setUsername(req: Request, res: Response): Promise<Response
     // eslint-disable-next-line no-control-regex
     userName = userName.replace(/[\u0000-\u001F\u007F-\u009F]/g, "");
 
+    // check privateID against publicID
+    if (!await checkPrivateUsername(userName, userID)) {
+        return res.sendStatus(400);
+    }
+
     if (adminUserIDInput != undefined) {
         //this is the admin controlling the other users account, don't hash the controling account's ID
         adminUserIDInput = await getHashCache(adminUserIDInput);
@@ -88,3 +93,13 @@ export async function setUsername(req: Request, res: Response): Promise<Response
         return res.sendStatus(500);
     }
 }
+
+async function checkPrivateUsername(username: string, userID: string): Promise<boolean> {
+    const userIDHash = await getHashCache(userID);
+    const userNameHash = await getHashCache(username);
+    if (userIDHash == userNameHash) return false;
+    const sponsorTimeRow = await db.prepare("get", `SELECT "userID" FROM "sponsorTimes" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
+    const userNameRow = await db.prepare("get", `SELECT "userID" FROM "userNames" WHERE "userID" = ? LIMIT 1`, [userNameHash]);
+    if ((sponsorTimeRow || userNameRow)?.userID) return false;
+    return true;
+}
\ No newline at end of file
diff --git a/test/cases/setUsername.ts b/test/cases/setUsername.ts
index 39a518b..25c03f3 100644
--- a/test/cases/setUsername.ts
+++ b/test/cases/setUsername.ts
@@ -22,12 +22,22 @@ const user07PrivateUserID = "setUsername_07";
 const username07 = "Username 07";
 const user08PrivateUserID = "setUsername_08";
 
+// private = public cases
+// user09 - username === privateID
+const user09PrivateUserID = "setUsername_09";
+// user 10/11 - user 11 username === user 10 privateID
+const user10PrivateUserID = "setUsername_10_collision";
+const username10 = "setUsername_10";
+const user11PrivateUserID = "setUsername_11";
+const user12PrivateUserID = "setUsername_12";
+const username12 = "Username 12";
+
 async function addUsername(userID: string, userName: string, locked = 0) {
     await db.prepare("run", 'INSERT INTO "userNames" ("userID", "userName", "locked") VALUES(?, ?, ?)', [userID, userName, locked]);
     await addLogUserNameChange(userID, userName);
 }
 
-async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string }> {
+async function getUsernameInfo(userID: string): Promise<{ userName: string, locked: string}> {
     const row = await db.prepare("get", 'SELECT "userName", "locked" FROM "userNames" WHERE "userID" = ?', [userID]);
     if (!row) {
         return null;
@@ -88,6 +98,10 @@ describe("setUsername", () => {
         await addUsername(getHash(user05PrivateUserID), username05, 0);
         await addUsername(getHash(user06PrivateUserID), username06, 0);
         await addUsername(getHash(user07PrivateUserID), username07, 1);
+        await addUsername(getHash(user07PrivateUserID), username07, 0);
+        await addUsername(getHash(user10PrivateUserID), username10, 0);
+        // user11 skipped
+        await addUsername(getHash(user12PrivateUserID), username12, 0);
     });
 
     it("Should be able to set username that has never been set", (done) => {
@@ -240,6 +254,44 @@ describe("setUsername", () => {
                 const usernameInfo = await getUsernameInfo(getHash(user08PrivateUserID));
                 assert.strictEqual(usernameInfo, null);
                 done();
-            });
+            })
+            .catch((err) => done(err));
+    });
+
+    it("Should return error if trying to set username to privateID", (done) => {
+        const privateID = user09PrivateUserID;
+        postSetUserName(privateID, privateID)
+            .then(async (res) => {
+                assert.strictEqual(res.status, 400);
+                const usernameInfo = await getUsernameInfo(getHash(privateID));
+                assert.strictEqual(usernameInfo, null);
+                done();
+            })
+            .catch((err) => done(err));
+    });
+
+    it("Should return error if trying to set username to someone else's privateID", (done) => {
+        const privateID = user11PrivateUserID;
+        postSetUserName(privateID, user10PrivateUserID)
+            .then(async (res) => {
+                assert.strictEqual(res.status, 400);
+                const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's privateID
+                assert.strictEqual(usernameInfo, null);
+                done();
+            })
+            .catch((err) => done(err));
+    });
+
+    it("Should not return error if trying to set username to someone else's publicID", (done) => {
+        const privateID = user12PrivateUserID;
+        const user10PublicID = getHash(user10PrivateUserID);
+        postSetUserName(privateID, user10PublicID)
+            .then(async (res) => {
+                assert.strictEqual(res.status, 200);
+                const usernameInfo = await getUsernameInfo(getHash(privateID)); // user 10's publicID
+                assert.strictEqual(usernameInfo.userName, user10PublicID);
+                done();
+            })
+            .catch((err) => done(err));
     });
 });