Username Blacklist during Signup

Justoverclock

UsernameBlacklist

A Flarum extension. Add a blacklist for certain username during registration. Is just an extension that i've released to make some practice with flarum modal component.

HhetIZV7P3

Installation

Install with composer:

composer require justoverclock/username-blacklist:"*"

Updating

composer update justoverclock/username-blacklist:"*"
php flarum cache:clear

clarkwinkelmann

I understand it's purely a client-side blacklist? You can still register the banned usernames using the REST API or by manipulating the page using the browser developer tools.

I noticed this line in the source code is unreachable (if (BannedWordModal) will always return true because it just checks if the class exists). I don't think the unreachable code is actually needed anyway (?)

Justoverclock

clarkwinkelmann yes is purely client side because i need some docs to understand well the server side code, but I will continue to try

That line is there because if the modal appear, it return the called element as null in console log

Ralkage

Justoverclock have you looked at the Middleware section of the Flarum docs? I can probably whip up a POC, but you can also take a look at how Pwned Passwords did it with the password field 😉

Edit: Here is a basic Middleware example I created based off the Pwned Passwords extension; I was in a bit of a rush so I only used a single value for comparison, but ultimately you should be able to store a list of blacklisted usernames in the settings table and compare those values to what is being submitted when the user tries to register.

<?php

namespace Ralkage\DrawingBoard\Middleware;

use Flarum\Foundation\ErrorHandling\JsonApiFormatter;
use Flarum\Foundation\ErrorHandling\Registry;
use Flarum\Foundation\ValidationException;
use Flarum\Http\UrlGenerator;
use Illuminate\Support\Arr;
use Laminas\Diactoros\Uri;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class PreventBlacklistedUsernames implements MiddlewareInterface
{
    /**
     * @var UrlGenerator
     */
    private UrlGenerator $url;

    public function __construct(UrlGenerator $url)
    {
        $this->url = $url;
    }

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $data = $request->getParsedBody();
        $uri = new Uri($this->url->to('forum')->path('/register'));
        $path = $request->getUri()->getPath();
        $blackListedUsernameExample = 'Ral';

        if ($request->getMethod() === 'POST' && $uri->getPath() === $path && Arr::has($data, 'username')
            && $data['username'] === $blackListedUsernameExample) {

            return (new JsonApiFormatter())->format(
                resolve(Registry::class)->handle(
                    new ValidationException(['username' => 'This username cannot be used.'])
                ),
                $request
            );
        }

        return $handler->handle($request);
    }
}

Not the perfect example, but that should handle the server-side validation 🙂

Justoverclock

Yes I’m trying to understand middleware but I need an example that match with my requirement , I will understand one day 😂

is this the relevant part for me?

 public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $data = $request->getParsedBody();
        $blackListedUsernameExample = 'Ral';

        if ($request->getMethod() ===  Arr::has($data, 'username')
            && $data['username'] === $blackListedUsernameExample) {

            return (new JsonApiFormatter())->format(
                resolve(Registry::class)->handle(
                    new ValidationException(['username' => 'This username cannot be used.'])
                ),
                $request
            );
        }

        return $handler->handle($request);
    }
}

luceos

I'm about to 💤 but I'd like to point out that a middleware seems overly convoluted. User creation and updates are validated using the UserValidator class, there's also an extender to extend these validators.

Ralkage

luceos agreed, I was also going to suggest extending the UserValidator class since I just remembered we had a Validator extender 😂 but what about the validation message? How would one create a new validation message when using the extender?

Kylo

clarkwinkelmann

Also of relevance https://discuss.flarum.org/d/28255-restrict-registration-email-domain/14 and https://github.com/clarkwinkelmann/flarum-ext-external-email-validation/blob/main/src/ExternalEmailValidationRule.php (switch email with username and the same approach can be used)

Googol

Issue:
This forum have a security bug.
We have setting blacklist add a word "fuck" it is on the blacklist.
But a user fuckGoogolXXX that have been register success.
This bug main reason is only confirm in front-end.
Can you fix this bug?

clarkwinkelmann

Googol as discussed in earlier posts, this extension is designed in a way that can be bypassed by users with the necessary technical knowledge.

There is this other extension made by myself that implements server-side username validation https://discuss.flarum.org/d/28378-username-blacklist . To block words with it, you would have to use regex mode and a rule like /fuck/i for case-insensitive match anywhere in the string.

Googol

In FreeFlarum can't do it.