fix: Consistently guard names like the API does

Author: dawsontoth

src/features/auth/SignUp.tsx

@@ -8,6 +8,7 @@ import { FormMessage } from '@/components/ui/form/FormMessage';
 import { Input } from '@/components/ui/input';
 import { reoClient } from '@/integrations/reo/reo';
 import { parseCompanyFromEmail } from '@/lib/string/parseCompanyFromEmail';
+import { personNameRegex } from '@/lib/string/regex/personNameRegex';
 import { zodRequireEmail } from '@/lib/zod/email';
 import { zodRequirePassword } from '@/lib/zod/password';
 import { zodResolver } from '@hookform/resolvers/zod';
@@ -26,11 +27,19 @@ const SignUpSchema = z.object({
 		.string()
 		.trim()
 		.min(2, { error: 'Please enter your first name.' })
+		.regex(
+			personNameRegex,
+			{ error: 'First name can only contain letters, spaces, and hyphens.' },
+		)
 		.max(40, { error: 'First name cannot be longer than 40 characters.' }),
 	lastname: z
 		.string()
 		.trim()
 		.min(2, { error: 'Please enter your last name.' })
+		.regex(
+			personNameRegex,
+			{ error: 'Last name can only contain letters, spaces, and hyphens.' },
+		)
 		.max(80, { error: 'Last name cannot be longer than 80 characters.' }),
 	password: zodRequirePassword
 		.min(8, { error: 'Password must be at least 8 characters long.' }),

src/lib/string/regex/personNameRegex.test.ts

@@ -0,0 +1,109 @@
+import { describe, expect, it } from 'vitest';
+import { personNameRegex } from './personNameRegex';
+
+describe('personNameRegex', () => {
+	it('should match valid names', () => {
+		const validNames = [
+			'John Doe',
+			'Jane Smith',
+			'Anne-Marie',
+			"O'Connor",
+			'François',
+			'Müller',
+			'Łukasz',
+			'José',
+			'María-José',
+			'Åse',
+			'Øyvind',
+			'Æthelred',
+			'ßert',
+			'Česlav',
+		];
+
+		for (const name of validNames) {
+			expect(name).toMatch(personNameRegex);
+		}
+	});
+
+	it('should not match deceptive names (URLs)', () => {
+		const deceptiveNames = [
+			'https://hacker.com/give-me-your-money',
+			'http://malicious.site',
+			'www.google.com',
+			'hacker.com',
+		];
+
+		for (const name of deceptiveNames) {
+			expect(name).not.toMatch(personNameRegex);
+		}
+	});
+
+	it('should not match strings with invalid characters', () => {
+		const invalidNames = [
+			'John Doe 123',
+			'John! Doe',
+			'John@Doe',
+			'John#Doe',
+			'John$Doe',
+			'John%Doe',
+			'John^Doe',
+			'John&Doe',
+			'John*Doe',
+			'John(Doe)',
+			'John+Doe',
+			'John=Doe',
+			'John{Doe}',
+			'John}Doe',
+			'John[Doe]',
+			'John]Doe',
+			'John|Doe',
+			'John\\Doe',
+			'John;Doe',
+			'John:Doe',
+			'John"Doe',
+			'John<Doe>',
+			'John.Doe',
+			'John/Doe',
+			'John?Doe',
+		];
+
+		for (const name of invalidNames) {
+			expect(name).not.toMatch(personNameRegex);
+		}
+	});
+
+	it('should match strings that are only special characters', () => {
+		// We are stopping attack vectors, not bad data entry.
+		const invalidNames = [
+			' ',
+			',',
+			'-',
+			"'",
+			' ,',
+			'- -',
+			',,,',
+		];
+
+		for (const name of invalidNames) {
+			expect(name).toMatch(personNameRegex);
+		}
+	});
+
+	it('should match names with spaces, hyphens, and quotes', () => {
+		const names = [
+			'John Doe',
+			'Anne-Marie',
+			"O'Connor",
+			'Doe, John',
+			'  John  ', // Regex allows spaces, though SignUp.tsx trims them
+		];
+
+		for (const name of names) {
+			expect(name).toMatch(personNameRegex);
+		}
+	});
+
+	it('should not match empty string', () => {
+		expect('').not.toMatch(personNameRegex);
+	});
+});

src/lib/string/regex/personNameRegex.ts

@@ -0,0 +1,2 @@
+export const personNameRegex =
+	/^[a-zA-ZàáâäãåąčćęèéêëėįìíîïłńòóôöõøùúûüųūÿýżźñçčšžæÀÁÂÄÃÅĄĆČĖĘÈÉÊËÌÍÎÏĮŁŃÒÓÔÖÕØÙÚÛÜŲŪŸÝŻŹÑßÇŒÆČŠŽ∂ð ,'-]+$/u;