Merge pull request #893 from solid/feature/blacklist-username

A simple service for handling blacklisting of usernames

Author: kjetilk

README.md

@@ -82,7 +82,7 @@ Note that this example creates the `fullchain.pem` and `privkey.pem` files
 in a directory one level higher from the current, so that you don't
 accidentally commit your certificates to `solid` while you're developing.
 
-If you would like to get rid of the browser warnings, import your fullchain.pem certificate into your 'Trusted Root Certificate' store. 
+If you would like to get rid of the browser warnings, import your fullchain.pem certificate into your 'Trusted Root Certificate' store.
 
 ### Run multi-user server (intermediate)
 
@@ -375,6 +375,12 @@ In order to test a single component, you can run
 npm run test-(acl|formats|params|patch)
 ```
 
+## Blacklisted usernames
+
+By default Solid will not allow [certain usernames as they might cause
+confusion or allow vulnerabilies for social engineering](https://github.com/marteinn/The-Big-Username-Blacklist).
+This list is configurable via `config/usernames-blacklist.json`. Solid does not
+blacklist profanities by default.
 
 ## Contributing
 

config/usernames-blacklist.json

@@ -0,0 +1,4 @@
+{
+  "useTheBigUsernameBlacklist": true,
+  "customBlacklistedUsernames": []
+}

lib/create-app.js

@@ -12,8 +12,8 @@ const authProxy = require('./handlers/auth-proxy')
 const SolidHost = require('./models/solid-host')
 const AccountManager = require('./models/account-manager')
 const vhost = require('vhost')
-const EmailService = require('./models/email-service')
-const TokenService = require('./models/token-service')
+const EmailService = require('./services/email-service')
+const TokenService = require('./services/token-service')
 const capabilityDiscovery = require('./capability-discovery')
 const API = require('./api')
 const errorPages = require('./handlers/error-pages')

lib/requests/create-account-request.js

@@ -3,6 +3,7 @@
 const AuthRequest = require('./auth-request')
 const WebIdTlsCertificate = require('../models/webid-tls-certificate')
 const debug = require('../debug').accounts
+const blacklistService = require('../services/blacklist-service')
 
 /**
  * Represents a 'create new user account' http request (either a POST to the
@@ -115,30 +116,28 @@ class CreateAccountRequest extends AuthRequest {
   /**
    * Creates an account for a given user (from a POST to `/api/accounts/new`)
    *
-   * @throws {Error} An http 400 error if an account already exists
+   * @throws {Error} If errors were encountering while validating the username.
    *
    * @return {Promise<UserAccount>} Resolves with newly created account instance
    */
-  createAccount () {
+  async createAccount () {
     let userAccount = this.userAccount
     let accountManager = this.accountManager
 
-    return Promise.resolve(userAccount)
-      .then(this.cancelIfUsernameInvalid.bind(this))
-      .then(this.cancelIfAccountExists.bind(this))
-      .then(this.createAccountStorage.bind(this))
-      .then(this.saveCredentialsFor.bind(this))
-      .then(this.sendResponse.bind(this))
-      .then(userAccount => {
-        // 'return' not used deliberately, no need to block and wait for email
-        if (userAccount && userAccount.email) {
-          debug('Sending Welcome email')
-          accountManager.sendWelcomeEmail(userAccount)
-        }
-      })
-      .then(() => {
-        return userAccount
-      })
+    this.cancelIfUsernameInvalid(userAccount)
+    this.cancelIfBlacklistedUsername(userAccount)
+    await this.cancelIfAccountExists(userAccount)
+    await this.createAccountStorage(userAccount)
+    await this.saveCredentialsFor(userAccount)
+    await this.sendResponse(userAccount)
+
+    // 'return' not used deliberately, no need to block and wait for email
+    if (userAccount && userAccount.email) {
+      debug('Sending Welcome email')
+      accountManager.sendWelcomeEmail(userAccount)
+    }
+
+    return userAccount
   }
 
   /**
@@ -196,12 +195,33 @@ class CreateAccountRequest extends AuthRequest {
    * @throws {Error} If errors were encountering while validating the
    *   username.
    *
-   * @return {Promise<UserAccount>} Chainable
+   * @return {UserAccount} Chainable
    */
   cancelIfUsernameInvalid (userAccount) {
     if (!userAccount.username || !/^[a-z0-9]+(?:-[a-z0-9]+)*$/.test(userAccount.username)) {
       debug('Invalid username ' + userAccount.username)
-      const error = new Error('Invalid username')
+      const error = new Error('Invalid username (contains invalid characters)')
+      error.status = 400
+      throw error
+    }
+
+    return userAccount
+  }
+
+  /**
+   * Check if a username is a valid slug.
+   *
+   * @param userAccount {UserAccount} Instance of the account to be created
+   *
+   * @throws {Error} If username is blacklisted
+   *
+   * @return {UserAccount} Chainable
+   */
+  cancelIfBlacklistedUsername (userAccount) {
+    const validUsername = blacklistService.validate(userAccount.username)
+    if (!validUsername) {
+      debug('Invalid username ' + userAccount.username)
+      const error = new Error('Invalid username (username is blacklisted)')
       error.status = 400
       throw error
     }

lib/services/blacklist-service.js

@@ -0,0 +1,33 @@
+const blacklistConfig = require('../../config/usernames-blacklist.json')
+const blacklist = require('the-big-username-blacklist').list
+
+class BlacklistService {
+  constructor () {
+    this.reset()
+  }
+
+  addWord (word) {
+    this.list.push(BlacklistService._prepareWord(word))
+  }
+
+  reset (config) {
+    this.list = BlacklistService._initList(config)
+  }
+
+  validate (word) {
+    return this.list.indexOf(BlacklistService._prepareWord(word)) === -1
+  }
+
+  static _initList (config = blacklistConfig) {
+    return [
+      ...(config.useTheBigUsernameBlacklist ? blacklist : []),
+      ...config.customBlacklistedUsernames
+    ]
+  }
+
+  static _prepareWord (word) {
+    return word.trim().toLocaleLowerCase()
+  }
+}
+
+module.exports = new BlacklistService()

lib/models/email-service.js renamed to lib/services/email-service.js

@@ -2,7 +2,7 @@
 
 const nodemailer = require('nodemailer')
 const path = require('path')
-const debug = require('./../debug').email
+const debug = require('../debug').email
 
 /**
  * Models a Nodemailer-based email sending service.

lib/models/token-service.js renamed to lib/services/token-service.js

@@ -77,6 +77,7 @@
     "solid-permissions": "^0.6.0",
     "solid-ws": "^0.2.3",
     "text-encoder-lite": "^1.0.1",
+    "the-big-username-blacklist": "^1.5.1",
     "ulid": "^0.1.0",
     "uuid": "^3.0.0",
     "valid-url": "^1.0.9",

package-lock.json

@@ -15,7 +15,7 @@ const LDP = require('../../lib/ldp')
 const SolidHost = require('../../lib/models/solid-host')
 const AccountManager = require('../../lib/models/account-manager')
 const UserAccount = require('../../lib/models/user-account')
-const TokenService = require('../../lib/models/token-service')
+const TokenService = require('../../lib/services/token-service')
 const WebIdTlsCertificate = require('../../lib/models/webid-tls-certificate')
 
 const testAccountsDir = path.join(__dirname, '../resources/accounts')