Restriction of username and email (#2676)

# Description - https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/8 - https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/9 - https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/21 - https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/22 ## Checklist - [x] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [x] I have performed a self-review of my own code - [ ] I have attached images of the change if it is UI based - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] If my code has heavily changed functionality I have updated relevant docs on [Stirling-PDFs doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) - [x] My changes generate no new warnings - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only)
2025-10-25 11:17:28 +02:00 · 2025-01-12 16:30:17 +01:00 · 2025-01-12 16:30:17 +01:00 · 8619b1cf59
commit 8619b1cf59
parent c6c6cbeaa9
3 changed files with 22 additions and 4 deletions
--- a/src/main/java/stirling/software/SPDF/config/security/UserService.java
+++ b/src/main/java/stirling/software/SPDF/config/security/UserService.java
@ -329,12 +329,16 @@ public class UserService implements UserServiceInterface {

    public boolean isUsernameValid(String username) {
        // Checks whether the simple username is formatted correctly
+        // Regular expression for user name: Min. 3 characters, max. 50 characters
        boolean isValidSimpleUsername =
-                username.matches("^[a-zA-Z0-9][a-zA-Z0-9@._+-]*[a-zA-Z0-9]$");
+                username.matches("^[a-zA-Z0-9](?!.*[-@._+]{2,})[a-zA-Z0-9@._+-]{1,48}[a-zA-Z0-9]$");
+
        // Checks whether the email address is formatted correctly
+        // Regular expression for email addresses: Max. 320 characters, with RFC-like validation
        boolean isValidEmail =
                username.matches(
-                        "^(?=.{1,64}@)[A-Za-z0-9]+(\\.[A-Za-z0-9_+.-]+)*@[^-][A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)*(\\.[A-Za-z]{2,})$");
+                        "^(?=.{1,320}$)(?=.{1,64}@)[A-Za-z0-9](?:[A-Za-z0-9_.+-]*[A-Za-z0-9])?@[^-][A-Za-z0-9-]+(?:\\\\.[A-Za-z0-9-]+)*(?:\\\\.[A-Za-z]{2,})$");
+
        List<String> notAllowedUserList = new ArrayList<>();
        notAllowedUserList.add("ALL_USERS".toLowerCase());
        boolean notAllowedUser = notAllowedUserList.contains(username.toLowerCase());
--- a/src/main/resources/templates/account.html
+++ b/src/main/resources/templates/account.html
@ -104,7 +104,14 @@
              </div>
              <script th:inline="javascript">
                jQuery.validator.addMethod("usernamePattern", function(value, element) {
-                    return this.optional(element) || /^[a-zA-Z0-9][a-zA-Z0-9@._+-]*[a-zA-Z0-9]$|^(?=.{1,64}@)[A-Za-z0-9]+(\.[A-Za-z0-9_+.-]+)*@[^-][A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$/.test(value);
+                  // Regular expression for user name: Min. 3 characters, max. 50 characters
+                  const regexUsername = /^[a-zA-Z0-9](?!.*[-@._+]{2,})([a-zA-Z0-9@._+-]{1,48})[a-zA-Z0-9]$/;
+
+                  // Regular expression for email addresses: Max. 320 characters, with RFC-like validation
+                  const regexEmail = /^(?=.{1,320}$)(?=.{1,64}@)[A-Za-z0-9](?:[A-Za-z0-9_.+-]*[A-Za-z0-9])?@[^-][A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?:\.[A-Za-z]{2,})$/;
+
+                  // Check if the field is optional or meets the requirements
+                  return this.optional(element) || regexUsername.test(value) || regexEmail.test(value);
                }, /*[[#{invalidUsernameMessage}]]*/ "Invalid username format");
                $(document).ready(function() {
                  $.validator.addMethod("passwordMatch", function(value, element) {
--- a/src/main/resources/templates/addUsers.html
+++ b/src/main/resources/templates/addUsers.html
@ -207,7 +207,14 @@

      <script th:inline="javascript">
        jQuery.validator.addMethod("usernamePattern", function(value, element) {
-            return this.optional(element) || /^[a-zA-Z0-9][a-zA-Z0-9@._+-]*[a-zA-Z0-9]$|^(?=.{1,64}@)[A-Za-z0-9]+(\.[A-Za-z0-9_+.-]+)*@[^-][A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(\.[A-Za-z]{2,})$/.test(value);
+          // Regular expression for user name: Min. 3 characters, max. 50 characters
+          const regexUsername = /^[a-zA-Z0-9](?!.*[-@._+]{2,})([a-zA-Z0-9@._+-]{1,48})[a-zA-Z0-9]$/;
+
+          // Regular expression for email addresses: Max. 320 characters, with RFC-like validation
+          const regexEmail = /^(?=.{1,320}$)(?=.{1,64}@)[A-Za-z0-9](?:[A-Za-z0-9_.+-]*[A-Za-z0-9])?@[^-][A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?:\.[A-Za-z]{2,})$/;
+
+          // Check if the field is optional or meets the requirements
+          return this.optional(element) || regexUsername.test(value) || regexEmail.test(value);
        }, /*[[#{invalidUsernameMessage}]]*/ "Invalid username format");
        $(document).ready(function() {
          $('[data-toggle="tooltip"]').tooltip();