username sanitisation for registration

2023-05-08 17:22:20 +12:00 · 2023-05-08 17:22:20 +12:00 · 7ee04d085f
commit 7ee04d085f
parent 48c2ef76f5
8 changed files with 402 additions and 2350 deletions
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -0,0 +1,24 @@
+{
+	"version": "2.0.0",
+	"tasks": [
+		{
+			"type": "npm",
+			"script": "test",
+			"group": {
+				"kind": "build",
+				"isDefault": true
+			},
+			"problemMatcher": [],
+			"label": "npm: test",
+			"detail": "cross-env FORCE_COLOR=true supertape --format tap test/test.js | tap-dot",
+			"presentation": {
+				"echo": false,
+				"reveal": "always",
+				"focus": false,
+				"panel": "shared",
+				"showReuseMessage": false,
+				"clear": true
+			}
+		}
+	]
+}
--- a/d2m/actions/register-user.js
+++ b/d2m/actions/register-user.js
@ -4,39 +4,16 @@ const assert = require("assert")

 const passthrough = require("../../passthrough")
 const { discord, sync, db } = passthrough
-/** @type {import("../../matrix/mreq")} */
-const mreq = sync.require("../../matrix/mreq")
+/** @type {import("../../matrix/api")} */
+const api = sync.require("../../matrix/api")
 /** @type {import("../../matrix/file")} */
 const file = sync.require("../../matrix/file")

-async function registerUser(username) {
-	assert.ok(username.startsWith("_ooye_"))
-	/** @type {import("../../types").R.Registered} */
-	const res = await mreq.mreq("POST", "/client/v3/register", {
-		type: "m.login.application_service",
-		username
-	})
-	return res
-}
-
 /**
 * A sim is an account that is being simulated by the bridge to copy events from the other side.
 * @param {import("discord-api-types/v10").APIUser} user
 */
 async function createSim(user) {
 	assert.notEqual(user.discriminator, "0000", "user is not a webhook")
-	fetch("https://matrix.cadence.moe/_matrix/client/v3/register", {
-		method: "POST",
-		body: JSON.stringify({
-			type: "m.login.application_service",
-			username: "_ooye_example"
-		}),
-		headers: {
-			Authorization: `Bearer ${reg.as_token}`
-		}
-	}).then(res => res.text()).then(text => {
-
-		console.log(text)
-	}).catch(err => {
-		console.log(err)
-	})
+	api.register("_ooye_example")
+}
--- a/d2m/converters/user-to-mxid.js
+++ b/d2m/converters/user-to-mxid.js
@ -0,0 +1,74 @@
+// @ts-check
+
+const assert = require("assert")
+
+const passthrough = require("../../passthrough")
+const { sync, db } = passthrough
+
+/**
+ * Downcased and stripped username. Can only include a basic set of characters.
+ * https://spec.matrix.org/v1.6/appendices/#user-identifiers
+ * @param {import("discord-api-types/v10").APIUser} user
+ * @returns {string} localpart
+ */
+function downcaseUsername(user) {
+	// First, try to convert the username to the set of allowed characters
+	let downcased = user.username.toLowerCase()
+		// spaces to underscores...
+		.replace(/ /g, "_")
+		// remove disallowed characters...
+		.replace(/[^a-z0-9._=/-]*/g, "")
+		// remove leading and trailing dashes and underscores...
+		.replace(/(?:^[_-]*|[_-]*$)/g, "")
+	// The new length must be at least 2 characters (in other words, it should have some content)
+	if (downcased.length < 2) {
+		downcased = user.id
+	}
+	return downcased
+}
+
+/** @param {string[]} preferences */
+function* generateLocalpartAlternatives(preferences) {
+	const best = preferences[0]
+	assert.ok(best)
+	// First, suggest the preferences...
+	for (const localpart of preferences) {
+		yield localpart
+	}
+	// ...then fall back to generating number suffixes...
+	let i = 2
+	while (true) {
+		yield best + (i++)
+	}
+}
+
+/**
+ * @param {import("discord-api-types/v10").APIUser} user
+ * @returns {string}
+ */
+function userToSimName(user) {
+	assert.notEqual(user.discriminator, "0000", "cannot create user for a webhook")
+
+	// 1. Is sim user already registered?
+	const existing = db.prepare("SELECT sim_name FROM sim WHERE discord_id = ?").pluck().get(user.id)
+	if (existing) return existing
+
+	// 2. Register based on username (could be new or old format)
+	const downcased = downcaseUsername(user)
+	const preferences = [downcased]
+	if (user.discriminator.length === 4) { // Old style tag? If user.username is unavailable, try the full tag next
+		preferences.push(downcased + user.discriminator)
+	}
+
+	// Check for conflicts with already registered sims
+	/** @type {string[]} */
+	const matches = db.prepare("SELECT sim_name FROM sim WHERE sim_name LIKE ? ESCAPE '@'").pluck().all(downcased + "%")
+	// Keep generating until we get a suggestion that doesn't conflict
+	for (const suggestion of generateLocalpartAlternatives(preferences)) {
+		if (!matches.includes(suggestion)) return suggestion
+	}
+
+	throw new Error(`Ran out of suggestions when generating sim name. downcased: "${downcased}"`)
+}
+
+module.exports.userToSimName = userToSimName
--- a/d2m/converters/user-to-mxid.test.js
+++ b/d2m/converters/user-to-mxid.test.js
@ -0,0 +1,33 @@
+const {test} = require("supertape")
+const tryToCatch = require("try-to-catch")
+const assert = require("assert")
+const {userToSimName} = require("./user-to-mxid")
+
+test("user2name: cannot create user for a webhook", async t => {
+   const [error] = await tryToCatch(() => userToSimName({discriminator: "0000"}))
+   t.ok(error instanceof assert.AssertionError, error.message)
+})
+
+test("user2name: works on normal name", t => {
+   t.equal(userToSimName({username: "Harry Styles!", discriminator: "0001"}), "harry_styles")
+})
+
+test("user2name: works on emojis", t => {
+   t.equal(userToSimName({username: "Cookie 🍪", discriminator: "0001"}), "cookie")
+})
+
+test("user2name: works on crazy name", t => {
+   t.equal(userToSimName({username: "*** D3 &W (89) _7//-", discriminator: "0001"}), "d3_w_89__7//")
+})
+
+test("user2name: adds discriminator if name is unavailable (old tag format)", t => {
+   t.equal(userToSimName({username: "BOT$", discriminator: "1234"}), "bot1234")
+})
+
+test("user2name: adds number suffix if name is unavailable (new username format)", t => {
+   t.equal(userToSimName({username: "bot", discriminator: "0"}), "bot2")
+})
+
+test("user2name: uses ID if name becomes too short", t => {
+   t.equal(userToSimName({username: "f***", discriminator: "0001", id: "9"}), "9")
+})
--- a/matrix/api.js
+++ b/matrix/api.js
@ -0,0 +1,20 @@
+// @ts-check
+
+const passthrough = require("../passthrough")
+const { discord, sync, db } = passthrough
+/** @type {import("./mreq")} */
+const mreq = sync.require("./mreq")
+/** @type {import("./file")} */
+const file = sync.require("./file")
+
+/**
+ * @returns {Promise<import("../types").R.Registered>}
+ */
+function register(username) {
+   return mreq.mreq("POST", "/client/v3/register", {
+      type: "m.login.application_service",
+      username
+   })
+}
+
+module.exports.register = register
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -18,21 +18,23 @@
    "better-sqlite3": "^8.3.0",
    "cloudstorm": "^0.7.0",
    "discord-markdown": "git+https://git.sr.ht/~cadence/nodejs-discord-markdown#24508e701e91d5a00fa5e773ced874d9ee8c889b",
-    "heatsync": "^2.4.0",
+    "heatsync": "^2.4.1",
    "js-yaml": "^4.1.0",
    "matrix-appservice": "^2.0.0",
    "matrix-js-sdk": "^24.1.0",
    "mixin-deep": "^2.0.1",
    "node-fetch": "^2.6.7",
-    "snowtransfer": "^0.7.0"
+    "snowtransfer": "^0.7.0",
+    "try-to-catch": "^3.0.1"
  },
  "devDependencies": {
    "@types/node": "^18.16.0",
    "@types/node-fetch": "^2.6.3",
+    "cross-env": "^7.0.3",
    "supertape": "^8.3.0",
    "tap-dot": "github:cloudrac3r/tap-dot#223a4e67a6f7daf015506a12a7af74605f06c7f4"
  },
  "scripts": {
-    "test": "FORCE_COLOR=true supertape --format tap test/test.js | tap-dot"
+    "test": "cross-env FORCE_COLOR=true supertape --format tap test/test.js | tap-dot"
  }
 }
--- a/test/test.js
+++ b/test/test.js
@ -8,8 +8,9 @@ const passthrough = require("../passthrough")
 const db = new sqlite("db/ooye.db")

 // @ts-ignore
-const sync = new HeatSync({persistent: false})
+const sync = new HeatSync({watchFS: false})

 Object.assign(passthrough, { config, sync, db })

 require("../d2m/actions/create-room.test")
+require("../d2m/converters/user-to-mxid.test")