From 902dfa7e7c4c3b2e16cabf6d7bac906c45a22242 Mon Sep 17 00:00:00 2001
From: Cadence Ember
Date: Tue, 18 Feb 2025 15:59:32 +1300
Subject: [PATCH] Validate mxid format in web login
---
 src/web/pug/log-in-with-matrix.pug | 2 +-
 src/web/routes/log-in-with-matrix.js | 2 +-
 src/web/routes/log-in-with-matrix.test.js | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/src/web/pug/log-in-with-matrix.pug b/src/web/pug/log-in-with-matrix.pug
index 3f7da91..9853eaf 100644
--- a/src/web/pug/log-in-with-matrix.pug
+++ b/src/web/pug/log-in-with-matrix.pug
@@ -11,6 +11,6 @@ block body
 input(type="hidden" name="next" value=next)
 .d-flex.gy4.fd-column
 label.s-label(for="mxid") Your Matrix ID
- input.fl-grow1.s-input.wmx3#mxid(name="mxid" required placeholder="@user:example.org")
+ input.fl-grow1.s-input.wmx3#mxid(name="mxid" required placeholder="@user:example.org" pattern="@([^:]+):([a-z0-9:\-]+\.[a-z0-9.:\-]+)")
 div
 button.s-btn.s-btn__github#log-in-button Continue with Matrix
diff --git a/src/web/routes/log-in-with-matrix.js b/src/web/routes/log-in-with-matrix.js
index b5c741c..89d36c2 100644
--- a/src/web/routes/log-in-with-matrix.js
+++ b/src/web/routes/log-in-with-matrix.js
@@ -17,7 +17,7 @@ const auth = sync.require("../auth")
 const schema = {
 form: z.object({
- mxid: z.string(),
+ mxid: z.string().regex(/^@([^:]+):([a-z0-9:-]+\.[a-z0-9.:-]+)$/),
 next: z.string().optional()
 }),
 token: z.object({
diff --git a/src/web/routes/log-in-with-matrix.test.js b/src/web/routes/log-in-with-matrix.test.js
index 5e8e2da..1c37d9b 100644
--- a/src/web/routes/log-in-with-matrix.test.js
+++ b/src/web/routes/log-in-with-matrix.test.js
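Review bot: In src/web/pug/log-in-with-matrix.pug the new `pattern` value sits inside a quoted Pug attribute, which Pug evaluates as a JavaScript string, so `\.` and `\-` are likely to reach the browser as a bare `.` and `-`. If so, the rendered pattern accepts any character where a literal dot is required and no longer matches the server-side regex in log-in-with-matrix.js. I would check the rendered HTML and, if the backslashes are gone, double them: `pattern="@([^:]+):([a-z0-9:\\-]+\\.[a-z0-9.:\\-]+)"`. A `title` attribute describing the expected format would also give users a readable validation message. This attribute is a convenience only; the server schema remains the check that matters.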
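Review bot: In src/web/routes/log-in-with-matrix.js the localpart group `[^:]+` of the new `mxid` regex accepts anything except a colon, including whitespace, line breaks, control characters and further `@` signs, and the string has no length bound. Since the value comes straight from the login form, I would restrict it to the characters the Matrix user-ID grammar allows and cap it at the 255-byte ID limit, e.g. `mxid: z.string().max(255).regex(/^@([a-z0-9._=\/+-]+):([a-z0-9:-]+\.[a-z0-9.:-]+)$/),`. If historical IDs with a wider character set must still be able to log in, at least exclude `\s` and control characters. The server-name part requires a dot and lowercase, so `localhost` and bracketed IPv6 literals are rejected while bare IPv4 addresses pass; a comment stating whether that is intended would help. The `schema` object continues outside the hunk.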
@@ -16,6 +16,24 @@ test("log in with matrix: shows web page with form on first request", async t =>
 let token
+test("log in with matrix: checks if mxid format looks valid", async t => {
+ const [error] = await tryToCatch(() => router.test("post", "/api/log-in-with-matrix", {
+ body: {
+ mxid: "x@cadence:cadence.moe"
+ }
+ }))
+ t.equal(error.data.issues[0].validation, "regex")
+})
+
+test("log in with matrix: checks if mxid domain format looks valid", async t => {
+ const [error] = await tryToCatch(() => router.test("post", "/api/log-in-with-matrix", {
+ body: {
+ mxid: "@cadence:cadence."
+ }
+ }))
+ t.equal(error.data.issues[0].validation, "regex")
+})
+
 test("log in with matrix: sends message when there is no m.direct data", async t => {
 const event = {}
 let called = 0
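Review bot: Both new tests read `error.data.issues[0]` without first asserting that the request was rejected, so if validation ever lets the value through they fail with a TypeError rather than a clear assertion; adding `t.ok(error, "request should be rejected")` before each `t.equal` makes that failure readable. The cases cover only a bad prefix and a trailing dot; a localpart containing a space or line break and an over-long ID would pin down the edges the regex is meant to guard. The final `test(...)` in the hunk is context whose body continues outside it.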