From 00473eaef6f013ccce870335785873f89db0617d Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Fri, 14 May 2021 10:44:14 +1000
Subject: Prevent usernames in Chat mode of length 128 chars or more

---
 cli/onionshare_cli/resources/static/js/chat.js | 11 +++++++-
 cli/onionshare_cli/resources/templates/chat.html | 3 ++-
 cli/onionshare_cli/web/chat_mode.py | 33 +++++++++++++++++-------
 desktop/tests/test_gui_chat.py | 22 ++++++++++++++++
 4 files changed, 57 insertions(+), 12 deletions(-)

diff --git a/cli/onionshare_cli/resources/static/js/chat.js b/cli/onionshare_cli/resources/static/js/chat.js
index 258b020b..97b14e3e 100644
--- a/cli/onionshare_cli/resources/static/js/chat.js
+++ b/cli/onionshare_cli/resources/static/js/chat.js
@@ -88,7 +88,7 @@ var emitMessage = function (socket) {
 
 var updateUsername = function (socket) {
 var username = $('#username').val();
- if (!checkUsernameExists(username)) {
+ if (!checkUsernameExists(username) && !checkUsernameLength(username)) {
 $.ajax({
 method: 'POST',
 url: `http://${document.domain}:${location.port}/update-session-username`,
@@ -133,6 +133,15 @@ var checkUsernameExists = function (username) {
 return false;
 }
 
+var checkUsernameLength = function (username) {
+ $('#username-error').text('');
+ if (username.length > 128) {
+ $('#username-error').text('Please choose a shorter username.');
+ return true;
+ }
+ return false;
+}
+
 var getScrollDiffBefore = function () {
 return $('#chat').scrollTop() - ($('#chat')[0].scrollHeight - $('#chat')[0].offsetHeight);
 }
diff --git a/cli/onionshare_cli/resources/templates/chat.html b/cli/onionshare_cli/resources/templates/chat.html
index 7156d58c..7f60b11d 100644
--- a/cli/onionshare_cli/resources/templates/chat.html
+++ b/cli/onionshare_cli/resources/templates/chat.html
@@ -23,6 +23,7 @@
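Review bot: checkUsernameLength only flags usernames longer than 128 characters (`username.length > 128`), while the server-side check added to chat_mode.py in this same commit requires `len(...) < 128`, so a username of exactly 128 characters passes the client check and is then refused by the server with no error text shown to the user. The commit subject says 128 or more should be prevented, so the client test should read `if (username.length >= 128) {`. Even then the two checks can still differ for non-BMP characters, because `.length` counts UTF-16 code units and Python's `len()` counts code points; that is worth a one-line comment on checkUsernameLength noting that the server check is the authoritative one and this is only early feedback. The `&&` in updateUsername short-circuits, so the `text('')` reset at the top of checkUsernameLength never wipes an error set by checkUsernameExists — fine, but a comment saying so would save the next reader a check.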
+

Your username:

@@ -43,4 +44,4 @@
-
\ No newline at end of file
+
diff --git a/cli/onionshare_cli/web/chat_mode.py b/cli/onionshare_cli/web/chat_mode.py
index 8b2a5673..e9b573dd 100644
--- a/cli/onionshare_cli/web/chat_mode.py
+++ b/cli/onionshare_cli/web/chat_mode.py
@@ -79,20 +79,33 @@ class ChatModeWeb:
 if (
 data.get("username", "")
 and data.get("username", "") not in self.connected_users
+ and len(data.get("username", "")) < 128
 ):
 session["name"] = data.get("username", session.get("name"))
- self.web.add_request(
- request.path,
- {"id": history_id, "status_code": 200},
- )
+ self.web.add_request(
+ request.path,
+ {"id": history_id, "status_code": 200},
+ )
 
- self.web.add_request(self.web.REQUEST_LOAD, request.path)
- r = make_response(
- jsonify(
- username=session.get("name"),
- success=True,
+ self.web.add_request(self.web.REQUEST_LOAD, request.path)
+ r = make_response(
+ jsonify(
+ username=session.get("name"),
+ success=True,
+ )
+ )
+ else:
+ self.web.add_request(
+ request.path,
+ {"id": history_id, "status_code": 403},
+ )
+
+ r = make_response(
+ jsonify(
+ username=session.get("name"),
+ success=False,
+ )
 )
- )
 return self.web.add_security_headers(r)
 
 @self.web.socketio.on("joined", namespace="/chat")
diff --git a/desktop/tests/test_gui_chat.py b/desktop/tests/test_gui_chat.py
index 7a19168b..08c619c6 100644
--- a/desktop/tests/test_gui_chat.py
+++ b/desktop/tests/test_gui_chat.py
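Review bot: The new else branch records `"status_code": 403` in the request history, but the response it builds with `make_response(jsonify(...))` still goes out as HTTP 200, so the logged status and the wire status disagree for rejected names. Either pass the status through, `r = make_response(jsonify(username=session.get("name"), success=False), 403)`, or record 200 and rely on `success=False` as the signal; if the browser's `$.ajax` success handler needs a 200 to read the JSON, the second option is the safer one. `data.get("username", "")` is evaluated three times in the condition and once more in the assignment; binding it once, `username = data.get("username", "")`, and using it in all four places makes the `< 128` bound easier to read and guarantees the tests all see the same value. The enclosing handler starts before the hunk; this bound only covers the update-session-username route, so if a username is also accepted on another path (for instance the socket `joined` handler that begins right after the hunk), the same check belongs there too.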
@@ -47,6 +47,27 @@ class TestChat(GuiBaseTest):
 self.assertTrue(jsonResponse["success"])
 self.assertEqual(jsonResponse["username"], "oniontest")
 
+ def change_username_too_long(self, tab):
+ """Test that we can't set our username to something 128 chars or longer"""
+ url = f"http://127.0.0.1:{tab.app.port}/update-session-username"
+ bad_username = "sduBB9yEMkyQpwkMM4A9nUbQwNUbPU2PQuJYN26zCQ4inELpB76J5i5oRUnD3ESVaE9NNE8puAtBj2DiqDaZdVqhV8MonyxSSGHRv87YgM5dzwBYPBxttoQSKZAUkFjo"
+ data = {"username":bad_username}
+ if tab.settings.get("general", "public"):
+ r = requests.post(url, json=data)
+ else:
+ r = requests.post(
+ url,
+ json=data,
+ auth=requests.auth.HTTPBasicAuth(
+ "onionshare", tab.get_mode().server_status.web.password
+ ),
+ )
+
+ QtTest.QTest.qWait(500, self.gui.qtapp)
+ jsonResponse = r.json()
+ self.assertFalse(jsonResponse["success"])
+ self.assertNotEqual(jsonResponse["username"], bad_username)
+
 def run_all_chat_mode_tests(self, tab):
 """Tests in chat mode after starting a chat"""
 self.server_working_on_start_button_pressed(tab)
@@ -60,6 +81,7 @@ class TestChat(GuiBaseTest):
 self.server_status_indicator_says_started(tab)
 self.view_chat(tab)
 self.change_username(tab)
+ self.change_username_too_long(tab)
 self.server_is_stopped(tab)
 self.web_server_is_stopped(tab)
 self.server_status_indicator_says_closed(tab)
-- 
cgit v1.2.3-54-g00ecf
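Review bot: bad_username is a 128-character literal that exercises exactly the server's boundary, but nothing in change_username_too_long makes that length visible, so a casual edit to the string would silently move the test off the boundary; build it as `bad_username = "a" * 128` or add `self.assertEqual(len(bad_username), 128)` beside it. The second hunk runs change_username before change_username_too_long, so the session name should still be "oniontest" after the rejected request, and `self.assertEqual(jsonResponse["username"], "oniontest")` pins that more tightly than the assertNotEqual. A companion case with a 127-character name that is accepted would cover the other side of the bound, if the extra round trip is acceptable in this suite.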