Fixed a bug where it was possible to create multiple accounts with the same display name, added error messages for the registration page

Kowi21 · Kowi21 · commit f9963b4fc81b · 2025-05-07T10:46:35.000+02:00
diff --git a/ATBPServer/post-requests.js b/ATBPServer/post-requests.js
@@ -6,41 +6,82 @@ const bcrypt = require('bcrypt');
 const dbOp = require('./db-operations.js');
 const crypto = require('crypto');
 
+function escapeRegex(string) {
+  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 module.exports = {
-  handleRegister: function (username, password, names, forgot, collection) {
+  handleRegister: function (username, password, selectedNameParts, forgot, collection) {
     return new Promise(function (resolve, reject) {
       bcrypt.hash(password, 10, (err, hash) => {
-        var name = '';
-        for (var i in names) {
-          name += names[i];
-          if (i != names.length - 1 && names[i] != '') name += ' ';
+        if (err) {
+          console.error("Bcrypt password hashing error:", err);
+          return reject(new Error("Password hashing failed"));
+        }
+
+        let validNameParts = selectedNameParts.filter(n => n && n.trim() !== '');
+        const finalDisplayNameForStorage = validNameParts.join(' ');
+
+        if (validNameParts.length < 2) {
+          return reject(new Error("Insufficient display name parts selected."));
+        }
+
+        let baseDisplayNameForLookup = finalDisplayNameForStorage;
+
+        const prefixRegex = /^(?:\[DEV\]\s*|\[ATBPDEV\]\s*)/i;
+        baseDisplayNameForLookup = baseDisplayNameForLookup.replace(prefixRegex, '').trim();
+
+        if (!baseDisplayNameForLookup) {
+          return reject(new Error("A valid core display name is required."));
         }
+
+        const escapedUsername = escapeRegex(username);
+        const escapedBaseDisplayName = escapeRegex(baseDisplayNameForLookup);
+
+        const displayNameConflictRegex = new RegExp(
+          `^(?:${prefixRegex.source})?${escapedBaseDisplayName}$`,
+          'i'
+        );
+
         collection
           .findOne({
             $or: [
-              { 'user.TEGid': { $regex: new RegExp(`^${username}$`, 'i') } },
-              {
-                'user.dname': name
-                  .replace('[DEV] ', '')
-                  .replace('[ATBPDEV] ', ''),
-              },
+              { 'user.TEGid': { $regex: new RegExp(`^${escapedUsername}$`, 'i') } },
+              { 'user.dname': displayNameConflictRegex },
             ],
           })
-          .then((user) => {
-            if (user != null) {
-              resolve('login');
+          .then((existingUser) => {
+            if (existingUser != null) {
+
+              if (existingUser.user.TEGid.toLowerCase() === username.toLowerCase()) {
+                resolve('usernameTaken');
+              } else {
+                // If the username didn't match, the displayNameConflictRegex must have.
+                resolve('displayNameTaken');
+              }
             } else {
-              bcrypt.hash(forgot, 10, (er, has) => {
+              bcrypt.hash(forgot, 10, (er, forgotHash) => {
+                if (er) {
+                  console.error("Bcrypt secret phrase hashing error:", er);
+                  return reject(new Error("Secret phrase hashing failed"));
+                }
+
                 dbOp
-                  .createNewUser(username, name, hash, has, collection)
+                  .createNewUser(username, finalDisplayNameForStorage, hash, forgotHash, collection)
                   .then((u) => {
                     resolve(u);
                   })
-                  .catch(console.error);
+                  .catch(dbErr => {
+                    console.error("Error in createNewUser:", dbErr);
+                    reject(dbErr);
+                  });
               });
             }
           })
-          .catch(console.error);
+          .catch(queryErr => {
+            console.error("Error in findOne user check:", queryErr);
+            reject(queryErr);
+          });
       });
     });
   },
diff --git a/ATBPServer/server.js b/ATBPServer/server.js
@@ -873,61 +873,85 @@ mongoClient.connect((err) => {
 
   app.post('/auth/register', (req, res) => {
     var nameCount = 0;
-    if (
-      req.body.name1 != '' &&
-      displayNames.list1.includes(getLowerCaseName(req.body.name1))
-    )
+    const name1 = req.body.name1 ? req.body.name1.trim() : '';
+    const name2 = req.body.name2 ? req.body.name2.trim() : '';
+    const name3 = req.body.name3 ? req.body.name3.trim() : '';
+
+    if (name1 !== '' && displayNames.list1.includes(getLowerCaseName(name1))) {
       nameCount++;
-    else if (req.body.name1 != '') nameCount = -100;
-    if (
-      req.body.name2 != '' &&
-      displayNames.list2.includes(getLowerCaseName(req.body.name2))
-    )
+    } else if (name1 !== '') {
+      nameCount = -100;
+    }
+
+    if (name2 !== '' && displayNames.list2.includes(getLowerCaseName(name2))) {
       nameCount++;
-    else if (req.body.name2 != '') nameCount = -100;
-    if (
-      req.body.name3 != '' &&
-      displayNames.list3.includes(getLowerCaseName(req.body.name3))
-    )
+    } else if (name2 !== '') {
+      nameCount = -100;
+    }
+
+    if (name3 !== '' && displayNames.list3.includes(getLowerCaseName(name3))) {
       nameCount++;
-    else if (req.body.name3 != '') nameCount = -100;
+    } else if (name3 !== '') {
+      nameCount = -100;
+    }
+
+    const username = req.body.username ? req.body.username.trim() : '';
+    const password = req.body.password;
+    const confirmPassword = req.body.confirm;
+    const forgotPhrase = req.body.forgot ? req.body.forgot.trim() : '';
 
     if (
-      req.body.username != '' &&
-      req.body.password != '' &&
-      nameCount > 1 &&
-      req.body.password == req.body.confirm
+      username !== '' &&
+      password !== '' &&
+      forgotPhrase !== '' &&
+      nameCount >= 2 && // Require at least 2 valid parts for the display name
+      password === confirmPassword
     ) {
-      var names = [req.body.name1, req.body.name2, req.body.name3];
+      var namesForDisplay = [name1, name2, name3].filter(n => n !== ''); // Filter out empty parts for display name construction
+
       postRequest
         .handleRegister(
-          req.body.username,
-          req.body.password,
-          names,
-          req.body.forgot,
+          username,
+          password,
+          namesForDisplay,
+          forgotPhrase,
           playerCollection
         )
-        .then((user) => {
-          if (user == 'login') {
-            res.redirect('/login?exists=true');
-          } else {
-            res.cookie('TEGid', user.user.TEGid);
-            res.cookie('authid', user.user.authid);
-            res.cookie('dname', user.user.dname);
-            res.cookie('authpass', user.user.authpass);
-            var date = Date.parse(user.session.expires_at);
-            res.cookie('session_token', user.session.token, {
+        .then((result) => {
+          if (result === 'usernameTaken') {
+            res.redirect('/register?usernameTaken=true');
+          } else if (result === 'displayNameTaken') {
+            res.redirect('/register?displayNameTaken=true');
+          } else if (typeof result === 'object' && result.user && result.session) { // Successful registration
+            res.cookie('TEGid', result.user.TEGid);
+            res.cookie('authid', result.user.authid);
+            res.cookie('dname', result.user.dname);
+            res.cookie('authpass', result.user.authpass);
+            var date = Date.parse(result.session.expires_at);
+            res.cookie('session_token', result.session.token, {
               maxAge: date.valueOf() - Date.now(),
             });
             res.cookie('logged', true);
             res.redirect(config.httpserver.url);
+          } else {
+            console.warn("handleRegister returned unexpected result:", result);
+            res.redirect('/register?failed=true&reason=unexpected');
           }
         })
         .catch((e) => {
-          console.log(e);
-          res.redirect('/register?failed=true');
+          console.error("Error during registration process:", e);
+
+          res.redirect('/register?failed=true&reason=servererror');
         });
-    } else res.redirect('/register?failed=true');
+    } else {
+      // Initial validation failed (empty fields, passwords don't match, invalid display name count)
+      let reason = 'validation';
+      if (password !== confirmPassword) reason = 'passwordmismatch';
+      if (nameCount < 2 && nameCount > -100) reason = 'displaynameparts'; // if nameCount is -100, it's an invalid selection
+      else if (nameCount === -100) reason = 'invaliddisplayname';
+
+      res.redirect(`/register?failed=true&reason=${reason}`);
+    }
   });
 
   app.post('/auth/forgot', (req, res) => {
diff --git a/ATBPServer/views/register.ejs b/ATBPServer/views/register.ejs
@@ -197,16 +197,69 @@
 <script defer type="text/javascript" src="js/bootstrap.bundle.min.js"></script>
 
 <script type="text/javascript">
-  const failed = window.location.search.includes('failed');
-  const exists = window.location.search.includes('exists');
-  if (failed) window.alert("Registration failed!");
-  else if (exists) window.alert("User already exists! Please login.");
+  const params = new URLSearchParams(window.location.search);
+  const failed = params.get('failed') === 'true';
+  const usernameTaken = params.get('usernameTaken') === 'true';
+  const displayNameTaken = params.get('displayNameTaken') === 'true';
+  const reason = params.get('reason');
+
+  if (usernameTaken) {
+    window.alert("Registration failed: Username is already taken. Please choose another.");
+  } else if (displayNameTaken) {
+    window.alert("Registration failed: Display Name is already taken. Please choose another.");
+  } else if (failed) {
+    let message = "Registration failed! Please check your inputs.";
+    if (reason === 'passwordmismatch') {
+      message = "Registration failed: Passwords do not match.";
+    } else if (reason === 'displaynameparts') {
+      message = "Registration failed: Please select at least two parts for your display name.";
+    } else if (reason === 'invaliddisplayname') {
+      message = "Registration failed: An invalid display name part was selected.";
+    } else if (reason === 'servererror') {
+      message = "Registration failed: A server error occurred. Please try again later.";
+    } else if (reason === 'unexpected') {
+      message = "Registration failed: An unexpected error occurred. Please try again.";
+    }
+    window.alert(message);
+  }
 
   function blockSpecialChar(e) {
     var format = /[ `!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?~]/;
     return e.key != undefined ? !format.test(e.key) : !format.test(String.fromCharCode(e.charCode));
   }
 
+
+  document.addEventListener('DOMContentLoaded', function() {
+    const form = document.getElementById('form');
+    const passwordInput = document.getElementById('password');
+    const confirmInput = document.getElementById('confirm');
+
+    if (form && passwordInput && confirmInput) {
+      form.addEventListener('submit', function(event) {
+        if (passwordInput.value !== confirmInput.value) {
+          alert("Passwords do not match!");
+          event.preventDefault(); // Prevent form submission
+          confirmInput.focus();
+        }
+
+        const name1 = document.getElementById('name1').value;
+        const name2 = document.getElementById('name2').value;
+        const name3 = document.getElementById('name3').value;
+        let selectedNameParts = 0;
+        if (name1) selectedNameParts++;
+        if (name2) selectedNameParts++;
+        if (name3) selectedNameParts++;
+
+        if (selectedNameParts < 2) {
+          alert("Please select at least two parts for your display name.");
+          event.preventDefault();
+
+          document.getElementById('name1').focus();
+        }
+      });
+    }
+  });
+
 </script>
 <div class="container" style="width: 32rem;">
     <div class="card text-center">
