From c3df68f2ed34cca590946a19182bd29c924f5075 Mon Sep 17 00:00:00 2001 From: Julian Lam Date: Tue, 30 Sep 2025 11:05:42 -0400 Subject: [PATCH] fix: don\'t begin processing local login if the passed-in username isn't even valid --- src/controllers/authentication.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/controllers/authentication.js b/src/controllers/authentication.js index fef6f088b6..d5a0965d7b 100644 --- a/src/controllers/authentication.js +++ b/src/controllers/authentication.js @@ -420,6 +420,10 @@ authenticationController.localLogin = async function (req, username, password, n } const userslug = slugify(username); + if (!utils.isUserNameValid(username) || !userslug) { + return next(new Error('[[error:invalid-username]]')); + } + const uid = await user.getUidByUserslug(userslug); try { const [userData, isAdminOrGlobalMod, canLoginIfBanned] = await Promise.all([