View Issue Details

ID: 0008170
Project: Taler
Category: libeufin-bank-ui (SPA)
View Status: public
Last Update: 2024-03-12 13:44
Reporter: Christian Grothoff
Assigned To: Antoine A
Priority: normal
Severity: tweak
Reproducibility: N/A
Status: resolved
Resolution: fixed
Platform: i7
OS: Debian GNU/Linux
OS Version: squeeze
Product Version: git (master)
Target Version: 0.10
Fixed in Version: 0.10
Summary: 0008170: Username character set restrictions?
Description: When creating a bank account, the SPA seems to allow any username (I tried spaces, %, -, ~ -- anything goes, it seems).
However, I suspect that libeufin-bank does or maybe should impose restrictions on the username, especially as it is used in URLs.
So we should decide & document those restrictions (if they are not yet!), and the SPA should already enforce the restrictions when the user name is entered by the admin. Unless you're sure that truly anything goes...
Tags: No tags attached.

Relationships

child of 0008365 (resolved, Christian Grothoff): package and upload libeufin 0.10 to ftp and stable Debian/Ubuntu server

Activities

Christian Grothoff

2024-01-21 19:33

manager   ~0020946

Not sure which of the two of you should start on this; it depends a bit on what exactly the issue is. I just suspect there is one ;-).

sebasjm

2024-03-11 19:31

developer   ~0021842

Let's first define on the server side which charsets are allowed for the username, and also for the password.

When you have that regex for both, assign that to me and I will implement it in the SPA to prevent a request that we know will fail.

PS: if you also have any other restrictions for other fields like "full name", please include them.

Christian Grothoff

2024-03-11 19:35

manager   ~0021843

I'd just use the legal characters that don't require escaping in URLs, minus the separators "/?&#". That way, we can be sure that we can safely use the username in any access path (/accounts/$USERNAME/something) without causing problems or requiring escaping. WDYT?

As for the full name, I'd probably just go for full UTF-8.

sebasjm

2024-03-11 19:46

developer   ~0021845

OK, I will restrict to ALPHA DIGIT "-" / "." / "_" / "~" based on https://datatracker.ietf.org/doc/html/rfc3986#section-2.3
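
The restriction agreed in the notes above, as an added example (not part of the thread and not libeufin-bank's or the SPA's code): a check for the RFC 3986 section 2.3 unreserved set, plus a round-trip through a URL parser showing that accepted names fit /accounts/$USERNAME/something unescaped. The function names, the bank.example base URL, the sample inputs and the extra rejection of "." and ".." are assumptions of this example.

```javascript
// Added example: username check for the RFC 3986 section 2.3 "unreserved" set.
// Function names, the base URL and the sample inputs are constructed.

// unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
const UNRESERVED = /^[A-Za-z0-9._~-]+$/;

// Returns null when the username is acceptable, otherwise a short reason.
function usernameError(name) {
  if (typeof name !== "string" || name.length === 0) return "empty";
  if (!UNRESERVED.test(name)) return "character outside the unreserved set";
  // Assumption of this example, not a rule from the thread: "." and ".."
  // consist only of unreserved characters, but URL parsers treat them as
  // dot-segments and remove them from the path.
  if (name === "." || name === "..") return "dot-segment";
  return null;
}

// Builds /accounts/$USERNAME/<suffix> with no escaping and checks that a
// standard URL parser returns exactly the same path.
function accountPath(name, suffix) {
  const reason = usernameError(name);
  if (reason !== null) throw new RangeError(`invalid username: ${reason}`);
  const path = `/accounts/${name}/${suffix}`;
  const parsed = new URL(path, "https://bank.example").pathname;
  if (parsed !== path) throw new Error(`path changed by parser: ${parsed}`);
  return path;
}

// What the parser makes of a name when it is inserted without any check.
function parsedPath(name) {
  const url = new URL(`/accounts/${name}/transactions`, "https://bank.example");
  return url.pathname;
}

// Constructed sample usernames: two valid, the rest rejected.
const samples = ["alice", "a.b_c~d-9", "bob smith", "50%", "a/b", "a?b", "a#b", "a&b", ".."];
for (const s of samples) {
  const verdict = usernameError(s) || "ok";
  console.log(JSON.stringify(s), "->", verdict, "| parsed path:", parsedPath(s));
}
```
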

sebasjm

2024-03-12 13:02

developer   ~0021860

0b8b9950d..113f6614c

Issue History

Date Modified Username Field Change
2024-01-21 19:32 Christian Grothoff New Issue
2024-01-21 19:32 Christian Grothoff Status new => assigned
2024-01-21 19:32 Christian Grothoff Assigned To => sebasjm
2024-01-21 19:33 Christian Grothoff Note Added: 0020946
2024-02-10 00:24 Christian Grothoff Relationship added child of 0008365
2024-03-11 19:31 sebasjm Assigned To sebasjm => Antoine A
2024-03-11 19:31 sebasjm Status assigned => feedback
2024-03-11 19:31 sebasjm Note Added: 0021842
2024-03-11 19:35 Christian Grothoff Note Added: 0021843
2024-03-11 19:35 Christian Grothoff Status feedback => assigned
2024-03-11 19:46 sebasjm Note Added: 0021845
2024-03-12 13:02 sebasjm Status assigned => resolved
2024-03-12 13:02 sebasjm Resolution open => fixed
2024-03-12 13:02 sebasjm Note Added: 0021860
2024-03-12 13:44 Christian Grothoff Fixed in Version => 0.10