From 10f0adb7a512d104241508691a3857a1ad2d8bcb Mon Sep 17 00:00:00 2001
From: Antonia Koch <146366740+AntoniaBK@users.noreply.github.com>
Date: Thu, 2 May 2024 13:24:47 +0200
Subject: [PATCH] add: validate username at login
---
 website/web/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/website/web/__init__.py b/website/web/__init__.py
index 89eea04..3168003 100644
--- a/website/web/__init__.py
+++ b/website/web/__init__.py
@@ -53,7 +53,7 @@ else:
 all_timezones_set = available_timezones()
 from .genericapi import api as generic_api
-from .helpers import (User, build_users_table, get_secret_key,
+from .helpers import (User, valid_username, build_users_table, get_secret_key,
 load_user_from_request, src_request_ip, sri_load, get_lookyloo_instance)
 from .proxied import ReverseProxied
@@ -107,6 +107,9 @@ def login() -> WerkzeugResponse | str | Response:
 '''
 username = request.form['username']
+ if not valid_username(username):
+ flash('User is not permitted.', 'error')
+ return redirect(url_for('login'))
 users_table = build_users_table()
 if username in users_table and check_password_hash(users_table[username]['password'], request.form['password']):
 user = User()
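Review bot: The early return added after `valid_username(username)` in `login()` answers with its own message, 'User is not permitted.', before any credential check, so an unauthenticated client can tell a name rejected by the validator from a wrong password. `valid_username` is defined in `.helpers` and is not visible here; if it does more than a syntax check, for instance consulting an allow-list, that difference discloses which names are permitted. I would give this branch the same flash text as the failed-credentials branch, which lies outside the hunk, and note the intent above the check with `# Reject malformed usernames before the users-table lookup; response must match the bad-password path.` The rejection is also not recorded anywhere visible, so a server-side log entry with the source address (the already imported `src_request_ip` presumably provides it) would help spot probing, provided the raw username is not written to the log unescaped.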