bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

fix(handlers): strengthen input validation with regex patterns

Improve validation robustness in block/unblock handlers:

1. DID validation with regex:
- Pattern: ^did:(plc|web):[a-zA-Z0-9._:%-]+$
- Rejects invalid formats like "did:x" or "did:"
- Ensures only supported DID methods (plc, web)

2. Handle validation:
- Verify handle contains @ symbol for domain
- Rejects incomplete handles like "!" or "!name"
- Ensures proper format: !name@domain.tld

Previous validation only checked prefix, allowing invalid values
to pass through to service layer. New validation catches format
errors early with clear error messages.

Addresses: Important review comment #4

bretton.dev d80dd0fd df964fa8

options
unified split
Changed files
+32 -4
internal
api
handlers
community
block.go
+32 -4
internal/api/handlers/community/block.go 
···

       
6

       
6

       
 

       
	"encoding/json"


     

       
7

       
7

       
 

       
	"log"


     

       
8

       
8

       
 

       
	"net/http"


     

       

       
9

       
+

       
	"regexp"


     

       
9

       
10

       
 

       
	"strings"


     

       
10

       
11

       
 

       
)


     

       
11

       
12

       
 

       



     
···

       
45

       
46

       
 

       
		return


     

       
46

       
47

       
 

       
	}


     

       
47

       
48

       
 

       



     

       
48

       

       
-

       
	// Validate format (DID or handle)


     

       
49

       

       
-

       
	if !strings.HasPrefix(req.Community, "did:") && !strings.HasPrefix(req.Community, "!") {


     

       

       
49

       
+

       
	// Validate format (DID or handle) with proper regex patterns


     

       

       
50

       
+

       
	if strings.HasPrefix(req.Community, "did:") {


     

       

       
51

       
+

       
		// Validate DID format: did:method:identifier


     

       

       
52

       
+

       
		// atProto supports did:plc and did:web


     

       

       
53

       
+

       
		didRegex := regexp.MustCompile(`^did:(plc|web):[a-zA-Z0-9._:%-]+$`)


     

       

       
54

       
+

       
		if !didRegex.MatchString(req.Community) {


     

       

       
55

       
+

       
			writeError(w, http.StatusBadRequest, "InvalidRequest", "invalid DID format")


     

       

       
56

       
+

       
			return


     

       

       
57

       
+

       
		}


     

       

       
58

       
+

       
	} else if strings.HasPrefix(req.Community, "!") {


     

       

       
59

       
+

       
		// Validate handle format: !name@domain.tld


     

       

       
60

       
+

       
		if !strings.Contains(req.Community, "@") {


     

       

       
61

       
+

       
			writeError(w, http.StatusBadRequest, "InvalidRequest", "handle must contain @domain")


     

       

       
62

       
+

       
			return


     

       

       
63

       
+

       
		}


     

       

       
64

       
+

       
	} else {


     

       
50

       
65

       
 

       
		writeError(w, http.StatusBadRequest, "InvalidRequest",


     

       
51

       
66

       
 

       
			"community must be a DID (did:plc:...) or handle (!name@instance.com)")


     

       
52

       
67

       
 

       
		return


     
···

       
111

       
126

       
 

       
		return


     

       
112

       
127

       
 

       
	}


     

       
113

       
128

       
 

       



     

       
114

       

       
-

       
	// Validate format (DID or handle)


     

       
115

       

       
-

       
	if !strings.HasPrefix(req.Community, "did:") && !strings.HasPrefix(req.Community, "!") {


     

       

       
129

       
+

       
	// Validate format (DID or handle) with proper regex patterns


     

       

       
130

       
+

       
	if strings.HasPrefix(req.Community, "did:") {


     

       

       
131

       
+

       
		// Validate DID format: did:method:identifier


     

       

       
132

       
+

       
		didRegex := regexp.MustCompile(`^did:(plc|web):[a-zA-Z0-9._:%-]+$`)


     

       

       
133

       
+

       
		if !didRegex.MatchString(req.Community) {


     

       

       
134

       
+

       
			writeError(w, http.StatusBadRequest, "InvalidRequest", "invalid DID format")


     

       

       
135

       
+

       
			return


     

       

       
136

       
+

       
		}


     

       

       
137

       
+

       
	} else if strings.HasPrefix(req.Community, "!") {


     

       

       
138

       
+

       
		// Validate handle format: !name@domain.tld


     

       

       
139

       
+

       
		if !strings.Contains(req.Community, "@") {


     

       

       
140

       
+

       
			writeError(w, http.StatusBadRequest, "InvalidRequest", "handle must contain @domain")


     

       

       
141

       
+

       
			return


     

       

       
142

       
+

       
		}


     

       

       
143

       
+

       
	} else {


     

       
116

       
144

       
 

       
		writeError(w, http.StatusBadRequest, "InvalidRequest",


     

       
117

       
145

       
 

       
			"community must be a DID (did:plc:...) or handle (!name@instance.com)")


     

       
118

       
146

       
 

       
		return