feat: add rate limiting, case-insensitive usernames and session security

2026-02-21 14:03:34 +01:00
parent 638a27208f
commit 22a6bc5123
5 changed files with 26 additions and 8 deletions
--- a/app/Http/Controllers/Auth/CompleteProfileController.php
+++ b/app/Http/Controllers/Auth/CompleteProfileController.php
@@ -43,7 +43,15 @@ class CompleteProfileController extends Controller
        }

        $request->validate([
-            'username' => ['required', 'string', 'max:255', 'alpha_dash', 'unique:'.User::class],
+            'username' => [
+                'required', 'string', 'max:255', 'alpha_dash',
+                function ($attribute, $value, $fail) {
+                    $exists = User::whereRaw('LOWER(username) = ?', [strtolower($value)])->exists();
+                    if ($exists) {
+                        $fail('The username has already been taken.');
+                    }
+                },
+            ],
            'first_name' => ['required', 'string', 'max:255'],
            'last_name' => ['required', 'string', 'max:255'],
        ]);
@@ -62,6 +70,7 @@ class CompleteProfileController extends Controller
        event(new Registered($user));

        Auth::login($user, remember: true);
+        $request->session()->regenerate();

        return redirect()->intended(config('auth-ui.redirects.login', '/'));
    }
--- a/app/Http/Controllers/Auth/RegisterController.php
+++ b/app/Http/Controllers/Auth/RegisterController.php
@@ -37,7 +37,15 @@ class RegisterController extends Controller
        }

        $request->validate([
-            'username' => ['required', 'string', 'max:255', 'alpha_dash', 'unique:'.User::class],
+            'username' => [
+                'required', 'string', 'max:255', 'alpha_dash',
+                function ($attribute, $value, $fail) {
+                    $exists = User::whereRaw('LOWER(username) = ?', [strtolower($value)])->exists();
+                    if ($exists) {
+                        $fail('The username has already been taken.');
+                    }
+                },
+            ],
            'first_name' => ['required', 'string', 'max:255'],
            'last_name' => ['required', 'string', 'max:255'],
            'email' => ['required', 'string', 'lowercase', 'email', 'max:255', 'unique:'.User::class],
--- a/app/Http/Controllers/Auth/SocialiteController.php
+++ b/app/Http/Controllers/Auth/SocialiteController.php
@@ -79,7 +79,7 @@ class SocialiteController extends Controller
            $suggestedUsername = $this->suggestUsername($socialUser);

            // Check if username is already taken
-            if (User::where('username', $suggestedUsername)->exists()) {
+            if (User::whereRaw('LOWER(username) = ?', [strtolower($suggestedUsername)])->exists()) {
                // Store social data in session and redirect to complete profile
                session()->put('socialite_user', [
                    'email' => $socialUser->getEmail(),
@@ -103,6 +103,7 @@ class SocialiteController extends Controller
        }

        Auth::login($user, remember: true);
+        request()->session()->regenerate();

        return redirect()->intended(config('auth-ui.redirects.login', '/'));
    }