feat: add rate limiting, case-insensitive usernames and session security

2026-02-21 14:03:34 +01:00
parent 638a27208f
commit 22a6bc5123
5 changed files with 26 additions and 8 deletions
--- a/app/Http/Controllers/Auth/CompleteProfileController.php
+++ b/app/Http/Controllers/Auth/CompleteProfileController.php
@@ -43,7 +43,15 @@ class CompleteProfileController extends Controller
        }

        $request->validate([
-            'username' => ['required', 'string', 'max:255', 'alpha_dash', 'unique:'.User::class],
+            'username' => [
+                'required', 'string', 'max:255', 'alpha_dash',
+                function ($attribute, $value, $fail) {
+                    $exists = User::whereRaw('LOWER(username) = ?', [strtolower($value)])->exists();
+                    if ($exists) {
+                        $fail('The username has already been taken.');
+                    }
+                },
+            ],
            'first_name' => ['required', 'string', 'max:255'],
            'last_name' => ['required', 'string', 'max:255'],
        ]);
@@ -62,6 +70,7 @@ class CompleteProfileController extends Controller
        event(new Registered($user));

        Auth::login($user, remember: true);
+        $request->session()->regenerate();

        return redirect()->intended(config('auth-ui.redirects.login', '/'));
    }