From 30b9c6237f0afe218b144d573f1c1990f535afd7 Mon Sep 17 00:00:00 2001
From: Blake Blackshear
Date: Sun, 12 May 2024 09:51:43 -0500
Subject: [PATCH] validate username and fixes
---
 frigate/api/auth.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 1ba89f37a..ba8b92d7f 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -5,6 +5,7 @@ import hashlib
 import json
 import logging
 import os
+import re
 import secrets
 import time
 from datetime import datetime
@@ -239,6 +240,9 @@ def create_user():
 request_data = request.get_json()
+ if not re.match("^[A-Za-z0-9._]+$", request_data.get("username", "")):
+ make_response({"message": "Invalid username"}, 400)
+
 password_hash = hash_password(request_data["password"], iterations=HASH_ITERATIONS)
 User.insert(
@@ -252,7 +256,7 @@ def create_user():
 @AuthBp.route("/users/", methods=["DELETE"])
 def delete_user(username: str):
- User.delete_by_id(username).execute()
+ User.delete_by_id(username)
 return jsonify({"success": True})
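Review bot: The username check added to create_user() builds the 400 response but never returns it, so execution falls through to hash_password() and User.insert() and a rejected username is still stored; the line should be `return make_response({"message": "Invalid username"}, 400)`. The pattern is also applied with `re.match` and `$`, which accepts a trailing newline after an otherwise valid name; `re.fullmatch(r"[A-Za-z0-9._]+", ...)` closes that gap. A JSON body that is not an object, or a non-string "username", would presumably raise inside this check and surface as a 500 rather than a 400, so an `isinstance(..., str)` guard before the regex is worth adding. create_user() starts before and continues past this hunk, so any validation done elsewhere in the function is not visible here.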
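Review bot: delete_user() discards the result of `User.delete_by_id(username)` and always answers `{"success": True}`, so a request for a name that does not exist is indistinguishable from a real deletion. If User is a peewee model, delete_by_id executes immediately and returns the number of rows removed, so dropping `.execute()` is right and the count is available for a check such as `if not User.delete_by_id(username): return make_response({"message": "User not found"}, 404)`. Account deletion is also an event worth recording for audit, so a log line naming the deleted user would help; no logging call is visible in this hunk.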