fix: add some more input validation to /v1/register

2026-04-25 15:41:36 -05:00 · 2025-09-02 18:38:48 -04:00 · 2025-09-02 18:38:48 -04:00 · fe75d36945
commit fe75d36945
parent 9d18028432
2 changed files with 52 additions and 1 deletions
--- a/src/services/api/routes/v1/register.ts
+++ b/src/services/api/routes/v1/register.ts
@ -6,7 +6,7 @@ import moment from 'moment';
 import hcaptcha from 'hcaptcha';
 import Mii from 'mii-js';
 import { doesPNIDExist, connection as databaseConnection } from '@/database';
-import { nintendoPasswordHash, sendConfirmationEmail, generateToken } from '@/util';
+import { isValidBirthday, nintendoPasswordHash, sendConfirmationEmail, generateToken } from '@/util';
 import IP2LocationManager from '@/ip2location';
 import { SystemType } from '@/types/common/system-types';
 import { TokenType } from '@/types/common/token-types';
@ -71,6 +71,36 @@ router.post('/', async (request: express.Request, response: express.Response): P
 		}
 	}

+	if (!clientIP || clientIP === '') {
+		response.status(400).json({
+			app: 'api',
+			status: 400,
+			error: 'IP must be forwarded to check local laws'
+		});
+
+		return;
+	}
+
+	if (!birthday || birthday === '') {
+		response.status(400).json({
+			app: 'api',
+			status: 400,
+			error: 'Birthday must be set'
+		});
+
+		return;
+	}
+
+	if (!isValidBirthday(birthday)) {
+		response.status(400).json({
+			app: 'api',
+			status: 400,
+			error: 'Birthday must be a valid date'
+		});
+
+		return;
+	}
+
 	// TODO - This is kinda ugly
 	const birthdate = new Date(birthday);
 	const today = new Date();
--- a/src/util.ts
+++ b/src/util.ts
@ -338,3 +338,24 @@ export function getValueFromHeaders(headers: IncomingHttpHeaders, key: string):
 export function mapToObject(map: Map<any, any>): object {
 	return Object.fromEntries(Array.from(map.entries(), ([k, v]) => v instanceof Map ? [k, mapToObject(v)] : [k, v]));
 }
+
+export function isValidBirthday(dateString: string): boolean {
+	// * Birthdays MUST be in the format YYYY-MM-DD. This is how the
+	// * console sends them, regardless of region
+
+	// * Make sure general format is right
+	const regex = /^\d{4}-\d{2}-\d{2}$/;
+	if (!regex.test(dateString)) {
+		return false;
+	}
+
+	// * Actually check that it's a valid date
+	const parts = dateString.split('-');
+	const year = parseInt(parts[0], 10);
+	const month = parseInt(parts[1], 10);
+	const day = parseInt(parts[2], 10);
+
+	const date = new Date(year, month - 1, day);
+
+	return date.getFullYear() === year && date.getMonth() === month - 1 && date.getDate() === day;
+}