add: simple validation and sanitizing

src/routes/signup/+page.server.ts

@@ -5,6 +5,7 @@ import { users } from '$lib/server/schema';
 import { eq } from 'drizzle-orm';
 import bcrypt from 'bcrypt';
 import { env } from '$env/dynamic/private';
+import { sanitizeString, sanitizeUsername } from '$lib/server/validation';
 
 export const load: PageServerLoad = async () => {
 	// Determine which OAuth providers are available
@@ -31,12 +32,18 @@ export const actions: Actions = {
 		const password = formData.get('password') as string;
 		const confirmPassword = formData.get('confirmPassword') as string;
 
-		if (!name?.trim()) {
-			return fail(400, { error: 'Name is required', name, username });
+		let sanitizedUsername: string;
+		let sanitizedName: string | null;
+
+		try {
+			sanitizedName = sanitizeString(name, 100);
+			sanitizedUsername = sanitizeUsername(username);
+		} catch (error) {
+			return fail(400, { error: 'Invalid input', name, username });
 		}
 
-		if (!username?.trim()) {
-			return fail(400, { error: 'Username is required', name, username });
+		if (!sanitizedName) {
+			return fail(400, { error: 'Name is required', name, username });
 		}
 
 		if (!password || password.length < 8) {
@@ -48,7 +55,7 @@ export const actions: Actions = {
 		}
 
 		const existingUser = await db.query.users.findFirst({
-			where: eq(users.username, username.trim().toLowerCase())
+			where: eq(users.username, sanitizedUsername)
 		});
 
 		if (existingUser) {
@@ -58,8 +65,8 @@ export const actions: Actions = {
 		const hashedPassword = await bcrypt.hash(password, 10);
 
 		await db.insert(users).values({
-			name: name.trim(),
-			username: username.trim().toLowerCase(),
+			name: sanitizedName,
+			username: sanitizedUsername,
 			password: hashedPassword
 		});