From ae98162b2151b0a6fe21e64f6bcbc11418c7471f Mon Sep 17 00:00:00 2001
From: Oleksii Holub <1935960+Tyrrrz@users.noreply.github.com>
Date: Fri, 23 Aug 2024 22:38:01 +0300
Subject: [PATCH] Add hacky validation for hints during registration (#695)

---
 .../Pages/App/Playground/NewAccount.cshtml    | 26 ++++++++++++++-----
 .../Pages/App/Playground/NewAccount.cshtml.cs |  2 +-
 2 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml b/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml
index 08bac95d1..246a922e6 100644
--- a/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml
+++ b/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml
@@ -119,10 +119,25 @@ document.addEventListener('DOMContentLoaded', function() {
     document.getElementById('register-btn').addEventListener('click', (e) => createNewAccount(e));
 
 const createNewAccount = async (e) => {
-    let form = document.getElementById("registration-form");
+    const form = document.getElementById("registration-form");
     const data = new FormData(form);
 
-    let req = await fetch("?handler=token", {
+    // Validation
+    if (data.get("hints")) {
+        const hints = data.get("hints").split(",").map(h => h.trim().toLowerCase());
+
+        if (new Set(hints).size !== hints.length) {
+            alert("You cannot provide duplicate hints.");
+            return;
+        }
+
+        if (!hints.every(h => ["client-device", "security-key", "hybrid"].includes(h))) {
+            alert("Hint values must be either 'client-device', 'security-key', or 'hybrid'.");
+            return;
+        }
+    }
+
+    const res = await fetch("?handler=token", {
         method: "post",
         body: data,
         headers: {
@@ -130,8 +145,8 @@ const createNewAccount = async (e) => {
         }
     });
 
-    if (req.ok) {
-        const { token } = await req.json();
+    if (res.ok) {
+        const { token } = await res.json();
         const nicknameForDevice = data.get("nickname");
         const { error } = await p.register(token, nicknameForDevice);
 
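Review bot: The validation in the first hunk normalises each hint with `trim().toLowerCase()` but never writes the result back, so an input such as `"Hybrid "` passes the check while the untouched FormData is what is posted to `?handler=token`; adding `data.set("hints", hints.join(","));` after the two checks keeps what was validated and what is sent identical. The `split(",")` also keeps empty entries, so a trailing comma (`hybrid,`) yields `""` and trips the allowed-values message even though the handler hunk in NewAccount.cshtml.cs discards empties with RemoveEmptyEntries; `.filter(h => h !== "")` before the checks mirrors that. As the commit title concedes, this check lives only in the browser: as far as the NewAccount.cshtml.cs hunk shows, OnPostToken passes the split values straight through, so the allowed set is a UX aid here and any actual enforcement has to happen server-side or in the API the token request reaches. Hoisting the literal list to a `const ALLOWED_HINTS = new Set(["client-device", "security-key", "hybrid"]);` above createNewAccount would also keep the check and the alert text from drifting apart.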
@@ -144,8 +159,7 @@ const createNewAccount = async (e) => {
     } else {
         const container = document.getElementById("error-message-summary-container");
         const field = container.getElementsByClassName("alert-box-message")[0];
-        const body = await req.text();
-        const problemDetails = JSON.parse(body);
+        const problemDetails = await res.json();
         field.textContent = problemDetails.title;
         container.classList.remove("hidden");
     }
diff --git a/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml.cs b/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml.cs
index 2d0d422bf..f721d911f 100644
--- a/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml.cs
+++ b/src/AdminConsole/Pages/App/Playground/NewAccount.cshtml.cs
@@ -26,7 +26,7 @@ public async Task OnPostToken(string name, string email, string a
         Aliases = [email],
         AliasHashing = false,
         Attestation = attestation,
-        Hints = hints?.Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries)
+        Hints = hints?.Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries) ?? []
     });
 
     return new JsonResult(token);
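Review bot: `await res.json()` on the error branch assumes every non-OK response carries a JSON problem-details body; an HTML or empty body from a proxy or an unhandled server error makes that call reject, the click handler's promise fails unhandled, and the error container is never shown. The old `JSON.parse(body)` failed the same way, so this is not a regression, but the rewrite is the natural moment to parse inside a try/catch and fall back to the HTTP status, and to read `problemDetails?.title` so a JSON body without that field still produces a message. createNewAccount begins in the first hunk of this file, outside this one.
```javascript
        // … unchanged: container / field lookup …
        let problemDetails;
        try {
            problemDetails = await res.json();
        } catch {
            // Non-JSON error body (e.g. HTML from a proxy): surface the HTTP status instead.
            problemDetails = { title: `Request failed: ${res.status} ${res.statusText}` };
        }
        field.textContent = problemDetails?.title ?? "Request failed";
        // … unchanged: container.classList.remove("hidden") …
```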