add forbidden usernames

app/auth.py

@@ -8,6 +8,17 @@ import re
 
 ph = PasswordHasher()
 
+FORBIDDEN_USERNAMES = (
+    'administrator', 'administration', 'administrators',
+    'system',
+    'mod', 'moderator', 'moderators', 'moderation',
+    'deleted-user', 'deleted_user',
+    'support',
+    #routes
+    'log-in', 'log_in', 'login',
+    'sign-up', 'sign_up', 'signup',
+)
+
 def digest(password):
     return ph.hash(password)
 
@@ -50,8 +61,11 @@ def parse_username(username: str) -> Tuple[str, str]:
     if len(username) < 3:
         raise ValueError
 
+    if username.lower() in FORBIDDEN_USERNAMES:
+        raise ValueError
+
     invalid_regex = r'[^a-zA-Z0-9_-]'
-    return username, re.sub(invalid_regex, '_', username.lower())[:24]
+    return re.sub(invalid_regex, '_', username.lower())[:24], username
 
 def is_password_valid(password: str) -> bool:
     return re.match(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,255}$', password) is not None

app/routes/threads.py

@@ -51,7 +51,7 @@ def reply(slug):
 def feed(slug):
     return 'stub'
 
-@bp.get('/new')
+@bp.get('/new/')
 @login_required
 def new():
     topics = Topics.select()

app/routes/users.py

@@ -50,7 +50,7 @@ def sign_up():
 @redirect_if_logged_in()
 def sign_up_post():
     generic_error_page = redirect(url_for('.sign_up', error='The username or password you entered is invalid.'))
-    user_exists_error_page = redirect(url_for('.sign_up', error='This username is already taken. Please pick another.'))
+    invalid_username_error_page = redirect(url_for('.sign_up', error='This username cannot be used. Please pick another.'))
     passwords_error_page = redirect(url_for('.sign_up', error='The passwords do not match.'))
     username = request.form.get('username', default='')
     if not username:
@@ -59,10 +59,13 @@ def sign_up_post():
         return generic_error_page
     if len(request.form.getlist('password')) != 2:
         return passwords_error_page
-    username_pair = parse_username(username)
+    try:
+        username_pair = parse_username(username)
+    except ValueError:
+        return invalid_username_error_page
     potential_user = Users.find({'username': username})
     if potential_user:
-        return user_exists_error_page
+        return invalid_username_error_page
 
     if request.form.getlist('password')[0] != request.form.getlist('password')[1]:
         return passwords_error_page