add forbidden usernames

app/auth.py

@@ -8,6 +8,17 @@ import re
 
 ph = PasswordHasher()
 
+FORBIDDEN_USERNAMES = (
+    'administrator', 'administration', 'administrators',
+    'system',
+    'mod', 'moderator', 'moderators', 'moderation',
+    'deleted-user', 'deleted_user',
+    'support',
+    #routes
+    'log-in', 'log_in', 'login',
+    'sign-up', 'sign_up', 'signup',
+)
+
 def digest(password):
     return ph.hash(password)
 
@@ -50,8 +61,11 @@ def parse_username(username: str) -> Tuple[str, str]:
     if len(username) < 3:
         raise ValueError
 
+    if username.lower() in FORBIDDEN_USERNAMES:
+        raise ValueError
+
     invalid_regex = r'[^a-zA-Z0-9_-]'
-    return username, re.sub(invalid_regex, '_', username.lower())[:24]
+    return re.sub(invalid_regex, '_', username.lower())[:24], username
 
 def is_password_valid(password: str) -> bool:
     return re.match(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,255}$', password) is not None