From 80acec720c33149ec50e112c928fc6c8dd118bc2 Mon Sep 17 00:00:00 2001
From: Yuri Tatishchev
Date: Thu, 9 Jan 2025 14:44:48 -0800
Subject: [PATCH] opnsense: sanitize usernames for creating peers
---
 src/lib/opnsense/index.ts | 3 +++
 src/lib/server/devices.ts | 3 ++-
 src/routes/api/connections/+server.ts | 10 ++++------
 3 files changed, 9 insertions(+), 7 deletions(-)
 create mode 100644 src/lib/opnsense/index.ts
diff --git a/src/lib/opnsense/index.ts b/src/lib/opnsense/index.ts
new file mode 100644
index 0000000..a4e9e24
--- /dev/null
+++ b/src/lib/opnsense/index.ts
@@ -0,0 +1,3 @@
+export function opnsenseSanitezedUsername(username: string) {
+ return username.slice(0, 63).replace(/[^a-zA-Z0-9_-]/g, '_');
+}
diff --git a/src/lib/server/devices.ts b/src/lib/server/devices.ts
index eda67e9..6366dca 100644
--- a/src/lib/server/devices.ts
+++ b/src/lib/server/devices.ts
@@ -7,6 +7,7 @@ import { env } from '$env/dynamic/private';
 import { and, count, eq, isNull } from 'drizzle-orm';
 import { err, ok, type Result } from '$lib/types';
 import type { DeviceDetails } from '$lib/devices';
+import { opnsenseSanitezedUsername } from '$lib/opnsense';
 
 export async function findDevices(userId: string) {
 return db.query.devices.findMany({
@@ -196,7 +197,7 @@ async function opnsenseCreateClient(params: {
 body: JSON.stringify({
 configbuilder: {
 enabled: '1',
- name: `vpgen-${params.username}`,
+ name: `vpgen-${opnsenseSanitezedUsername(params.username)}`,
 pubkey: params.pubkey,
 psk: params.psk,
 tunneladdress: params.allowedIps,
diff --git a/src/routes/api/connections/+server.ts b/src/routes/api/connections/+server.ts
index 0da2b6d..f149152 100644
--- a/src/routes/api/connections/+server.ts
+++ b/src/routes/api/connections/+server.ts
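Review bot: The 63-character slice in `opnsenseSanitezedUsername` does not account for the `vpgen-` prefix that both callers prepend (the `name` line in src/lib/server/devices.ts and the `searchPhrase` line in src/routes/api/connections/+server.ts), so a long username still produces a 69-character name; if the 64-character limit mentioned in the +server.ts comment applies to the whole peer name, the slice should be `username.slice(0, 58)` or the prefix should be passed in so the budget is computed in one place. Truncating and replacing characters is also lossy: distinct usernames can map to the same string (`a.b` and `a_b` both become `a_b`), and because that same string is the `searchPhrase` used to look up a user's peers, a collision would let one user's lookup return another user's peers; the existing TODO about a more unique search phrase becomes more pressing after this change, and a stable per-user id in the name would resolve it. The exported function also lacks a return type and a doc comment; I would write `export function opnsenseSanitizedUsername(username: string): string {` (fixing the "Sanitezed" typo at the two call sites too) with a one-line TSDoc stating that the mapping is lossy and is only meant to satisfy the OPNsense name field.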
@@ -4,6 +4,7 @@ import { opnsenseAuth, opnsenseUrl } from '$lib/server/opnsense';
 import type { OpnsenseWgPeers } from '$lib/opnsense/wg';
 import { findDevices } from '$lib/server/devices';
 import type { ConnectionDetails } from '$lib/connections';
+import { opnsenseSanitezedUsername } from '$lib/opnsense';
 
 export const GET: RequestHandler = async (event) => {
 if (!event.locals.user) {
@@ -50,8 +51,7 @@ export const GET: RequestHandler = async (event) => {
 };
 
 async function fetchOpnsensePeers(username: string) {
- const apiUrl = `${opnsenseUrl}/api/wireguard/service/show`;
- const options: RequestInit = {
+ const res = await fetch(`${opnsenseUrl}/api/wireguard/service/show`, {
 method: 'POST',
 headers: {
 Authorization: opnsenseAuth,
@@ -65,11 +65,9 @@ async function fetchOpnsensePeers(username: string) {
 // TODO: use a more unique search phrase
 // unfortunately 64 character limit,
 // but it should be fine if users can't change their own username
- searchPhrase: `vpgen-${username}`,
+ searchPhrase: `vpgen-${opnsenseSanitezedUsername(username)}`,
 type: ['peer'],
 }),
-};
-
- const res = await fetch(apiUrl, options);
+});
 return (await res.json()) as OpnsenseWgPeers;
 }
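Review bot: `fetchOpnsensePeers` still has no declared return type after the rewrite that inlines the `fetch` call; since the function ends by casting the JSON to `OpnsenseWgPeers`, annotate it as `async function fetchOpnsensePeers(username: string): Promise<OpnsenseWgPeers> {` so the cast is checked against the signature and callers do not depend on inference. The options object opened on the new `fetch` line is closed in the next hunk, and the function body continues beyond this one.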
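Review bot: The response of the rewritten `fetch` call is passed straight to `res.json()` on the line after the new `});`, with no check of `res.ok`, so an OPNsense error response (authentication failure, 4xx/5xx) is parsed and then cast to `OpnsenseWgPeers` as if it were a peer list. Adding `if (!res.ok) throw new Error('opnsense peer lookup failed: ' + res.status);` before the return would surface the failure to the caller instead of returning a mistyped object, and the `as OpnsenseWgPeers` assertion on external data would still deserve a runtime shape check. The start of `fetchOpnsensePeers` lies outside this hunk.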