From 8c2e898bd417b28eb90489ad3b2577dba4fad266 Mon Sep 17 00:00:00 2001
From: multipleof4
Date: Sun, 28 Sep 2025 12:07:19 -0700
Subject: [PATCH] Feat: Add reserved word validation for custom slugs
---
functions/api/links/create.js | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/functions/api/links/create.js b/functions/api/links/create.js
index b97086b..d5bcc31 100644
--- a/functions/api/links/create.js
+++ b/functions/api/links/create.js
@@ -1,2 +1 @@ -const genSlug=l=>[...Array(l)].map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"[Math.random()*62|0]).join(""); -export async function onRequestPost({request,env}){try{const{destination_url,slug,username,pass_hash}=await request.json();if(!destination_url||!username||!pass_hash)return new Response("Missing fields",{status:400});const user=await env.D1_EV.prepare("SELECT pass_hash, custom_slugs FROM users WHERE username = ?").bind(username).first();if(user?.pass_hash!==pass_hash)return new Response("Invalid credentials",{status:401});let finalSlug=slug;if(finalSlug){if(!/^[a-zA-Z0-9-]{3,32}$/.test(finalSlug)||await env.KV_EV.get(finalSlug))return new Response("Invalid or taken slug",{status:400})}else{do{finalSlug=genSlug(6)}while(await env.KV_EV.get(finalSlug))}let dest=destination_url.startsWith("http")?destination_url:`https://${destination_url}`;try{new URL(dest)}catch{return new Response("Invalid destination URL",{status:400})}const storedDest=dest.replace(/^https?:\/\//,"");let s;try{s=JSON.parse(user.custom_slugs)}catch(e){}const customSlugs=Array.isArray(s)?s:[];customSlugs.push(finalSlug);await Promise.all([env.KV_EV.put(finalSlug,storedDest),env.D1_EV.prepare("UPDATE users SET custom_slugs = ? 
WHERE username = ?").bind(JSON.stringify(customSlugs),username).run()]);return Response.json({slug:finalSlug},{status:201})}catch(e){return new Response(e.message,{status:500})}} +const genSlug=l=>[...Array(l)].map(()=>"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"[Math.random()*62|0]).join("");const R=new Set(['api','dash','admin','login','logout','signin','signup','register','account','settings','profile','password','user','users','link','links','url','urls','robots','sitemap','favicon','well-known','assets','static','img','js','css','public']);export async function onRequestPost({request,env}){try{const{destination_url,slug,username,pass_hash}=await request.json();if(!destination_url||!username||!pass_hash)return new Response("Missing fields",{status:400});const user=await env.D1_EV.prepare("SELECT pass_hash, custom_slugs FROM users WHERE username = ?").bind(username).first();if(user?.pass_hash!==pass_hash)return new Response("Invalid credentials",{status:401});let finalSlug=slug;if(finalSlug){if(R.has(finalSlug.toLowerCase())||!/^[a-zA-Z0-9-]{3,32}$/.test(finalSlug)||await env.KV_EV.get(finalSlug))return new Response("Invalid or taken slug",{status:400})}else{do{finalSlug=genSlug(6)}while(await env.KV_EV.get(finalSlug))}let dest=destination_url.startsWith("http")?destination_url:`https://${destination_url}`;try{new URL(dest)}catch{return new Response("Invalid destination URL",{status:400})}const storedDest=dest.replace(/^https?:\/\//,"");let s;try{s=JSON.parse(user.custom_slugs)}catch(e){}const customSlugs=Array.isArray(s)?s:[];customSlugs.push(finalSlug);await Promise.all([env.KV_EV.put(finalSlug,storedDest),env.D1_EV.prepare("UPDATE users SET custom_slugs = ? WHERE username = ?").bind(JSON.stringify(customSlugs),username).run()]);return Response.json({slug:finalSlug},{status:201})}catch(e){return new Response(e.message,{status:500})}}
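Review bot: The new `R.has(finalSlug.toLowerCase())` test is the first thing evaluated on the request-supplied `slug`, so a truthy non-string value (`123`, `[]`, `{}`) now throws a TypeError that falls into the outer catch and returns a 500 carrying the raw error text, where the old regex test coerced the value and the intent of this branch is a 400. A type guard in front closes that: `if(typeof finalSlug!=="string"||R.has(finalSlug.toLowerCase())||!/^[a-zA-Z0-9-]{3,32}$/.test(finalSlug)||await env.KV_EV.get(finalSlug))return new Response("Invalid or taken slug",{status:400})`. The reserved set is also consulted only on the custom-slug branch; the `do…while` that draws `genSlug(6)` can still land on a six-letter entry such as `signin`, `signup`, `static` or `public`, so the loop condition should read `do{finalSlug=genSlug(6)}while(R.has(finalSlug.toLowerCase())||await env.KV_EV.get(finalSlug))`. Unchanged by this patch but worth tracking in the same handler: the `KV_EV.get` availability check followed by `KV_EV.put` is not atomic, so two concurrent requests for one slug can both pass validation and the later write silently overwrites the earlier one, and the credential check compares a client-supplied `pass_hash` to the stored value with `!==`, which makes the stored hash itself a bearer secret compared in non-constant time.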