fix: Forbid registering users with a non-local localpart

2026-02-20 20:39:38 -05:00 · 2026-02-20 20:39:38 -05:00 · d9537e9b55
commit d9537e9b55
parent 0d1de70d8f
2 changed files with 13 additions and 0 deletions
--- a/src/api/client/account.rs
+++ b/src/api/client/account.rs
@ -252,6 +252,13 @@ pub(crate) async fn register_route(
 						}
 					}

+					// Don't allow registration with user IDs that aren't local
+					if !services.globals.user_is_local(&user_id) {
+						return Err!(Request(InvalidUsername(
+							"Username {body_username} is not local to this server"
+						)));
+					}
+
 					user_id
 				},
 				| Err(e) => {
--- a/src/service/users/mod.rs
+++ b/src/service/users/mod.rs
@ -184,6 +184,12 @@ impl Service {
 		password: Option<&str>,
 		origin: Option<&str>,
 	) -> Result<()> {
+		if !self.services.globals.user_is_local(user_id)
+			&& (password.is_some() || origin.is_some())
+		{
+			return Err!("Cannot create a nonlocal user with a set password or origin");
+		}
+
 		self.db
 			.userid_origin
 			.insert(user_id, origin.unwrap_or("password"));