Username has no maximum length enforced #52
Description
Summary
In internal/service/user.go:170-250, ValidateUsername enforces a minimum length of 3 characters but no maximum. A user can submit a username of arbitrary length, which:
- Wastes database storage (unbounded
VARCHAR) - Slows down the profanity detector (
goaway) which processes the full string - Can cause UI rendering issues in clients expecting short display names
- Could be used as a minor DoS vector
Suggested Fix
Add a max length check:
const maxUsernameLength = 30
if len(username) > maxUsernameLength {
return fmt.Errorf("username must be at most %d characters", maxUsernameLength)
}Also consider adding a DB-level constraint if not already present.