3 files changed, 42 insertions, 1 deletions

diff --git a/src/invite/app.rs b/src/invite/app.rs
index 176075f..182eb67 100644
--- a/src/invite/app.rs
+++ b/src/invite/app.rs
@@ -6,7 +6,7 @@ use crate::{
     clock::DateTime,
     db::{Duplicate as _, NotFound as _},
     event::{repo::Provider as _, Broadcaster, Event},
-    login::{repo::Provider as _, Login, Password},
+    login::{repo::Provider as _, validate, Login, Password},
     name::Name,
     token::{repo::Provider as _, Secret},
 };
@@ -44,6 +44,10 @@ impl<'a> Invites<'a> {
         password: &Password,
         accepted_at: &DateTime,
     ) -> Result<(Login, Secret), AcceptError> {
+        if !validate::name(name) {
+            return Err(AcceptError::InvalidName(name.clone()));
+        }
+
         let mut tx = self.db.begin().await?;
         let invite = tx
             .invites()
@@ -92,6 +96,8 @@ impl<'a> Invites<'a> {
 pub enum AcceptError {
     #[error("invite not found: {0}")]
     NotFound(Id),
+    #[error("invalid login name: {0}")]
+    InvalidName(Name),
     #[error("name in use: {0}")]
     DuplicateLogin(Name),
     #[error(transparent)]
diff --git a/src/invite/routes/invite/post.rs b/src/invite/routes/invite/post.rs
index 627eca3..bb68e07 100644
--- a/src/invite/routes/invite/post.rs
+++ b/src/invite/routes/invite/post.rs
@@ -45,6 +45,9 @@ impl IntoResponse for Error {
         let Self(error) = self;
         match error {
             app::AcceptError::NotFound(_) => NotFound(error).into_response(),
+            app::AcceptError::InvalidName(_) => {
+                (StatusCode::BAD_REQUEST, error.to_string()).into_response()
+            }
             app::AcceptError::DuplicateLogin(_) => {
                 (StatusCode::CONFLICT, error.to_string()).into_response()
             }
diff --git a/src/invite/routes/invite/test/post.rs b/src/invite/routes/invite/test/post.rs
index 65ab61e..40e0580 100644
--- a/src/invite/routes/invite/test/post.rs
+++ b/src/invite/routes/invite/test/post.rs
@@ -206,3 +206,35 @@ async fn conflicting_name() {
         matches!(error, AcceptError::DuplicateLogin(error_name) if error_name == conflicting_name)
     );
 }
+
+#[tokio::test]
+async fn invalid_name() {
+    // Set up the environment
+
+    let app = fixtures::scratch_app().await;
+    let issuer = fixtures::login::create(&app, &fixtures::now()).await;
+    let invite = fixtures::invite::issue(&app, &issuer, &fixtures::now()).await;
+
+    // Call the endpoint
+
+    let name = fixtures::login::propose_invalid_name();
+    let password = fixtures::login::propose_password();
+    let identity = fixtures::cookie::not_logged_in();
+    let request = post::Request {
+        name: name.clone(),
+        password: password.clone(),
+    };
+    let post::Error(error) = post::handler(
+        State(app.clone()),
+        fixtures::now(),
+        identity,
+        Path(invite.id),
+        Json(request),
+    )
+    .await
+    .expect_err("using an invalid name should fail");
+
+    // Verify the response
+
+    assert!(matches!(error, AcceptError::InvalidName(error_name) if name == error_name));
+}