[ZendTo] Limit authentication by user-name

John Thurston john.thurston at alaska.gov
Thu Jun 16 00:02:32 BST 2022


Experimentation shows I can get the behavior I seek by prepending
   (?!.*-(foo|bar|baz)$)
to the default usernameRegexp (well, prepending it to the expression, 
not the string. So stuffing it between the / and the ^)

The result is a line in the log, of the form:
   Warning: illegal username "jimmy-joe-foo" attempted to login

I still haven't found an exclusion regexp, so this may have to do.



--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

On 6/15/2022 12:08 PM, John Thurston via ZendTo wrote:
> We expect internal users to authenticate to ZendTo to perform their
> transfers. There is a subset of accounts we think should _not_ be
> allowed to authenticate. These accounts are recognizable because their
> usernames end with magic strings:
>    -foo
>    -bar
> 
> I see 'usernameRegexp' in the config file:
>    // Regular expression defining a valid username for the Login page.
>    // Usually no need to change this.
>    'usernameRegexp'    => '/^([a-zA-Z0-9][a-zA-Z0-9\_\.\-\@\\\]*)$/i',
> 
> Is this where I might try to hack together a regexp which would fail to
> match those magic strings?
> 
> Is there a different regexp (which I have not yet found) which defines
> an exclusion list of usernames?
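
The check described in the reply above, as an added example that is not part of the original messages or of ZendTo: a stand-alone PHP script that runs the default pattern and the lookahead-prefixed pattern over constructed usernames. The helper name `isAllowed` and every sample username are assumptions made for illustration.

```php
<?php
// Added example, not ZendTo code. The first pattern is the default quoted in
// the thread; the second has the lookahead placed between the "/" and the "^".
$default  = '/^([a-zA-Z0-9][a-zA-Z0-9\_\.\-\@\\\]*)$/i';
$filtered = '/(?!.*-(foo|bar|baz)$)^([a-zA-Z0-9][a-zA-Z0-9\_\.\-\@\\\]*)$/i';

// Hypothetical helper: true when the username passes the pattern.
function isAllowed(string $pattern, string $username): bool
{
    return preg_match($pattern, $username) === 1;
}

// Constructed usernames => whether $filtered is expected to accept them.
$samples = [
    'jimmy-joe'             => true,
    'jimmy-joe-foo'         => false, // blocked suffix
    'jimmy-joe-baz'         => false,
    'jimmy-joe-BAR'         => false, // the trailing /i applies to the lookahead too
    'foo-jimmy'             => true,  // suffix text at the start is not a suffix
    'jimmy-food'            => true,  // "-foo" must be the very end
    'svc.foo'               => true,  // no hyphen in front of "foo"
    'jimmy-foo@example.org' => true,  // only the end of the whole string is tested
];

$failures = 0;
foreach ($samples as $name => $expected) {
    $before = isAllowed($default, $name);
    $after  = isAllowed($filtered, $name);
    $status = ($after === $expected) ? 'as expected' : 'UNEXPECTED';
    $failures += ($after === $expected) ? 0 : 1;
    printf("%-22s default=%-6s filtered=%-6s %s\n", $name,
        $before ? 'allow' : 'deny', $after ? 'allow' : 'deny', $status);
}

// The lookahead's parentheses become capture group 1, so the username moves
// from group 1 to group 2. Writing (?:foo|bar|baz) would keep it in group 1.
preg_match($filtered, 'jimmy-joe', $m);
printf("group 1 = '%s', group 2 = '%s'\n", $m[1], $m[2]);

exit($failures === 0 ? 0 : 1);
```

Running a table like this against the real account naming scheme before editing the config shows which login forms the suffix rule covers and which it does not.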


