chore: update with Solidstate audit feedback

Author: zensh

src/ic_message/src/api_update.rs

@@ -10,19 +10,20 @@ use crate::{is_authenticated, store, types};
 
 #[ic_cdk::update(guard = "is_authenticated")]
 async fn register_username(username: String, name: Option<String>) -> Result<UserInfo, String> {
-    if username.len() > types::MAX_USER_SIZE {
+    if username.len() > types::MAX_USER_NAME_SIZE {
         Err("username is too long".to_string())?;
     }
     if username.starts_with("_") {
         Err("invalid username".to_string())?;
     }
+
     validate_key(&username.to_ascii_lowercase())?;
 
     if let Some(ref name) = name {
         if name.is_empty() {
             Err("name is empty".to_string())?;
         }
-        if name.len() > types::MAX_USER_NAME_SIZE {
+        if name.len() > types::MAX_DISPLAY_NAME_SIZE {
             Err("name is too long".to_string())?;
         }
         if name != name.trim() {

src/ic_message/src/types.rs

@@ -6,8 +6,8 @@ use std::collections::BTreeSet;
 pub const TOKEN_1: u64 = 100_000_000;
 pub const TOKEN_FEE: u64 = 10_000; // 0.0001 token
 pub const MIN_NAME_PRICE: u64 = TOKEN_1;
-pub const MAX_USER_NAME_SIZE: usize = 32;
-pub const MAX_USER_SIZE: usize = 20;
+pub const MAX_DISPLAY_NAME_SIZE: usize = 32;
+pub const MAX_USER_NAME_SIZE: usize = 20;
 
 #[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
 pub struct StateInfo {

src/ic_message_types/src/profile.rs

@@ -8,7 +8,9 @@ pub const MAX_PROFILE_FOLLOWING: usize = 2048;
 pub const MAX_PROFILE_BIO_SIZE: usize = 2048; // 2KB
 pub const MAX_PROFILE_LINKS: usize = 100;
 pub const MAX_PROFILE_TOKENS: usize = 100;
-
+pub const MAX_PROFILE_CHANNEL_ALIAS_LEN: usize = 20;
+pub const MAX_PROFILE_CHANNEL_TAGS_LEN: usize = 5;
+pub const MAX_PROFILE_CHANNEL_TAG_LEN: usize = 20;
 #[derive(CandidType, Clone, Debug, Deserialize, Serialize)]
 pub struct UserInfo {
     pub id: Principal,
@@ -57,6 +59,30 @@ impl UpdateProfileInput {
                 return Err(format!("bio size limit exceeded: {}", bio.len()));
             }
         }
+        // Check for conflicts in follow and unfollow
+        if !self.follow.is_disjoint(&self.unfollow) {
+            return Err("conflicting principals in follow and unfollow".to_string());
+        }
+
+        for (channel, setting) in self.upsert_channels.iter() {
+            if self.remove_channels.contains(channel) {
+                return Err(format!(
+                    "channel {:?} exists in both upsert and remove",
+                    channel
+                ));
+            }
+            if setting.alias.len() > MAX_PROFILE_CHANNEL_ALIAS_LEN {
+                return Err(format!("channel alias too long: {}", setting.alias.len()));
+            }
+            if setting.tags.len() > MAX_PROFILE_CHANNEL_TAGS_LEN {
+                return Err(format!("too many tags: {}", setting.tags.len()));
+            }
+            for tag in &setting.tags {
+                if tag.len() > MAX_PROFILE_CHANNEL_TAG_LEN {
+                    return Err(format!("tag too long: {}", tag.len()));
+                }
+            }
+        }
         Ok(())
     }
 }
@@ -98,7 +124,7 @@ impl Link {
 #[derive(CandidType, Clone, Debug, Default, Deserialize, Serialize)]
 pub struct UploadImageInput {
     pub size: u64,            // should <= 256KB
-    pub content_type: String, // image/webp or image/svg+xml
+    pub content_type: String, // "image/webp" | "image/png" | "image/jpeg" | "image/svg+xml"
 }
 
 impl UploadImageInput {