From 66836f0ce97a571a4cb1d030e1aaa74c61b860cf Mon Sep 17 00:00:00 2001
From: ankushchk
Date: Sun, 29 Mar 2026 09:16:19 +0530
Subject: [PATCH] fix: block join role escalation and add username format validation

Made-with: Cursor
---
 src/worker.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/worker.py b/src/worker.py
index 9656277..95baf97 100644
--- a/src/worker.py
+++ b/src/worker.py
@@ -563,6 +563,8 @@ async def api_register(req, env):
     if not username or not email or not password:
         return err("username, email, and password are required")
+    if not re.fullmatch(r"[a-zA-Z0-9_]{3,30}", username):
+        return err("Username must be 3-30 characters and contain only letters, numbers, or underscores")
     if len(password) < 8:
         return err("Password must be at least 8 characters")
@@ -870,12 +872,11 @@ async def api_join(req, env):
         return bad_resp
     act_id = body.get("activity_id")
-    role = (body.get("role") or "participant").strip()
     if not act_id:
         return err("activity_id is required")
-    if role not in ("participant", "instructor", "organizer"):
-        role = "participant"
+
+    role = "participant"
     act = await env.DB.prepare(
         "SELECT id FROM activities WHERE id=?"
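Review bot: The new username check in the api_register hunk calls `re.fullmatch`, but the hunk does not show a `re` import; if src/worker.py does not already import it at module level, every registration attempt raises NameError right after the required-fields check, so please confirm the import exists. Assuming it does, consider hoisting the pattern to a module-level compiled constant, e.g. `USERNAME_RE = re.compile(r"[a-zA-Z0-9_]{3,30}")` and `if not USERNAME_RE.fullmatch(username):`, so the accepted format is declared once and can be reused by any other handler that accepts a username (a profile-update path, if one exists, would otherwise still admit names this check rejects). `re.fullmatch` with an explicit ASCII class is the right choice here: it anchors both ends and excludes the Unicode letters and digits that `\w` or `\d` would allow. api_register begins before this hunk and continues past it.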