Fix signup validation and recaptcha handling #1483

Open
MerwinJoshwa wants to merge 1 commit into fossasia:development from MerwinJoshwa:b1

MerwinJoshwa commented Feb 8, 2026

Fixes #1476

Changes:

  • Fixed signup validation to handle invalid inputs properly
  • Improved error handling during signup to prevent failures
  • Ensured reCAPTCHA validation is checked before processing signup

Screenshots for the change:

  • Not applicable (backend-only changes)

Summary by Sourcery

Improve signup validation robustness and reCAPTCHA enforcement in the signup API.

Bug Fixes:

  • Reject signup requests with missing or whitespace-only signup or password values.
  • Ensure reCAPTCHA validation requires a non-empty token and fails cleanly when it is absent or invalid.

Enhancements:

  • Apply minor code style and readability improvements in the signup service, including clearer conditionals and error handling structure.

sourcery-ai bot commented Feb 8, 2026

Reviewer's Guide

Adjusts signup flow validation and reCAPTCHA handling to reject empty/whitespace inputs earlier while tightening reCAPTCHA checks, and makes minor style/robustness fixes in the signup service.

Sequence diagram for updated signup validation and reCAPTCHA flow

sequenceDiagram
    actor User
    participant FrontendApp
    participant SignUpService
    participant DAO
    participant VerifyRecaptcha

    User->>FrontendApp: submit signup(signup, password, g_recaptcha_response)
    FrontendApp->>SignUpService: HTTP POST /signup

    SignUpService->>SignUpService: trim signup, password
    alt signup or password empty
        SignUpService-->>FrontendApp: 422 signup or password empty
        FrontendApp-->>User: show validation error
    else inputs present
        SignUpService->>SignUpService: validate email pattern
        alt invalid email
            SignUpService-->>FrontendApp: 422 invalid email
            FrontendApp-->>User: show email error
        else valid email
            SignUpService->>DAO: getAuthentication(signup)
            DAO-->>SignUpService: Authentication
            alt user already exists
                SignUpService-->>FrontendApp: 422 user already exists
                FrontendApp-->>User: show user exists error
            else new user
                SignUpService->>DAO: getConfig users.captcha.signup
                DAO-->>SignUpService: isSignUpCaptchaEnabled
                alt captcha enabled
                    SignUpService->>SignUpService: read g-recaptcha-response
                    alt empty or missing
                        SignUpService-->>FrontendApp: 422 Please verify recaptcha
                        FrontendApp-->>User: show recaptcha required
                    else present
                        SignUpService->>VerifyRecaptcha: verify(g_recaptcha_response)
                        VerifyRecaptcha-->>SignUpService: boolean
                        alt verification failed
                            SignUpService-->>FrontendApp: 422 Please verify recaptcha
                            FrontendApp-->>User: show recaptcha error
                        else verification ok
                            SignUpService->>DAO: create user, store credentials
                            DAO-->>SignUpService: success
                            SignUpService-->>FrontendApp: 200 signup success
                            FrontendApp-->>User: show success
                        end
                    end
                else captcha disabled
                    SignUpService->>DAO: create user, store credentials
                    DAO-->>SignUpService: success
                    SignUpService-->>FrontendApp: 200 signup success
                    FrontendApp-->>User: show success
                end
            end
        end
    end

Class diagram for SignUpService and related components after validation changes

classDiagram

    class SignUpService {
        +JSONObject getDefaultPermissions(UserRole baseUserRole)
        +ServiceResponse serviceImpl(Query post, HttpServletResponse response, Authorization authorization)
        -String getVerificationMailContent(String token, String userId) throws APIException
    }

    class Query {
        +String get(String key, String defaultValue)
    }

    class Authorization {
        +ClientIdentity getIdentity()
        +void setUserRole(UserRole role)
    }

    class ClientIdentity {
        +String getName()
        +boolean isEmail()
    }

    class ClientCredential {
        <<enumeration>> Type
        +Type type
        +String name
        +ClientCredential(Type type, String name)
    }

    class Authentication {
        +boolean exists()
    }

    class DAO {
        +static String getConfig(String key, String defaultValue)
        +static Authentication getAuthentication(ClientCredential credential)
    }

    class VerifyRecaptcha {
        +static boolean verify(String gRecaptchaResponse)
    }

    class EmailHandler {
        +static String EMAIL_PATTERN
    }

    class TimeoutMatcher {
        +TimeoutMatcher(java.util.regex.Matcher matcher)
        +boolean matches()
    }

    class UserRole {
        <<enumeration>>
        SUPERADMIN
        ADMIN
        OPERATOR
        USER
    }

    class ServiceResponse
    class JSONObject
    class HttpServletResponse
    class APIException

    SignUpService --> Query : uses
    SignUpService --> Authorization : uses
    SignUpService --> ClientIdentity : uses
    SignUpService --> ClientCredential : creates
    SignUpService --> Authentication : uses
    SignUpService --> DAO : uses
    SignUpService --> VerifyRecaptcha : verifies
    SignUpService --> EmailHandler : uses pattern
    SignUpService --> TimeoutMatcher : uses
    SignUpService --> ServiceResponse : returns
    SignUpService --> JSONObject : builds permissions
    SignUpService --> HttpServletResponse : writes response
    SignUpService --> APIException : throws
    Authorization --> UserRole : sets
    ClientCredential --> ClientCredential.Type : has

File-Level Changes

Change: Harden signup field validation to correctly reject empty or whitespace-only credentials before proceeding.
Details:
  • Normalize signup and password values by defaulting to empty strings and trimming whitespace
  • Treat empty or whitespace-only signup or password as a 422 error with the existing "signup or password empty" response
  • Remove now-unnecessary null-based retrieval of signup and password after the emptiness check
Files: src/ai/susi/server/api/aaa/SignUpService.java

Change: Tighten reCAPTCHA validation so missing or empty tokens are rejected and keep verification logic centralized.
Details:
  • Default the g-recaptcha-response parameter to an empty string instead of null
  • Reject the request when the reCAPTCHA parameter is empty or when VerifyRecaptcha.verify returns false with a 422 error
  • Keep the reCAPTCHA check gated behind the existing isSignUpCaptchaEnabled flag
Files: src/ai/susi/server/api/aaa/SignUpService.java

Change: Apply minor robustness and formatting improvements across the signup service.
Details:
  • Normalize switch and if/else brace spacing to project style
  • Guard host.url lookup with a block-style null check that throws a 500 APIException when misconfigured
  • Remove stray blank lines and align parameter documentation in getVerificationMailContent Javadoc
Files: src/ai/susi/server/api/aaa/SignUpService.java

Assessment against linked issues

Issue Objective Addressed Explanation
#1476 Fix the signup backend so that valid signup attempts (with non-empty email and password) are accepted and processed correctly.
#1476 Ensure reCAPTCHA is correctly validated during signup so it does not wrongly block valid signup attempts.


sourcery-ai bot left a comment

Hey - I've reviewed your changes and they look great!

Development

Successfully merging this pull request may close these issues.

Cannot sign up for the susi ai
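
The validation order in the reviewer's guide sequence diagram, as an added example that is not the project's SignUpService code or part of this pull request. The class and method names, the simplified email pattern, and the `userExists` and `captchaVerifier` stand-ins are assumptions; the 422 messages are the labels shown in the diagram.

```java
import java.util.function.Predicate;
import java.util.regex.Pattern;

public class SignupValidationSketch {
    // Simplified pattern for illustration; not the project's EmailHandler.EMAIL_PATTERN.
    static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    /** Returns null when signup may proceed, otherwise the message for a 422 response. */
    static String validate(String signup, String password, String captchaToken,
                           boolean captchaEnabled,
                           Predicate<String> userExists,        // hypothetical account lookup
                           Predicate<String> captchaVerifier) { // hypothetical remote verifier
        // Default to empty and trim, so null and whitespace-only values are treated alike.
        String s = signup == null ? "" : signup.trim();
        String p = password == null ? "" : password.trim();
        if (s.isEmpty() || p.isEmpty()) return "signup or password empty";
        if (!EMAIL.matcher(s).matches()) return "invalid email";
        if (userExists.test(s)) return "user already exists";
        if (captchaEnabled) {
            String t = captchaToken == null ? "" : captchaToken;
            // Fail closed: a missing token is rejected without calling the verifier,
            // and a failed verification gets the same response.
            if (t.isEmpty() || !captchaVerifier.test(t)) return "Please verify recaptcha";
        }
        return null;
    }

    public static void main(String[] args) {
        Predicate<String> exists = "taken@example.org"::equals; // constructed account store
        Predicate<String> verifier = "good-token"::equals;      // constructed verifier result
        String[][] cases = {                                     // constructed requests
            {"   ", "pw", "good-token"},
            {"not-an-email", "pw", "good-token"},
            {"taken@example.org", "pw", "good-token"},
            {"new@example.org", "pw", null},
            {"new@example.org", "pw", "bad-token"},
            {" new@example.org ", "pw", "good-token"},
        };
        for (String[] c : cases) {
            String err = validate(c[0], c[1], c[2], true, exists, verifier);
            System.out.println(err == null ? "200 signup may proceed" : "422 " + err);
        }
    }
}
```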