From 903d6a8a19905d91e21612f640ce09b7c368eb5c Mon Sep 17 00:00:00 2001
From: Emi Matchu
Date: Sun, 22 Jun 2025 11:16:26 -0700
Subject: [PATCH] Disallow email addresses in Neopets usernames

People are evading the filtering in the description and they know it! Boooo!
---
 app/assets/javascripts/closet_hangers/index.js | 5 +++++
 app/controllers/neopets_connections_controller.rb | 5 ++++-
 app/models/neopets_connection.rb | 3 ++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/assets/javascripts/closet_hangers/index.js b/app/assets/javascripts/closet_hangers/index.js
index 1226a5cd..81246b6d 100644
--- a/app/assets/javascripts/closet_hangers/index.js
+++ b/app/assets/javascripts/closet_hangers/index.js
@@ -754,6 +754,11 @@
 contactField.val(connection.id);
 submitContactForm();
 },
+ error: function (xhr) {
+ var data = JSON.parse(xhr.responseText);
+ var fullMessage = data.full_error_messages.join("\n");
+ alert("Oops, we couldn't save this username!\n\n" + fullMessage);
+ },
 });
 }
 } else {
diff --git a/app/controllers/neopets_connections_controller.rb b/app/controllers/neopets_connections_controller.rb
index da792534..65f0d108 100644
--- a/app/controllers/neopets_connections_controller.rb
+++ b/app/controllers/neopets_connections_controller.rb
@@ -5,7 +5,10 @@ class NeopetsConnectionsController < ApplicationController
 if connection.save
 render json: connection
 else
- render json: {error: 'failure'}, status: :internal_server_error
+ render json: {
+ errors: connection.errors,
+ full_error_messages: connection.errors.map(&:full_message)
+ }, status: :bad_request
 end
 end
diff --git a/app/models/neopets_connection.rb b/app/models/neopets_connection.rb
index e52560ea..a57d4167 100644
--- a/app/models/neopets_connection.rb
+++ b/app/models/neopets_connection.rb
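Review bot: In app/assets/javascripts/closet_hangers/index.js, the new `error` callback assumes every failed request carries a JSON body with a `full_error_messages` array. A timeout, a dropped connection or an HTML error page makes `JSON.parse(xhr.responseText)` throw, and a JSON body without that key makes `.join` fail, so the user sees no alert in exactly the cases where the save did not happen. Parsing inside a `try`/`catch` and falling back to a generic line keeps the alert working for every failure mode. The enclosing function and the request call start outside the hunk.

```javascript
error: function (xhr) {
  var messages = [];
  try {
    messages = JSON.parse(xhr.responseText).full_error_messages || [];
  } catch (e) {
    // Non-JSON body (network failure, HTML error page): use the fallback below.
  }
  var detail = messages.length ? messages.join("\n") : "Please try again.";
  alert("Oops, we couldn't save this username!\n\n" + detail);
},
```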
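Review bot: In app/controllers/neopets_connections_controller.rb, `connection.errors.map(&:full_message)` re-implements what `connection.errors.full_messages` already returns, so the key can read `full_error_messages: connection.errors.full_messages`. The response also serializes the whole `connection.errors` object under `errors`, but the client code added in this commit reads only `full_error_messages`; unless another caller needs it, returning just the messages keeps the response to what is consumed. A 422 status is the more usual signal for a failed validation, since 400 suggests the request itself was malformed. The action's definition starts above the hunk, so how `connection` is built is not visible here.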
@@ -1,5 +1,6 @@
 class NeopetsConnection < ApplicationRecord
 belongs_to :user
- validates :neopets_username, uniqueness: {scope: :user_id}
+ validates :neopets_username, uniqueness: {scope: :user_id},
+ format: { without: /@/, message: 'must not be an email address, for user safety' }
 end
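Review bot: The `format: { without: /@/ }` rule is a denylist for a single character, so it rejects only values containing a literal `@` and accepts any other free text in the username field. If Neopets usernames are limited to letters, digits and underscores (worth confirming against the site's own rules), an allowlist such as `format: { with: /\A[A-Za-z0-9_]+\z/ }`, with the message reworded to match, states the safety intent more tightly and also bounds what is later rendered on profile pages. The validation only runs on save, so rows stored before this commit are not re-checked; a one-off query for existing `neopets_username` values containing `@` would be needed to clean those up. A model test covering a rejected and an accepted value would pin the rule.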