feat: add PATCH request support, expand PATCH /users/@me, serialize enums correctly

2024-07-12 17:12:24 +02:00 · 2024-07-12 17:12:24 +02:00 · e95e0a79ff
commit e95e0a79ff
parent d6c9345dba
20 changed files with 427 additions and 48 deletions
--- a/Foxnouns.Backend/Config.cs
+++ b/Foxnouns.Backend/Config.cs
@ -6,7 +6,8 @@ public class Config
 {
    public string Host { get; init; } = "localhost";
    public int Port { get; init; } = 3000;
-    public string BaseUrl { get; init; } = null!;
+    public string BaseUrl { get; set; } = null!;
    public string MediaBaseUrl { get; set; } = null!;
    public string Address => $"http://{Host}:{Port}";
--- a/Foxnouns.Backend/Controllers/Authentication/DiscordAuthController.cs
+++ b/Foxnouns.Backend/Controllers/Authentication/DiscordAuthController.cs
@ -48,7 +48,7 @@ public class DiscordAuthController(
    public async Task<IActionResult> RegisterAsync([FromBody] AuthController.OauthRegisterRequest req)
    {
        var remoteUser = await keyCacheSvc.GetKeyAsync<RemoteAuthService.RemoteUser>($"discord:{req.Ticket}");
-        if (remoteUser == null) throw new ApiError.BadRequest("Invalid ticket");
+        if (remoteUser == null) throw new ApiError.BadRequest("Invalid ticket", "ticket");
        if (await db.AuthMethods.AnyAsync(a => a.AuthType == AuthType.Discord && a.RemoteId == remoteUser.Id))
        {
            logger.Error("Discord user {Id} has valid ticket but is already linked to an existing account",
--- a/Foxnouns.Backend/Controllers/MetaController.cs
+++ b/Foxnouns.Backend/Controllers/MetaController.cs
@ -20,7 +20,7 @@ public class MetaController(DatabaseContext db) : ApiControllerBase
        );
    }
-    [HttpGet("coffee")]
+    [HttpGet("/api/v2/coffee")]
    public IActionResult BrewCoffee() => Problem("Sorry, I'm a teapot!", statusCode: StatusCodes.Status418ImATeapot);
    private record MetaResponse(string Version, string Hash, int Members, UserInfo Users);
--- a/Foxnouns.Backend/Controllers/UsersController.cs
+++ b/Foxnouns.Backend/Controllers/UsersController.cs
@ -1,8 +1,11 @@
 using Foxnouns.Backend.Database;
 using Foxnouns.Backend.Database.Models;
 using Foxnouns.Backend.Jobs;
 using Foxnouns.Backend.Middleware;
 using Foxnouns.Backend.Services;
 using Foxnouns.Backend.Utils;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 namespace Foxnouns.Backend.Controllers;
@ -10,28 +13,76 @@ namespace Foxnouns.Backend.Controllers;
 public class UsersController(DatabaseContext db, UserRendererService userRendererService) : ApiControllerBase
 {
    [HttpGet("{userRef}")]
    [ProducesResponseType<UserRendererService.UserResponse>(statusCode: StatusCodes.Status200OK)]
    public async Task<IActionResult> GetUserAsync(string userRef)
    {
        var user = await db.ResolveUserAsync(userRef);
-        return Ok(await userRendererService.RenderUserAsync(user, selfUser: CurrentUser));
+        return await GetUserInnerAsync(user);
    }
    [HttpGet("@me")]
    [Authorize("identify")]
    [ProducesResponseType<UserRendererService.UserResponse>(statusCode: StatusCodes.Status200OK)]
    public async Task<IActionResult> GetMeAsync()
    {
        var user = await db.ResolveUserAsync(CurrentUser!.Id);
-        return Ok(await userRendererService.RenderUserAsync(user, selfUser: CurrentUser));
+        return await GetUserInnerAsync(user);
    }
    private async Task<IActionResult> GetUserInnerAsync(User user)
    {
        return Ok(await userRendererService.RenderUserAsync(
            user,
            selfUser: CurrentUser,
            token: CurrentToken,
            renderMembers: true,
            renderAuthMethods: true
        ));
    }
    [HttpPatch("@me")]
    [Authorize("user.update")]
    [ProducesResponseType<UserRendererService.UserResponse>(statusCode: StatusCodes.Status200OK)]
    public async Task<IActionResult> UpdateUserAsync([FromBody] UpdateUserRequest req)
    {
-        if (req.Avatar != null)
+        await using var tx = await db.Database.BeginTransactionAsync();
        var user = await db.Users.FirstAsync(u => u.Id == CurrentUser!.Id);
        if (req.Username != null && req.Username != user.Username)
        {
            ValidationUtils.ValidateUsername(req.Username);
            user.Username = req.Username;
        }
        if (req.HasProperty(nameof(req.DisplayName)))
        {
            ValidationUtils.ValidateDisplayName(req.DisplayName);
            user.DisplayName = req.DisplayName;
        }
        if (req.HasProperty(nameof(req.Bio)))
        {
            ValidationUtils.ValidateBio(req.Bio);
            user.Bio = req.Bio;
        }
        if (req.HasProperty(nameof(req.Avatar)))
        {
            ValidationUtils.ValidateAvatar(req.Avatar);
            AvatarUpdateJob.QueueUpdateUserAvatar(CurrentUser!.Id, req.Avatar);
        return NoContent();
        }
-    public record UpdateUserRequest(string? Username, string? DisplayName, string? Avatar);
+        await db.SaveChangesAsync();
        await tx.CommitAsync();
        return Ok(await userRendererService.RenderUserAsync(user, CurrentUser, renderMembers: false,
            renderAuthMethods: false));
    }
    public class UpdateUserRequest : PatchRequest
    {
        public string? Username { get; init; }
        public string? DisplayName { get; init; }
        public string? Bio { get; init; }
        public string? Avatar { get; init; }
    }
 }
--- a/Foxnouns.Backend/Database/Models/User.cs
+++ b/Foxnouns.Backend/Database/Models/User.cs
@ -1,3 +1,5 @@
 using System.Text.RegularExpressions;
 namespace Foxnouns.Backend.Database.Models;
 public class User : BaseModel
--- a/Foxnouns.Backend/ExpectedError.cs
+++ b/Foxnouns.Backend/ExpectedError.cs
@ -1,3 +1,4 @@
 using System.Collections.ObjectModel;
 using System.Net;
 using Foxnouns.Backend.Middleware;
 using Microsoft.AspNetCore.Mvc.ModelBinding;
@ -21,7 +22,8 @@ public class ApiError(string message, HttpStatusCode? statusCode = null, ErrorCo
    public readonly HttpStatusCode StatusCode = statusCode ?? HttpStatusCode.InternalServerError;
    public readonly ErrorCode ErrorCode = errorCode ?? ErrorCode.InternalServerError;
-    public class Unauthorized(string message) : ApiError(message, statusCode: HttpStatusCode.Unauthorized);
+    public class Unauthorized(string message) : ApiError(message, statusCode: HttpStatusCode.Unauthorized,
        errorCode: ErrorCode.AuthenticationError);
    public class Forbidden(string message, IEnumerable<string>? scopes = null)
        : ApiError(message, statusCode: HttpStatusCode.Forbidden)
@ -29,7 +31,45 @@ public class ApiError(string message, HttpStatusCode? statusCode = null, ErrorCo
        public readonly string[] Scopes = scopes?.ToArray() ?? [];
    }
-    public class BadRequest(string message, ModelStateDictionary? modelState = null)
+    public class BadRequest(string message, IReadOnlyDictionary<string, string>? errors = null)
        : ApiError(message, statusCode: HttpStatusCode.BadRequest)
    {
        public BadRequest(string message, string field) : this(message,
            new Dictionary<string, string> { { field, message } })
        {
        }
        public JObject ToJson()
        {
            var o = new JObject
            {
                { "status", (int)HttpStatusCode.BadRequest },
                { "message", Message },
                { "code", ErrorCode.BadRequest.ToString() }
            };
            if (errors == null) return o;
            var a = new JArray();
            foreach (var error in errors)
            {
                var errorObj = new JObject
                {
                    { "key", error.Key },
                    { "errors", new JArray(new JObject { { "message", error.Value } }) }
                };
                a.Add(errorObj);
            }
            o.Add("errors", a);
            return o;
        }
    }
    /// <summary>
    /// A special version of BadRequest that ASP.NET generates when it encounters an invalid request.
    /// Any other methods should use <see cref="ApiError.BadRequest" /> instead.
    /// </summary>
    public class AspBadRequest(string message, ModelStateDictionary? modelState = null)
        : ApiError(message, statusCode: HttpStatusCode.BadRequest)
    {
        public JObject ToJson()
@ -37,6 +77,7 @@ public class ApiError(string message, HttpStatusCode? statusCode = null, ErrorCo
            var o = new JObject
            {
                { "status", (int)HttpStatusCode.BadRequest },
                { "message", Message },
                { "code", ErrorCode.BadRequest.ToString() }
            };
            if (modelState == null) return o;
@ -52,7 +93,6 @@ public class ApiError(string message, HttpStatusCode? statusCode = null, ErrorCo
                        new JArray(error.Value!.Errors.Select(e => new JObject { { "message", e.ErrorMessage } }))
                    }
                };
                a.Add(errorObj);
            }
--- a/Foxnouns.Backend/Jobs/AvatarUpdateJob.cs
+++ b/Foxnouns.Backend/Jobs/AvatarUpdateJob.cs
@ -12,7 +12,7 @@ using SixLabors.ImageSharp.Processing.Processors.Transforms;
 namespace Foxnouns.Backend.Jobs;
-[SuppressMessage("ReSharper", "MemberCanBePrivate.Global")]
+[SuppressMessage("ReSharper", "MemberCanBePrivate.Global", Justification = "Hangfire jobs need to be public")]
 public class AvatarUpdateJob(DatabaseContext db, IMinioClient minio, Config config, ILogger logger)
 {
    private readonly string[] _validContentTypes = ["image/png", "image/webp", "image/jpeg"];
@ -94,14 +94,69 @@ public class AvatarUpdateJob(DatabaseContext db, IMinioClient minio, Config conf
        await db.SaveChangesAsync();
    }
-    public Task UpdateMemberAvatar(Snowflake id, string newAvatar)
+    public async Task UpdateMemberAvatar(Snowflake id, string newAvatar)
    {
-        throw new NotImplementedException();
+        var member = await db.Members.FindAsync(id);
        if (member == null)
        {
            logger.Warning("Update avatar job queued for {MemberId} but no member with that ID exists", id);
            return;
        }
-    public Task ClearMemberAvatar(Snowflake id)
+        try
        {
-        throw new NotImplementedException();
+            var image = await ConvertAvatar(newAvatar);
            var hash = Convert.ToHexString(await SHA256.HashDataAsync(image)).ToLower();
            image.Seek(0, SeekOrigin.Begin);
            var prevHash = member.Avatar;
            await minio.PutObjectAsync(new PutObjectArgs()
                .WithBucket(config.Storage.Bucket)
                .WithObject(MemberAvatarPath(id, hash))
                .WithObjectSize(image.Length)
                .WithStreamData(image)
                .WithContentType("image/webp")
            );
            member.Avatar = hash;
            await db.SaveChangesAsync();
            if (prevHash != null && prevHash != hash)
                await minio.RemoveObjectAsync(new RemoveObjectArgs()
                    .WithBucket(config.Storage.Bucket)
                    .WithObject(MemberAvatarPath(id, prevHash))
                );
            logger.Information("Updated avatar for member {MemberId}", id);
        }
        catch (ArgumentException ae)
        {
            logger.Warning("Invalid data URI for new avatar for member {MemberId}: {Reason}", id, ae.Message);
        }
    }
    public async Task ClearMemberAvatar(Snowflake id)
    {
        var member = await db.Members.FindAsync(id);
        if (member == null)
        {
            logger.Warning("Clear avatar job queued for {MemberId} but no member with that ID exists", id);
            return;
        }
        if (member.Avatar == null)
        {
            logger.Warning("Clear avatar job queued for {MemberId} with null avatar", id);
            return;
        }
        await minio.RemoveObjectAsync(new RemoveObjectArgs()
            .WithBucket(config.Storage.Bucket)
            .WithObject(MemberAvatarPath(member.Id, member.Avatar))
        );
        member.Avatar = null;
        await db.SaveChangesAsync();
    }
    private async Task<Stream> ConvertAvatar(string uri)
--- a/Foxnouns.Backend/Middleware/ErrorHandlerMiddleware.cs
+++ b/Foxnouns.Backend/Middleware/ErrorHandlerMiddleware.cs
@ -1,4 +1,5 @@
 using System.Net;
 using Foxnouns.Backend.Utils;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Converters;
@ -54,6 +55,12 @@ public class ErrorHandlerMiddleware(ILogger baseLogger, IHub sentry) : IMiddlewa
                    return;
                }
                if (ae is ApiError.BadRequest br)
                {
                    await ctx.Response.WriteAsync(br.ToJson().ToString());
                    return;
                }
                await ctx.Response.WriteAsync(JsonConvert.SerializeObject(new HttpApiError
                {
                    Status = (int)ae.StatusCode,
@ -101,8 +108,9 @@ public record HttpApiError
 {
    public required int Status { get; init; }
-    [JsonConverter(typeof(StringEnumConverter))]
+    [JsonConverter(typeof(ScreamingSnakeCaseEnumConverter))]
    public required ErrorCode Code { get; init; }
    [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
    public string? ErrorId { get; init; }
    public required string Message { get; init; }
--- a/Foxnouns.Backend/Program.cs
+++ b/Foxnouns.Backend/Program.cs
@ -4,6 +4,7 @@ using Serilog;
 using Foxnouns.Backend.Extensions;
 using Foxnouns.Backend.Middleware;
 using Foxnouns.Backend.Services;
 using Foxnouns.Backend.Utils;
 using Hangfire;
 using Hangfire.Redis.StackExchange;
 using Microsoft.AspNetCore.Mvc;
@ -22,24 +23,34 @@ var config = builder.AddConfiguration();
 builder.AddSerilog();
-builder.WebHost.UseSentry(opts =>
+builder.WebHost
    .UseSentry(opts =>
    {
        opts.Dsn = config.Logging.SentryUrl;
        opts.TracesSampleRate = config.Logging.SentryTracesSampleRate;
        opts.MaxRequestBodySize = RequestSize.Small;
    })
    .ConfigureKestrel(opts =>
    {
        // Requests are limited to a maximum of 2 MB.
        // No valid request body will ever come close to this limit,
        // but the limit is slightly higher to prevent valid requests from being rejected.
        opts.Limits.MaxRequestBodySize = 2 * 1024 * 1024;
    });
 builder.Services
    .AddControllers()
    .AddNewtonsoftJson(options =>
-        options.SerializerSettings.ContractResolver = new DefaultContractResolver
+    {
        options.SerializerSettings.ContractResolver = new PatchRequestContractResolver
        {
            NamingStrategy = new SnakeCaseNamingStrategy()
        };
    })
    .ConfigureApiBehaviorOptions(options =>
    {
        options.InvalidModelStateResponseFactory = actionContext => new BadRequestObjectResult(
-            new ApiError.BadRequest("Bad request", actionContext.ModelState).ToJson()
+            new ApiError.AspBadRequest("Bad request", actionContext.ModelState).ToJson()
        );
    });
--- a/Foxnouns.Backend/Services/AuthService.cs
+++ b/Foxnouns.Backend/Services/AuthService.cs
@ -46,7 +46,7 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
        AssertValidAuthType(authType, instance);
        if (await db.Users.AnyAsync(u => u.Username == username))
-            throw new ApiError.BadRequest("Username is already taken");
+            throw new ApiError.BadRequest("Username is already taken", "username");
        var user = new User
        {
@ -122,7 +122,7 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
    public (string, Token) GenerateToken(User user, Application application, string[] scopes, Instant expires)
    {
        if (!AuthUtils.ValidateScopes(application, scopes))
-            throw new ApiError.BadRequest("Invalid scopes requested for this token");
+            throw new ApiError.BadRequest("Invalid scopes requested for this token", "scopes");
        var (token, hash) = GenerateToken();
        return (token, new Token
--- a/Foxnouns.Backend/Services/MemberRendererService.cs
+++ b/Foxnouns.Backend/Services/MemberRendererService.cs
@ -3,16 +3,20 @@ using Foxnouns.Backend.Database.Models;
 namespace Foxnouns.Backend.Services;
-public class MemberRendererService(DatabaseContext db)
+public class MemberRendererService(DatabaseContext db, Config config)
 {
    public PartialMember RenderPartialMember(Member member) => new(member.Id, member.Name,
-        member.DisplayName, member.Bio, member.Names, member.Pronouns);
+        member.DisplayName, member.Bio, AvatarUrlFor(member), member.Names, member.Pronouns);
    private string? AvatarUrlFor(Member member) =>
        member.Avatar != null ? $"{config.MediaBaseUrl}/members/{member.Id}/avatars/{member.Avatar}.webp" : null;
    public record PartialMember(
        Snowflake Id,
        string Name,
        string? DisplayName,
        string? Bio,
        string? AvatarUrl,
        IEnumerable<FieldEntry> Names,
        IEnumerable<Pronoun> Pronouns);
 }
--- a/Foxnouns.Backend/Services/UserRendererService.cs
+++ b/Foxnouns.Backend/Services/UserRendererService.cs
@ -1,24 +1,54 @@
 using Foxnouns.Backend.Database;
 using Foxnouns.Backend.Database.Models;
 using Foxnouns.Backend.Utils;
 using Microsoft.EntityFrameworkCore;
 using Newtonsoft.Json;
 namespace Foxnouns.Backend.Services;
-public class UserRendererService(DatabaseContext db, MemberRendererService memberRendererService)
+public class UserRendererService(DatabaseContext db, MemberRendererService memberRendererService, Config config)
 {
-    public async Task<UserResponse> RenderUserAsync(User user, User? selfUser = null, bool renderMembers = true)
+    public async Task<UserResponse> RenderUserAsync(User user, User? selfUser = null,
        Token? token = null,
        bool renderMembers = true,
        bool renderAuthMethods = false)
    {
-        renderMembers = renderMembers && (!user.ListHidden || selfUser?.Id == user.Id);
+        var isSelfUser = selfUser?.Id == user.Id;
        var tokenCanReadHiddenMembers = token.HasScope("member.read");
        var tokenCanReadAuth = token.HasScope("user.read_privileged");
-        var members = renderMembers ? await db.Members.Where(m => m.UserId == user.Id).ToListAsync() : [];
+        renderMembers = renderMembers &&
                        (!user.ListHidden || (isSelfUser && tokenCanReadHiddenMembers));
        renderAuthMethods = renderAuthMethods && isSelfUser && tokenCanReadAuth;
        IEnumerable<Member> members =
            renderMembers ? await db.Members.Where(m => m.UserId == user.Id).ToListAsync() : [];
        // Unless the user is requesting their own members AND the token can read hidden members, we filter out unlisted members.
        if (!(isSelfUser && tokenCanReadHiddenMembers)) members = members.Where(m => m.Unlisted);
        var authMethods = renderAuthMethods
            ? await db.AuthMethods
                .Where(a => a.UserId == user.Id)
                .Include(a => a.FediverseApplication)
                .ToListAsync()
            : [];
        return new UserResponse(
-            user.Id, user.Username, user.DisplayName, user.Bio, user.MemberTitle, user.Avatar, user.Links, user.Names,
+            user.Id, user.Username, user.DisplayName, user.Bio, user.MemberTitle, AvatarUrlFor(user), user.Links, user.Names,
            user.Pronouns, user.Fields,
-            renderMembers ? members.Select(memberRendererService.RenderPartialMember) : null);
+            renderMembers ? members.Select(memberRendererService.RenderPartialMember) : null,
            renderAuthMethods
                ? authMethods.Select(a => new AuthenticationMethodResponse(
                    a.Id, a.AuthType, a.RemoteId,
                    a.RemoteUsername, a.FediverseApplication?.Domain
                ))
                : null
        );
    }
    private string? AvatarUrlFor(User user) =>
        user.Avatar != null ? $"{config.MediaBaseUrl}/users/{user.Id}/avatars/{user.Avatar}.webp" : null;
    public record UserResponse(
        Snowflake Id,
        string Username,
@ -30,7 +60,20 @@ public class UserRendererService(DatabaseContext db, MemberRendererService membe
        IEnumerable<FieldEntry> Names,
        IEnumerable<Pronoun> Pronouns,
        IEnumerable<Field> Fields,
-        [JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
+        [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
-        IEnumerable<MemberRendererService.PartialMember>? Members
+        IEnumerable<MemberRendererService.PartialMember>? Members,
        [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
        IEnumerable<AuthenticationMethodResponse>? AuthMethods
    );
    public record AuthenticationMethodResponse(
        Snowflake Id,
        [property: JsonConverter(typeof(ScreamingSnakeCaseEnumConverter))]
        AuthType Type,
        string RemoteId,
        [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
        string? RemoteUsername,
        [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)]
        string? FediverseInstance
    );
 }
--- a/Foxnouns.Backend/Utils/AuthUtils.cs
+++ b/Foxnouns.Backend/Utils/AuthUtils.cs
@ -10,7 +10,7 @@ public static class AuthUtils
    private static readonly string[] ForbiddenSchemes = ["javascript", "file", "data", "mailto", "tel"];
    public static readonly string[] UserScopes =
-        ["user.read_hidden", "user.read_privileged", "user.update"];
+        ["user.read_privileged", "user.update"];
    public static readonly string[] MemberScopes = ["member.read", "member.update", "member.create"];
@ -35,6 +35,9 @@ public static class AuthUtils
        return expandedScopes.ToArray();
    }
    public static bool HasScope(this Token? token, string scope) =>
        token?.Scopes.ExpandScopes().Contains(scope) == true;
    private static string[] ExpandAppScopes(this string[] scopes)
    {
        var expandedScopes = scopes.ExpandScopes().ToList();
--- a/Foxnouns.Backend/Utils/PatchRequest.cs
+++ b/Foxnouns.Backend/Utils/PatchRequest.cs
@ -0,0 +1,35 @@
 using System.Reflection;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Serialization;
 namespace Foxnouns.Backend.Utils;
 /// <summary>
 /// A base class used for PATCH requests which stores information on whether a key is explicitly set to null or not passed at all.
 /// </summary>
 public abstract class PatchRequest
 {
    private readonly HashSet<string> _properties = [];
    public bool HasProperty(string propertyName) => _properties.Contains(propertyName);
    public void SetHasProperty(string propertyName) => _properties.Add(propertyName);
 }
 /// <summary>
 /// A custom contract resolver to reduce the boilerplate needed to use <see cref="PatchRequest" />.
 /// Based on this StackOverflow answer: https://stackoverflow.com/a/58748036
 /// </summary>
 public class PatchRequestContractResolver : DefaultContractResolver
 {
    protected override JsonProperty CreateProperty(MemberInfo member, MemberSerialization memberSerialization)
    {
        var prop = base.CreateProperty(member, memberSerialization);
        prop.SetIsSpecified += (o, _) =>
        {
            if (o is not PatchRequest patchRequest) return;
            patchRequest.SetHasProperty(prop.UnderlyingName!);
        };
        return prop;
    }
 }
--- a/Foxnouns.Backend/Utils/ScreamingSnakeCaseEnumConverter.cs
+++ b/Foxnouns.Backend/Utils/ScreamingSnakeCaseEnumConverter.cs
@ -0,0 +1,18 @@
 using System.Globalization;
 using Newtonsoft.Json.Converters;
 using Newtonsoft.Json.Serialization;
 namespace Foxnouns.Backend.Utils;
 /// <summary>
 /// A custom StringEnumConverter that converts enum members to SCREAMING_SNAKE_CASE, rather than CamelCase as is the default.
 /// Newtonsoft.Json doesn't provide a screaming snake case naming strategy, so we just wrap the normal snake case one and convert it to uppercase.
 /// </summary>
 public class ScreamingSnakeCaseEnumConverter() : StringEnumConverter(new ScreamingSnakeCaseNamingStrategy(), false)
 {
    private class ScreamingSnakeCaseNamingStrategy : SnakeCaseNamingStrategy
    {
        protected override string ResolvePropertyName(string name) =>
            base.ResolvePropertyName(name).ToUpper(CultureInfo.InvariantCulture);
    }
 }
--- a/Foxnouns.Backend/Utils/ValidationUtils.cs
+++ b/Foxnouns.Backend/Utils/ValidationUtils.cs
@ -0,0 +1,76 @@
 using System.Text.RegularExpressions;
 namespace Foxnouns.Backend.Utils;
 /// <summary>
 /// Static methods for validating user input (mostly making sure it's not too short or too long)
 /// </summary>
 public static class ValidationUtils
 {
    private static readonly Regex UsernameRegex = new("^[\\w-.]{2,40}$", RegexOptions.IgnoreCase);
    private static readonly string[] InvalidUsernames =
    [
        "..",
        "admin",
        "administrator",
        "mod",
        "moderator",
        "api",
        "page",
        "pronouns",
        "settings",
        "pronouns.cc",
        "pronounscc"
    ];
    /// <summary>
    /// Validates whether a username is valid. If it is not valid, throws <see cref="Foxnouns.Backend.ApiError" />.
    /// This does not check if the username is already taken.
    /// </summary>
    public static void ValidateUsername(string username)
    {
        if (!UsernameRegex.IsMatch(username))
            throw username.Length switch
            {
                < 2 => new ApiError.BadRequest("Username is too short", "username"),
                > 40 => new ApiError.BadRequest("Username is too long", "username"),
                _ => new ApiError.BadRequest(
                    "Username is invalid, can only contain alphanumeric characters, dashes, underscores, and periods",
                    "username")
            };
        if (InvalidUsernames.Any(u => string.Equals(u, username, StringComparison.InvariantCultureIgnoreCase)))
            throw new ApiError.BadRequest("Username is not allowed", "username");
    }
    public static void ValidateDisplayName(string? displayName)
    {
        if (displayName == null) return;
        switch (displayName.Length)
        {
            case 0:
                throw new ApiError.BadRequest("Display name is too short", "display_name");
            case > 100:
                throw new ApiError.BadRequest("Display name is too long", "display_name");
        }
    }
    public static void ValidateBio(string? bio)
    {
        if (bio == null) return;
        switch (bio.Length)
        {
            case 0:
                throw new ApiError.BadRequest("Bio is too short", "bio");
            case > 1024:
                throw new ApiError.BadRequest("Bio is too long", "bio");
        }
    }
    public static void ValidateAvatar(string? avatar)
    {
        if (avatar == null) return;
        if (avatar.Length > 1_500_000) throw new ApiError.BadRequest("Avatar is too big", "avatar");
    }
 }
--- a/Foxnouns.Backend/config.example.ini
+++ b/Foxnouns.Backend/config.example.ini
@ -4,6 +4,8 @@ Host = localhost
 Port = 5000
 ; The base *external* URL
 BaseUrl = https://pronouns.localhost
 ; The base URL for media, without a trailing slash. This must be publicly accessible.
 MediaBaseUrl = https://cdn-staging.pronouns.localhost
 [Logging]
 ; The level to log things at. Valid settings: Verbose, Debug, Information, Warning, Error, Fatal
--- a/SCOPES.md
+++ b/SCOPES.md
@ -0,0 +1,18 @@
 # List of API endpoints and scopes
 ## Scopes
 - `identify`: `@me` will refer to token user (always granted)
 - `user.read_privileged`: can read privileged information such as authentication methods
 - `user.update`: can update the user's profile.
  **cannot** update anything locked behind `user.read_privileged`
 - `member.read`: can view member list if it's hidden and enumerate unlisted members
 - `member.create`: can create new members
 - `member.update`: can edit and delete members
 ## Users
 - GET `/users/{userRef}`: `identify` required to use `@me` as user reference.
  `user.read_privileged` required to view authentication methods.
  `member.read` required to view unlisted members.
 - PATCH `/users/@me`: `user.update` required.
--- a/STYLE.md
+++ b/STYLE.md
@ -0,0 +1,12 @@
 # Code style
 ## C# code style
 Code should be formatted with `dotnet format` or Rider's built-in formatter.  
 Variables should *always* be declared using `var`, unless the correct type
 can't be inferred from the declaration (i.e. if the variable needs to be an
 `IEnumerable<T>` instead of a `List<T>`, or if a variable is initialized as `null`).
 ## TypeScript code style
 Use `prettier` for formatting the frontend code.