Validate OAuth sign-up handle using @atproto/syntax

Fixes #3619

.changeset/chatty-cheetahs-repair.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Properly validate handle syntax during sign-up

packages/oauth/oauth-provider/package.json

@@ -40,6 +40,7 @@
     "@atproto/jwk": "workspace:*",
     "@atproto/jwk-jose": "workspace:*",
     "@atproto/oauth-types": "workspace:*",
+    "@atproto/syntax": "workspace:*",
     "@hapi/accept": "^6.0.3",
     "@hapi/address": "^5.1.1",
     "@hapi/bourne": "^3.0.0",

packages/oauth/oauth-provider/src/account/account-store.ts

@@ -1,6 +1,7 @@
 import { isEmailValid } from '@hapi/address'
 import { isDisposableEmail } from 'disposable-email-domains-js'
 import { z } from 'zod'
+import { ensureValidHandle } from '@atproto/syntax'
 import { ClientId } from '../client/client-id.js'
 import { DeviceId } from '../device/device-id.js'
 import { localeSchema } from '../lib/locale.js'
@@ -19,9 +20,18 @@ export const newPasswordSchema = z.string().min(8)
 export const tokenSchema = z.string().regex(/^[A-Z2-7]{5}-[A-Z2-7]{5}$/)
 export const handleSchema = z
   .string()
-  .min(3)
-  .max(30)
-  .regex(/^[a-z0-9][a-z0-9-]+[a-z0-9](?:\.[a-z0-9][a-z0-9-]+[a-z0-9])+$/)
+  // @NOTE: We only check against validity towards ATProto's syntax. Additional
+  // rules may be imposed by the store implementation.
+  .superRefine((value, ctx) => {
+    try {
+      ensureValidHandle(value)
+    } catch (err) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: err instanceof Error ? err.message : 'Invalid handle',
+      })
+    }
+  })
 export const emailSchema = z
   .string()
   .email()