From 070eba4b4c45c74a2a16701400a84648baed8dbd Mon Sep 17 00:00:00 2001
From: "Apple\\Apple" <zeraturing@foxmail.com>
Date: Fri, 13 Jun 2025 12:28:26 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(setup):=20enforce=20username?=
 =?UTF-8?q?=20length=20=E2=89=A4=2012=20during=20initial=20system=20setup?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The User model applies `validate:"max=12"` to the `Username` field, but the
initial setup flow did not validate this constraint. This allowed creation
of a root user with an overly long username (e.g. "Uselessly1344"), which
later caused every update request to fail with:

  Field validation for 'Username' failed on the 'max' tag

This patch adds an explicit length check in `controller/setup.go` to reject
usernames longer than 12 characters during setup, keeping validation rules
consistent across the entire application.

Refs: #1214
---
 controller/setup.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/controller/setup.go b/controller/setup.go
index 0a13bcf9..8943a1a0 100644
--- a/controller/setup.go
+++ b/controller/setup.go
@@ -75,6 +75,14 @@ func PostSetup(c *gin.Context) {
 
 	// If root doesn't exist, validate and create admin account
 	if !rootExists {
+		// Validate username length: max 12 characters to align with model.User validation
+		if len(req.Username) > 12 {
+			c.JSON(400, gin.H{
+				"success": false,
+				"message": "用户名长度不能超过12个字符",
+			})
+			return
+		}
 		// Validate password
 		if req.Password != req.ConfirmPassword {
 			c.JSON(400, gin.H{