Django: ajax response for valid/available username/email during registration

Question

I am using jQuery to do some inline form validation during user registration to prevent form errors after posting by checking to see if:

• username is available
• email has not already been registered

The idea is to give the user feedback before the form is submitted to prevent frustration. The code is at the bottom.

Questions:

• Is this a potential security problem? I had the thought that someone looking at my javascript could find the url I am polling for the username/email confirmation and then use it themselves (I don't know why they would do this, but one never knows).
• If it is, what protections can I implement? I had read a little about cross-site scripting protection but am not sure how it could be implemented in a AJAX request, such as this, or if it is even necessary.

Thanks for your input.

Current Code:

I have defined the following view (which I took from some snippet, but can't recall where):

def is_field_available(request):
    if request.method == "GET":
        get = request.GET.copy()
        if get.has_key('username'):
            name = get['username']
            if User.objects.filter(username__iexact=name) or \
                UserProfile.objects.filter(display_name__iexact=name):
                return HttpResponse(False)
            else:
                return HttpResponse(True)
        if get.has_key('email'):
            email = get['email']
            if User.objects.filter(email__iexact=email):
                return HttpResponse(False)
            else:
                return HttpResponse(True)

    return HttpResponseServerError("Requires username or email to test")

Here is a sample of the jQuery code:

$.get('is-user-name-available/', { email: $(this).val() },
    function(data, status){
        if(data == "True"){
            $input.fieldValid();
        } else {
            $input.fieldInvalid("This email address has already been registered.  Try another or recover your password.");
        }
});

Edit: updated the code and rephrased my questions. [10/07/09]

Answer 1

See http://www.djangosnippets.org/snippets/771/ - you can restrict your view to ajax requests. The only way to do cross-domain ajax is jsonp which you do not support in your view.

Answer 2

Yes, this is a potential security problem, but not too big one: just make sure that your code is safe, and always returns something that doesn't reveal information that should be hidden.

There's nothing bad if someone will input in browser: example.com/account/verify_username/?username=admin (although I'd suggest to use POST only here)

So what should be done: 1) Verify that there're all parameters you need and they're in a correct format 2) Possibly verify where request came from 3) Make sure you handle all exceptions that can happen in the code 4) Don't forget about unit testing - for that try to place your logic NOT in a view, but in some method :)