fix(account): /account/update_name validates name input

Reject empty / whitespace / explicit-null / over-cap names with 400
instead of NREing on null assignment or storing arbitrarily-long
strings the DB column has no cap on. 24-char limit is a conservative
backstop against direct API abuse; the client UI enforces its own
keyboard limit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

SVSim.EmulatedEntrypoint/Controllers/AccountController.cs

@@ -10,6 +10,14 @@ namespace SVSim.EmulatedEntrypoint.Controllers;
 /// </summary>
 public class AccountController : SVSimController
 {
+    /// <summary>
+    /// Conservative server-side cap on viewer display names. The client's UserNameInput
+    /// enforces its own limit at the keyboard; this is the backstop against direct API
+    /// abuse (10-MB names ballooning every subsequent /load/index, etc.). Names are
+    /// typically &lt;=20 chars in prod traffic.
+    /// </summary>
+    private const int MaxDisplayNameLength = 24;
+
     private readonly SVSimDbContext _db;
 
     public AccountController(SVSimDbContext db)
@@ -22,6 +30,14 @@ public class AccountController : SVSimController
     {
         if (!TryGetViewerId(out long viewerId)) return Unauthorized();
 
+        // Defensive null check: the DTO defaults to string.Empty but a JSON body with
+        // an explicit `"name": null` deserialises through msgpack→JSON→STJ to null, and
+        // assigning null to viewer.DisplayName (non-nullable in the entity) would NRE.
+        if (string.IsNullOrWhiteSpace(request.Name))
+            return BadRequest(new { error = "name_empty" });
+        if (request.Name.Length > MaxDisplayNameLength)
+            return BadRequest(new { error = "name_too_long" });
+
         var viewer = await _db.Viewers.FirstAsync(v => v.Id == viewerId);
         viewer.DisplayName = request.Name;
         await _db.SaveChangesAsync();

SVSim.UnitTests/Controllers/AccountControllerTests.cs

@@ -31,4 +31,79 @@ public class AccountControllerTests
         var viewer = await db.Viewers.FirstAsync(v => v.Id == viewerId);
         Assert.That(viewer.DisplayName, Is.EqualTo("littlefootse"));
     }
+
+    [TestCase("")]
+    [TestCase("   ")]
+    [TestCase("\t\n")]
+    public async Task UpdateName_rejects_empty_or_whitespace(string name)
+    {
+        using var factory = new SVSimTestFactory();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 0);
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        var requestJson = $$"""{"name":{{JsonSerializer.Serialize(name)}},"viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/account/update_name",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.BadRequest));
+
+        // Display name remains the seeded default ("Test Viewer").
+        using var scope = factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<SVSimDbContext>();
+        var viewer = await db.Viewers.FirstAsync(v => v.Id == viewerId);
+        Assert.That(viewer.DisplayName, Is.EqualTo("Test Viewer"));
+    }
+
+    [Test]
+    public async Task UpdateName_rejects_explicit_null()
+    {
+        using var factory = new SVSimTestFactory();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 0);
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        // Explicit JSON null — used to NRE when the controller assigned request.Name
+        // (default string.Empty) straight to viewer.DisplayName without a null check.
+        var requestJson = """{"name":null,"viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/account/update_name",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.BadRequest));
+    }
+
+    [Test]
+    public async Task UpdateName_rejects_too_long_name()
+    {
+        using var factory = new SVSimTestFactory();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 0);
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        // 25 chars > the 24-char server cap.
+        var name = new string('a', 25);
+        var requestJson = $$"""{"name":"{{name}}","viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/account/update_name",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.BadRequest));
+    }
+
+    [Test]
+    public async Task UpdateName_accepts_name_at_cap_boundary()
+    {
+        using var factory = new SVSimTestFactory();
+        long viewerId = await factory.SeedViewerAsync(tutorialState: 0);
+        using var client = factory.CreateAuthenticatedClient(viewerId);
+
+        // Exactly 24 chars — boundary case.
+        var name = new string('a', 24);
+        var requestJson = $$"""{"name":"{{name}}","viewer_id":"0","steam_id":0,"steam_session_ticket":""}""";
+        var response = await client.PostAsync("/account/update_name",
+            new StringContent(requestJson, Encoding.UTF8, "application/json"));
+
+        Assert.That(response.StatusCode, Is.EqualTo(HttpStatusCode.OK));
+
+        using var scope = factory.Services.CreateScope();
+        var db = scope.ServiceProvider.GetRequiredService<SVSimDbContext>();
+        var viewer = await db.Viewers.FirstAsync(v => v.Id == viewerId);
+        Assert.That(viewer.DisplayName, Is.EqualTo(name));
+    }
 }