#
#	Example of forbidding all attempts to login via
#	realms.
#
deny_realms {
	if (&User-Name && (&User-Name =~ /@|\\/)) {
		reject
	}
}

#
#	Filter the username
#
#  Force some sanity on User-Name. This helps to avoid issues
#  issues where the back-end database is "forgiving" about
#  what constitutes a user name.
#
filter_username {
	if (!&User-Name) {
		noop
	}

	#
	#  reject mixed case e.g. "UseRNaMe"
	#
	#if (&User-Name != "%{tolower:%{User-Name}}") {
	#	reject
	#}

	#
	#  reject all whitespace
	#  e.g. "user@ site.com", or "us er", or " user", or "user "
	#
	if (&User-Name =~ / /) {
		update reply {
			&Reply-Message += 'Rejected: Username contains whitespace'
		}
		reject
	}

	#
	#  reject Multiple @'s
	#  e.g. "user@site.com@site.com"
	#
	if (&User-Name =~ /@.*@/ ) {
		update reply {
			&Reply-Message += 'Rejected: Multiple @ in username'
		}
		reject
	}

	#
	#  reject double dots
	#  e.g. "user@site..com"
	#
	if (&User-Name =~ /\.\./ ) {
		update reply {
			&Reply-Message += 'Rejected: Username contains ..s'
		}
		reject
	}

	#
	#  must have at least 1 string-dot-string after @
	#  e.g. "user@site.com"
	#
	if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
		update reply {
			&Reply-Message += 'Rejected: Realm does not have at least one dot separator'
		}
		reject
	}

	#
	#  Realm ends with a dot
	#  e.g. "user@site.com."
	#
	if (&User-Name =~ /\.$/)  {
		update reply {
			&Reply-Message += 'Rejected: Realm ends with a dot'
		}
		reject
	}

	#
	#  Realm begins with a dot
	#  e.g. "user@.site.com"
	#
	if (&User-Name =~ /@\./)  {
		update reply {
			&Reply-Message += 'Rejected: Realm begins with a dot'
		}
		reject
	}
}
