From e6b1ce4c6df54eb3210aed6ecec4c4f66fba30bf Mon Sep 17 00:00:00 2001
From: user <user@rpios.local>
Date: Sat, 21 Feb 2026 00:48:03 +0100
Subject: [PATCH] fix: block PASS/USER/NICK from clients post-registration

All three registration commands are now explicitly intercepted after
the client has authenticated. NICK gets a notice pointing to the
bouncer command; PASS and USER are silently dropped.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/bouncer/client.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/bouncer/client.py b/src/bouncer/client.py
index 948b5dc..945a619 100644
--- a/src/bouncer/client.py
+++ b/src/bouncer/client.py
@@ -112,13 +112,14 @@ class Client:
         if msg.command == "QUIT":
             return
 
-        # Block direct NICK -- must go through /msg *bouncer NICK <network> <nick>
-        if msg.command == "NICK":
-            self._send_msg(IRCMessage(
-                command="NOTICE",
-                params=[self._nick, "Use /msg *bouncer NICK <network> <nick>"],
-                prefix="*bouncer!bouncer@bouncer",
-            ))
+        # Block registration commands -- never forward to networks
+        if msg.command in ("NICK", "PASS", "USER"):
+            if msg.command == "NICK":
+                self._send_msg(IRCMessage(
+                    command="NOTICE",
+                    params=[self._nick, "Use /msg *bouncer NICK <network> <nick>"],
+                    prefix="*bouncer!bouncer@bouncer",
+                ))
             return
 
         # Intercept bouncer control commands