diff --git a/yellow/auth.py b/yellow/auth.py
index de05baf..40515d5 100644
--- a/yellow/auth.py
+++ b/yellow/auth.py
@@ -1,3 +1,5 @@
+import re
+
 import peewee
 from quart import session, redirect, url_for
 
@@ -14,6 +16,9 @@ async def handle_user_login(resp: dict):
     username = user['preferred_username']
     uid = user['sub']
 
+    if not re.match(r"^[a-zA-Z0-9_\.-]+$", username):
+        raise Exception("bad username")
+
     try:
         user = User.select().where(User.id == uid).get()
     except peewee.DoesNotExist:
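Review bot: The new allow-list check in handle_user_login is looser than it looks, because `$` in `re.match` also matches just before a trailing newline, so a `preferred_username` of `"alice\n"` passes the check even though a newline is not in the character class; use `re.fullmatch(r"[a-zA-Z0-9_.-]+", username)` instead (the `\.` escape inside the class is redundant), and consider bounding the length, e.g. `{1,64}`, since the pattern currently accepts arbitrarily long names. Raising a bare `Exception("bad username")` will surface as an unhandled 500 rather than a client-side rejection; a `ValueError` (or whatever error type the surrounding handlers already map to a 4xx, which is outside this hunk) would make the rejection deliberate and easier to detect in logs. A short comment such as `# preferred_username comes from the identity provider and is used verbatim; restrict it to a safe character set before it reaches the database` would record why the check exists. The body of handle_user_login starts and continues outside the hunk, so the hunk does not show where `user` is populated or how the rejected login is reported.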