diff --git a/src/pages/api/auth/register.ts b/src/pages/api/auth/register.ts
index e5f65d79f..fb68e02c5 100644
--- a/src/pages/api/auth/register.ts
+++ b/src/pages/api/auth/register.ts
@@ -9,6 +9,7 @@ import { jsonUserReplacer } from 'lib/utils/client';
 import { extname } from 'path';
 
 const logger = Logger.get('user');
+const MAX_USERNAME_LENGTH = 12;
 
 async function handler(req: NextApiReq, res: NextApiRes) {
   const user = await req.user();
@@ -26,34 +27,32 @@ async function handler(req: NextApiReq, res: NextApiRes) {
     code?: string;
   };
 
-  if (!username) badRequest = true;
-  if (!password) badRequest = true;
+  if (!username || !password) return res.badRequest('Bad Username/Password');
+
+  // Validate username length
+  if (username.length > MAX_USERNAME_LENGTH) {
+    return res.badRequest(`Username cannot exceed ${MAX_USERNAME_LENGTH} characters`);
+  }
 
   const existing = await prisma.user.findFirst({
-    where: {
-      username,
-    },
-    select: {
-      username: true,
-    },
+    where: { username },
+    select: { username: true },
   });
 
-  if (existing) badRequest = true;
-
-  if (badRequest) return res.badRequest('Bad Username/Password');
+  if (existing) return res.badRequest('Bad Username/Password');
 
   if (code) {
     if (config.features.invites) {
       const invite = await prisma.invite.findUnique({
-        where: {
-          code,
-        },
+        where: { code },
       });
 
       if (!invite || invite?.used) return res.badRequest('Bad invite');
       usedInvite = true;
     } else return res.badRequest('Bad Username/Password');
-  } else if (config.features.invites && !user?.administrator) return res.badRequest('Bad invite');
+  } else if (config.features.invites && !user?.administrator) {
+    return res.badRequest('Bad invite');
+  }
 
   const hashed = await hashPassword(password);
 
@@ -85,7 +84,7 @@ async function handler(req: NextApiReq, res: NextApiRes) {
     });
 
   logger.debug(
-    `registered user${usedInvite ? ' via invite ' + code : ''} ${JSON.stringify(newUser, jsonUserReplacer)}`,
+    `registered user${usedInvite ? ' via invite ' + code : ''} ${JSON.stringify(newUser, jsonUserReplacer)}`
   );
 
   delete newUser.password;