From c79b2913a2a36f24c9069294661b5bc4f31b6c0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20Haugsb=C3=B8?=
Date: Sun, 18 Dec 2022 17:16:19 +0100
Subject: [PATCH 1/2] Auth: Case insensitive login check on username

Allows users to add users with capital letters and then login with just lowercase letters. We accidentally capitalized the first letter of our username so the other people using it frequently thinks they wrote the wrong password.
---
 server/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/auth.js b/server/auth.js
index 3ce1a604..9bb9dd01 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -15,7 +15,7 @@ exports.login = async function (username, password) {
 return null;
 }
- let user = await R.findOne("user", " username = ? AND active = 1 ", [
+ let user = await R.findOne("user", " username LIKE ? AND active = 1 ", [
 username,
 ]);

From b3ac7c3d433568cd9737e1cb563efd9d19a073d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20Haugsb=C3=B8?=
Date: Mon, 19 Dec 2022 12:18:33 +0100
Subject: [PATCH 2/2] Username case insensitive, patch db instead of using LIKE

---
 db/patch-user-username-case-insensitive.sql | 47 +++++++++++++++++++++
 server/auth.js | 2 +-
 server/database.js | 1 +
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 db/patch-user-username-case-insensitive.sql

diff --git a/db/patch-user-username-case-insensitive.sql b/db/patch-user-username-case-insensitive.sql
new file mode 100644
index 00000000..90b7f1cb
--- /dev/null
+++ b/db/patch-user-username-case-insensitive.sql
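Review bot: Switching the predicate to `username LIKE ?` turns the caller-supplied `username` into a pattern, so `%` and `_` in the submitted name act as wildcards and `R.findOne` can return a row for an account other than the one the user named; a case-insensitive match should not be obtained this way. PATCH 2/2 in this series reverts the predicate to `=` and moves case-insensitivity into the column collation, so this intermediate state should not ship on its own — squashing the two commits keeps a bisect from landing on it. The body of `exports.login` continues outside the hunk.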
@@ -0,0 +1,47 @@
+CREATE TABLE [temp_user](
+ [id] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
+ [username] VARCHAR(255) NOT NULL UNIQUE COLLATE NOCASE,
+ [password] VARCHAR(255),
+ [active] BOOLEAN NOT NULL DEFAULT 1,
+ [timezone] VARCHAR(150),
+ twofa_secret VARCHAR(64),
+ twofa_status BOOLEAN default 0 NOT NULL,
+ twofa_last_token VARCHAR(6)
+);
+
+INSERT INTO [temp_user] SELECT
+[id],
+[username],
+[password],
+[active],
+[timezone],
+twofa_secret,
+twofa_status,
+twofa_last_token
+ FROM user;
+
+DROP TABLE user;
+
+CREATE TABLE [user](
+ [id] INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
+ [username] VARCHAR(255) NOT NULL UNIQUE COLLATE NOCASE,
+ [password] VARCHAR(255),
+ [active] BOOLEAN NOT NULL DEFAULT 1,
+ [timezone] VARCHAR(150),
+ twofa_secret VARCHAR(64),
+ twofa_status BOOLEAN default 0 NOT NULL,
+ twofa_last_token VARCHAR(6)
+);
+
+INSERT INTO [user] SELECT
+[id],
+[username],
+[password],
+[active],
+[timezone],
+twofa_secret,
+twofa_status,
+twofa_last_token
+ FROM [temp_user];
+
+DROP TABLE [temp_user];
diff --git a/server/auth.js b/server/auth.js
index 9bb9dd01..b4eeee41 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -15,7 +15,7 @@ exports.login = async function (username, password) {
 return null;
 }
- let user = await R.findOne("user", " username LIKE ? AND active = 1 ", [
+ let user = await R.findOne("user", " username = ? AND active = 1", [
 username,
 ]);
diff --git a/server/database.js b/server/database.js
index 2544f197..7764df3f 100644
--- a/server/database.js
+++ b/server/database.js
@@ -66,6 +66,7 @@ class Database {
 "patch-add-radius-monitor.sql": true,
 "patch-monitor-add-resend-interval.sql": true,
 "patch-maintenance-table2.sql": true,
+ "patch-user-username-case-insensitive.sql": { parents: [ "patch-2fa-invalidate-used-token.sql", "patch-2fa.sql" ] }
 };
 /**
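Review bot: The script is not wrapped in a transaction, yet `DROP TABLE user;` sits between the copy into `temp_user` and the copy back, so a failure or interrupted process at that point leaves the application with no `user` table and its accounts only in `temp_user`; the statements should be bracketed by `BEGIN TRANSACTION;` as the first line and `COMMIT;` as the last, which I believe is how the other patch files in `db/` are written. The first `INSERT INTO [temp_user]` will also fail with a UNIQUE constraint error when the existing table already holds two usernames that differ only in letter case, and nothing here says which rows collide — a header comment stating that precondition (and that the operator must merge or rename such accounts before upgrading) would save a confusing failed start. Worth stating in the same header that SQLite's `NOCASE` folds only ASCII A–Z, so usernames containing non-ASCII letters remain case-sensitive, and that because `user` is recreated from this hard-coded column list, any column or index the live table has that is not listed here is silently dropped.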
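Review bot: After this change the `=` on the new `R.findOne` line is case-insensitive only because of the column's collation, which a reader of `auth.js` cannot see, so the line needs a comment such as `// "=" matches case-insensitively here: user.username is COLLATE NOCASE (db/patch-user-username-case-insensitive.sql)`. The same comment should note that `NOCASE` folds only ASCII letters, so a username with non-ASCII characters still has to be typed with its exact case. Any other lookup on `user.username` elsewhere in the server inherits the same behaviour, which is what makes the `UNIQUE` constraint and this login check agree. Dropping the trailing space inside the predicate string is harmless. The body of `exports.login` continues outside the hunk.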
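Review bot: The added entry is the only one in the visible list without a trailing comma, and it is also the only one whose `parents` requirement is not explained; the new SQL recreates `user` with the `twofa_secret`, `twofa_status` and `twofa_last_token` columns hard-coded, which is presumably why the two 2FA patches must have run first. Suggest `"patch-user-username-case-insensitive.sql": { parents: [ "patch-2fa-invalidate-used-token.sql", "patch-2fa.sql" ] }, // recreates user with the twofa_* columns, so the 2FA patches must run first`. The enclosing object literal starts outside the hunk.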