From e28b2f1f422c7d8da12ad50239f289ce4ccdd7e1 Mon Sep 17 00:00:00 2001
From: Julian Rother <julianr@fsmpi.rwth-aachen.de>
Date: Mon, 26 Jul 2021 12:00:30 +0200
Subject: [PATCH] Auto-convert loginnames to lowercase on login and password
 reset

For password reset this prevents circumventing the loginname/email-based
ratelimit.
---
 tests/test_session.py     | 6 ++++++
 uffd/api/views.py         | 2 +-
 uffd/selfservice/views.py | 2 +-
 uffd/session/views.py     | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/tests/test_session.py b/tests/test_session.py
index 7509256b..f99ab1a1 100644
--- a/tests/test_session.py
+++ b/tests/test_session.py
@@ -61,6 +61,12 @@ class TestSession(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertLoggedIn()
 
+	def test_titlecase_password(self):
+		r = self.client.post(path=url_for('session.login'),
+			data={'loginname': self.test_data.get('user').get('loginname').title(), 'password': self.test_data.get('user').get('password')}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertLoggedIn()
+
 	def test_redirect(self):
 		r = self.login_as('user', ref=url_for('test_login_required'))
 		self.assertEqual(r.status_code, 200)
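Review bot: The new test's name, `test_titlecase_password`, does not match what it exercises: it titlecases the loginname and sends the password unchanged, so a reader scanning failures would look in the wrong place; rename it `def test_titlecase_loginname(self):`. The diffstat shows only tests/test_session.py changed, so the equivalent case-folding behaviour added to `checkpassword` in uffd/api/views.py and `forgot_password` in uffd/selfservice/views.py is left untested by this patch. The class `TestSession` starts outside the hunk.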
diff --git a/uffd/api/views.py b/uffd/api/views.py
index ca122186..399ff5d0 100644
--- a/uffd/api/views.py
+++ b/uffd/api/views.py
@@ -79,7 +79,7 @@ def getusers():
 def checkpassword():
 	if set(request.values.keys()) != {'loginname', 'password'}:
 		abort(400)
-	username = request.form['loginname']
+	username = request.form['loginname'].lower()
 	password = request.form['password']
 	login_delay = login_ratelimit.get_delay(username)
 	if login_delay:
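Review bot: The reason the `.lower()` must happen before `login_ratelimit.get_delay(username)` is not recorded at the call site, so a later refactor could move the normalization below the ratelimit lookup and silently reopen the per-loginname bucket to case variants; add `# normalize case before the ratelimit lookup so case variants share one bucket` above the assignment. The same applies to the identical change in `login()` in uffd/session/views.py. `str.lower()` applies only simple case mappings; if loginnames may contain non-ASCII characters, `str.casefold()` is the stricter choice, but I cannot tell from the hunk whether the loginname validation restricts them to ASCII, so confirm against it. The body of `checkpassword` continues outside the hunk.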
diff --git a/uffd/selfservice/views.py b/uffd/selfservice/views.py
index a3279127..605512a7 100644
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -60,7 +60,7 @@ def forgot_password():
 	if request.method == 'GET':
 		return render_template('selfservice/forgot_password.html')
 
-	loginname = request.values['loginname']
+	loginname = request.values['loginname'].lower()
 	mail = request.values['mail']
 	reset_delay = reset_ratelimit.get_delay(loginname+'/'+mail)
 	host_delay = host_ratelimit.get_delay()
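Review bot: Only the loginname half of the reset ratelimit key is normalized; `mail` on the next line is used as-is in `reset_ratelimit.get_delay(loginname+'/'+mail)`, so the commit's stated goal of closing case-variant circumvention of the loginname/email-based ratelimit is only partly met. Normalize the mail part of the key without changing the value used for lookup elsewhere, e.g. `reset_delay = reset_ratelimit.get_delay(loginname+'/'+mail.lower())`, and make sure the corresponding ratelimit logging call, which is outside the hunk, uses the same normalized key. The body of `forgot_password` continues outside the hunk.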
diff --git a/uffd/session/views.py b/uffd/session/views.py
index 964a885b..8d095a2c 100644
--- a/uffd/session/views.py
+++ b/uffd/session/views.py
@@ -81,7 +81,7 @@ def login():
 	if request.method == 'GET':
 		return render_template('session/login.html', ref=request.values.get('ref'))
 
-	username = request.form['loginname']
+	username = request.form['loginname'].lower()
 	password = request.form['password']
 	login_delay = login_ratelimit.get_delay(username)
 	host_delay = host_ratelimit.get_delay()
-- 
GitLab