Auto-convert loginnames to lowercase on login and password reset

For password reset this prevents circumventing the loginname/email-based
ratelimit.

tests/test_session.py

@@ -61,6 +61,12 @@ class TestSession(UffdTestCase):
 		self.assertEqual(r.status_code, 200)
 		self.assertLoggedIn()
 
+	def test_titlecase_password(self):
+		r = self.client.post(path=url_for('session.login'),
+			data={'loginname': self.test_data.get('user').get('loginname').title(), 'password': self.test_data.get('user').get('password')}, follow_redirects=True)
+		self.assertEqual(r.status_code, 200)
+		self.assertLoggedIn()
+
 	def test_redirect(self):
 		r = self.login_as('user', ref=url_for('test_login_required'))
 		self.assertEqual(r.status_code, 200)

uffd/api/views.py

@@ -79,7 +79,7 @@ def getusers():
 def checkpassword():
 	if set(request.values.keys()) != {'loginname', 'password'}:
 		abort(400)
-	username = request.form['loginname']
+	username = request.form['loginname'].lower()
 	password = request.form['password']
 	login_delay = login_ratelimit.get_delay(username)
 	if login_delay:

uffd/selfservice/views.py

@@ -60,7 +60,7 @@ def forgot_password():
 	if request.method == 'GET':
 		return render_template('selfservice/forgot_password.html')
 
-	loginname = request.values['loginname']
+	loginname = request.values['loginname'].lower()
 	mail = request.values['mail']
 	reset_delay = reset_ratelimit.get_delay(loginname+'/'+mail)
 	host_delay = host_ratelimit.get_delay()

uffd/session/views.py

@@ -81,7 +81,7 @@ def login():
 	if request.method == 'GET':
 		return render_template('session/login.html', ref=request.values.get('ref'))
 
-	username = request.form['loginname']
+	username = request.form['loginname'].lower()
 	password = request.form['password']
 	login_delay = login_ratelimit.get_delay(username)
 	host_delay = host_ratelimit.get_delay()