stephenmcd / mezzanine

CMS framework for Django

Home Page:http://mezzanine.jupo.org

[BUG] accounts - username/email is not treated case insensitive

molokov opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing Issues

Current Behavior

For accounts, usernames and email addresses are matched case-sensitively, which means the following:

a) Two accounts can be signed up for using the same email address but different case.

NOTE: Usernames are checked as case insensitive, so you can't create two accounts with the same username but different case ( https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L151-L156 )

b) When logging in using a username/email which doesn't match the case of an account, an error of "Invalid username/email and password" is given.
c) When attempting to reset a password via username/email which doesn't match the case of the account, an error of "Invalid username/email" is given.

This has tripped up many users of my website, because they've not used all lowercase on their email addresses when signing up, and had forgotten their usernames for password reset or login. So of course, they attempted with email address and discovered that they couldn't get in that way either (because the case of the email wasn't an exact match).

Given that email addresses are case insensitive, so should our use/authentication of them be here. We also disallow two usernames of different case when creating an account, but the username for login/password reset is case sensitive, which isn't consistent.

Expected Behavior

Username and Email matching should be case insensitive for user accounts.

Steps To Reproduce

A) Sign up for two accounts with the same email address, just different case. This succeeds and two accounts are created. Expected error: "This email is already registered".

B) Log in to an account using a username or email with different case to the one registered. This should succeed.

C) Reset password on an account using a username or email with different case to the one registered. This should succeed.

Environment

- Operating System: Ubuntu 22.04
- Python version: 3.10.12
- Django version: 4.2.8
- Database engine and version: SQLite 3.37.2
- Mezzanine version: 6.0.0 (master)

Anything else?

Should be a fairly simple fix - instead of

username_or_email = Q(username=username) | Q(email=username)

we should use

username_or_email = Q(username__iexact=username) | Q(email__iexact=username)

This line appears at https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L264
and https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/core/auth_backends.py#L28

For signup, the line to fix would be: https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L184 for email addresses.

Note that usernames are checked case insensitive when signing up at https://github.com/stephenmcd/mezzanine/blob/master/mezzanine/accounts/forms.py#L151-L156 so this should likely apply to usernames as well.

I'll make a fix on my fork and see if I can raise a pull request.

Can I work on this?

Hi Goutham, I already have a pull request open on this with the solution, see above.