
Caseinsensitive Login

Open neos-bot opened this issue 11 years ago • 3 comments

Jira issue originally created by user @daniellienert:

Username is currently "Foo". Login is possible with "foo".

Imho Username needs exact match.

Created from Forge Issue: https://forge.typo3.org/issues/58733

Jira-URL: https://jira.neos.io/browse/NEOS-458

neos-bot, Oct 01 '14 12:10

The origin for this behaviour seems to be the database.

The default database is created case-insensitive:

CREATE DATABASE `db` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

The parameter '$username' is transferred correctly to every step - but when looking up the account: https://github.com/neos/flow-development-collection/blob/25f0b6abba5d45e1376fdfa05c5b7589e2bc3a54/Neos.Flow/Classes/Security/AccountRepository.php#L87

the database returns a case-insensitive result:

22-07-18 13:26:11 2156       DEBUG     Neos.Flow

SELECT [...] FROM neos_flow_security_account n0_ WHERE n0_.accountidentifier = ? AND n0_.authenticationprovidername = ? [...] LIMIT 1

    [array] => 
        params:
        [array] => 
            0:
            [string] => AdMin
            1:
            [string] => Neos.Neos:Backend
            2:
            [object] => [DateTime]:

I was for a second confused about the third argument to $query->equals, which is bool $caseSensitive = true by default - but setting it to false looks like:

WHERE LOWER(n0_.accountidentifier) = ?
    [array] => 
        params:
        [array] => 
            0:
            [string] => admin
            1:
            [string] => Neos.Neos:Backend
            2:
            [object] => [DateTime]:

On my system I also cannot create a user called admin and AdMin:

The username "AdMin" is already in use

Btw, this seems to be a Flow problem - as Neos only uses the Flow PersistedUsernamePasswordProvider - so I will transfer it to Flow...

mhsdesign, Jul 18 '22 11:07

Yeah, tricky issue. The collation really only drives query behavior, so indeed the query will happen case insensitive; the stored data should still be correctly cased though, as the collation should not influence what is actually written (and it should return from the DB correctly cased). So we might only have to adjust the collation if we actually want case sensitive user names (I see certain problems with duplication and "fake" account names à la lOp vs I0p, but I am not against making it case sensitive).

kitsunet, Jul 18 '22 13:07

Yes, I can confirm that the usernames are stored case sensitive.

mhsdesign, Jul 18 '22 13:07
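The three observations in this thread (the lookup matches regardless of case, a differently cased duplicate is rejected, the stored value keeps its casing), reproduced as an added example that is not part of the issue or of Flow's code. It assumes SQLite's NOCASE collation as a stand-in for MySQL's utf8mb4_unicode_ci, and uses a simplified, hypothetical `account` table; `exact=True` shows a per-query binary comparison that enforces an exact match.

```python
import sqlite3

# Assumption: SQLite's NOCASE collation stands in for MySQL's utf8mb4_unicode_ci
# (NOCASE folds ASCII only). The table is a simplified, hypothetical schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE account ("
        " accountidentifier TEXT COLLATE NOCASE,"
        " authenticationprovidername TEXT,"
        " UNIQUE (accountidentifier, authenticationprovidername))"
    )
    # Constructed sample row, using the values from the log excerpt above.
    db.execute("INSERT INTO account VALUES (?, ?)", ("AdMin", "Neos.Neos:Backend"))
    return db

def find_account(db, username, provider, exact=False):
    """Return the stored identifier, or None if no row matches.

    exact=True overrides the column collation with a byte-wise comparison.
    Only a fixed SQL fragment is interpolated; user input stays parameterized.
    """
    collate = " COLLATE BINARY" if exact else ""
    row = db.execute(
        "SELECT accountidentifier FROM account"
        f" WHERE accountidentifier = ?{collate}"
        " AND authenticationprovidername = ? LIMIT 1",
        (username, provider),
    ).fetchone()
    return row[0] if row else None

def can_create(db, username, provider):
    """True if the unique index accepts the new identifier."""
    try:
        db.execute("INSERT INTO account VALUES (?, ?)", (username, provider))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = make_db()
    provider = "Neos.Neos:Backend"
    print(find_account(db, "admin", provider))              # collation decides the match
    print(find_account(db, "admin", provider, exact=True))  # exact match required
    print(find_account(db, "AdMin", provider, exact=True))  # stored casing is preserved
    print(can_create(db, "admin", provider))                # duplicate under the collation
```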