[#6337] added support for case-insensitive password auth

2025-01-26 12:24:16 +02:00
parent c101798516
commit 33340a6977
13 changed files with 412 additions and 39 deletions
--- a/apis/record_auth_with_oauth2.go
+++ b/apis/record_auth_with_oauth2.go
@@ -8,6 +8,7 @@ import (
 	"log/slog"
 	"maps"
 	"net/http"
+	"strings"
 	"time"

 	validation "github.com/go-ozzo/ozzo-validation/v4"
@@ -194,10 +195,20 @@ func (form *recordOAuth2LoginForm) checkProviderName(value any) error {

 func oldCanAssignUsername(txApp core.App, collection *core.Collection, username string) bool {
 	// ensure that username is unique
-	checkUnique := dbutils.HasSingleColumnUniqueIndex(collection.OAuth2.MappedFields.Username, collection.Indexes)
-	if checkUnique {
-		if _, err := txApp.FindFirstRecordByData(collection, collection.OAuth2.MappedFields.Username, username); err == nil {
-			return false // already exist
+	index, hasUniqueue := dbutils.FindSingleColumnUniqueIndex(collection.Indexes, collection.OAuth2.MappedFields.Username)
+	if hasUniqueue {
+		var expr dbx.Expression
+		if strings.EqualFold(index.Columns[0].Collate, "nocase") {
+			// case-insensitive search
+			expr = dbx.NewExp("username = {:username} COLLATE NOCASE", dbx.Params{"username": username})
+		} else {
+			expr = dbx.HashExp{"username": username}
+		}
+
+		var exists int
+		_ = txApp.RecordQuery(collection).Select("(1)").AndWhere(expr).Limit(1).Row(&exists)
+		if exists > 0 {
+			return false
 		}
 	}

--- a/apis/record_auth_with_oauth2_test.go
+++ b/apis/record_auth_with_oauth2_test.go
@@ -14,6 +14,7 @@ import (
 	"github.com/pocketbase/pocketbase/core"
 	"github.com/pocketbase/pocketbase/tests"
 	"github.com/pocketbase/pocketbase/tools/auth"
+	"github.com/pocketbase/pocketbase/tools/dbutils"
 	"golang.org/x/oauth2"
 )

@@ -1210,7 +1211,7 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 			},
 		},
 		{
-			Name:   "creating user (with mapped OAuth2 fields and avatarURL->non-file field)",
+			Name:   "creating user (with mapped OAuth2 fields, case-sensitive username and avatarURL->non-file field)",
 			Method: http.MethodPost,
 			URL:    "/api/collections/users/auth-with-oauth2",
 			Body: strings.NewReader(`{
@@ -1230,7 +1231,7 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 						AuthUser: &auth.AuthUser{
 							Id:        "oauth2_id",
 							Email:     "oauth2@example.com",
-							Username:  "oauth2_username",
+							Username:  "tESt2_username", // wouldn't match with existing because the related field index is case-sensitive
 							Name:      "oauth2_name",
 							AvatarURL: server.URL + "/oauth2_avatar.png",
 						},
@@ -1258,7 +1259,7 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 			ExpectedContent: []string{
 				`"email":"oauth2@example.com"`,
 				`"emailVisibility":false`,
-				`"username":"oauth2_username"`,
+				`"username":"tESt2_username"`,
 				`"name":"http://127.`,
 				`"verified":true`,
 				`"avatar":""`,
@@ -1294,7 +1295,7 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 			},
 		},
 		{
-			Name:   "creating user (with mapped OAuth2 fields and duplicated username)",
+			Name:   "creating user (with mapped OAuth2 fields and duplicated case-insensitive username)",
 			Method: http.MethodPost,
 			URL:    "/api/collections/users/auth-with-oauth2",
 			Body: strings.NewReader(`{
@@ -1314,13 +1315,21 @@ func TestRecordAuthWithOAuth2(t *testing.T) {
 						AuthUser: &auth.AuthUser{
 							Id:       "oauth2_id",
 							Email:    "oauth2@example.com",
-							Username: "test2_username",
+							Username: "tESt2_username",
 							Name:     "oauth2_name",
 						},
 						Token: &oauth2.Token{AccessToken: "abc"},
 					}
 				}

+				// make the username index case-insensitive to ensure that case-insensitive match is used
+				index, ok := dbutils.FindSingleColumnUniqueIndex(usersCol.Indexes, "username")
+				if ok {
+					index.Columns[0].Collate = "nocase"
+					usersCol.RemoveIndex(index.IndexName)
+					usersCol.Indexes = append(usersCol.Indexes, index.Build())
+				}
+
 				// add the test provider in the collection
 				usersCol.MFA.Enabled = false
 				usersCol.OAuth2.Enabled = true
--- a/apis/record_auth_with_password.go
+++ b/apis/record_auth_with_password.go
@@ -3,10 +3,14 @@ package apis
 import (
 	"database/sql"
 	"errors"
+	"slices"
+	"strings"

 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/go-ozzo/ozzo-validation/v4/is"
+	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tools/dbutils"
 	"github.com/pocketbase/pocketbase/tools/list"
 )

@@ -32,12 +36,12 @@ func recordAuthWithPassword(e *core.RequestEvent) error {
 	var foundErr error

 	if form.IdentityField != "" {
-		foundRecord, foundErr = e.App.FindFirstRecordByData(collection.Id, form.IdentityField, form.Identity)
+		foundRecord, foundErr = findRecordByIdentityField(e.App, collection, form.IdentityField, form.Identity)
 	} else {
 		// prioritize email lookup
 		isEmail := is.EmailFormat.Validate(form.Identity) == nil
 		if isEmail && list.ExistInSlice(core.FieldNameEmail, collection.PasswordAuth.IdentityFields) {
-			foundRecord, foundErr = e.App.FindAuthRecordByEmail(collection.Id, form.Identity)
+			foundRecord, foundErr = findRecordByIdentityField(e.App, collection, core.FieldNameEmail, form.Identity)
 		}

 		// search by the other identity fields
@@ -47,7 +51,7 @@ func recordAuthWithPassword(e *core.RequestEvent) error {
 					continue // no need to search by the email field if it is not an email
 				}

-				foundRecord, foundErr = e.App.FindFirstRecordByData(collection.Id, name, form.Identity)
+				foundRecord, foundErr = findRecordByIdentityField(e.App, collection, name, form.Identity)
 				if foundErr == nil {
 					break
 				}
@@ -95,3 +99,31 @@ func (form *authWithPasswordForm) validate(collection *core.Collection) error {
 		validation.Field(&form.IdentityField, validation.In(list.ToInterfaceSlice(collection.PasswordAuth.IdentityFields)...)),
 	)
 }
+
+func findRecordByIdentityField(app core.App, collection *core.Collection, field string, value any) (*core.Record, error) {
+	if !slices.Contains(collection.PasswordAuth.IdentityFields, field) {
+		return nil, errors.New("invalid identity field " + field)
+	}
+
+	index, ok := dbutils.FindSingleColumnUniqueIndex(collection.Indexes, field)
+	if !ok {
+		return nil, errors.New("missing " + field + " unique index constraint")
+	}
+
+	var expr dbx.Expression
+	if strings.EqualFold(index.Columns[0].Collate, "nocase") {
+		// case-insensitive search
+		expr = dbx.NewExp("[["+field+"]] = {:identity} COLLATE NOCASE", dbx.Params{"identity": value})
+	} else {
+		expr = dbx.HashExp{field: value}
+	}
+
+	record := &core.Record{}
+
+	err := app.RecordQuery(collection).AndWhere(expr).Limit(1).One(record)
+	if err != nil {
+		return nil, err
+	}
+
+	return record, nil
+}
--- a/apis/record_auth_with_password_test.go
+++ b/apis/record_auth_with_password_test.go
@@ -8,11 +8,38 @@ import (

 	"github.com/pocketbase/pocketbase/core"
 	"github.com/pocketbase/pocketbase/tests"
+	"github.com/pocketbase/pocketbase/tools/dbutils"
 )

 func TestRecordAuthWithPassword(t *testing.T) {
 	t.Parallel()

+	updateIdentityIndex := func(collectionIdOrName string, fieldCollateMap map[string]string) func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+		return func(t testing.TB, app *tests.TestApp, e *core.ServeEvent) {
+			collection, err := app.FindCollectionByNameOrId("clients")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			for column, collate := range fieldCollateMap {
+				index, ok := dbutils.FindSingleColumnUniqueIndex(collection.Indexes, column)
+				if !ok {
+					t.Fatalf("Missing unique identityField index for column %q", column)
+				}
+
+				index.Columns[0].Collate = collate
+
+				collection.RemoveIndex(index.IndexName)
+				collection.Indexes = append(collection.Indexes, index.Build())
+			}
+
+			err = app.Save(collection)
+			if err != nil {
+				t.Fatalf("Failed to update identityField index: %v", err)
+			}
+		}
+	}
+
 	scenarios := []tests.ApiScenario{
 		{
 			Name:            "disabled password auth",
@@ -164,6 +191,22 @@ func TestRecordAuthWithPassword(t *testing.T) {
 				"OnMailerRecordAuthAlertSend": 1,
 			},
 		},
+		{
+			Name:   "unknown explicit identityField",
+			Method: http.MethodPost,
+			URL:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identityField": "created",
+				"identity":"test@example.com",
+				"password":"1234567890"
+			}`),
+			ExpectedStatus: 400,
+			ExpectedContent: []string{
+				`"data":{`,
+				`"identityField":{"code":"validation_in_invalid"`,
+			},
+			ExpectedEvents: map[string]int{"*": 0},
+		},
 		{
 			Name:   "valid identity field and valid password with mismatched explicit identityField",
 			Method: http.MethodPost,
@@ -440,6 +483,141 @@ func TestRecordAuthWithPassword(t *testing.T) {
 			},
 		},

+		// case sensitivity checks
+		// -----------------------------------------------------------
+		{
+			Name:   "with explicit identityField (case-sensitive)",
+			Method: http.MethodPost,
+			URL:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identityField": "username",
+				"identity":"Clients57772",
+				"password":"1234567890"
+			}`),
+			BeforeTestFunc:  updateIdentityIndex("clients", map[string]string{"username": ""}),
+			ExpectedStatus:  400,
+			ExpectedContent: []string{`"data":{}`},
+			ExpectedEvents: map[string]int{
+				"*":                               0,
+				"OnRecordAuthWithPasswordRequest": 1,
+			},
+		},
+		{
+			Name:   "with explicit identityField (case-insensitive)",
+			Method: http.MethodPost,
+			URL:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identityField": "username",
+				"identity":"Clients57772",
+				"password":"1234567890"
+			}`),
+			BeforeTestFunc: updateIdentityIndex("clients", map[string]string{"username": "nocase"}),
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"email":"test@example.com"`,
+				`"username":"clients57772"`,
+				`"token":`,
+			},
+			NotExpectedContent: []string{
+				// hidden fields
+				`"tokenKey"`,
+				`"password"`,
+			},
+			ExpectedEvents: map[string]int{
+				"*":                               0,
+				"OnRecordAuthWithPasswordRequest": 1,
+				"OnRecordAuthRequest":             1,
+				"OnRecordEnrich":                  1,
+				// authOrigin track
+				"OnModelCreate":               1,
+				"OnModelCreateExecute":        1,
+				"OnModelAfterCreateSuccess":   1,
+				"OnModelValidate":             1,
+				"OnRecordCreate":              1,
+				"OnRecordCreateExecute":       1,
+				"OnRecordAfterCreateSuccess":  1,
+				"OnRecordValidate":            1,
+				"OnMailerSend":                1,
+				"OnMailerRecordAuthAlertSend": 1,
+			},
+		},
+		{
+			Name:   "without explicit identityField and non-email field (case-insensitive)",
+			Method: http.MethodPost,
+			URL:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identity":"Clients57772",
+				"password":"1234567890"
+			}`),
+			BeforeTestFunc: updateIdentityIndex("clients", map[string]string{"username": "nocase"}),
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"email":"test@example.com"`,
+				`"username":"clients57772"`,
+				`"token":`,
+			},
+			NotExpectedContent: []string{
+				// hidden fields
+				`"tokenKey"`,
+				`"password"`,
+			},
+			ExpectedEvents: map[string]int{
+				"*":                               0,
+				"OnRecordAuthWithPasswordRequest": 1,
+				"OnRecordAuthRequest":             1,
+				"OnRecordEnrich":                  1,
+				// authOrigin track
+				"OnModelCreate":               1,
+				"OnModelCreateExecute":        1,
+				"OnModelAfterCreateSuccess":   1,
+				"OnModelValidate":             1,
+				"OnRecordCreate":              1,
+				"OnRecordCreateExecute":       1,
+				"OnRecordAfterCreateSuccess":  1,
+				"OnRecordValidate":            1,
+				"OnMailerSend":                1,
+				"OnMailerRecordAuthAlertSend": 1,
+			},
+		},
+		{
+			Name:   "without explicit identityField and email field (case-insensitive)",
+			Method: http.MethodPost,
+			URL:    "/api/collections/clients/auth-with-password",
+			Body: strings.NewReader(`{
+				"identity":"tESt@example.com",
+				"password":"1234567890"
+			}`),
+			BeforeTestFunc: updateIdentityIndex("clients", map[string]string{"email": "nocase"}),
+			ExpectedStatus: 200,
+			ExpectedContent: []string{
+				`"email":"test@example.com"`,
+				`"username":"clients57772"`,
+				`"token":`,
+			},
+			NotExpectedContent: []string{
+				// hidden fields
+				`"tokenKey"`,
+				`"password"`,
+			},
+			ExpectedEvents: map[string]int{
+				"*":                               0,
+				"OnRecordAuthWithPasswordRequest": 1,
+				"OnRecordAuthRequest":             1,
+				"OnRecordEnrich":                  1,
+				// authOrigin track
+				"OnModelCreate":               1,
+				"OnModelCreateExecute":        1,
+				"OnModelAfterCreateSuccess":   1,
+				"OnModelValidate":             1,
+				"OnRecordCreate":              1,
+				"OnRecordCreateExecute":       1,
+				"OnRecordAfterCreateSuccess":  1,
+				"OnRecordValidate":            1,
+				"OnMailerSend":                1,
+				"OnMailerRecordAuthAlertSend": 1,
+			},
+		},
+
 		// rate limit checks
 		// -----------------------------------------------------------
 		{