Lowercase username

There is a weird bug that I discovered in which the system is neither crashing nor logging in properly when I either register or log in with mixed case for user login accounts. I’m not sure of the reason but I assume that everyone here doesn’t want ThisLogin to be different from thislogin and so my suggestion is to use lowercase on all the signup / login endpoints by default (all transitions, REST, etc.).

This bug was detected specifically because in iOS apps, the first letter is always capitalized which exposed this anomaly. WDYT?


Yes, we have seen this problem. Actually, looking at the code, this is not the intended behavior, as Moqui ensures uniqueness of the username and emailAddress fields in UserAccount, and even does a case-insensitive search in the MoquiShiroRealm code for login. The login actually succeeds, but the username recorded in the session (as handled by Shiro) is the original username of the request (which does not match the username in the DB using case-sensitive search) and this makes the authentication fail after the redirection of the successful login.
So, my thought is that the case-insensitive search should be done before calling Apache Shiro methods, so the username recorded will be the case-sensitively correct one.

Actually, I have created a PR that makes the second lookup use ignoreCase for the username field, which works: Handle usernames with different casing in session data by jenshp · Pull Request #576 · moqui/moqui-framework · GitHub
There is also some code where the initial login would support the email address instead of the username, which still fails.
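The failure described in the reply above, as an added example that is not part of the original posts and is not Moqui or Apache Shiro code: a self-contained model in which login matches case-insensitively but the later session check is case-sensitive, alongside the variant that records the stored casing in the session. The class, the method names and the sample account are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the flow discussed in this thread. None of these
// names are Moqui or Apache Shiro APIs.
public class UsernameCaseDemo {
    // Stands in for the UserAccount table: stored username -> password.
    // Constructed sample data; a real system stores a salted hash instead.
    static final Map<String, String> USERS = new HashMap<>();

    // Case-insensitive lookup, as done for the initial login check.
    static String findIgnoreCase(String name) {
        for (String stored : USERS.keySet()) {
            if (stored.equalsIgnoreCase(name)) return stored;
        }
        return null;
    }

    // Registration keeps usernames unique regardless of casing, so
    // "ThisLogin" cannot be created next to "thislogin".
    static boolean register(String name, String password) {
        if (findIgnoreCase(name) != null) return false;
        USERS.put(name, password);
        return true;
    }

    // Returns the username to record in the session, or null on failure.
    // useStoredCasing=false records the request's casing (the reported bug);
    // useStoredCasing=true records the casing held in the user store.
    static String login(String requested, String password, boolean useStoredCasing) {
        String stored = findIgnoreCase(requested);
        if (stored == null || !USERS.get(stored).equals(password)) return null;
        return useStoredCasing ? stored : requested;
    }

    // Check made on the request after the redirect: an exact, case-sensitive
    // lookup of the username recorded in the session.
    static boolean sessionResolves(String sessionName) {
        return sessionName != null && USERS.containsKey(sessionName);
    }

    public static void main(String[] args) {
        register("thislogin", "s3cret");
        System.out.println("duplicate accepted: " + register("ThisLogin", "other"));
        String requestCasing = login("ThisLogin", "s3cret", false);
        String storedCasing = login("ThisLogin", "s3cret", true);
        System.out.println("request casing resolves: " + sessionResolves(requestCasing));
        System.out.println("stored casing resolves: " + sessionResolves(storedCasing));
    }
}
```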


The fix makes sense, so instead of lowercasing you simply ignore the case upon login and hence preserve the way the user stored their credentials. I hope this gets merged, but meanwhile I will add this as a patch on our system.


Thank you @jenshp for the PR and for the explanation here. It looks good and is now merged.