fix(login): remove normalization to prevent username enumeration

# Which Problems Are Solved

The username entered by the user was replaced by the stored user's username. This made it possible to enumerate usernames, since unknown usernames were not normalized.

# How the Problems Are Solved

- Store and display the username as entered by the user.
- Removed the part where the loginname was always set to the user's loginname when retrieving the `nextSteps`

# Additional Changes

None

# Additional Context

None

(cherry picked from commit 14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c)
Livio Spring 2025-03-31 12:44:49 +02:00
parent 11facd7e6f
commit ae1e86ed9a


@ -789,7 +789,7 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
}
// if there's an active (human) user, let's use it
if user != nil && !user.HumanView.IsZero() && domain.UserState(user.State).IsEnabled() {
request.SetUserInfo(user.ID, loginNameInput, user.PreferredLoginName, "", "", user.ResourceOwner)
request.SetUserInfo(user.ID, loginNameInput, preferredLoginName, "", "", user.ResourceOwner)
return nil
}
// the user was either not found or not active
@ -1055,9 +1055,6 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
if err != nil {
return nil, err
}
if user.PreferredLoginName != "" {
request.LoginName = user.PreferredLoginName
}
userSession, err := userSessionByIDs(ctx, repo.UserSessionViewProvider, repo.UserEventProvider, request.AgentID, user)
if err != nil {
return nil, err
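Review bot: The new `preferredLoginName` argument in the SetUserInfo call of checkLoginName is declared outside the hunk, so it is not visible here whether it is derived only from the entered value or from a lookup whose result could still differ between existing and unknown users; the intent deserves a comment at the call site, e.g. `// keep the login name as entered: using the stored PreferredLoginName would reveal whether the user exists`. The removal in nextSteps (second hunk) means `request.LoginName` now carries the user-entered value through the remaining steps; if any later step compares it against the stored login name (the userSessionByIDs call on the following line takes `user`, not the name, so it looks unaffected, but other consumers are not visible here), that comparison may now see un-normalized input and should be checked. Both enclosing functions begin before their hunks.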