From d00a47c6f8fe5ec65d02cf3de9af3c0b726dd521 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Mon, 31 Mar 2025 12:44:49 +0200
Subject: [PATCH] fix(login): remove normalization to prevent username enumeration
# Which Problems Are Solved
The username entered by the user was resp. replaced by the stored user's username. This provided a possibility to enumerate usernames as unknown usernames were not normalized.
# How the Problems Are Solved
- Store and display the username as entered by the user.
- Removed the part where the loginname was always set to the user's loginname when retrieving the `nextSteps`
# Additional Changes
None
# Additional Context
None
(cherry picked from commit 14de8ecac2afafee4975ed7ac26f3ca4a2b0f82c)
---
 .../auth/repository/eventsourcing/eventstore/auth_request.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
index 60486b66f9..8428e0fb49 100644
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -789,7 +789,7 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
 }
 // if there's an active (human) user, let's use it
 if user != nil && !user.HumanView.IsZero() && domain.UserState(user.State).IsEnabled() {
- request.SetUserInfo(user.ID, loginNameInput, user.PreferredLoginName, "", "", user.ResourceOwner)
+ request.SetUserInfo(user.ID, loginNameInput, preferredLoginName, "", "", user.ResourceOwner)
 return nil
 }
 // the user was either not found or not active
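Review bot: The fix rests on `preferredLoginName`, which is declared before this hunk, so the `SetUserInfo` call site gives no hint that it must not fall back to the stored `user.PreferredLoginName`; a one-line comment above the call would protect the fix from a later "cleanup": `// keep the login name as entered; echoing user.PreferredLoginName reveals whether the account exists`. The not-found/inactive path that follows the hunk should expose the same echoed value (and, where feasible, a comparable response time), since any observable difference there would reopen the enumeration channel this commit closes; that path is outside the hunk, so this is inferred rather than seen. checkLoginName's body starts and ends outside the hunk.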
@@ -1054,9 +1054,6 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
 if err != nil {
 return nil, err
 }
- if user.PreferredLoginName != "" {
- request.LoginName = user.PreferredLoginName
- }
 userSession, err := userSessionByIDs(ctx, repo.UserSessionViewProvider, repo.UserEventProvider, request.AgentID, user)
 if err != nil {
 return nil, err