Force lower case on username comparisons

I made some poor assumptions about case-sensitivity in relation to the Mastodon accounts table. The username comparison is now forced to lower case in the select statement, and we no longer trust that we're getting lower case from the ejabberd end, either. This should eliminate the issue of some users being unable to authenticate.
Mike Barnes 2020-09-21 13:28:38 +00:00
parent 7f69c4a177
commit d232855057


@ -12,7 +12,7 @@ db_name="mastodon"
# This is the query that pulls the password hash for the given user. Mastodon doesn't store the domain for local accounts in # This is the query that pulls the password hash for the given user. Mastodon doesn't store the domain for local accounts in
# the database, so we ignore the host component and try to match username where the domain is NULL. # the database, so we ignore the host component and try to match username where the domain is NULL.
db_query_getpass="select users.encrypted_password as password from accounts inner join users on accounts.id=users.account_id where accounts.username = %(user)s and accounts.domain is null" db_query_getpass="select users.encrypted_password as password from accounts inner join users on accounts.id=users.account_id where lower(accounts.username) = %(user)s and accounts.domain is null"
######################################################################## ########################################################################
#Setup #Setup
@ -97,7 +97,7 @@ def get_password(user, host):
# Right now we ignore the host component, as Mastodon doesn't store it for local accounts. # Right now we ignore the host component, as Mastodon doesn't store it for local accounts.
# It may be required one day, so the code to handle passing it to the query is left in for now. # It may be required one day, so the code to handle passing it to the query is left in for now.
cursor = database.cursor() cursor = database.cursor()
cursor.execute(db_query_getpass, {"user": user, "host": host}) cursor.execute(db_query_getpass, {"user": user.lower(), "host": host})
data = cursor.fetchone() data = cursor.fetchone()
cursor.close() cursor.close()
return data[0] if data != None else None return data[0] if data != None else None
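Review bot: The query in `db_query_getpass` still returns a hash for every local account whose username matches, with no condition on account state, so a user disabled or suspended on the Mastodon side would presumably still pass XMPP authentication. If the schema in use exposes state columns (for example `users.disabled` or `accounts.suspended_at`; confirm against the deployed Mastodon version), add them to the `where` clause. The case fold is also now done by two implementations, Python's `user.lower()` and PostgreSQL's `lower()`, which can disagree on non-ASCII input; folding both sides in SQL, `where lower(accounts.username) = lower(%(user)s)`, keeps a single definition of "same username". `get_password` begins above the second hunk, so only its tail is reviewed here; `data != None` on its last line would read better as `data is not None`.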