Treat fediverse usernames as case-insensitive (#2155)

* treat fediverse usernames as case-insensitive for auth * add test for case insensitive, clean up duplicate import in federverse auth controller * fix test, there was an issue with state when all the tests were run
3 years ago · e20985ecb4
3 changed files with 22 additions and 4 deletions
--- a/auth/fediverse/fediverse.go
+++ b/auth/fediverse/fediverse.go
@ -3,6 +3,7 @@ package fediverse
				@@ -3,6 +3,7 @@ package fediverse
 import (
 	"crypto/rand"
 	"io"
+	"strings"
 	"time"
 )

@ -37,7 +38,7 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
				@@ -37,7 +38,7 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
 		Code:            code,
 		UserID:          userID,
 		UserDisplayName: userDisplayName,
-		Account:         account,
+		Account:         strings.ToLower(account),
 		Timestamp:       time.Now(),
 	}
 	pendingAuthRequests[accessToken] = r
--- a/auth/fediverse/fediverse_test.go
+++ b/auth/fediverse/fediverse_test.go
@ -1,6 +1,9 @@
				@@ -1,6 +1,9 @@
 package fediverse

-import "testing"
+import (
+	"strings"
+	"testing"
+)

 const (
 	accessToken     = "fake-access-token"
@ -58,3 +61,18 @@ func TestSingleOTPFlowRequest(t *testing.T) {
				@@ -58,3 +61,18 @@ func TestSingleOTPFlowRequest(t *testing.T) {
 		t.Error("Second registration should not be permitted.")
 	}
 }
+
+func TestAccountCaseInsensitive(t *testing.T) {
+	account := "Account"
+	accessToken := "another-fake-access-token"
+	r1, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+	_, reg1 := ValidateFediverseOTP(accessToken, r1.Code)
+
+	// Simulate second auth with account in different case
+	r2, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, strings.ToUpper(account))
+	_, reg2 := ValidateFediverseOTP(accessToken, r2.Code)
+
+	if reg1.Account != reg2.Account {
+		t.Errorf("Account names should be case-insensitive: %s %s", reg1.Account, reg2.Account)
+	}
+}
--- a/controllers/auth/fediverse/fediverse.go
+++ b/controllers/auth/fediverse/fediverse.go
@ -7,7 +7,6 @@ import (
				@@ -7,7 +7,6 @@ import (

 	"github.com/owncast/owncast/activitypub"
 	"github.com/owncast/owncast/auth"
-	"github.com/owncast/owncast/auth/fediverse"
 	fediverseauth "github.com/owncast/owncast/auth/fediverse"
 	"github.com/owncast/owncast/controllers"
 	"github.com/owncast/owncast/core/chat"
@ -57,7 +56,7 @@ func VerifyFediverseOTPRequest(w http.ResponseWriter, r *http.Request) {
				@@ -57,7 +56,7 @@ func VerifyFediverseOTPRequest(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	accessToken := r.URL.Query().Get("accessToken")
-	valid, authRegistration := fediverse.ValidateFediverseOTP(accessToken, req.Code)
+	valid, authRegistration := fediverseauth.ValidateFediverseOTP(accessToken, req.Code)
 	if !valid {
 		w.WriteHeader(http.StatusForbidden)
 		return