fix: harden tubco login matching

2026-04-08 13:52:00 +02:00
parent b60d9eaeb7
commit 5b1fd6dc14
2 changed files with 29 additions and 1 deletions
--- a/backend/workflows/forms.py
+++ b/backend/workflows/forms.py
@@ -135,6 +135,8 @@ class AppLoginForm(forms.Form):
            auth_username = login_value
            user_model = get_user_model()
            matched_user = user_model.objects.filter(email__iexact=login_value).first()
+            if matched_user is None:
+                matched_user = user_model.objects.filter(username__iexact=login_value).first()
            if matched_user:
                auth_username = matched_user.username
            self.user_cache = authenticate(self.request, username=auth_username, password=password)
@@ -494,7 +496,7 @@ class UserManagementCreateForm(forms.Form):
    def clean_username(self):
        username = (self.cleaned_data.get('username') or '').strip()
        user_model = get_user_model()
-        if user_model.objects.filter(username=username).exists():
+        if user_model.objects.filter(username__iexact=username).exists():
            raise forms.ValidationError(_('Dieser Benutzername ist bereits vergeben.'))
        return username

--- a/backend/workflows/tests/test_account_ui.py
+++ b/backend/workflows/tests/test_account_ui.py
@@ -2,6 +2,7 @@ from django.contrib.auth import get_user_model
 from django.test import Client, TestCase
 from django.utils import timezone

+from workflows.forms import UserManagementCreateForm
 from workflows.models import UserProfile
 from workflows.roles import ROLE_PLATFORM_OWNER, assign_user_role
 from workflows.totp import generate_totp_token
@@ -194,3 +195,28 @@ class AccountUISmokeTests(TestCase):
        )

        self.assertEqual(response.status_code, 302)
+
+    def test_login_accepts_username_case_insensitively(self):
+        client = Client()
+
+        response = client.post(
+            '/accounts/login/',
+            {'username': 'PROFILE-USER', 'password': 'secret-12345'},
+            HTTP_HOST='localhost',
+        )
+
+        self.assertEqual(response.status_code, 302)
+
+    def test_user_management_create_form_rejects_case_insensitive_username_duplicate(self):
+        form = UserManagementCreateForm(
+            data={
+                'first_name': 'Another',
+                'last_name': 'User',
+                'username': 'PROFILE-USER',
+                'email': 'another@example.com',
+                'role_key': 'staff',
+            }
+        )
+
+        self.assertFalse(form.is_valid())
+        self.assertIn('username', form.errors)