From 7af8744c856545f62a2f24fd1a700f40b90b8e37 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Thu, 11 Feb 2021 09:57:57 +0300
Subject: authentication: make logins case-insensitive (force lowercase)
---
 classes/pref/users.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'classes/pref/users.php')
diff --git a/classes/pref/users.php b/classes/pref/users.php
index f6acc0d20..45c4b82b8 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -206,7 +206,7 @@ class Pref_Users extends Handler_Protected {
 $pass_query_part = "";
 }
- $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = ?,
+ $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = LOWER(?),
 access_level = ?, email = ?, otp_enabled = false WHERE id = ?");
 $sth->execute([$login, $access_level, $email, $uid]);
@@ -238,18 +238,18 @@ class Pref_Users extends Handler_Protected {
 if (!$login) return; // no blank usernames
 $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
- login = ?");
+ LOWER(login) = LOWER(?)");
 $sth->execute([$login]);
 if (!$sth->fetch()) {
 $sth = $this->pdo->prepare("INSERT INTO ttrss_users (login,pwd_hash,access_level,last_login,created, salt)
- VALUES (?, ?, 0, null, NOW(), ?)");
+ VALUES (LOWER(?), ?, 0, null, NOW(), ?)");
 $sth->execute([$login, $pwd_hash, $salt]);
 $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
- login = ? AND pwd_hash = ?");
+ LOWER(login) = LOWER(?) AND pwd_hash = ?");
 $sth->execute([$login, $pwd_hash]);
 if ($row = $sth->fetch()) {
--
cgit v1.2.3-54-g00ecf
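Review bot: The UPDATE in the first hunk stores `LOWER(?)` as the new login, but nothing visible in the hunk checks whether a different account already owns that folded name, whereas the add path in the second hunk runs `LOWER(login) = LOWER(?)` before inserting. Renaming a user to a name that differs only in case from an existing login (for example a mixed-case row created before this change) would leave two rows that both match case-insensitive lookups, which makes it ambiguous which account a login resolves to. A guard before the UPDATE such as `SELECT id FROM ttrss_users WHERE LOWER(login) = LOWER(?) AND id != ?`, returning early when a row comes back, would close this. The enclosing method starts and ends outside the hunk, so an earlier check may already exist there.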
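Review bot: The existence check and the INSERT in the second hunk are separate statements, so case-insensitive uniqueness of `login` is enforced only by this code path and not atomically. Two concurrent requests, or any other writer, can still leave two rows whose logins differ only in case, and every `LOWER(login) = LOWER(?)` lookup would then match both. If the schema (not shown on this page) has only a plain unique constraint on `login`, a migration that lowercases the existing rows would let that constraint cover the folded value; the lookups could then be plain `login = LOWER(?)` and use the index, and a constraint violation on INSERT could be treated as "user already exists". The function body starts and ends outside the hunk.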