Auth: Improve sanitization of usernames and handles

Signed-off-by: Michael Mayer <michael@photoprism.app>
2023-03-15 22:41:59 +01:00 · 2023-03-15 22:41:59 +01:00 · cc12f3f457
commit cc12f3f457
parent 4a980b4fbf
3 changed files with 35 additions and 5 deletions
--- a/internal/entity/auth_user_test.go
+++ b/internal/entity/auth_user_test.go
@ -1137,4 +1137,21 @@ func TestUser_FullName(t *testing.T) {

 		assert.Equal(t, "Jane Doe", u.FullName())
 	})
+	t.Run("Windows", func(t *testing.T) {
+		u := User{
+			ID:          1234567,
+			UserUID:     "urqdrfb72479n047",
+			UserName:    "DOMAIN\\Jens Mander",
+			UserRole:    acl.RoleAdmin.String(),
+			DisplayName: "",
+			SuperAdmin:  false,
+			CanLogin:    true,
+			WebDAV:      true,
+			CanInvite:   false,
+		}
+
+		assert.Equal(t, "jens.mander", u.Handle())
+		assert.Equal(t, "domain\\jens mander", u.Username())
+		assert.Equal(t, "Jens Mander", u.FullName())
+	})
 }
--- a/pkg/clean/auth.go
+++ b/pkg/clean/auth.go
@ -13,6 +13,13 @@ var EmailRegexp = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0
 // Handle returns the sanitized username with trimmed whitespace and in lowercase.
 func Handle(s string) string {
 	s, _, _ = strings.Cut(s, "@")
+
+	if d, u, found := strings.Cut(s, "\\"); found && u != "" {
+		s = u
+	} else {
+		s = d
+	}
+
 	s = strings.TrimSpace(s)

 	// Remove unwanted characters.
@ -21,8 +28,8 @@ func Handle(s string) string {
 			return -1
 		}
 		switch r {
-		case '"', '\'', '(', ')', '#', '&', '$', ',', '+', '=', '`', '~', '?', '|', '*', '\\', '/', ':', ';', '<', '>', '{', '}':
-			return -1
+		case ' ', '"', '\'', '(', ')', '#', '&', '$', ',', '+', '=', '`', '~', '?', '|', '*', '/', '\\', ':', ';', '<', '>', '{', '}':
+			return '.'
 		}
 		return r
 	}, s)
@ -45,7 +52,7 @@ func Username(s string) string {
 			return -1
 		}
 		switch r {
-		case '"', '\'', '(', ')', '#', '&', '$', ',', '+', '=', '`', '~', '?', '|', '*', '\\', '/', ':', ';', '<', '>', '{', '}':
+		case '"', '\'', '(', ')', '#', '&', '$', ',', '+', '=', '`', '~', '?', '|', '*', '/', ':', ';', '<', '>', '{', '}':
 			return -1
 		}
 		return r
--- a/pkg/clean/auth_test.go
+++ b/pkg/clean/auth_test.go
@ -14,13 +14,16 @@ func TestHandle(t *testing.T) {
 		assert.Equal(t, "admin", Handle(" Admin@foo "))
 	})
 	t.Run(" Admin ", func(t *testing.T) {
-		assert.Equal(t, "admin foo", Handle(" Admin foo "))
+		assert.Equal(t, "admin.foo", Handle(" Admin foo "))
 	})
 	t.Run(" admin ", func(t *testing.T) {
 		assert.Equal(t, "admin", Handle(" admin "))
 	})
 	t.Run("admin/user", func(t *testing.T) {
-		assert.Equal(t, "adminuser", Handle("admin/user"))
+		assert.Equal(t, "admin.user", Handle("admin/user"))
+	})
+	t.Run("Windows", func(t *testing.T) {
+		assert.Equal(t, "jens.mander", Handle("DOMAIN\\Jens Mander "))
 	})
 }

@ -40,6 +43,9 @@ func TestUsername(t *testing.T) {
 	t.Run("admin/user", func(t *testing.T) {
 		assert.Equal(t, "adminuser", Username("admin/user"))
 	})
+	t.Run("Windows", func(t *testing.T) {
+		assert.Equal(t, "domain\\jens mander", Username("DOMAIN\\Jens Mander "))
+	})
 }

 func TestEmail(t *testing.T) {