From e09849d5b48e4409705b95db49e90f57a9485911 Mon Sep 17 00:00:00 2001
From: Maurice
Date: Wed, 17 Jun 2026 21:00:04 +0200
Subject: [PATCH] fix(oidc): keep dots in generated usernames

The OIDC username sanitizer stripped dots because they were missing from the allowed character class, so a name claim like "first.last" became "firstlast". Dots are valid usernames (the profile validator already allows ^[a-zA-Z0-9_.-]+$), so add the dot to the sanitizer.
---
 server/src/services/oidcService.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/src/services/oidcService.ts b/server/src/services/oidcService.ts
index ebf140fa..774faa83 100644
--- a/server/src/services/oidcService.ts
+++ b/server/src/services/oidcService.ts
@@ -417,8 +417,10 @@ export function findOrCreateUser(
 const bcrypt = require('bcryptjs');
 const hash = bcrypt.hashSync(randomPass, 10);
- // Username: sanitize and avoid collisions
- let username = name.replace(/[^a-zA-Z0-9_-]/g, '').substring(0, 30) || 'user';
+ // Username: sanitize and avoid collisions. Keep dots — they are valid in
+ // usernames (see the ^[a-zA-Z0-9_.-]+$ validation in authService) and common
+ // in OIDC name claims like "first.last".
+ let username = name.replace(/[^a-zA-Z0-9_.-]/g, '').substring(0, 30) || 'user';
 const existing = db.prepare('SELECT id FROM users WHERE LOWER(username) = LOWER(?)').get(username);
 if (existing) username = `${username}_${Date.now() % 10000}`;
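Review bot: On the new `let username = ...` line, a name claim made up only of dots, or one that starts or ends with a dot, now survives sanitizing as a username such as `..` or `.admin`, where the old character class reduced it to the `'user'` fallback or stripped the dots. The `name` claim is supplied by the identity provider and is often user-editable there, so I would trim edge dots after truncation: `let username = name.replace(/[^a-zA-Z0-9_.-]/g, '').substring(0, 30).replace(/^\.+|\.+$/g, '') || 'user';`. The `^[a-zA-Z0-9_.-]+$` pattern cited in the comment would accept the same dot-only names, so the authService validator probably deserves the same rule, though it is not visible in this patch. Separately, the `_${Date.now() % 10000}` suffix in the context lines is not re-checked against existing users within the hunk. `findOrCreateUser` starts and ends outside the hunk, so a later check may already cover either case.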