k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 13:21:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(oidc): keep dots in generated usernames

Browse Source 
The OIDC username sanitizer stripped dots because they were missing from the
allowed character class, so a name claim like "first.last" became "firstlast".
Dots are valid usernames (the profile validator already allows
^[a-zA-Z0-9_.-]+$), so add the dot to the sanitizer.
This commit is contained in:
Maurice
2026-06-17 21:00:04 +02:00
parent b3fc5411ca
commit e09849d5b4
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/services/oidcService.ts
+4 -2
View File
@@ -417,8 +417,10 @@ export function findOrCreateUser(
const bcrypt = require('bcryptjs'); const bcrypt = require('bcryptjs');
const hash = bcrypt.hashSync(randomPass, 10); const hash = bcrypt.hashSync(randomPass, 10);
// Username: sanitize and avoid collisions // Username: sanitize and avoid collisions. Keep dots — they are valid in
let username = name.replace(/[^a-zA-Z0-9_-]/g, '').substring(0, 30) || 'user'; // usernames (see the ^[a-zA-Z0-9_.-]+$ validation in authService) and common
// in OIDC name claims like "first.last".
let username = name.replace(/[^a-zA-Z0-9_.-]/g, '').substring(0, 30) || 'user';
const existing = db.prepare('SELECT id FROM users WHERE LOWER(username) = LOWER(?)').get(username); const existing = db.prepare('SELECT id FROM users WHERE LOWER(username) = LOWER(?)').get(username);
if (existing) username = `${username}_${Date.now() % 10000}`; if (existing) username = `${username}_${Date.now() % 10000}`;