From 5150027f0d45433aceb633724113d81a1af4e013 Mon Sep 17 00:00:00 2001
From: Tim Lorsbach
Date: Mon, 16 Feb 2026 13:58:06 +0100
Subject: [PATCH] [Fix] Login via email, prevent Usernames with certain chars

---
 epdb/views.py | 28 +++++++++++++++++++++++++---
 templates/static/login.html | 6 ++++--
 2 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/epdb/views.py b/epdb/views.py
index fd9aac16..e8cc8276 100644
--- a/epdb/views.py
+++ b/epdb/views.py
@@ -6,7 +6,9 @@ from typing import Any, Dict, List
 import nh3
 from django.conf import settings as s
 from django.contrib.auth import get_user_model
-from django.core.exceptions import BadRequest, PermissionDenied
+from django.contrib.auth.validators import UnicodeUsernameValidator
+from django.core.exceptions import BadRequest, PermissionDenied, ValidationError
+from django.core.validators import validate_email
 from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotAllowed, JsonResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
@@ -160,14 +162,27 @@ def login(request):
 # Get email for username and check if the account is active
 try:
- temp_user = get_user_model().objects.get(username=username)
+ # Try username and if it fails check if username is a valid email adress and we'll find a user
+ try:
+ temp_user = get_user_model().objects.get(username=username)
+ except get_user_model().DoesNotExist as e:
+ # validate_email returns None if input is valid -> check for None
+ # Otherwise a ValidationError is raised
+ if validate_email(username) is None:
+ temp_user = get_user_model().objects.get(email=username)
+ else:
+ raise e
 if not temp_user.is_active:
 context["message"] = "User account is not activated yet!"
 return render(request, "static/login.html", context)
 email = temp_user.email
- except get_user_model().DoesNotExist:
+ except (get_user_model().DoesNotExist, ValidationError):
+ context["message"] = "Login failed!"
+ return render(request, "static/login.html", context)
+ except Exception as e:
+ logger.info(f"Uncaught exception while trying to login: {e}")
 context["message"] = "Login failed!"
 return render(request, "static/login.html", context)
@@ -230,6 +245,13 @@ def register(request):
 context["message"] = "Invalid username/email/password"
 return render(request, "static/login.html", context)
+ if UnicodeUsernameValidator(username) is not None:
+ context["message"] = (
+ "Enter a valid username. This value may contain only letters, "
+ "numbers, and @/./+/-/_ characters."
+ )
+ return render(request, "static/login.html", context)
+
 if password != rpassword or password == "":
 context["message"] = "Registration failed, provided passwords differ!"
 return render(request, "static/login.html", context)
diff --git a/templates/static/login.html b/templates/static/login.html
index c46303d8..459577ac 100644
--- a/templates/static/login.html
+++ b/templates/static/login.html
@@ -82,13 +82,13 @@
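Review bot: `get_user_model().objects.get(email=username)` in the new email fallback assumes the email column is unique, but Django's default user model does not enforce that, so two accounts sharing an address make the lookup raise `MultipleObjectsReturned`, which here falls into the new catch-all `except Exception` and is reduced to an INFO line without a traceback. Handle that case deliberately next to the others, `except (get_user_model().DoesNotExist, get_user_model().MultipleObjectsReturned, ValidationError):`, and record the remaining unexpected failures with their traceback, `logger.exception("Unexpected error during login")`, instead of an f-string at info level (assuming `logger` is the module logger; it is not defined in this hunk). Note also that the email path now reaches the distinguishable "User account is not activated yet!" response, so an unauthenticated request can learn whether an address belongs to a pending account; the distinction predates this change for usernames, but extending it to email addresses widens that enumeration surface, and a single generic "Login failed!" for both cases would close it. The enclosing function `login` starts and ends outside the hunk.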
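Review bot: `if UnicodeUsernameValidator(username) is not None:` in the register hunk never validates anything: `UnicodeUsernameValidator` is a `RegexValidator` subclass, so this call constructs a validator instance with `username` as its regex argument, and an instance is never `None`, which makes the condition true for every input and rejects every registration with the "Enter a valid username" message. Validators are applied by calling the instance and catching the error, so replace the `if` line with `try:` / `UnicodeUsernameValidator()(username)` / `except ValidationError:` and keep the message block as the handler body (`ValidationError` is already imported by this patch). Separately, this validator permits `@` and `.`, so email-shaped usernames remain registrable; if the intent behind the subject line is to keep usernames disjoint from the new login-by-email fallback, a stricter check is needed. The enclosing function `register` starts and ends outside the hunk.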